KeyFocus - KFSensor Extras - kfSubSeven

kfSubSeven

kfSubSeven is a honeypot emulation of the ever popular SubSeven trojan server.

kfSubSeven behaves just like a real thing, but without the unpleasant consequences.
It is a self contained application which is designed to work within a honeypot system, it will not work by itself.

kfSubSeven is not part of the KFSensor system, but can be used to add to its capabilities.
Unlike KFSensor, this application is released as open source under the GNU General Public License.
kfSubSeven works well within KFSensor and may also work under other honeypot systems.

Key Points

kfSubSeven is not a trojan, virus, spyware or malware
kfSubSeven is not a version of SubSeven
kfSubSeven is not based on SubSeven source code
kfSubSeven will not help you hack into, or control other systems
kfSubSeven will help you to detect hackers using SubSeven

What is SubSeven
How kfSubSeven works
Example attack
Screen shots
Installing kfSubSeven
Download

What is SubSeven

SubSeven is a trojan. Once installed on a victim's machine the SubSeven server runs undetected and opens a tcp port, or backdoor, which allows a hacker complete control of the victim's machine. The hacker uses the SubSeven client program to control the SubSeven server program from a remote location.

Different trojans have different capabilities.
SubSeven has the lot.
It has the ability to upload, download and execute files, key logging, turn the victim's into a FTP, chat, ICQ server. It can even turn on the web cam and watch the victim in real time and use text2speech to talk to the victim.

It is the most popular trojan for the following reasons:

It has lots of 'cool' features
It has been developed for a number of years
It is very easy to use
It is easy to get hold of

Because of this people who use SubSeven are mostly script kiddies. However, existing SubSeven installations are also used by more advanced hackers as a convienient back door to enable them upload their custom scripts and trojans.

SubSeven can listen on any port. Its default port is 27374, which is one of the most scanned ports on the Internet.

SubSeven opens other ports for special function. 2774 for the chat feature and 7215 for the Matrix feature.

Warning: If you want to try it out for yourself bear in mind the following:
It is illegal in most countries to use it on a machine you do not legally control.
Many SubSeven distributions are infected with other trojan horses and using one of these will compromise you own security.

How kfSubSeven works

kfSubSever listens on a port and accepts connections from a SubSeven client in the same way that the SubSeven server does.
kfSubSever understands the SubSeven protocol and replicates the responses generated by the SubSeven server.

As far as a hacker is concerned there is no difference between controlling kfSubSeven and SubSeven.

Because kfSubSeven only simulates SubSeven and most importantly does not allow the hacker to compromise the system it is limited in the extent to which it can emulate SubSeven. This means an intellegent hacker, i.e. not a script kiddie will eventually work out there is something not quite right. Hopefully their intentions will be revealed by this point and a significant amount of their time will have been wasted.

For example a hacker may try to upload and execute their piece of malware on the honeypot, or use kfSubSeven to launch a scan on another machine. This will not work and will indicate that something is wrong.
However, the hacker may not realise that the server is a honeypot. Their victim's machine may be being blocked by a firewall.

kfSubSeven Features

kfSubSeven implements all the commands found in the SubSeven protocol page.

There are too many features to mention them all here.
If you are keen to know all the details then read the source code.

Here are some of the kfSubSeven highlights:

Lets the client chat to the honeypot.
SubSeven has a chat feature called 'The Matrix' that makes the victim's machine behave like it does in the film where Neo is first contacted. kfSubSeven quotes lines from the film back at the hacker. :-)
Lets the client browse the files on the computer
Lets the client upload files. These are placed in a secure area for later analysis.
Lets the client download files. These are special honey token files that you want people to see.
Lets the client obtain the systems passwords

Reminder: None of the data the client can access is genuine.

Have a look at the Screen shots for a few examples.

Staying on step ahead

If you managed to find kfSubSeven on the Internet, then you can be sure other less well intentioned people have as well. They will quickly learn what to look out for and develop tests to tell kfSubSeven and SubSeven apart, in other words they will have a kfSubSeven fingerprint.

In order to stay one step ahead do the following:

Change the kfsubseven configuration; change the settings in the kfsubseven.conf file
Let us know of anything that looks like a fingerprint and we will update kfSubSeven to counter it
Make you own customised version of kfSubSeven. The source code is there to be used

Example attack

The best way to understand how both kfSubSeven works is by example.
So we have produced an annotated record of a real life SubSeven attack on a KFSensor honeypot system, running kfSubSeven.

Click on this link to see the Example attack.

Screen shots

The screen shots are all of the SubSeven client program interacting with kfSubSeven.
They give a few examples of how well kfSubSeven can emulation SubSeven.

The hacker uses 'The Matrix' to talk to kfSubSeven and it answers him back!.
In this example the two of them swap lines from the film. The responses are configurable and can be selected at random, or picked from a sequence like this example.

SubSeven has this handy feature that tends to be the first thing hackers use.
The values can be changed in the kfsubseven.conf file.

kfSubSeven is configured with dummy passwords that it can give out.

The hacker can user SubSeven's file manager to browse the victim's hard disk.
The lists of files returned are contained in a config file.

The hacker can ask kfSubSeven to scan other computers.
The scan looks like it is working, but will never find anything, it keeps the hacker waiting for a long time.

Some of the 'fun' things SubSeven lets a hacker do to his victim.

Installing kfSubSeven

The following instructions relate to installing kfSubSeven onto a KFSensor system.

kfSubSeven consists of a single executable and a number of other configuration and honeytoken files. Installation and configuration is a manual process.

Step 1

Unzip the file kfsubseven.zip in the directory:
C:\Program Files\KeyFocus\KFSensor\files Make sure you enable the folders option of your unzip utility, to preserve the directory structure in the zip file.

Step 2

Create the following blank directory:
C:\kfsensor\subsevenuploads

You should now have the following tree structure.

C: kfsensor logs nbtuploads subsevenuploads Program Files KeyFocus KFSensor bin conf files iis wwwroot kfsubseven nbtdownloads scripts sub7downloads

Step 3

Edit the file C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.conf

You can change many options here but for now set the Path options as below:

UploadPath=C:\kfsensor\subsevenuploads DownloadPath=C:\Program Files\KeyFocus\KFSensor\files\sub7downloads

This enables a kfSubSeven to capture and store uploaded files into subsevenuploads and to enable files in sub7downloads to be downloaded

Step 4

kfSubSeven is now installed, but KFSensor needs to be configured to use it.

Go to the Scenario menu and select the Edit Sim Servers... menu item.

Use the Add.. button and select Action Type: Sim Std Server, Sim Type: External Console App, from the Add Sim Server dialog box.

Fill in the following field and press OK.

Note: It is very important that you get the Arguments field right, including the case. Best to just copy and paste the values.

This is the main SubSeven server

Field	Value
Name	kfSubSeven Server
Default port	27374
Severity	High
Timeout	1200
Log style	Mixed
Receive Limit	2000000
Log response lines	3
Log Response size	1000000
Log receive size	1000000
Application ID	SubSeven
Application Path	C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.exe
Arguments	-ckfsubseven.conf -I$ipdst -P$dport -i$ipsrc -p$sport
Working directory	C:\Program Files\KeyFocus\KFSensor\files\kfsubseven
Exit code

Now repeat the process for the SubServer Chat port

Field	Value
Name	kfSubSeven Chat
Default port	2774
Severity	High
Timeout	600
Log style	Mixed
Receive Limit	10240
Log response lines	0
Log Response size	10240
Log receive size	10240
Application ID	SubSeven Chat
Application Path	C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.exe
Arguments	-C -ckfsubseven.conf -I$ipdst -P$dport -i$ipsrc -p$sport
Working directory	C:\Program Files\KeyFocus\KFSensor\files\kfsubseven
Exit code

Now repeat the process for the SubServer Matrix port

Field	Value
Name	kfSubSeven Matrix
Default port	7215
Severity	High
Timeout	600
Log style	Mixed
Receive Limit	10240
Log response lines	0
Log Response size	10240
Log receive size	10240
Application ID	SubSeven Matrix
Application Path	C:\Program Files\KeyFocus\KFSensor\files\kfsubseven\kfsubseven.exe
Arguments	-M -ckfsubseven.conf -I$ipdst -P$dport -i$ipsrc -p$sport
Working directory	C:\Program Files\KeyFocus\KFSensor\files\kfsubseven
Exit code

Go to the Scenario menu and select the Edit Active Scenario... menu item.

Use the Delete button to remove and listen definitions you might have on ports; 27374, 2774 and 7215

Use the Add... button to add three listen definitions for each of the Sim Std Server definitions you have just made.

Step 5

KFSensor should now be running kfSubSeven.

In order to test it you can either;

Use a copy of the SubSeven client, not recomended, but it is the best way
Use a Telnet client and open each of the three new ports in turn.
You can type in some of the commands in the Example attack to see if they work.

Download

Windows Executable - kfsubseven.zip
This file contains the compiled kfsubseven executable and the extra files it needs to run it on a Windows machine.

Source code - kfsubsevensrc.zip
This file contains everything you need to build kfsubseven, under Visual C++ .NET
The source code is written in ANSI C and if you create your own make file it will compile on an C compiler under Windows.

The current version contains Windows API calls and will not compile under Unix.
However, these API calls are all located in the file kfinout.c and it will not be too much work to replace them with Unix specific code.

kfSubSeven is licensed under the GNU General Public License.
If you make any enhancements to kfsubseven and want to distribute them, then please get in touch with us.
We are particulary interested in any ports to Unix or other systems.