Hacker unleashes updated backdoor program


(IDG) -- An updated version of the backdoor program SubSeven was released by its creator, a hacker known as "mobman," on Friday, according to the "official" Web page of the program.

The SubSeven backdoor, which allows malicious hackers to access and control a user's computer without his or her knowledge, is "one of the highest threats to Windows PCs, especially those running in broadband environments," said Chris Rouland, director of the X-Force research team at computer security firm Internet Security Systems (ISS) in Atlanta, Georgia.

The program typically arrives in an email disguised as one of a variety of benign file types. Users unwittingly launch the program, potentially allowing a malicious hacker to perform actions including restarting and shutting down their computer and retrieving passwords, as well as uploading, downloading, and deleting files from the hard drive.

The new version, SubSeven 2.2, has a broader set of functions than its predecessor, making it more dangerous. For example, the program includes expanded notification capabilities that could allow hackers to more effectively coordinate DDoS (distributed denial-of-service) attacks, giving them a list of infected computers. The list makes it easier to orchestrate such an attack, which can shut down a Web site by flooding it with fake requests for information.

Another new feature, which helps attackers hide their identity, supports what are known as SOCKS4 and SOCKS5 proxies. Using these proxies to cross international borders between countries whose governments don't cooperate with investigators could make it even more difficult to track down the hacker, Rouland said.

SubSeven 2.2 has already been spotted on the Internet, hidden in pornography files on a Usenet group, Rouland said. It wasn't immediately clear if any users have been infected with the new version yet.

Another major development in Version 2.2 is that most of the program's functionality resides in plug-in DLLs (dynamic link libraries), making it fairly simple to upgrade. The hacker community plans to release an SDK (software developer kit), which would enable hackers to create custom plug-ins, making it even harder to detect than previous versions, as well as allowing customization of the program, Rouland said.

Backdoors such as SubSeven and the better-known BackOrifice have a tendency to spread quickly because they are easy for hackers to launch, Rouland said. ISS found one strain of SubSeven 2.17 in thousands of computers, and Rouland estimates the total number of infected machines to be in the tens of thousands. In many cases, the malicious code lies dormant in the infected PC unless a hacker chooses to target that machine.

"Up to date antivirus software and intrusion detection software is the real solution here," Rouland said.

4:30pm ET, 4/16