Updated backdoor program increases danger

An updated version of the backdoor program SubSeven was released by its creator, a hacker known as 'mobman,' on Friday, according to the 'official' Web page of the program.

          An updated version of the backdoor program SubSeven was released by its creator, a hacker known as "mobman," on Friday, according to the "official" Web page of the program.

          The SubSeven backdoor, which allows malicious hackers to access and control a user's computer without his or her knowledge, is "one of the highest threats to (Microsoft's) Windows PCs, especially those running in broadband environments," said Chris Rouland, director of the X-Force research team at computer security firm Internet Security Systems (ISS) in Atlanta.

          The program typically arrives in an email disguised as one of a variety of benign file types. Users unwittingly launch the program, potentially allowing a malicious hackers to perform actions including restarting and shutting down their computer and retrieving passwords, as well as uploading, downloading and deleting files from the hard drive.

          The new version, SubSeven 2.2, has a broader set of functions than its predecessor, making it more dangerous. For example, the program includes expanded notification capabilities that could allow hackers to more effectively collaborate DDoS (distributed denial-of-service) attacks, giving them a list of infected computers. The list makes it easier to orchestrate such an attack, which can shut down a Web site by flooding it with fake requests for information.

          Another new feature supports what are known as socks4 and socks5 proxies, which helps the attacker hide their identity. Using these proxies to cross international borders between countries whose governments don't cooperate with investigators could make it even more difficult to track down the hacker, Rouland said.

          SubSeven 2.2 has already been spotted on the Internet, hidden in pornography files on a Usenet group, Rouland said. It wasn't immediately clear if any users have been infected with the new version yet.

          Another major development in version 2.2 is that most of the program's functionality resides in plug-in DLLs (dynamic link libraries), making it fairly simple to upgrade. The hacker community plans to release a software developer kit (SDK), which would enable hackers to create custom plug-ins, making it even harder to detect than previous versions, as well as allowing customization of the program, Rouland said.

          Backdoors such as SubSeven and the better-known BackOrifice have a tendency to spread quickly because they are easy for hackers to launch, Rouland said. ISS found one strain of SubSeven 2.17 in thousands of computers, and Rouland estimates the total number of infected machines to be in the tens of thousands. In many cases, the malicious code lies dormant in the infected PC unless a hacker chooses to target that machine.

          "Up to date antivirus software and intrusion detection software is the real solution here," Rouland said.

          Internet Security Systems, in Atlanta, can be reached on the Web at