Security Experts Warn of Updated Trojan

An updated version of the backdoor program SubSeven was released by its creator, a hacker known as "mobman," on Friday, according to the program's "official" Web page.

The SubSeven backdoor, which allows malicious hackers to access and control your PC without your knowledge, is "one of the highest threats to Windows PCs, especially those running in broadband environments," says Chris Rouland, director of the X-Force research team at computer security firm Internet Security Systems, or ISS.

The program, a kind of Trojan horse program, typically arrives in an e-mail disguised as one of a variety of benign file types. If you unwittingly launch the program, you may allow malicious hackers entry to your system. They could restart or shut down your PC, retrieve passwords, or upload, download, and delete files from the hard drive.

Still, it can be stopped if you exercise caution about opening attachments from unknown correspondents.

"Up-to-date antivirus software and intrusion detection software is the real solution here," Rouland says.

Update Adds Hazards

The new version, SubSeven 2.2, has a broader set of functions than its predecessor, making it more dangerous, according to the ISS team. For example, the program includes expanded notification capabilities that could let hackers more effectively collaborate distributed denial-of-service attacks, giving them a list of infected computers. The list makes it easier to orchestrate such an attack, which can shut down a Web site by flooding it with fake requests for information.

Another new feature supports what are known as socks4 and socks5 proxies, which help the attackers hide their identities. Using these proxies to cross international borders between countries whose governments don't cooperate with investigators could make it even more difficult to track down the hacker, Rouland says.

Already in the Wild

SubSeven 2.2 has already been spotted on the Internet, hidden in pornography files on a Usenet group, Rouland says. It isn't clear whether any users have yet been infected with the new version.

Another major development in version 2.2 is that most of the program's functionality resides in plug-in dynamic link libraries, making it fairly simple to upgrade. The hacker community plans to release a software developer kit that would enable hackers to create custom plug-ins. This could make it even harder to detect than previous versions and allow customization of the program, Rouland says.

Backdoors such as SubSeven and the better-known BackOrifice have a tendency to spread quickly because they are easy for hackers to launch, Rouland said. ISS found one strain of SubSeven 2.17 in thousands of computers, and Rouland estimates the total number of infected machines to be in the tens of thousands. In many cases, the malicious code lies dormant in the infected PC unless a hacker chooses to target that machine.