January 02, 2001, 2:20 PM — Today's Internet is a veritable hacker free-for-all. Underneath our noses, malicious packets rattle the virtual doors and windows of the Internet community and whiz through our computers searching for weaknesses. Their main targets are poorly configured Windows systems. And without a personal firewall on your employees' home systems, these seemingly innocuous PCs can be the death of your corporate security program.
In the span of one year, we received at our home systems more than 3,000 Trojan horse-related port scans. The sources of these scans were almost always dial-up accounts, which provide the cover that attackers need to obfuscate their origins. Dial-up accounts can be easily forged with a stolen credit card and a bogus mailing address, making them ripe for abuse. And the aggravation one must endure to stop an attacker can be overwhelming. Administrators often ignore the risk rather than go through the hassle of working with a large ISP to chase down the numerous dial-up attackers.
What is the most popular Trojan horse found on the Internet today? Well, if our firewall logs on @Home are any indication, Subseven 2.1 is one of the most frequently scanned-for Trojan horses. Subseven installations appear to have reached epic proportions on the Internet.
The Subseven 2.1 server Trojan horse was released on Sept. 15 and contains just about everything a mad hacker's heart desires. The program is in essence a remote-control program that allows a remote attacker to use the Subseven client to connect to the server and run just about any command. Among the most deadly of these features are the port redirector and the port scanner.
The Subseven port redirector allows an attacker to target any system by redirecting ports on the affected system to a new target. This is great for malicious hackers who wish to take advantage of the home user's VPN client software, which tunnels into your corporate network and opens up your corporate systems.
The port scanner feature within Subseven allows an attacker to turn the typical @Home PC into a personal scanning system that accesses the corporate LAN. With both the port redirector and port scanner functions, the attacks will appear to be coming from trusted employees.
A Subseven infection can occur in a number of ways. The most obvious comes through unprotected shares of the root drive. This vulnerability occurs when an unsuspecting user shares the entire C: drive, for example, by allowing unauthenticated read and write access. With this in place, an attacker can simply edit the win.ini file of a Windows 9x system and run the uploaded Trojan horse at will. Another simple technique for infecting a system is to spam users with an executable attached to an e-mail and tell the recipients to run it.
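The win.ini edit described above works because Windows 9x launches whatever is listed on the run= and load= lines of the [windows] section at logon. The following audit script is an added example, not code from the article: it parses a win.ini, lists every program those two lines would start, and flags any whose executable name is not on an allowlist. The sample win.ini is constructed, and the flagged path is a placeholder rather than a real indicator.

```python
"""Audit a Windows 9x win.ini for programs started from the [windows]
section's run= and load= lines, the hook the article describes an attacker
editing over an unprotected C: share. Added example, not from the article;
the sample win.ini is constructed and the flagged path is a placeholder."""

AUTOSTART_KEYS = ("run", "load")  # [windows] keys that launch programs at logon

def parse_ini(text):
    """Return {section: {key: value}}; names are folded to lower case
    (INI is case-insensitive) and ';' comment lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def autostart_entries(ini_text):
    """(key, program) for every program on run= or load=. Windows separates
    entries with spaces or commas (assumes 8.3 paths without spaces)."""
    windows = parse_ini(ini_text).get("windows", {})
    return [(key, prog) for key in AUTOSTART_KEYS
            for prog in windows.get(key, "").replace(",", " ").split()]

def unexpected_autostarts(ini_text, allowlist):
    """Entries whose executable basename is not on the allowlist."""
    allowed = {name.lower() for name in allowlist}
    return [(k, p) for k, p in autostart_entries(ini_text)
            if p.rsplit("\\", 1)[-1].lower() not in allowed]

# Constructed sample: one expected program plus a placeholder executable
# appended to run=, the kind of edit the article warns about.
SAMPLE_WIN_INI = """[windows]
; comment line
run=C:\\WINDOWS\\LEGIT_APP.EXE, C:\\WINDOWS\\EXAMPLE_DROPPED.EXE
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    for key, prog in unexpected_autostarts(SAMPLE_WIN_INI, ["legit_app.exe"]):
        print(f"{key}= launches unexpected program {prog}")
```

Run against a real win.ini, the allowlist should hold only the programs the user knowingly installed; anything else on run= or load= deserves a look, as does write access to the file from the network.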