Trying to find and use Subseven Server Sniper!

Discussion in 'Trojan Defence Suite' started by Corey K, May 18, 2003.

Thread Status:
Not open for further replies.
  1. Corey K

    Corey K Guest

    Ok... so I got a copy of Subseven infecting my machine... fortunately I believe it is blocked by my Firewall from sending its mail notification to the infecTOR... it's identified fully by TDS-3 as SubSeven 2.2 (no beta specifications, though, so I assume it's pure SS2.2) I've been searching the internet for FEW HOURS for the SubSeven Server Sniper that I've heard of for years... I keep getting referrals to Diamond CS's website for their SubSeven Server sniper for SS2.2. however... the site doesn't seem to have the link up and I can't find it... I'M LOOKING TO SNIPE THIS SERVER...ANYONE KNOW WHERE TO FIND THE SNIPER FOR IT...?
    Thank-you,
    Corey
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Corey,

    Since you have TDS3 installed, the way to go seems getting rid of this nastie using TDS3 ;).

    The DCS sniper is no longer available for quite a while now, as far as I know.

    regards.

    paul
     
  3. Corey K

    Corey K Guest

    Yeah, well... I'd like to... but I can't figure out how to get TDS-3 to remove it....! It seems to just be a Trojan Identification Suite...!
    Any idea how to get it to uninstall the Trojan? And where the hell did the Sniper go?! I saw a posting on a website claiming to be from DiamondCs and they were saying how they had cracked the newest version 2.2 of SubSeven and had a sniper available... where'd it go?! Nutz... well... I need to get rid of it... Can't seem to figure out how to get TDS to ACTUALLY remove it... help...
    thanx...
    Corey
     
  4. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    I don't have TDS so I can't help. But you could try posting in the TDS forum here where it may be more likely to come to someone's attention who can help you.
     
  5. Corey K

    Corey K Guest

    Correction: I can delete the files that TDS identifies... but I would like to properly remove it ... aka registry entries.. win.ini entries... etc... plus... I'd also like to snipe the bastard... I know about spoofs and commandeering others' machines... so I'm not planning to run amok on the net... perhaps just honey pot him or something... I KNEW what it was when I opened it... it's just that I didn't realize that there are no SNIPERS for version 2.2... I had more than a blanket (TDS-3, Reg Prot, Outpost Firewall, Spybot, TCPView, plus my trusty "Phone-Cord-Pulling-Right-Hand") to block it from allowing him access... but I'd like to PROPERLY remove it... and SNIPE it first if able... It has been able to access a DNS server to identify what I am assuming to be my machine's current IP... but the firewall blocks its attempt to mail out to a hotmail account... and there are no live connections... just dynamic ports which randomly change every time the program runs anew. Oh well... you get me... I'm gonna keep workin on the thing... but eventually I'll be two to four years learning how to do what DCS has already done... I want the sniper... LOL
    Corey
     
  6. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Hi Corey,

    actually your question would be a nice thread in the TDS-3 forum. Why are you searching for Subseven Server Sniper, when you have TDS-3? TDS-3 isn't just a Trojan Identification Suite. You don't know the power you have with this tool yet. :D

    You don't need Subseven Server Sniper for tracing this guy. You have TDS-3 with which you can perform this action! :D Ever looked at the Network tools they included like TCP Connect, TCP Port Listen,... Nice tools to build up a connection with this subseven server...

    If you need further help with those, start a thread in the TDS-3 forum! ;)

    Best regards,

    Patrice
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Corey, sorry to hear about your infection and the frustrating searching for the sniper!
    And I was not around a few hours cleaning out my system (just normal housekeeping the files, no infections) and you in this big need! sorry!
    Indeed, the sniper does exist but no longer for public (I suppose for security reasons); the one on the website was for older S7 versions I guess.
    The TDS lab is able to snipe it out for you, for which they have a service, since they have been rebuilding (and still are) their web sites I can't find a link/description to this at the moment. Guess if you really want to know who sent you the nasty and which is its payload, sender, etc you best contact wayne@diamondcs.com.au or support@diamondcs.com.au
    I would like to know as well where and how so you can properly complain by the right abuse department with the proof at hand.

    In the meantime, while waiting for DCS's answer, you might like to create a folder in TDS-3 which you might like to name ScanAlerts (so you can easily find it back) and move the nasties inside and zip them, so they can't harm your system in the meantime while waiting for DCS's answer.
    Having such a folder is very handy, I move suspicious emails and all alerts in there (or at least copy) so I can scan that whole folder at a time plus I know if they are in there all is well, if outside it needs further attention.

    Fingers crossed for a positive answer for you!
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Oh ehhh Corey, did you say you prefer to have it running and look in the TCP Port listen set on port 27374 for packets? Or the traffic bridge?
    Do you also have Port Explorer to spy on the packets?
    And did you look in the AutostartViewer if it added autostart registry keys?
    And of course in the TDS autostart explorer and Process Lists, netstat,........
    TDS you have, Screx activated, as a most wonderful emulator?
    You do have several possibilities but CAREFUL please!
     
  9. SmackDown

    SmackDown Guest

    Hi,

    You can find a SUB7 cleaner here. http://www.kittanning-pa.com/downloads.html

    SmackDown
     
  10. Dan Perez

    Dan Perez Guest

    Hi Corey,

    If you have a registered copy of TDS, you can load the very good "SCREX" SS3 script that Andreas wrote. This includes a SubSeven emulator (which can emulate different versions) which will warn you when your "counterpart" tries to connect. Once this happens you can use some of the screx-defined commands against him.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hehhh, rereading my own messages --I was so very sure I had mentioned that Screx!-- I see I did not (probably in another message recently) so I'm glad you added this Dan!
    Even though you don't need to keep the infection for that on your system, Screx will act as if you have and so will the network functions, while Screx has commands like Dan mentioned.
     
  12. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    IIRC,
    S7Sniper was for S7 v2.1 or older, so it couldn't be used against your thingy. TDS has "extensions" that can be activated that allow similar things as the snipers used to do, but I'm not sure they can handle 2.2.
    So, if you really want to know the internal configuration of your server you either have to analyse it yourself or send it to dcs.
    To remove it, you can use TDS or the S7 cleaner that's been posted above (although I don't know that one).
    Finally if you're feeling adventurous, you can use a firewall or PE to spy on the info that the server tries to send. Probably you can set up a configuration so that the server sends its "infection successful" message to one of your machines and maybe then you can replay that against the original attacker. Best with TDS used as a Sub7 emulator - but here again, the emulator included in Screx is for an older version. I think Jazzie once started to write a S72.2 emu. You could search for it in DCS's ss3 forum (if you're a registered user).

    HTHH,
    Andreas
     
  13. D-Tech2K_Serial_Hacker™

    Disregard my previous entry, there were mistakes in it.

    Your best bet is that the server is (in whole, or in part) your explorer file, used to launch windows explorer.

    Do the following:

    Close all programs.
    type: cmd [ENTER]
    type: CLS [ENTER]
    type: dir \explorer.scf /s [ENTER]
    WRITE DOWN THE LOCATION OF THE FILE
    type: CLS [ENTER]

    type: TYPE [location & \FileN.ame]
    eg: C:\> TYPE C:\windows\explorer.scf
    If you see anything other than the following:

    [Shell]
    Command=2
    IconFile=explorer.exe,1

    TaskBar=Explorer

    type: ren [location & \FileN.ame] FileN.bak
    eg: C:\> ren C:\windows\explorer.scf explorer.bak

    type: EDIT [ENTER]

    Go to: File>Open

    Select explorer.bak, and click [OK]

    Delete everything but the following:

    [Shell]
    Command=2
    IconFile=explorer.exe,1

    TaskBar=Explorer

    Go to: File>[Save as...] not [Save]

    type: [original file name]
    eg: FileN.ame

    click [OK]

    Go to: File>[Exit]

    type: EXIT if you are in windows
    or
    type: WIN to start windows

    If this does not solve your problem

    go back to DOS

    type: del [location & \FileN.ame]
    eg: C:\> del C:\windows\explorer.scf

    type: ren [location & \FileN.bak] FileN.ame
    eg: C:\> ren C:\windows\explorer.scf explorer.bak

    type: EXIT, or WIN

    then email me: dtech2000@yahoo.com
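    As an added example (not from the thread, the poster, or DiamondCS), a small Python check that parses an .scf/.ini-style file the way the post above has you do by eye, and reports every entry that is not in the baseline the post lists. The baseline dictionary and both sample file contents are constructed from that post; the tampered sample uses a placeholder path, not a real indicator.

```python
# Added example, not from the thread or DiamondCS: parse an .scf/.ini-style
# file and report every line that differs from a known-good baseline.
from typing import Dict, List, Tuple

# Baseline exactly as the post above lists it (section -> {key: value}); the
# post shows no second section header, so TaskBar lands under [Shell].
EXPECTED_EXPLORER_SCF: Dict[str, Dict[str, str]] = {
    "Shell": {"Command": "2", "IconFile": "explorer.exe,1", "TaskBar": "Explorer"},
}

# Constructed samples: a clean copy, and one with an extra section appended
# (placeholder path, not a real indicator of anything).
CLEAN_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,1\n\nTaskBar=Explorer\n"
TAMPERED_SCF = CLEAN_SCF + "[Run]\nCommand=C:\\PLACEHOLDER\\unknown.exe\n"

def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: [section] headers and key=value lines; lines before
    any header go under '' and a line without '=' is kept with an empty value."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections

def compare_to_baseline(actual, expected) -> Tuple[List[str], List[str]]:
    """Return (unexpected, missing) entries as 'section/key=value' strings."""
    unexpected = [f"{s}/{k}={v}" for s, kv in actual.items() for k, v in kv.items()
                  if expected.get(s, {}).get(k) != v]
    missing = [f"{s}/{k}={v}" for s, kv in expected.items() for k, v in kv.items()
               if actual.get(s, {}).get(k) != v]
    return unexpected, missing

def check_scf_text(text: str) -> Tuple[List[str], List[str]]:
    """Parse file text and compare it with the explorer.scf baseline."""
    return compare_to_baseline(parse_ini(text), EXPECTED_EXPLORER_SCF)

def check_scf_file(path: str) -> Tuple[List[str], List[str]]:
    """Same check for a file on disk, e.g. the location found with 'dir /s'."""
    with open(path, encoding="latin-1", errors="replace") as fh:
        return check_scf_text(fh.read())
```

    Anything in the "unexpected" list is a line the baseline does not account for and is what the post tells you to delete; a non-empty "missing" list means the file no longer contains the expected shell entries.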
     
  14. jafee

    jafee Registered Member

    Joined:
    Jan 20, 2004
    Posts:
    1
    Location:
    Kalamazoo, Michigan USA
    This is a message displayed in my TDS-3 Control Console: "10:25:44 [Tip Of The Day] Distributed Denial-of-Service Remote Access Trojans (DDoS.RAT) represent a new breed of trojan. The first major Windows threat was WinTrinoo - DiamondCS have released a Server Sniper to prevent WinTrinoo attacks from occurring to your Windows systems - http://www.diamondcs.com.au". However, I can't find any references to this on the DCS website!! I'm just curious what this is all about. I'm not infected, but you never know when someday I will be.
     
  15. mecha_man

    mecha_man Guest

    Yeah this thread has surely been dead for a while but I thought it might be a courtesy to google searchers.
    You can download the Sub Seven Server sniper from http://www.sac.sk/files.php?d=1&l=S. The file will show up AS a trojan in both AVG and Norton, but I personally emailed Diamond CS and they replied it most certainly is not. Use at your own risk. I d/led it about a year ago and it seemed to work fine on a non AV installed computer, but I can't get the file to work now, I have AVG currently and I'm getting a weird permission error when I try to launch even though I'm admin on my comp. Hope this helps someone.
     
  16. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    If you've been infected with a Sub7 server feel free to email it to support(at)diamondcs.com.au and we'll extract the encrypted information out of it for you.
     