Sub7, Back Orifice 2000, and the era of remote-control trojans

There is a category of Windows malware that I have been watching for some time but have not written about: graphical remote-control trojans. The two best-known examples are Sub7 and Back Orifice 2000 (BO2K). Both have matured significantly over 1999-2000 and are now widely distributed.

This is a meaningfully different threat from the mass-mailing worms I have been writing about. The worms are auto-propagating; the trojans are not. The trojans, however, give a more capable form of compromise once they are in.

What these tools are

A remote-control trojan is, in essence, a piece of software that an attacker installs on a victim's machine and that allows the attacker to control the machine remotely. The control is comprehensive: read files, write files, take screenshots, watch keystrokes, manipulate the mouse, run programs, modify the registry, all from across the internet.

The distinguishing feature of Sub7 and BO2K is the user experience. Both have polished graphical client interfaces. The attacker's machine runs a GUI application that lists their compromised hosts; clicking on a host opens a control panel; from the control panel they can do anything to the victim with a few clicks. There is essentially no technical skill required to operate them.

This is structurally different from the command-line backdoors I observed in the honeypot. Those required typing Unix commands and understanding what they did. Sub7 and BO2K require pointing and clicking.

How they get installed

Neither tool is auto-propagating. They get installed by:

  • Email attachments disguised as legitimate files. Same vector as Melissa and ILOVEYOU, but the payload is different.
  • Bundled with pirated software distributed on file-sharing networks. Many pirated games and applications carry remote-control trojans.
  • Manually installed by malicious insiders with physical access. Surprisingly common in workplace and domestic-abuse cases.
  • Drive-by installations through web browsers exploiting vulnerabilities. Less common but emerging.

The install footprint is small (a few hundred kilobytes) and the trojan typically modifies the registry to persist across reboots. Once installed, it phones home to the attacker's chosen address — either a fixed IP or a dynamic-DNS hostname — and waits for instructions.

The capabilities, in detail

Sub7 (the more polished of the two) offers, in its current versions:

  • File system browsing — list, read, write, delete any file the user can access.
  • Keystroke logging — records everything typed, including passwords.
  • Screen capture — periodic or on-demand screenshots.
  • Webcam access — if a webcam is attached, the attacker can view the feed.
  • Audio recording — if a microphone is attached.
  • Process management — list and kill running processes.
  • Registry editing — read and modify Windows registry.
  • Remote shell — command-line access.
  • Pranks — play sounds, open the CD tray, display messages, swap mouse buttons. The pranks are technically trivial but are part of the marketing.

BO2K offers a similar feature set with more emphasis on automation: it includes scripting capabilities for running operations against many compromised hosts at once.

Why this matters

A few reasons.

The skill threshold is low. A teenager with no technical depth can deploy these tools and use them to substantial effect. The size of the threat-actor population that can do meaningful damage has grown.

The capabilities are comprehensive. Once installed, the trojan provides essentially full access to the victim's machine. This includes the ability to monitor everything the user does, which has implications well beyond traditional computer-security concerns — domestic-abuse situations, workplace harassment, journalist surveillance.

Detection is mixed. Antivirus tools detect the known variants. New variants appear routinely, often with small modifications that defeat signature detection until the next update. The signature-detection cycle creates a window during which fresh variants are effective.

The cleanup is non-trivial. A persistent trojan can survive simple removal attempts. Full cleanup requires careful registry inspection, process auditing, and verification that the user-space binary itself is not modified. Most home users cannot do this without professional help.

What defenders should know

For people running technical infrastructure where Windows is present, a few specific points.

The network signatures are detectable. Both Sub7 and BO2K have characteristic communication patterns. Sub7 uses TCP port 27374 by default (configurable; commonly changed); BO2K uses TCP 31337 by default (also configurable). Snort rules for the default communication patterns are widely available; rules for custom-port variants require more sophistication but are feasible.

Outbound connections from desktops to dynamic-DNS hostnames are suspicious. A workstation initiating connections to *.dyndns.org or similar is, in most enterprise environments, abnormal. A workstation maintaining a long-lived outbound connection to such a host is almost certainly running a remote-control trojan.
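A minimal screening pass over connection logs for the two patterns just described (the default Sub7 and BO2K ports, and long-lived outbound connections from workstations to dynamic-DNS hosts), written as an added Python example and not code from the original post. The log format, the no-ip.com suffix and the 600-second "long-lived" threshold are assumptions; the sample log lines are constructed.

```python
import re

# Default control ports named in the post; both are configurable, so this catches only stock builds.
DEFAULT_TROJAN_PORTS = {27374: "Sub7", 31337: "BO2K"}
# dyndns.org comes from the post; the second suffix is an assumed addition.
DYNDNS_SUFFIXES = (".dyndns.org", ".no-ip.com")
LONG_LIVED_SECONDS = 600  # assumed threshold for treating a connection as a control channel

# Constructed sample log, one outbound connection per line:
# timestamp  source-host  dest-ip  dest-port  duration-seconds  resolved-dest-name ('-' if none)
SAMPLE_LOG = """\
2000-08-14T09:12:01 ws-17 198.51.100.8 80 4 www.example.com
2000-08-14T09:13:30 ws-17 203.0.113.5 27374 1820 -
2000-08-14T09:15:12 ws-22 203.0.113.9 443 9 -
2000-08-14T09:20:44 ws-22 192.0.2.77 6667 4100 host42.dyndns.org
2000-08-14T09:21:00 ws-05 203.0.113.10 31337 15 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+) (\S+)$")


def parse(line):
    """Parse one record into a dict, or return None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, duration, name = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "duration": int(duration), "name": name}


def classify(rec):
    """Return the reasons a parsed record is suspicious (empty list if it is not)."""
    reasons = []
    if rec["port"] in DEFAULT_TROJAN_PORTS:
        reasons.append(f"default {DEFAULT_TROJAN_PORTS[rec['port']]} port {rec['port']}")
    if rec["name"] != "-" and rec["name"].lower().endswith(DYNDNS_SUFFIXES):
        reasons.append(f"dynamic-DNS destination {rec['name']}")
        if rec["duration"] >= LONG_LIVED_SECONDS:
            reasons.append(f"long-lived ({rec['duration']}s) connection to dynamic-DNS host")
    return reasons


def scan(log_text):
    """Return (source-host, dest-ip, dest-port, reasons) for every suspicious record."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # malformed line; a real deployment would count these rather than drop them
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["dst"], rec["port"], reasons))
    return hits


if __name__ == "__main__":
    for src, dst, port, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}: " + "; ".join(reasons))
```

Custom-port variants slip past the first rule entirely; the dynamic-DNS and duration rules are what catch them, which is why the post treats the two signals as complementary.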

Process auditing tools help. Comparing the running process list against a known-good baseline reveals trojans whose process names are not familiar. Tools like Process Explorer (Sysinternals) make this practical even for non-experts.

Antivirus alone is insufficient. Network-level detection, host-level process monitoring, and outbound-connection filtering all complement antivirus. A defence-in-depth posture catches what each individual layer misses.

What this teaches about the threat landscape

A few things that this category illuminates.

Attacks are commoditising. The work that was previously done by skilled attackers — establishing remote control, monitoring activity, exfiltrating data — is now packaged into point-and-click tools. The skill differentiation between attackers and defenders has changed shape.

The attack target population includes ordinary people. These tools are widely used in stalking, domestic-abuse, and similar contexts. The defensive concern is no longer just commercial infrastructure; ordinary individuals running Windows desktops are also targets.

The platform's security model is structurally inadequate. Windows of this era allows any process running with the user's credentials to access essentially everything the user can — files, peripherals, network. A remote-control trojan inherits all of this. The platform-level fix would be to apply least-privilege principles to applications, restricting them to the resources they actually need. This is the same architectural change I have been writing about for Outlook.

Cybercrime as commercial enterprise is now visible. Several services have appeared this year that offer Sub7-equipped compromised hosts for sale. Pay $X, get access to Y compromised desktops. The market is small, the operators are unsophisticated, but the category exists and is growing.

What I am doing about it

For my own infrastructure: not much directly. I do not run Windows on any internet-facing host. I am, however, paying attention to outbound traffic from the small Windows VMs I run in test environments, as a check on whether anything has slipped onto them.

For the Linux machines I administer for friends, the indirect concern is that they are exchanging traffic with compromised Windows hosts. The traffic patterns are sometimes diagnostic — bursts of connection attempts to unusual ports, persistent connections that look like control channels. My structured-log analysis catches some of these.

For friends running Windows: I have written and circulated a short note about checking for these tools. The instructions are non-trivial for non-technical users; the alternative — using a less-vulnerable platform — is also non-trivial. Most are stuck with the situation for now.

More on the year as it develops. The next post will be about something more specifically Linux-relevant — HTTP authentication done badly, with worked examples.
