A Malware retrospective: SubSeven

Jean-Pierre LESUEUR (Microsoft MVP)
Phrozen
Published Jul 18, 2023

Foreword

Commencing another instalment of my stimulating series, “A Malware Retrospective,” we find ourselves stepping back into the realm of nostalgia once more. After our in-depth look at the impactful Beast RAT, which dominated the early 2000s, our historical lens now pivots toward another remarkable specimen of the era: “SubSeven.” This Remote Access Trojan, otherwise referred to as “Sub7,” was the brainchild of the elusive and enigmatic figure known as “Mobman.”

There comes a time in the life of every hacker or cybersecurity professional when a singular catalyst sparks the transition from novice to seasoned expert, from enthusiastic script kiddie to dedicated professional. For me, that catalyst, that game-changer, was SubSeven. This program wielded an influence on my life that remains unparalleled to this day. It was the driving force that propelled me into the Trojan Scene and the wider world of InfoSec.

In the days when SubSeven first caught my attention, I was merely a child, brimming with curiosity but bereft of any real understanding of how things worked in the InfoSec domain. The complexities of trojans, malware, and the cyber threat landscape seemed as intricate and impenetrable as arcane rituals. To my young and inquisitive mind, they appeared like a form of technological sorcery — a sort of black magic. The allure of this mystery was irresistible.

So profound was the impact of SubSeven on my life that it essentially charted the course for my subsequent and still ongoing professional journey. It stimulated within me an insatiable thirst for knowledge, a hunger to explore, understand, and ultimately master the cyber threat world. And as I write here today, a seasoned professional in this field, I owe much of my expertise and accomplishments to those formative years of discovery, to those initial sparks of curiosity ignited by the allure of SubSeven.

In Short, What is SubSeven?

SubSeven, for newcomers, or for those not particularly engaged in InfoSec, is a type of malicious software commonly referred to as a Trojan Horse, or more specifically, a Remote Access Trojan (RAT). The primary function of such software is to gain control over infected computers via the internet. Much like its contemporaries, SubSeven offered a range of remote control features including remote desktop, webcam spying, keylogging, fun functions, port scanning, and system management capabilities (such as registry and process control), among others.

The key difference between a legitimate remote access tool and SubSeven lies in the intended use. SubSeven was designed to infiltrate targeted machines without user consent, stealthily installing itself and operating in the background to avoid detection for malicious or surveillance purposes. It’s aptly named a Trojan, as these programs often come concealed within legitimate software to circumvent suspicion.

Mobman: A Legend Ascendant Alongside His Ingenious Creation

First and foremost, my deepest appreciation is extended to Mobman for his invaluable collaboration on this article. Generously sparing his time to address a host of queries, he has furnished this exploration with a depth and richness that would have been unattainable without his direct input. His unique insights not only authenticate the narrative but add a layer of personal colour to the tale of SubSeven. I am profoundly thankful for his involvement, which elevates the quality and precision of this retrospective to exceptional heights.

Born and raised in Craiova, Romania, Mobman was drawn to the world of software and malware at an early age. His fascination led him to the creation of the infamous SubSeven Remote Access Trojan, a feat achieved under a pseudonym inspired by his enduring favorite band, B.U.G. Mafia. As he reflected, “The nickname was inspired from my favorite band (still to this day!), the Romanian rap group called B.U.G. Mafia. I wanted to pick something mob-related and mobman just had a nice ring to it.”

Mobman described his initial motivation behind SubSeven as a quest for knowledge. Having previously built a number of games using Turbo Pascal, he sought to learn more about Windows development and UI through Delphi — a natural progression in his programming journey. SubSeven, therefore, was conceived as a learning venture; a hands-on project to acquaint himself with a new language.

Before the advent of SubSeven, Mobman had developed numerous DOS games, but it was his RAT that marked his debut in the realm of Windows software. As he fondly recalled, “There were many DOS games before that, and many other apps and software after it, in what now seems like separate.. lifetimes.” Mobman was just 18 when SubSeven was launched in 1998.

Interestingly, Mobman confessed that there wasn’t anything specifically that attracted him to malware development. Rather, it was the joy of working on an exciting project and witnessing where it could lead. Throughout the creation of SubSeven, his driving force was an insatiable curiosity to explore possibilities, learn new things, and incorporate them into his project.

Challenges were inherent to the process, particularly due to the scarcity of available resources, especially for Delphi. However, the limitations didn’t deter him. Instead, they became an impetus for innovation and learning.

The cessation of SubSeven’s development in 2003 marked a significant turn in Mobman’s journey. There wasn’t a specific incident that triggered the halt. As he reflected, “I think I was just looking to change things up.” SubSeven was a thrilling ride and a valuable learning experience, but Mobman yearned for a change and a steady income. So, he packed up, moved to Montreal, and embarked on a new job.

Since the conclusion of SubSeven, Mobman has remained in the realm of software development. He initially focused on security, working on AV scanners, engines, firewalls, and network tools. However, as times changed, so did his focus. Today, he works as a senior software developer for a large software company in an industry completely unrelated to security. Despite the change, he continues to indulge his passion for coding in his spare time, presently working on a multi-platform game.

When asked about his thoughts on the progress of malware and cybersecurity, Mobman admitted that he had not been actively involved in the field for the past 10–15 years. Yet, he nostalgically noted that the online world seemed simpler, more naive and more innocent back in the early days.

Although Mobman no longer maintains relationships with significant figures from his past in the malware development scene, he has reconnected with a few over the years. It was a trip down memory lane, reminiscing about the camaraderie and shared experiences.

From 1999 to 2003

SubSeven v1.0 (February 1999) — First Public Release

Mobman, the mastermind behind SubSeven, introduced the world to his ingenious creation on February 28, 1999. His first edition, fondly titled SubSeven v1.0, wasn’t born in isolation. Instead, it carried the echoes of another significant Trojan Horse from the annals of the 90s — Back Orifice (BO).

Back Orifice Remote Access Trojan by cDc

Esteemed as a forerunner in the field of Remote Access Trojans, Back Orifice was the brainchild of the infamous hacker collective, “Cult of the Dead Cow (cDc)”. Their trailblazing endeavours, influencing and shaping the cyber world, didn’t go unnoticed by the young and curious Mobman. Deeply inspired, he fashioned SubSeven as an homage to BO, describing his creation as a clone of this renowned Trojan.

This noteworthy connection between SubSeven and Back Orifice lays bare a continuity in the tapestry of malware history, affirming the considerable influence of the cDc and their revolutionary Remote Access Trojan in shaping future generations of malware and the architects behind them.

In tracing the roots of SubSeven, we find an intriguing echo of yet another illustrious tool of the period, “NetBus.” The decision to christen this creation SubSeven sprang from a clever inversion of NetBus into “SubTen.” From here, though, Mobman was swayed by the allure of the enigmatic number seven, thus birthing the name SubSeven.

A defining characteristic of SubSeven, and often what users recall most vividly, is its distinctive user interface. Mobman’s prior experience in game development and design laid a strong foundation that likely influenced the high-quality aesthetics of SubSeven (at least for the late 90s).

To fully appreciate the visual evolution of SubSeven, it’s necessary to understand its progression through distinct design phases, or as referred to here, “version branches”:

The inaugural branch, v1.x (spanning from versions 1.0 to 1.9), offered a user experience confined primarily to a single window. This design approach ensured that most program features were directly accessible from this main window, making the user interface straightforward and easy to use. The earliest versions, from 1.0 to 1.4, adopted a red-themed visual style. However, starting from version 1.5, Mobman introduced the now-iconic blue/purple (“Sub7 Fatsie”) design that remains ingrained in the memories of past SubSeven users.

SubSeven Branch v1.x Design Evolution

By the end of the v1.x branch, and in an experimental version of 1.9 named SubSeven 1.9 Apocalypse, Mobman revamped the entire design. This radical transformation laid the groundwork for the aesthetic adopted in the next major version branch, v2.0 / v2.1.x. This new visual identity was quickly embraced by users.

SubSeven v1.9 Apocalypse (Experimental Design)

In 2001, Mobman sought to reinvent the design once again, transitioning toward a more modular approach. This gave birth to the v2.2.x branch of SubSeven.

SubSeven 2.2 and its iconic Edit Server — The Abandoned Modular Version

However, this version was short-lived. When asked about the swift abandonment, Mobman shared that users had grown comfortable with the v2.1.x design and were not ready to embrace this new change. The v2.2.x version was designed to be modular, with the intention of allowing SubSeven’s users to create their own plugins and custom features. Unfortunately, this approach did not resonate as expected, with users lacking either the skills or the motivation to create new extensions or plugins. As a result, Mobman decided to continue with the v2.1.x branch.

This decision explains the seemingly out-of-order release, where version 2.2 appeared before version 2.1.5, also known as “SubSeven Legends.” Mobman has stated that the v2.2.x branch was his favorite, and he had high hopes for its modular design. His disappointment was palpable when users did not respond as enthusiastically as he had hoped.

SubSeven 2.1.5 (Legends) and its Edit Server

Version 2.1.5 marked the end of SubSeven’s development under Mobman in 2003. While this signified the end of one era, it opened the door for other developers, including close friends of Mobman, to pick up where he left off, a topic we will delve into later in this article.

Following the culmination of the SubSeven project, Mobman bid farewell to the “Trojan Scene,” a term that fondly encapsulates the community and culture of the time. He turned his sights towards ventures unrelated to malware, thereby closing an intriguing and significant chapter of his life.

SubSeven Source Code

While the source code for SubSeven was never officially released to the public, it did manage to pass through the trusted hands of those closely associated with Mobman. “Read101” was the first to gain access to the source code, a move that fueled the 2010 reboot, which we will detail later in this article. More recently, “illwill,” another veteran member of the scene, publicly displayed the real-time compilation of SubSeven 2.1.3 on Twitter.

“Illwill” shared with me his plans to release the source code of SubSeven 2.1.3 next September (2023), potentially at the “BSides CT” conference. He had initially considered unveiling it at “ROOTCON,” but for unspecified reasons, that plan didn’t pan out.

I was also fortunate enough to obtain and examine the source code from both older versions of SubSeven (the 2.1.x branch) and SubSeven 2.2. It was an incredible experience, to say the least.

This is how I was able to definitively validate that the Mobman I was communicating with was indeed the genuine one and not yet another imposter trolling the web.

A Backdoor in the Backdoor

To cover the entirety of the SubSeven project and its offshoots would indeed necessitate a volume equivalent to a full-size book. However, I would be remiss to conclude this chapter without acknowledging one particularly infamous facet of SubSeven — the alleged backdoor incorporated by Mobman himself. It is well-documented that certain versions of SubSeven carried a secret master key, “14438136782715101980,” enabling the author to connect to any server at will.

The existence of this master key birthed a flurry of conjecture. Upon its discovery, it subjected Mobman to significant scrutiny, tainting his reputation. However, in our interview, Mobman graciously agreed to revisit the issue, clarifying his intentions two decades after the fact.

When asked about the notable decision to incorporate a backdoor in SubSeven, Mobman had this to say, “It was mainly a backup option, to recover/remove unwanted installs. It was never actually shared with anyone until it was made public.” His explanation suggests that the motive wasn’t malicious, but rather a precautionary measure to maintain control and clean up unsolicited installations.

Our conversation then turned toward the much-debated master key “14438136782715101980” embedded in SubSeven. This sequence of numbers, seemingly random to the uninitiated, held a special significance. Mobman clarified, “The first part is my old ICQ number: 14438136. This was the default number in the EditServer, so it’s pretty obvious. The next 4 digits are from an old license plate I had back in Romania. The last 8 are my birthday: 15–10–1980.”

And so, here we are in 2023, and the mystery that has shrouded the controversial master key of SubSeven for so long has finally been dispelled.

SubSeven 2.3 (2010): A Rebirth Not Living Up to Expectations

SubSeven 2.3.2010 Reborn by Read101 and fc

At the dawn of 2010, an unexpected revival of the SubSeven project took people by surprise and generated a great deal of excitement. This resurgence involved some former members of the Sub7 Crew, notably “FC,” a developer, and Read101, an Australian developer recognised for his creation of “LanFiltrator” and for co-founding the renowned “Fearless Crew” in the 2000s. The team based their work on the official SubSeven 2.2 source code shared by Mobman.

Although SubSeven 2.3 was grounded in the official SubSeven 2.2 source, its codebase underwent dramatic alterations to ensure compatibility with modern versions of Windows and contemporary Delphi compilers.

One of the most significant advancements was the introduction of support for reverse connections, a departure from the direct connections used by earlier versions of SubSeven.

However, despite the considerable efforts invested into the project, it failed to take hold. This was attributed primarily to stability issues and the abrasive management style of FC, a controversial Sub7 Crew member who had been involved since the project’s inception.

When I contacted Read101 about the issues surrounding the SubSeven 2.3 project, he revealed that his collaborator, FC, had barely contributed to the actual development. Beyond attempting to commercialise it for his own gain, FC merely edited the “about” text.

Highlighting the limited involvement of FC, Read101 had ingeniously embedded an easter egg in the code. Typing “WhoCODEDSubSeven23????” into the “No-IP User” field of the main program window and pressing the “About” button triggered a message: “READ101 DID ALL THE WORK ON SUBSEVEN 2.3 WHILE FC TOOK ALL THE CREDIT. TY Mobman for giving me this opportunity.”

Read101 provided deeper insight into the complications surrounding the project: “FC, without any of us knowing, was taking money from people so they could test the Beta versions of the SubSeven,” he disclosed. “By the time it got to the point where he could not hide it anymore, he took everyone’s money and ran, but not before threatening everyone and burning every bridge he walked on. FC is not a good guy, and I will never work with him or even talk to him again. He has no integrity or honour.”

Confirming this lack of contribution, Read101 said, “I went as far as to put an easter egg into the code, that I sent him, and he still did not find it.”

Read101’s Secret Easter Egg within SubSeven.

On his motivations for being part of the project, Read101 shared, “FC was the guy who opened the door for me, but it was nostalgia that made me step through.”

As swiftly as it appeared, the project vanished into oblivion, much to the disappointment of a community that had held high expectations for it.

When I sought Mobman’s thoughts about this revival, he responded, “Before leaving I entrusted the 2.2 source and everything else to Read101. I believed he could continue things at the time, and he did so with my approval. I do not know a lot of details about the actual release unfortunately. There was a lot going on at the time personally and I did not actually keep up with any of it.”

The Open-Source Remake, SubSeven Legacy (2021)

SubSeven Legacy in 2021

The start of 2021 marked a significant milestone in my life — I became a father. As any parent would attest, the initial months involve sleepless nights and alternating shifts with the mother. The relentless cycle of feeding and comforting the newborn can leave one fatigued, yet paradoxically, blessed with unexpected bouts of free time during each feeding. While some individuals might choose to engage in video games or indulge in movie marathons to while away these small pockets of time, I embarked on a different path.

In the quiet solitude of the early morning feeds, amidst the ceaseless hum of the nocturnal world, I decided to challenge myself. My project was ambitious: a complete, from-scratch remake of SubSeven’s 2.2.x branch — a version of the program that held a special place in my heart. Despite the exhaustive parental duties and the cumulative sleep deficit, this endeavour breathed a fresh vitality into those quiet, late-night hours.

Like its predecessor, SubSeven Legacy was entirely coded in Delphi, a language that I have a particular fondness for. Although the original SubSeven relied heavily on the renowned Delphi “FlatStyle” component pack for its design, I made the decision to create my own set of components using both VCL and WinAPI GDI/GDI+ capacities.

After dedicating hours to crafting custom VCL components, alternately studying code and refining visual details, I successfully reproduced nearly all visual components of the original SubSeven. Not only was my recreation faithful to the original, it was also optimised for the latest Delphi IDE version available at the time.

One of the most challenging yet engaging aspects of this project was implementing the network encryption tunnel. Built on top of WinSock using the pure OpenSSL APIs, the tunnel employed the most recent version of the OpenSSL library. This presented a significant challenge, as the OpenSSL documentation is notoriously difficult to decode. However, after a series of trial-and-error tests, coupled with exhaustive readings of the cryptic OpenSSL documentation, I managed to support traffic encryption with TLS 1.3, fingerprint validation, and challenge-based password authentication, all without any third-party components.
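The two protections named above, certificate fingerprint validation and challenge-based password authentication, are worth seeing as a concrete exchange. The block below is an added illustration written for this article, not SubSeven Legacy’s own Delphi code, and the exact scheme it uses (a pinned SHA-256 fingerprint, PBKDF2 key derivation, and an HMAC response bound to a fresh server nonce and to the pinned fingerprint) is an assumption about how such a tunnel can be built, not a description of the project’s implementation. The “certificate” bytes are a constructed sample rather than a real DER certificate, since only the hashing and comparison logic matters here. It shows why the password never crosses the wire, why a captured response cannot be replayed, and why a peer presenting a different certificate is rejected before authentication even starts.

```python
"""Pinned-fingerprint channel plus challenge-response password authentication.

Added illustration; the protocol details are assumptions, not SubSeven Legacy's code.
"""
import hashlib
import hmac
import secrets

# Constructed sample standing in for a DER-encoded server certificate.
SAMPLE_CERT_DER = b"constructed-sample-der-bytes-not-a-real-certificate"

# --- Certificate fingerprint pinning -------------------------------------
# The client knows the server's SHA-256 certificate fingerprint in advance and
# refuses any peer whose certificate hashes to something else.

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(cert_der).hexdigest()


def check_fingerprint(cert_der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented fingerprint against the pin."""
    return hmac.compare_digest(fingerprint(cert_der), pinned)


# --- Challenge-response password authentication ---------------------------
# Both sides derive a key from the password with PBKDF2; the server keeps only
# that derived key. Each attempt gets a fresh random nonce, and the response is
# an HMAC over the nonce and the pinned fingerprint, so a response recorded on
# one connection is useless on any other.

PBKDF2_ITERATIONS = 200_000


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def response_for(key: bytes, nonce: bytes, fp: str) -> bytes:
    return hmac.new(key, nonce + fp.encode(), "sha256").digest()


class Server:
    def __init__(self, password: str, cert_der: bytes):
        self.salt = secrets.token_bytes(16)
        self.key = derive_key(password, self.salt)   # stored instead of the password
        self.cert_der = cert_der
        self.nonce = None

    def challenge(self) -> bytes:
        """Issue a fresh single-use nonce; the salt is sent alongside it."""
        self.nonce = secrets.token_bytes(32)
        return self.nonce

    def verify(self, response: bytes) -> bool:
        if self.nonce is None:            # no outstanding challenge: replay or bug
            return False
        expected = response_for(self.key, self.nonce, fingerprint(self.cert_der))
        self.nonce = None                 # consume the nonce whatever the outcome
        return hmac.compare_digest(expected, response)


class Client:
    def __init__(self, password: str, pinned_fingerprint: str):
        self.password = password
        self.pinned = pinned_fingerprint

    def respond(self, salt: bytes, nonce: bytes) -> bytes:
        key = derive_key(self.password, salt)
        # Bound to the pin the client trusts, not to whatever the peer presented.
        return response_for(key, nonce, self.pinned)


def run_handshake(client_password: str, server_password: str,
                  presented_cert: bytes, pinned: str) -> bool:
    """Full exchange: fingerprint check first, then one challenge/response round."""
    server = Server(server_password, presented_cert)
    client = Client(client_password, pinned)
    if not check_fingerprint(presented_cert, pinned):
        return False                      # wrong peer: never even authenticate
    nonce = server.challenge()
    return server.verify(client.respond(server.salt, nonce))


if __name__ == "__main__":
    pin = fingerprint(SAMPLE_CERT_DER)
    print("good:", run_handshake("s3cret", "s3cret", SAMPLE_CERT_DER, pin))
    print("bad password:", run_handshake("wrong", "s3cret", SAMPLE_CERT_DER, pin))
    print("bad cert:", run_handshake("s3cret", "s3cret", b"other-cert", pin))
```

Note that `Server.verify` consumes the nonce even on failure and that the client binds its response to the fingerprint it pinned rather than the one it was shown; together these are what turn a simple password check into something that survives a recorded or relayed session. The PBKDF2 iteration count is a placeholder value chosen for the example.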

Although SubSeven Legacy didn’t boast a vast array of features, it included the essentials: a comprehensive File Manager mirroring the original, a process manager, a multi-session and parallelised remote terminal (remote shell), and so forth. While the project is currently on hiatus, it is conceivable that more features, such as screen capture, could be implemented in the not-too-distant future.

SubSeven Legacy Remote Shell (Multi-Threaded)

After the release of the SubSeven Legacy project on an old official Sub7 website (https://sub7crew.org), I was contacted by Mobman. He expressed his appreciation for the project, saying that the fan-made tribute evoked a deep sense of nostalgia, and called my choice of Delphi for the remake “the cherry on the cake.” I took the opportunity during our interview to ask him about his thoughts on the SubSeven Legacy remake: “I love it! You can tell there was a lot of hard work put into it. It’s a work of love and appreciation which can only make me happy and proud of creating something that inspired it.”

In August 2022, the source code for SubSeven Legacy was released to the public, and the response was incredibly positive. It appears that this homage to the iconic SubSeven not only rekindled fond memories for the original creator but also resonated with a wider audience in the InfoSec world.

Conclusion

SubSeven, undoubtedly, stands as one of the most influential Remote Access Trojans ever conceived. Its echo reverberates through generations, resonating with both the first wave of malware and InfoSec enthusiasts as well as those who are just entering the field. It’s a name virtually impossible to miss for anyone even remotely involved in the world of cybersecurity. This formidable piece of software, crafted years ago, continues to awe us with its power and aesthetic brilliance. SubSeven didn’t just inspire an entire lineage of similar programs but also acted as a beacon for many, including myself, drawing us into the mesmerising world of InfoSec.

The tale of SubSeven is too vast and multifaceted to be encapsulated fully in a single article. Numerous important aspects, like the “Sub7 Crew” — a group of Mobman’s close friends who were instrumental in testing and refining the project — haven’t been touched upon.

Similarly, the controversy surrounding the individual who claimed to be the real Mobman, who even gave an interview to Vice Magazine, has been intentionally left out. I chose not to draw any negative attention toward him or debate his motivations for making such a claim in the face of conflicting evidence.

Despite the constraints of the article’s size, my hope is that it’s been enlightening, especially for those already familiar with SubSeven. The real highlight, however, is the rare and exclusive insights offered by the real author of SubSeven. Coming out of silence after two decades to make this article possible is a significant contribution, and for that, I am deeply grateful.

Once again, my heartfelt thanks to Mobman for his invaluable participation and for creating a program that will forever be remembered in the annals of cybersecurity history.

Featured image / banner by Lois
