
todd3834 | 1 year ago

I can confirm this personally as I had an infected version of Sub7. I thought it was so fun to mess with my parents with it until I realized I was now compromised.

https://en.wikipedia.org/wiki/Sub7

myself248|1 year ago

What I saw, as often as not, is that the skiddies using these tools would configure their installer/dropper and start sending it to victims, but accidentally run it on their own machine too. Meaning their own machine was now listening for control connections.

Which meant all a potential victim had to do was accept the file, not run it (renaming the extension was a good first step), and note the IP address of the skiddy who sent it to them. Inspect the file to see the port and password configured therein, run the control program, connect back to the origin IP with the given port and password, et voila.

I wonder how many of them thought their tool was backdoored, not realizing it was they who had compromised themselves.

scrapcode|1 year ago

Ah, the good ol' days of opening my friend(s) CD-ROM drives. I was a wizard.

meroes|1 year ago

Seems like every installation had a backdoor password hardcoded too from that article.