The CERT/CC has received an increasing number of reports regarding the compromise of home user machines running Microsoft Windows. Most of these reports involve the intruder tool SubSeven. SubSeven is often used as a Trojan horse, which allows an intruder to deliver and execute any custom payload and run arbitrary commands on the affected machine. This control includes the ability to read, modify, and delete confidential information. Additionally, the intruder may use the affected computer as a launching point for additional attacks (namely, denial of service).
While we believe that this level of intruder activity is not unusual, additional concern may be warranted in light of a new emerging class of "malware" such as W32/Leaves. W32/Leaves appears to be representative of a class of self-replicating, malicious code that automatically scans for hosts with these toolkits installed and leverages backdoors (i.e., SubSeven) for further malicious activity. An existing backdoor installed on a host by one intruder can now be used by another without any prior communication or intention for collaboration between intruders.
Additional analysis performed by the NIPC on W32/Leaves can be found at
If these protective measures reveal that the machine has already been compromised, more drastic steps need to be taken to recover. When a computer is compromised, any installed software could have been modified, including the operating system, applications, data files, and memory. In general, the only way to ensure that a compromised computer is free from backdoors and intruder modifications is to re-install the operating system from the distribution media and install vendor-recommended security patches before connecting back to the network. Merely identifying and fixing the vulnerability that was used to initially compromise the machine may not be enough.
1. Install and Maintain Anti-Virus Software
The CERT/CC strongly recommends using anti-virus software. Most current anti-virus software products are able to detect and alert the user that an intruder is attempting to install a Trojan horse program or that one has already been installed.
In order to ensure the continued effectiveness of such products, it is important to keep them up to date with current virus and attack signatures supplied by the original vendors. Many anti-virus packages support automatic updates of virus definitions. We recommend using these automatic updates when available.
2. Deploy a Firewall
The CERT/CC also recommends using a firewall product, such as a network appliance or a personal firewall software package. In some situations, these products may be able to alert users to the fact that their machine has been compromised. Furthermore, they have the ability to block intruders from accessing backdoors over the network. However, no firewall can detect or stop all attacks, so it is important to continue to follow safe computing practices.
For additional information about securing home systems and networks, please see the "Home Network Security" tech tip at http://www.cert.org/tech_tips/home_networks.html
For detailed information about recovering from a system compromise, please see our "Steps for Recovering from a UNIX or NT System Compromise" tech tip at
In addition, please see our explicit guidelines on reporting an incident at