#1
Hacker Defender (HD) is a rootkit. After it has been activated the following things will happen:
1. Any files with a name designated by the attacker will become invisible. This includes the rootkit itself and, for example, an additional backdoor/trojan. As a consequence, no AV/AT on this planet will be able to detect the invisible files.
2. HD can hide registry entries. In particular, it will hide its own autostart entries. Only special registry viewers like RegdatXP will let you see the respective registry entries because they work in a kind of raw mode. But this will only help paranoid people or people who already expect that they are 0wned ...
3. HD can hide open ports. For example, your firewall (tested with Kerio 4.10) will not tell you that a backdoor is using an open port. Nice, eh?
4. HD can be encrypted/compressed so that no AV/AT scanner will detect it before it is installed. Moreover, the source code of HD has been released, which allows attackers to compile their own undetected versions.
5. Unfortunately, the rootkit detector from http://3wdesign.es/security/principal.html?u=82pxv20n does not support HD version 1.00.
6. It will not help you to boot in safe mode. HD will still get activated ...
In summary, I believe that somebody should do something right now. I could imagine that Process Guard from DCS will take care of this rootkit. (Currently, the trial version does not.) When you are lucky you will get the following warning:
"Welcome to DiamondCS Process Guard. This program does not need to be running for your system to be protected.
[21:46:08] - Window Log Started
[21:46:14] - Process Guard Protection is ACTIVE
[21:46:17] - [P] - c:\dokumente und einstellungen\comp\desktop\hxdef100\hxdef100.exe [1440] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\services.exe [592]
[21:46:18] - [P] - c:\dokumente und einstellungen\comp\desktop\hxdef100\hxdef100.exe [1440] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\programme\processguard free\pg_msgprot.exe [1608]"
But this does not happen frequently. I believe it is a timing issue ... PG must simply get quicker! System Safety Monitor will not help you either. But it is very sensitive and will crash when HD is installed. This may warn you ... Cheers Nautilus
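The Process Guard window log quoted in this post has a regular line format, and a defender who collects such logs can triage them automatically. The following is an added example, not code from the original thread or from DiamondCS: it parses the "tried to gain ... access on ..." lines and flags any attempt to obtain WRITE, TERMINATE, SET INFO or SUSPEND access on a core Windows process or on the protection tool's own helper process. The sample log is constructed from the two lines quoted above plus a status line and one benign attempt; the list of protected process names is an assumption of this example, not Process Guard's own configuration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the "tried to gain ... access on ..." lines quoted from the Process Guard window log.
# Paths may contain spaces, so the lazy .+? stops at the first " [pid]" that follows them.
LINE_RE = re.compile(
    r"^\[(?P<time>\d{2}:\d{2}:\d{2})\] - \[(?P<tag>[A-Z])\] - "
    r"(?P<src>.+?) \[(?P<src_pid>\d+)\] tried to gain (?P<rights>[A-Z ,]+?) access on "
    r"(?P<dst>.+?) \[(?P<dst_pid>\d+)\]$"
)

# Access rights that let one process alter or kill another (the set seen in the post).
DANGEROUS_RIGHTS = {"WRITE", "TERMINATE", "SET INFO", "SUSPEND"}

# Assumed list for this example: core Windows processes plus the protection tool's
# own helper (pg_msgprot.exe, taken from the quoted log).
PROTECTED_BASENAMES = {"services.exe", "lsass.exe", "winlogon.exe", "csrss.exe", "pg_msgprot.exe"}


@dataclass
class AccessAttempt:
    time: str
    source: str
    source_pid: int
    rights: tuple
    target: str
    target_pid: int


def basename(path):
    """Last path component, lower-cased (Windows paths are case-insensitive)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line):
    """Parse one access-attempt line; return None for status lines such as 'Protection is ACTIVE'."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rights = tuple(r.strip() for r in m.group("rights").split(","))
    return AccessAttempt(
        time=m.group("time"),
        source=m.group("src"),
        source_pid=int(m.group("src_pid")),
        rights=rights,
        target=m.group("dst"),
        target_pid=int(m.group("dst_pid")),
    )


def suspicious_attempts(log_lines):
    """Attempts that ask for a dangerous right on a protected process."""
    hits = []
    for line in log_lines:
        attempt = parse_line(line)
        if attempt is None:
            continue
        if basename(attempt.target) in PROTECTED_BASENAMES and DANGEROUS_RIGHTS & set(attempt.rights):
            hits.append(attempt)
    return hits


def offenders(hits):
    """Count suspicious attempts per source executable, so a repeat offender stands out."""
    return dict(Counter(basename(h.source) for h in hits))


# Constructed sample log: the two lines quoted in the post plus a status line and a benign attempt.
SAMPLE_LOG = [
    "[21:46:08] - Window Log Started",
    "[21:46:14] - Process Guard Protection is ACTIVE",
    r"[21:46:17] - [P] - c:\dokumente und einstellungen\comp\desktop\hxdef100\hxdef100.exe [1440] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\services.exe [592]",
    r"[21:46:18] - [P] - c:\dokumente und einstellungen\comp\desktop\hxdef100\hxdef100.exe [1440] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\programme\processguard free\pg_msgprot.exe [1608]",
    # constructed benign line: an ordinary program touching a non-protected process
    r"[21:47:02] - [P] - c:\windows\explorer.exe [812] tried to gain SUSPEND access on c:\windows\notepad.exe [2044]",
]

if __name__ == "__main__":
    hits = suspicious_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"{h.time} {basename(h.source)}[{h.source_pid}] -> {basename(h.target)}[{h.target_pid}]: {','.join(h.rights)}")
    print(offenders(hits))
```

Run as-is it reports the two hxdef100.exe attempts and nothing for the explorer.exe line. Because the post notes that the warning only appears intermittently, the per-source tally in `offenders()` is the useful signal over a longer log: one process repeatedly asking for write access to services.exe is worth a look even when individual attempts are missed.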
#2
Hi Nautilus,
Hacker Defender is - as you know - rather old news. Most serious AT companies have been aware of its existence for quite a while now, and are subsequently taking precautions. Thanks for bumping this issue. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#3
HD 1.00 was released on January 1, 2004 if I am not mistaken.
Previous versions could be detected quite easily. I have already explained how. This version (1.00) has been significantly improved. That's the problem ... EDITED: In addition, I tried to inform people in general (not merely AV/AT producers).
#4
Nautilus,
Indeed this is a recent version - but then again well known in the meanwhile by major AT companies. For the record: I'm far from neglecting the fact that rootkits can be/are issues to take seriously: they are serious business. That said: as ever, it's sort of a competition between black hats and white hats. Punch and counterpunch. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#5
True. And I am looking for a white hat with a morning star ... ;-)
#6
Quote:
I'm trying to imagine that picture. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#7
Btw. ... there is an open-source tool called Klister 0.3 by Joanna Rutkowska. It only works under W2K. Therefore, I have not tried it yet.
The tool is capable of detecting several rootkits. Maybe someone wants to give it a try and tell us whether it also works with HD 1.00. TIA ntl
#8
i believe kaspersky detected this generically, like the last version (0.84) was detected as similar to 083
hxdef100.zip Archive: ZIP
hxdef100.zip/bdcli100.exe Infected: Backdoor.Hacdef.084
hxdef100.zip/hxdef100.exe Infected: Backdoor.Hacdef.084
hxdef100.zip/rdrbs100.exe Infected: Backdoor.Hacdef.084
hxdef100.zip/src.zip/src/driver/driver.sys Infected: Backdoor.HacDef.073.b
wouldn't a command line scanner like kav rescue disk detect this? here's f-secure's results of the same file
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak TheTruth
#9
@illukka I am almost sure that KAV will not detect hxdef100.exe once you have compressed it with an unknown packer or recompiled the source code.
A scanner started from a rescue disk will detect the rootkit unless it has been compressed or modified (see above). This is because file & registry cloaking will only be activated once Windows has been started. Moreover, it should be possible to detect activated rootkits by comparing autostart registry entries. You simply need to read the registry in two different ways: First, you will read it using standard Windows functions (i.e., you will not see the rootkit's autostart entry due to its regkey cloaking capabilities). Second, you will read the registry with a tool like RegdatXP. The comparison will easily show you any hidden registry entries ... et voilà ... the rootkit is detected. ntl
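The two-reads-and-compare method described in this post is a cross-view diff, and the same idea covers the hidden ports from post #1 (compare the local netstat/firewall view with what a second host can actually reach). The following is an added example, not code from the thread or from RegdatXP: it assumes the two registry views have already been collected (one through the normal Windows API, one from a raw hive read) and supplied as dictionaries of key path to value-name/data, and it reports entries that exist only in the raw view. Key and value names are compared case-insensitively, as the registry does. All sample data is constructed; the "HiddenRootkit*" names are placeholders, not the rootkit's real entry names.

```python
# Cross-view detection: the same object list obtained two ways, then diffed.
# The API view is what a cloaked system reports; the raw view bypasses the hooked path
# (a raw hive read for the registry, an observation from a second host for ports).


def hidden_registry_entries(api_view, raw_view):
    """Entries present in the raw hive read but missing from the API listing.

    Both views map key path -> {value name -> data}. Names are compared
    case-insensitively; the raw view's original spelling is returned so the
    result can be looked up directly in the hive.
    """
    visible = {(key.lower(), name.lower()) for key, values in api_view.items() for name in values}
    return sorted(
        (key, name, data)
        for key, values in raw_view.items()
        for name, data in values.items()
        if (key.lower(), name.lower()) not in visible
    )


def api_only_entries(api_view, raw_view):
    """Entries the API reports but the raw read lacks: usually a stale hive snapshot, so re-read before trusting the diff."""
    raw = {(key.lower(), name.lower()) for key, values in raw_view.items() for name in values}
    return sorted(
        (key, name)
        for key, values in api_view.items()
        for name in values
        if (key.lower(), name.lower()) not in raw
    )


def hidden_ports(local_listening, externally_seen):
    """Ports reachable from another host that the local netstat/firewall view does not report."""
    return sorted(set(externally_seen) - set(local_listening))


RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"

# Constructed sample: what the Windows API reports on a cloaked machine ...
API_VIEW = {
    RUN_KEY: {"ExampleAV": r"c:\programme\exampleav\av.exe"},
    SERVICES_KEY: {"Tcpip": r"system32\drivers\tcpip.sys", "Dhcp": r"system32\svchost.exe"},
}
# ... and the same keys read raw from the hive. The Run key is deliberately spelled in
# lower case here to exercise the case-insensitive comparison. Placeholder names only.
RAW_VIEW = {
    RUN_KEY.lower(): {
        "exampleav": r"c:\programme\exampleav\av.exe",
        "HiddenRootkitLoader": r"c:\windows\hiddenrootkit-placeholder.exe",
    },
    SERVICES_KEY: {
        "Tcpip": r"system32\drivers\tcpip.sys",
        "Dhcp": r"system32\svchost.exe",
        "HiddenRootkitDriver": r"system32\drivers\hiddenrootkit-placeholder.sys",
    },
}

LOCAL_LISTENING = {135, 139, 445}          # constructed: what netstat on the cloaked host shows
EXTERNALLY_SEEN = {135, 139, 445, 31337}   # constructed: what a scan from a second host reached

if __name__ == "__main__":
    for key, name, data in hidden_registry_entries(API_VIEW, RAW_VIEW):
        print(f"hidden: {key}\\{name} = {data}")
    for key, name in api_only_entries(API_VIEW, RAW_VIEW):
        print(f"api-only (stale raw read?): {key}\\{name}")
    print("hidden ports:", hidden_ports(LOCAL_LISTENING, EXTERNALLY_SEEN))
```

The `api_only_entries()` check is the caveat that makes the diff trustworthy: a raw hive read taken from a live system can lag behind the API, so an entry that shows up only on the API side means the snapshot is stale and both views should be collected again before concluding anything. An empty result on both sides is the expected state of a clean machine.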
#10
yeah an unknown packer/crypter would make it undetectable.. but in such cases kav reports unable to scan or unknown format.. making it possible to examine the files manually
i still think Kaspersky's code analyzer would nail most recompilations if no major changes are made in the code.. it has detected many releases in the haxordefender series without signature updates, based on similarities in the code of different versions.. let's try.. what compiler do i need to compile the source? i currently have nasm and lcc32, are they good for this? really haven't that much experience in this, other than having compiled a few hundred sd-gt-spy and agobots..LOL
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak TheTruth
#11
kav is not really such a problem for an attacker if the attacker knows the weak points of this scanner, but back to the topic
mhh this new hacker defender version is in my eyes really a beast, cause it also hides the driver (if this is not correct please let me know). i tested it and at the moment i found only one program which is able to terminate the running hacker defender rootkit. ok i must mention that klister version 0.3 didn't work on my test system and pcquard ehm was too lazy to install it, but during reading nautilus' post it seems that PG (process guard) is currently not really good for detecting this rootkit, maybe upcoming versions will fix this.
__________________
Regards JoJo
#12
"and at the moment i found only one program which is able to terminate the running hacker defender rootkit."
Perhaps JoJo could tell us about this program ... ?
#13
Quote:
care to say which proggie that is? EDIT: the haxdef client LOL? yeah i agree that this is a real nasty, caught AT and AV makers with their pants around their ankles so to speak.. has anyone tested abtrusion protector or tiny firewall's sandbox? do those notice anything...??
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak TheTruth
#14
@illukka I have tested previous HD versions in connection with TPF sandbox.
TPF will warn you that HD tries to install a new service. The problem is that you do not know whether a good or a bad proggie wants to install the service. And after the service has been installed ... it's already too late to change your mind.
#15
Quote:
here is the screenshot of the little program
__________________
Regards JoJo
#16
The correct question should have been ... please provide download link for ntsystem's knlps.zip file ;-)
(I do not want to become a fake member of HD board just to obtain this tool.) TIA ntl
#17
maybe if i have the time to write a small paper which describes how to find the latest rootkits i can upload it. In the meantime try to find it with google
__________________
Regards JoJo
#18
A long time ago we looked at hidden files, folders and system files.
I found, if you go to folder options, view and click show hidden files and folders, uncheck hide extensions for known file types, uncheck hide operating system files, you will see files, folders and registry keys not seen before. New trojan droppers are using these folders to hide. For instance bittorrent's dropper installs in your user-name applications folder on a Windows XP machine. Back when I was really into those hidden registry entries, I think I even found a couple manual key changes that allowed you to view more. I just wish I would have written them down to remember. I do remember sending the info to the author of f - - - microsoft . com con
#19
1. @Controler, we are talking about a different thing here. Unfortunately, your tips won't help.
2. @JoJo I think your attitude speaks for itself ...
#20
Quote:
Not allowed over on this board, Nautilus - see our TOS. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#21
There are only certain startup spots in the registry. In other words, you can't just plop a startup app in just any old key in the registry.
And unhiding them sure can't hurt. Or maybe I am missing something here. Ghost Keylogger has been using these hidden registry settings for some time now. So does iopus keylogger. They both hide from normal task managers. I guess I never tried the task manager you mentioned. Also some software makers will tell you a compressed-packed file is of no harm until unpacked. Maybe I will give that a try since I am such a software junkie. con
#22
@Paul
Strange comment. knlps.exe is a tool to detect rootkits. By contrast, the TOS relate to malware. But don't worry. We won't get this tool anyway because JoJo is a moderator of several ratboards and supports Holy Father (the developer of the rootkit). And apparently, JoJo is not very interested in helping users who got infected by this rootkit ... @controler "Or maybe I am missing something here." Yes. Sorry. It's much more complicated. Registry cloaking works in a different way.
#23
As far as rootkits - any rootkits - are concerned, they still have to be delivered, correct?
So, unless I go completely brain-dead, and I'm currently protected by everything in my sig - how does the rootkit ever get in? Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#24
@spy1
Rootkits are generally used by attackers who know what they are doing. And it's absolutely no problem to pack, crypt or otherwise modify a trojan or rootkit in such a way that no AV or AT file scanner will ever detect it. See for example our current test archive @ http://home.arcor.de/scheinsicherheit/procedure2.htm Even Kaspersky AV (one of the best AV programs) misses a significant number of these well-known trojans. Because they are modified ... With a rootkit things get worse. After it has been activated you will not have the possibility to use a memory scanner like TDS-3 or Trojan Hunter. Manual removal of a rootkit is also difficult. Regards, Nautilus
#25
That wasn't my question - how is it going to get delivered onto my machine?
Between using "safe hex" and good, resident-running defensive programs, I personally don't see any way for it to get in to my (or anyone else's) computer. So what am I missing? Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis