Golden Hacker Defender Game Over ?

Just seen this

But while talking about rootkits, we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features.

The sample we got was found by a company from several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.

http://www.f-secure.com/weblog/#00000675


StevieO

 

i wonder if hacker defender can disable PG OA AE Prevx?

 

Hi StevieO,

"In a sense, direct attack against rootkit detectors requires that the rootkits update themselves faster than the detectors. This is not always possible: F-Secure Internet Security 2006 contains a feature to automatically update it's BlackLight engine through anti-virus updates."

I suspect automatic updates will soon be on the Golden Hacker Defender wish list (and price list)...

Nick

 

And rootkit detectors will start using encryption/compression/code morphing to avoid signature detection by rootkits. Soon, it will be hard for security software to tell the two apart...

 

Heck even "Security software" and not just rootkit detectors themselves will start doing stuff like that to protect itself.

Just like in real combat. Stealth is parmount. You don't want your opponent to see you until you are ready to act.

 

Having gotten their hands on Hacker Defender Gold is a pretty big thing. Before they were having to go about it bind, but now they have a sample that they can really reverse engineer to see how it's doing what it's doing.. this will greatly enhance thier ability to find a way of detecting it. It will definitely be interesting to see how it goes, and whether they share that sample.

 

I can't see why they can't just annoymously pay for it, if they were really that desperate to get it. 500euro isnt much to a big company .

 

http://www.invisiblethings.org/tools.html

System Virginity Verifier is a new "rootkit detector" but more interresting to me is The powerpoint presentation. At the end she makes this statement about "implementation specific attacks"

 

deviladvocate ?

Have you tried this new command line program by Johanna? If so what do you think?

controler

 

Do you think geniuses from both sides could get together and write a new Rootkit version of Windows that would actually work like it should and be secure?

Naaah.....Forgettaboutit....this is so much more fun!

 

Devinco ?

ah yes it is way too much fun

It is all about the money , right?

Rested assured MS has some.

controler

 

users of unix and mac don't know what they are missing - they lead such quiet uneventful lives

the whole world of hacking is weird - the black hats and white hats regularly get together to share ideas. can you imagine the police and the criminals getting togther and sharing their strategies?

hey crims we just figured out a new way of detecting you - wanna hear it?
yeah sure cop and wev'e got some new ways of avoiding detection wanna know?

 

I think everyone should try it. They will be surprised at what they find on their systems...

 

Rootkits are actually from the unix world and until recently, they were way more advanced, not sure if it's true today.

 

I gave it a try.Service table redirection detected

warning level 2 ( yellow)

I don't know if you tried running it twice but I get loading driver error code = 0x422 on my VM test box.

controler

 

Interesting. What software are you running that might do that?

Possible conflict with vmware I think.

 

That is what I thought also on the driver thing. Running MS shared computer toolkit on this box and VMware on my other.
I knew Johanna had done some work on VMWare in the past. Don't think she has messed with MS's toolkit though.


Only security software I am running on this box is KIS beta.
It's proactiveness does ask to allow the driver the first time. To get it to work twice on here, I have to reboot though.

controler

 

Actually i'm pretty sure I'm rooted, I got a warniong level 4. (red)!

There's a small chance it's mistaken because of all the other security software i run that do all sorts of kernel hooking, but it's supposed to have some intelligence at telling the difference but maybe some of the good guys are hidden maybe..

I'm going to uinstall all the security software, I think that might relate, and tested again see, if it makes a difference. Unless, someone else can confirm.

 

Are going to to rerun it after each program to see which one is causing it?

Did you only use the command vss check without any other switches?

well, hi ho hi ho it's off to work I go. I will try more later.

DA ? you can always write to johanna and ask her opinion.

controler

 

Yes definitely. Of course, there's a chance none of them are.....

the m switch shows the details, but they are beyond me.

Nah, I'm too shy. Don't want to waste her time.

 

Oh come on don't be a chicken. She says she trys to answer all e-mail.

Unless it is tagged spam , which could accour if you remain anynomyous. LOL

Time to come out of the closet DA......................

controler

 

SVV appears to work on my VMware W2K...

C:\svv>svv
System Virginity Verifier 1.0 (public), September 2005
written by Joanna Rutkowska
http://invisiblethings.org

svv <command> [options] [/l <altKernelModuleName>]
command is one of the following:
check - check system virginity
fix - try to fix suspected modifications (disinfection)

following options are supported:
/a verify ALL modules (may cause false positives)
/m show details about modifications
/c show also clean modules
/d leave driver after finished
/t <n> fix to target verdict level = n (valid for fix command)

C:\svv>svv check /a
audstub.sys (f41eb000 - f41ec000)... error code = 0x490
Null.SYS (f4200000 - f4201000)... error code = 0x490
dump_diskdump.sys (bfde1000 - bfde5000)... Image file not found!
dump_vmscsi.sys (bfdd9000 - bfddc000)... Image file not found!

SYSTEM INFECTION LEVEL: 1
0 - BLUE
--> 1 - GREEN
2 - YELLOW
3 - ORANGE
4 - RED
5 - DEEPRED
Nothing suspected was detected.

...but stops quickly with this error on XP SP2, virtual or not, clean install or not:

C:\svv>svv check /a
Following important modules cannot be found:
ntoskrnl.exe

ERROR (code = 0x2): Important modules not found

Nick

 

Johanna put out a program a few months ago and none here commented on it.
Guessing the same goes here.

Now some are even saying it IS a rootkit.

controler

 

I believe that was FLISTER, which does work well.

Maybe it's because these apps install drivers, or maybe it's just fear of the command line. I ran IceSword 1.12 today on an infected machine, and McAfee blocked it as a trojan...

(that's right, McAfee was running on the infected machine)

Nick

 

Command line tools are not popular here. They look dangerous and hackerish.

Nick, I don't get the error you get.