Hacker defender

I like to know more about a trojan called hacker defender. Can anyone please state some information about it?
I want to know what it does and how harmful is it? And what's the solution to get rid of it?
I've heard some reports that hacker defender is a rootkit trojan. What is a rootkit trojan?

 

See http://scheinsicherheit.sc.funpic.de/rootkits.htm

Rootkits are used to disguise and hide trojans. anyone that has this on their system might as well reformat because after a rootkit is installed many changes to the operating system could have occured and there is no telling for sure whether or not additional backdoors have been installed to be re-activated in the future.

Hacker Defender can be extremely harmful. It is probably the most popular rootkit for windows. There are other rootkits but generally HacDef is used the most. Rootkits are also extremely difficult to detect. If one ever happens to activate on your system any scanner that you are currently using might not be able to detect it.

By the way....right now, I am in Singapore. I love your city here. I fly back to the USA tomorrow around 1 PM....I get out just in time to escappe rainy season



Starrob

 

Thanks for the info starrob. I'll add it to my knowledge.
BTW, enjoy your stay in Singapore!

 

some info here Hadirah:

http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00.html

 

It's Nadirah
Just why do some people usually spell my name wrongly?
Anyway, thanks very much for the information on hacker defender!

 

Oh, one last question: Will a firewall stop hacker defender?

 

Sorry, Nadirah

Thats my typing behave. I know you are a radiant girl

Gerard

 

No, Hacker Defender hides anything the hacker wants on your system. It will hide things from your AV/AT/FW and even things like Regedit and Taskmanager. It makes the trojan invisible. You wont even know it is there.


Starrob

 

Hi, I am afraid to read this, Is there a solution for this scrap named hacker defender? there must be at least one!!!!

uuuuuuuuhh

 

Process Guard will prevent it from installing.

 

AVs and ATs should have it in their signatures, so you'd be warned before you installed it. NOD32 definitely catches it.

 

For any rootkit trojan to have an effect, you have to run it. That means it can be detected or blocked by:

1. Anti-virus or anti-trojan scanners that recognise the signature of that specific trojan;
2. Applications that intercept any attempt to run new or altered programs (Process Guard's Execution Protection feature and System Safety Monitor's Application Watching);
3. Applications that restrict driver/service installation (Process Guard and System Safety Monitor 1.9.5 onwards).

The real danger is if someone managed to package such a rootkit trojan with a legitimate software installation that also required a driver/service install - System Safety Monitor (which prompts on each driver/service individually) coupled with user knowledge of what was legitimate or not would be the only real defence here.

 

That is the scenario that I am trying to figure out a defense against. AV/AT scanners have HacDef in their definitions but people can use different methods to beat file scanners so that various AV/AT scanners will not detect it during a scan

I also read somewhere that HacDef is still under development and that the author with each version makes it more and more difficult to detect after it is run.

Really the only defense against this is common sense and a real good knowledge of what exactly is being installed on the computer. I don't install software by fly by night companies and I block all driver installs on all software. If software requires driver install then it better be coming from a really reputable company that I can half way trust. Right now, that is my only weak defense.....

Once someone is infected with HacDef it is time for a reformat. I have seen threads were people were suggesting using things like Hijack this and the "normal" techniques for removing adware and milder trojans and I knew deep down they were probably not going to get very far.

There is different software that claims to find rootkits but most of that software is located on blackhat sites and it is not for certain that the software can find the rootkit or if it does the infected computer probably can not be put back into it's original state (i.e. the system might be unstable or contain other backdoors).

If HacDef is run on your computer the game is over. You might as well reformat.....or you could waste many hours trying to fix it and either have a unusable computer and have to reformat anyway or constantly be worried that information was still being stolen by some other hidden backdoor that was not found by all the efforts.

Ok...I got to pack up my computer now and get to the Airport. I got a long flight from the Singapore to the New York. I guess I will next be online around 24 hours when I am plugged into my own connection at home. I look fwd to reading a few threads when I get back. There is some interesting reading to do....Well, time to go....I hate these long flights!!!


Starrob

 

Ok, but I wanna know how does hacker defender get into the computer? How does it manage to get in and through which method?

 

The same as any other malware:

• Disguised as a "useful" program that you decide to download and run;
• Included in an email (probably including HTML code designed to exploit IE/Outlook weakness, now patched, that caused them to open attachments if an email was previewed);
• Embedded in a webpage (most likely via an ActiveX control, either running it directly or downloading and running it later).

Good sense, basic security and a purge of all things Microsoft are the best defenses.

 

I ran a rootkit detector from: http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip

Results:
SUSPICIOUS MODULE FOUND: C:/WINDOWS/SYSTEM32/LPK.DLL
SUSPICIOUS MODULE FOUND: C:/WINDOWS/SYSTEM32/USP10.DLL
WARNING: C:/WINDOWS/SYSTEM32/MSVCRT.DLL seems to be HOOKED!

Should I be worried about this?

 

Try using the Microsoft DLL Help Database to check on potentially suspicious DLLs (both lpk.dll and usp10.dll could be legitimate, you need to check versions and filesizes).

As for hooks being present, many security programs also use them. Which ones are you running? Also try using another program like Patchfinder 2 to verify the results.

Finally the best check is to monitor network traffic coming from your PC using another PC running a packet sniffer. In a pinch, a router with a firewall will do if you use one - just set it to block (and log) everything and shutdown all applications on your PC (including any automated updates). Any traffic sent then should be regarded as suspicious except for DHCP IP address renewals (which should only go to the router anyway). While a trojan does not have to send network traffic to do mischief, in practice they all do in order to allow someone else to take control of your system.

 

Patchfinder 2.11 only supports Windows 2000. Tan Chew Keong has a beta of Kernel Hidden Process/Module Checker that works with XP.

Nick

 

Ok, I've now confirmed that those suspicious files found are legitamate. I suspected them to be part of hacker defender, but I checked the microsoft DLL library up and I confirmed that they were ok.
So, my computer is clean and ok. Anyway, thx to everyone who replied!

 

While not wishing to up the paranoia factor unnecessarily here, *chortles evilly* one of the "features" of a rootkit is the ability to alter basic Windows services to disguise its presence - so it could make a file invisible to Windows Explorer or supply false details (e.g. a different filesize, date or version) to hide alterations to a file. Running processes could be similarly hidden using a modified Task Manager or by changing Windows' internal data structures preventing any other process monitor from getting a full picture of what is running.

If you think you have got a rootkit on your system then you need to reboot using a known clean source (e.g. a Windows or Linux CD). With a Windows CD, try using the Recovery Console (see Description of the Windows XP Recovery Console for more information) to check the details - with a Linux CD (Knoppix being a particularly suitable distribution since it can run from CD only) you should be able to view and check your Windows folder contents also. Either method will bypass any attempt by a rootkit to hide itself.

 

It seems Hacker Defender can't hide traffic: Outpost alert me if hidden app try to connect. It can be because Outpost works at kernel level in the same way Hacker Defender works.

 

Hi AlbatroS,

Hacker Defender only hides open ports from netstat-type utilities. It is not able or designed to hide traffic.

Nick

 

Can anyone tell me if reformatting to get rid of hacker defender will affect my computer negatively. And what is the procedure? Will I have to re-install any programs? I work through a VPN with my corporate office. Should I be worried to infect others?

Thank you.

 

Hi Cabbyjohnson,

While reformating will remove Hacker Defender, it will also wipe your drive clean and you will lose everything. You will have to reinstall everything. Before going that route, you should back up any important documents. I have no experience with VPNs and what permissions your system would have with respect to systems at the other end. In the worst case, whoever compromised and controls your system will have the same privileges as you when connecting to your corporate office.

Nick

 

There are many ways to beat a FW....the techniques used by trojans such as Beast and Flux can beat a FW.

Hacker Defender can be used to hide these and just about any malware that a script kiddy wants.


Starrob