Are AV/AT Scanner useless now? (Hacker Defender v. 1.00)

Discussion in 'malware problems & news' started by Nautilus, Jan 3, 2004.

Thread Status:
Not open for further replies.
  1. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    Hacker Defender (HD) is a rootkit. After it has been activated the following things will happen:

    1.
    Any files with a name designated by the attacker will become invisible. This includes the rootkit itself and, for example, an additional backdoor/trojan. In consequence, no AV/AT on this planet will be able to detect the invisible files.

    2.
    HD can hide registry entries. In particular, it will hide its own autostart entries. Only special registry viewers like RegdatXP will let you see the respective registry entries because they work in a kind of raw mode. But this will only help paranoid people or people who already expect that they are 0wned ...

    3.
    HD can hide open ports. For example, your firewall (tested with Kerio 4.10) will not tell you that a backdoor is using an open port. Nice, eh?

    4.
    HD can be encrypted/compressed so that no AV/AT scanner will detect it before it is installed. Moreover, the source code of HD has been released which allows attackers to compile their own undetected versions.

    5.
    Unfortunately, the rootkit detector from http://3wdesign.es/security/principal.html?u=82pxv20n does not support HD version 1.00.

    6.
    It will not help you to boot in safe mode. HD will still get activated ...



    In summary, I believe that somebody should do something right now.

    I could imagine that Process Guard from DCS will take care of this rootkit. (Currently, the trial version does not.)
    When you are lucky you will get the following warning:

    "Welcome to DiamondCS Process Guard.
    This program does not need to be running for your system to be protected.

    [21:46:08] - Window Log Started
    [21:46:14] - Process Guard Protection is ACTIVE
    [21:46:17] - [P] - c:\dokumente und einstellungen\comp\desktop\hxdef100\hxdef100.exe [1440] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\windows\system32\services.exe [592]
    [21:46:18] - [P] - c:\dokumente und einstellungen\comp\desktop\hxdef100\hxdef100.exe [1440] tried to gain WRITE,TERMINATE,SET INFO,SUSPEND access on c:\programme\processguard free\pg_msgprot.exe [1608]"

    But this does not happen frequently. I believe it is a timing issue ... PG must simply get quicker!

    System Safety Monitor will not help you either. But it is very sensitive and will crash when HD is installed. This may warn you ...


    Cheers Nautilus
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi Nautilus,

    Hacker Defender is - as you know - rather old news. Most serious AT companies are aware of the existence for quite a while now, and are subsequently taking precautions ;)

    Thanks for bumping this issue ;)

    regards.

    paul
     
  3. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    HD 1.00 has been released on January 1, 2004 if I am not mistaken.

    Previous versions could be detected quite easily. I have already explained how.

    This version (1.00) has been significantly improved. That's the problem ...

    EDITED: In addition, I tried to inform people in general (not merely AV/AT producers).
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Nautilus,

    Indeed this is a recent version - but then again well known in the meanwhile by major AT companies.

    For the record: I'm far from neglecting the fact rootkits can/are issues to take serious: they are serious business.

    That said: as ever, it's sort of a competition between black hats and white hats. Punch and counterpunch ;)

    regards.

    paul
     
  5. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    True. And I am looking for a white hat with a morning star ... ;-)
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I'm trying to imagine that picture :D

    regards.

    paul
     
  7. ntl

    ntl Guest

    Btw. ... there is an open-source tool called Klister 0.3 by Joanna Rutkowska. It only works under W2K. Therefore, I have not tried it yet.

    The tool is capable of detecting several rootkits. Maybe someone wants to give it a try and tell us whether it also works with HD 1.00.


    TIA ntl
     
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    i believe kaspersky detected this generically, like the last version(0.84) was detected as similar to 083


    hxdef100.zip Archive: ZIP
    hxdef100.zip/bdcli100.exe Infected: Backdoor.Hacdef.084
    hxdef100.zip/hxdef100.exe Infected: Backdoor.Hacdef.084
    hxdef100.zip/rdrbs100.exe Infected: Backdoor.Hacdef.084
    hxdef100.zip/src.zip/src/driver/driver.sys Infected: Backdoor.HacDef.073.b

    wouldn't a command line scanner like kav rescue disk detect this?
    here's f-secure's results of the same file
     

    Attached Files:

  9. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    @illukka I am almost sure that KAV will not detect hxdef100.exe once you have compressed it with an unknown packer or recompiled the source code.

    A scanner started from a rescue disk will detect the rootkit unless is has been compressed or modified (see above). This is because file & registry cloaking will only be activated once Windows has been started.

    Moreover, it should be possible to detect activated rootkits by comparing autostart registry entries. You simply need to read the registry in two different ways: First, you will read it using standard Windows functions (i.e., you will not see the Rootkit's autostart entry due to its regkey cloaking capabilities). Second, you will read the registry with a tool like RegdatXP. The comparison will easily show you any hidden registry entries ... et voila ... the Rootkit is detected.

    ntl
     
  10. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    yeah an unknown packer/crypter would make it undetectable..but in such cases kav reports unable to scan or unknown format..making it possible to examine the files manually
    i still think kasperskys code analyzer would nail most recompilations if no major changes are made in the code.. it has detected many releases in the haxordefender series without signature updates, based on similarities in the code of different versions..

    let's try.. what compiler do i need to compile the source? i currently have nasm and lcc32, are they good for this?
    really haven't that much experience in this, other than having compiled a few hundred sd-gt-spy and agobots..LOL
     
  11. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    kav is not really such a problem for an attacker if the attacker know the weak ponits of this scanner, but back to the topic
    mhh this new hacker defender version is in my eyes really a beast, cause it also hides the driver (if this is not correct please let me know) i tested it and at the moment i found only one program which is able to terminate the running hacker defender rootkit. ok i must mention that klister version 0.3 didn´t work on my test system :doubt: and pcquard ehm was too lazy to install it ;), but during reading nautilus post it seems that PG (process guard) is currently not really good for detecting this rootkit, maybe upcoming versions will fix this.
     
  12. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    "and at the moment i found only one program which is able to terminate the running hacker defender rootkit."

    Perhaps JoJo could tell us about this program ... ?
     
  13. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    care to say which proggie that is?EDIT: the haxdef client LOL?
    yeah i agree that this is a real nasty, caught at and av makers with their pants in their ankles so to speak..has anyone tested abtrusion protector or tiny firewall's sandbox? do those notice anything...??
     
  14. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    @illukka I have tested previous HD versions in connection with TPF sandbox.

    TPF will warn you that HD tries to intall a new service. The problem is that you do not know whether a good or a bad proggie wants to install the service. And after the service has been installed ... its already too late to change your mind.
     
  15. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    here the screenshot of the little program
     

    Attached Files:

  16. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    The correct question should have been ... please provide download link for ntsystem's knlps.zip file ;-)

    (I do not want to become a fake member of HD board just to obtain this tool.)

    TIA ntl
     
  17. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    maybe if i have the time to write a small paper which describes how to find the latest rootkits i can upload it. In the meantime try to find it with google
     
  18. controler

    controler Guest

    Along time ago we looked at hidden files, folders and system files.
    I found, if you go to folder options, view and

    click show hidden files and folders
    uncheck hide extentions for known file types
    uncheck hide operating system files

    you will see files, folders and registry keys not seen before.
    New trojan droppers are using these folders to hide.
    for instance bittorrent's dropper installes in your user-name applications folder on a Windows Xp machine.

    BAck when I was really into those hidden registry entries, I think I even found a coupe manual key changes that allowed you to view more.
    I just wish i would have written them down to remember.
    I do remember sending the info to the auther of

    f - - - microsoft . com

    con
     
  19. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    1.
    @Controler, we are talking about a different thing here. Unfortunately, your tips won't help.

    2.
    @JoJo I think your attitude speaks for itself ...
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Not allowed over on this board, Nautilus - see our TOS ;)

    regards.

    paul
     
  21. controler

    controler Guest

    There are only certian startup spots in the registry. In other words , you can't just plop a startup app in just any old key in the registry.
    and unhidding them sure can't hurt.
    Or maybe I am missing something here.
    Ghost Keylogger has been using these hidden registry settings for some time now. So does iopus keylogger. They both hide from normal
    task managers. I guess I never tried the task manager you mentioned.
    also some software makers will tell you a compressed-packed file is of no harm untill unpacked.
    maybe I will give that a try sine I am such a software junkie ;)

    con
     
  22. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    @Paul

    Strange comment. knlps.exe is a tool to detect rootkits. By contrast, the TOS relate to malware.

    But don't worry. We won't get this tool anyway because JoJo is a moderator of several ratboards and supports Holy Father (the developer of the rootkit). And apparently, JoJo is not very interested in helping users which got infected by this rootkit ...

    @controler

    "Or maybe I am missing something here." Yes. Sorry. It's much more complicated. Registry cloaking works in a different way.
     
  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    As far as rootkits - any rootkits - are concerned, they still have to be delivered, correct?

    So, unless I go completely brain-dead, and I'm currently protected by everything in my sig - how does the rootkit ever get in? Pete
     
  24. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    @spy1

    Rootkits are generally used by attackers who know what they are doing. And it's absolutely no problem to pack, crypt or otherwise modify a trojan or rootkit in such a way that no AV or AT file scanner will ever detect it.

    See for example our current test archive @ http://home.arcor.de/scheinsicherheit/procedure2.htm

    Even Kaspersky AV (one of the best AV programs) misses a significant number of these well-known trojans. Because they are modified ...

    With a rootkit things get worse. After it has been activated you will not have the possibility to use a Memory Scanner like TDS-3 or Trojan Hunter. Manual removal of a rootkit is also difficult.

    Regards,

    Nautilus
     
  25. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    That wasn't my question - how is it going to get delivered onto my machine?

    Between using "safe hex" and good, resident-running defensive programs, I personally don't see any way for it to get in to my (or anyone else's) computer.

    So what am I missing? Pete
     
Loading...
Thread Status:
Not open for further replies.