Are AV/AT Scanner useless now? (Hacker Defender v. 1.00)

Discussion in 'malware problems & news' started by Nautilus, Jan 3, 2004.

Thread Status:
Not open for further replies.
  1. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    Oh ... sorry. Now I got your point. It gets in via the ordinary infection vectors like one of the recent Internet Explorer or MS Windows exploits, filesharing networks, email attachments etc.

    If you frequently update your Windows, use a safe browser, do not open email attachments and do not download software from non-trustworthy sources you are almost safe. And you may not need an AV/AT scanner at all ;-)

    Cheers ntl
     
  2. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    not an several ratboards, only two, and i think this is not a crime to be a mod on an other kind of "security" board.
    I´m not supporting hf.
    And why do you think that i´m not interested in helping other users how to find or remove rootkits ?
     
  3. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    "And why do you think that i´m not interested in helping other users how to find or remove rootkits ?"

    Why not just sending knlps.zip to Paul Wilders or Rokop? This would immediately stop this discussion because you would indeed help users to find or remove rootkits. By contrast, just talking about knlps.zip and posting screenshots will not help.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Nautilus - Liked that page you linked to - very well-written.

    In regard to your (I assume) tongue-in-cheek comment that I might not even need an AT/AV resident scanner - ha ha.

    4A6F4A6F - What are your thoughts on what I stated in my last post? Pete
     
  5. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    JoJo ... I got your PM @ Rokop board. Thanks.

    I will reply there.

    ___
     
  6. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    i sent roman a mail with this tool, if i will get an answer from Paul i will also send him a copy.
     
  7. Bigmomma

    Bigmomma Guest

    Seems Pest-Patrol is able to detect & delete this ? or is this not true ?

    http://pestpatrol.com/PestInfo/h/hacker_defender.asp

    Momma
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,473
    Location:
    The Netherlands
    Bigmomma,

    Those are older versions - v1.00 is discussed in this thread ;)

    regards,

    paul
     
  9. Nautilus

    Nautilus Registered Member

    Joined:
    Oct 22, 2002
    Posts:
    37
    In the meantime, I can confirm that the tool mentioned by JoJo works perfectly. Thanks for sharing your knowledge about it ...

    Moreover, it seems that there is an official download link for this tool. But it may be premature to post the link before Paul had the possibility to have a look at it.
     
  10. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,473
    Location:
    The Netherlands
    Still waiting, JoJo ;)

    regards.

    paul
     
  11. mike myers

    mike myers Guest

    Anyone tried "abtrusion protector" (freeware) against HD V1.00 yet ?

    I believe this program will hold off the installing ,and by doing that stopping the infection so the rootkit becomes useless.

    Mike
     
  12. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    oh i´m back sorry for the delay paul but i watched the movie space cowboys in german tv, btw a good movie, ok i tried also to find other stuff from that author who made this program but it seems the other download sites i found are down. There exists also an other similar tool named klister, now available in version 0.3, this is also able to list all processes but is not able to termiante them, but maybe the programmer will at this in other versions.
     
  13. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,473
    Location:
    The Netherlands
    No problem JoJo - ARD? ;)

    regards.

    paul
     
  14. 4A6F4A6F

    4A6F4A6F Registered Member

    Joined:
    Dec 23, 2003
    Posts:
    34
    no RTL ;)
     
  15. JSa

    JSa Guest

    JoJo

    I'm interested in testing ntsysytem's knlps,any help would be gratefully received

    fhaze at gmx dot net
     
  16. controler

    controler Guest

    Ok one more question and then i will shudup and listen :D

    You are talking about a root kit that has been recoded and compressed
    with an unknown packer correct?
    It has been my understanding that unless you unpack the file, it is harmless.
    Are we talking about a self extracting rootkit here?
    I can see an AT-AV not detecting it packed with an unknown packer.
    that is old news.
    1. the rootkit comes onto my machiine as a recoded-packed with unknown packer and my AV-AT does not detect it.

    2. How does the file get unpacked unless it is self extracting or a non-detected dropper has been attached?

    Thanks

    con
     
  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    http://linux.oreillynet.com/pub/a/linux/2001/12/14/rootkit.html gives a pretty good explanation as to how rootkits work, con. Pete

    * the follow-up article to that one is here: http://linux.oreillynet.com/pub/a/linux/2002/02/07/rootkits.html

    Actually, just typing "rootkit" into Google could have you reading for hours! :D

    A question I'm really fuzzy on is - if you're not running a server - are rootkits even a threat? IOW, if you're not running a server, do rootkits even have anything to do if you get one or your computer?

    (Note: I'm still convinced that anyone getting one on my machine is a near-impossibility given the fact that I'm running ProcessGuard). Pete
     
  18. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    @controler

    we're talking about runtime packing here.. but you would still have to doubleclick the file to get infected, unless you get it via an exploit, or the hacker uses a webdownloader to infect..(you'd have to doubleclick that too)
     
  19. controler

    controler Guest

    thankyou all

    I have expanded my knowledge of rootkits now. :D
    As we know Windows is targeted more then any OS but I have triede Linux and was not happy.
    As Windows evolves, it will become harder to break in. Linus on the other hand with go through the same growing pains.
    After all rootkits originated with linux.
    found a couple good site with some tools for rootkits.
    appears checksumming with encryption seesm to work
     
  20. an8

    an8 Guest

    Hi con:

    1.
    Self-extracting archives (WinRAR, WinZAP) are a completely different thing compared to runtime compressors (like UPX or Armadillo). Please try to compress a copy of your notepad.exe /w WinZIP (SFX archive) and a different copy with UPX. Then you will figure out the difference which is important to understand if you want to discuss AV/AT scanners.

    UPX, ASPack, PECompact etc. (unpacking engine required for detection) ---> Memory (Mem Scanner needed for detection)

    Armadillo (no unpacking engine can unpack it) ---> Memory (but still encrypted - doh!)

    SFX Archive --> temporary harddisk file (unpacked, easy to detect by on-access-scanner, no unpacking engine needed)---> Memory

    2.
    So far Windows rootkits differ from Linux rootkits. For Windows rootkits, checksumming will generally not work since no files are patched.
     
  21. JSa

    JSa Guest

    Anyone have a link for knlps?
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,473
    Location:
    The Netherlands
    No links please: please ask JoJo ;)

    regards.

    paul
     
  23. JSa

    JSa Guest

    JoJo is not responding Paul ,I already asked him in my earlier post
     
  24. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    JSA Please register yourself and send a PM to me. I will reply and tell you about a download link.

    EDITED:

    I have provided three users with the download link. Please do not send me any additional PMs since I do not frequently check my message box. It may be more effective to request the link in this thread.
     
  25. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    hi
    well Joanna Rutkowska is in action again: "Patchfinder (PF) is a sophisticated diagnostic utility designed to detected system libraries and kernel compromises. Its primary use is to check if the given machine has been attacked with some modern rootkits.

    With this tool you should be able to detect even the newest versions of such rootkits like: Hacker Defender, APX, Vaniquish, He4Hook, and many more.. New release (2.x) of PF is the first version which is intended to be not only a proof-of-concept code for developers, but also to be useful tool for administrators. To make a proper use of the PF, every user should read the attached PDF paper."

    you know where to get this!
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.