Are AV/AT Scanner useless now? (Hacker Defender v. 1.00)

Discussion in 'malware problems & news' started by Nautilus, Jan 3, 2004.

Thread Status:
Not open for further replies.
  1. OSS

    OSS Guest

    So why aren't we seeing AT developers like DCS and Mischel offering detection tools similar to that knlps (or whatever) and perhaps RegDatXP? Anyone with basic understanding of Windows can detect a regular trojan no matter how patched it is by its autostarts and running process(es), but rootkits and dll trojans are another affair entirely. What am I missing here? And why can't the url for knlps simply be posted here, if it is an entirely legitimate utility? Why the secrecy?
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    the site offers other things too = lots of malware...
    posting links to malware sites is against the TOS

    contact me if you want the link..

    i'd post the file here but this site doesn't allow attaching zip files, only pics
     
  3. OSS

    OSS Guest

    ROFL. :D

    That's what I find odd, though; that you'd find these tools on malware sites but not from the pages of AT developers. O tempora, o mores. How do you propose I contact you? o_O I dislike the thought of registering, since I never remember my passwords anyway. ;)
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    OSS, actually the next release of Process Guard blocks the "Kernel PS" kernel-mode process list/termination utility. In addition to this, we have a lot of anti-rootkit technology in the works for TDS4, much of it already completed.

    Cheers,
    Wayne
     
  5. OSS

    OSS Guest

    I appreciate that, Wayne, but unfortunately rootkits are reality today whereas TDS-4 is not, and ProcessGuard doesn't help the many 9x users still out there. I don't particularly love the idea of having an invisible HackerDefender-thingy lurking on my system with all the AV, AT and security programs I have. I'm sure many would love to find a good source of information on rootkits outside malware sites, but there doesn't seem to be one.

    ... Now, I've a question on this latest HackerDefender and rootkits in general - can it install properly when the user is running as a limited (regular) user instead of admin? For who in their right mind would browse the internet (among other things) as admin when there are safer options available?
     
  6. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Process Guard is reality :). It's here now, and there'll be another version out probably later in the week which adds protection against KernelPS-style tools/trojans and also SetWindowsHookEx global hook attacks, making Process Guard possibly the most powerful anti-rootkit program available, even though this isn't its primary aim.

    The Win9x OS is inherently insecure and as a major example, Win9x uses a flat memory model - WinNT/2K/XP etc does not, so already Win9x processes are open to attack from other processes. A program like Process Guard could be easily defeated under Win9x due to the insecure nature of the OS, so in reality such levels of security aren't feasible under Win9x - sorry, it's just the nature of the OS. There's nothing we can do about that, but Microsoft have already addressed those issues, and the results can be seen in Windows NT/2K/XP. :)

    In regards to running as admin, actually you'll find that a lot of people do log in as Admin simply for convenience, as there are then no limitations etc. I've not personally tried Hacker Defender when logged in as a restricted user though so I couldn't answer that one for you sorry.
     
  7. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    illukka@hotmail.com

    sometimes these heavy metal lyrics make me ROFL
     
  8. OSS

    OSS Guest

    I've kept my two eyes on ProcessGuard, but it's a new product and certain to have some stability issues. When those are ironed out, I'll certainly be shelling out the bucks. :) I admit it: I fear rootkits. I know I can detect the regular trojan, even if it's patched to hell and beyond, but rootkits are another thing.

    As for 9x, I understand the security model in 9x is "there is no security model, Luke", so programs like ProcessGuard aren't feasible options - but, the likes of knlps would work, would they not?
     
  9. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    knlps won't work under Win9x because it's a .sys driver (it would need to be a .vxd, and even then it would be very different to the NT/2K/XP version).
     
  10. noname4

    noname4 Guest

    @Illukka

    Thanks for mentioning Patchfinder. This is a protection util which must be installed on a clean computer (i.e., it will not help you if you are already infected with a rootkit).

    IMHO, Kernel PS is a legit protection util which helps to terminate a rootkit after it has been activated. Unlike Patchfinder, this tool is NOT hosted on a malware website. I do not know why we are not supposed to mention the DL link.

    (Off topic: FYI ... AVPOffset still works fine with older sigs. Therefore, it remains a nuisance ... )


    @OSS

    "I dislike the thought of registering, since I never remember my passwords anyway."

    I have exactly the same problem ;-)

    "and perhaps RegDatXP"

    FYI: The developer is considering implementing a special function for detecting rootkits ...

    "I fear rootkits."

    You may try System Safety Monitor or Tiny Personal Firewall. They will either warn you if a DLL injection takes place or a rootkit service is installed, or they will crash (tested with Hacker Defender and SSM ;-). I have not found a rootkit yet which can be installed w/o triggering an alert or at least affecting one of these applications. In other words, if the freeware tool SSM runs on your computer w/o problems you can be relatively sure that you are not infected.


    @Wayne

    Looking forward to PG 1.200 which is supposed to block the Hacker Defender Rootkit. Do you already know whether PG 1.200 will also block the FU Rootkit?
     
  11. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    well i could find several pieces of malware on the knlps site, including a link to haxdef..
    i wish i was better at Chinese

    anyone here who could translate the knlps readme file from Chinese?
     
  12. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    Yes it does block FU.

    This is from an earlier beta version of 1.2, so some things have changed in regards to the visual display you are seeing.

    -Jason-
     
  13. noname4

    noname4 Guest

    @illukka

    "well i could find several pieces of malware on the knlps site, including a link to haxdef..
    i wish i was better at Chinese"

    My chinese is also pretty bad. But it seems you are correct. After a while I found a link called "FU rootkit".
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I know this is an old post, but there aren't any rootkits for Win9x that are in development or ITW. No one cares about 9x anymore in the malware world, when they can user-mode patch the API or install a driver and have much more power over their victim. Remember most targets are not well educated, nor do they have Process Guard. The best they can hope is that they only receive ITW rootkits which AVs detect. With all the open source these days, that's a big risk.

    XP is the most popular OS already remember
     
  15. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Thanks to Babelfish:


    Regards,
    Jade.
     
  16. OSS

    OSS Guest

    Gavin, do you know if this latest HackerDefender can install properly if the user is running a limited, non-admin account? Anyone? o_O
     
  17. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    thanks Jade
     
  18. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    I haven't tried, but an educated guess would be NO, it can't. Will try for you if I get time later today :)
     
  19. ano1

    ano1 Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    27
    I have tried. In user-mode, it does not get activated (on my computer).

    @Gavin Have you tried the ArmadilloTheef in the meantime?


    Btw ... how does BOClean detect such rootkits (if at all)?
     
  20. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Haven't tried any FURTHER tests on Armadillo since the first one was ok. Its been a very busy time lately both with development and new malware. Seems like this has slowed a bit now though, even the worms have slowed down a bit :)

    BOClean (and the others) not sure.. if it's too slow though, there could be trouble obviously o_O
     
  21. x

    x Guest

    by the way, knlps.exe does NOT detect the aphex 2003 rootkit. i just tested it :/ kinda pissed me off because i was hoping to uninstall that crap rootkit by killing it with knlps - but it was invisible to it. just fyi!!
     
  22. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  23. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    another rootkit detection tool

    from the readme:
    "Rootkit Detector v0.6
    ======================


    Haxorcitos Rootkit Detector
    Programmed by aT4r@3wdesign.es

    Links removed, maybe temporarily, maybe forever.
    IOW: they are being reviewed - Pieter




    Usage:
    -----

    rkdetector.exe [params]

    -v - Prints Verbose Information.
    -m filename - Shows md5 checksum for filename


    Description:
    ------------

    RKDetector is a diagnostic tool that provides information about hidden processes and services hooked by an NT rootkit such as Hacker Defender.
    After hidden handles are identified, Rootkit Detector will try to kill those hidden tasks and rescan the service database in order
    to detect hidden services installed by hackers and hidden regkeys (Run, RunOnce...)."

    seems to work ok, although i had some errors with it..

    this seems to think process guard is a suspicious one, same with thguard..
    found and killed (an unmodified) haxdef too


    edit: i could not find malware on the sites.. that's why i posted them..
    if anyone wants it i can e-mail it, it's a small file..
     
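    An added example of the cross-view technique the RKDetector readme above describes (hidden processes, hidden Run keys), and the reason it works against what Gavin calls "user-mode patch the API" in post 14. This is not RKDetector's, knlps's or DiamondCS's code. The process and Run-key listings in it are constructed sample data (the PIDs, names and the "HackerDefender100" value are made up for the demo); the Windows collectors at the bottom use real Toolhelp32 and OpenProcess calls but only run on Windows, and the PID-range upper bound is an assumption.

```python
"""Cross-view detection of hidden processes and Run entries.

Added example, not RKDetector's, knlps's or DiamondCS's code. A user-mode
rootkit such as Hacker Defender hooks the enumeration APIs behind Task Manager
and regedit, but seldom every path to the same objects; listing the objects
two ways and diffing the lists exposes what the hooked path drops. The sample
data is constructed; the Windows collectors are real API calls (Windows only).
"""
import sys
from dataclasses import dataclass, field


@dataclass
class View:
    name: str                          # which enumeration path produced it
    items: set = field(default_factory=set)


def hidden_objects(api_view, deep_view):
    """Diff one object type between the hookable API view and a deeper view.
    Returns {deep_view.name: hidden, '+' + api_view.name: decoys}; decoys
    matter too, since a hook can inject a fake entry as easily as drop one."""
    report = {}
    hidden = deep_view.items - api_view.items
    if hidden:
        report[deep_view.name] = hidden
    decoys = api_view.items - deep_view.items
    if decoys:
        report["+" + api_view.name] = decoys
    return report


def confirm(first, second):
    """Keep only findings present in two consecutive passes. Processes start
    and exit between the two enumerations of a pass, so one pass gives false
    positives; a genuinely hidden object is still there on the rescan."""
    return {name: first[name] & second[name]
            for name in first.keys() & second.keys()
            if first[name] & second[name]}


def demo_scans():
    """Two passes over constructed data: hxdef100.exe (PID 1844) and its Run
    value are hidden from the API path; notepad.exe (PID 3000) started after
    the first snapshot and had exited before the second pass."""
    base = {(4, "System"), (620, "csrss.exe"), (1100, "explorer.exe")}
    hxdef = {(1844, "hxdef100.exe")}
    pass1 = hidden_objects(View("Process32Next", base),
                           View("OpenProcess sweep", base | hxdef | {(3000, "notepad.exe")}))
    pass2 = hidden_objects(View("Process32Next", base),
                           View("OpenProcess sweep", base | hxdef))
    run_api = View("RegEnumValue Run", {"ctfmon.exe", "Antivirus"})
    run_raw = View("raw SOFTWARE hive Run", run_api.items | {"HackerDefender100"})
    run = hidden_objects(run_api, run_raw)          # unchanged between passes
    first, second = {**pass1, **run}, {**pass2, **run}
    return first, second, confirm(first, second)


def windows_process_views(max_pid=65536):
    """Real collectors, Windows only: Toolhelp32 snapshot (the path Task
    Manager-style tools use) vs. an OpenProcess sweep of the PID space."""
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)

    class PROCESSENTRY32(ctypes.Structure):
        _fields_ = [("dwSize", wintypes.DWORD), ("cntUsage", wintypes.DWORD),
                    ("th32ProcessID", wintypes.DWORD), ("th32DefaultHeapID", ctypes.c_size_t),
                    ("th32ModuleID", wintypes.DWORD), ("cntThreads", wintypes.DWORD),
                    ("th32ParentProcessID", wintypes.DWORD), ("pcPriClassBase", wintypes.LONG),
                    ("dwFlags", wintypes.DWORD), ("szExeFile", ctypes.c_char * 260)]

    k32.CreateToolhelp32Snapshot.restype = k32.OpenProcess.restype = wintypes.HANDLE
    k32.Process32First.argtypes = k32.Process32Next.argtypes = [
        wintypes.HANDLE, ctypes.POINTER(PROCESSENTRY32)]
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    snap = k32.CreateToolhelp32Snapshot(0x2, 0)            # TH32CS_SNAPPROCESS
    pe = PROCESSENTRY32(dwSize=ctypes.sizeof(PROCESSENTRY32))
    api = set()
    ok = k32.Process32First(snap, ctypes.byref(pe))
    while ok:
        api.add(pe.th32ProcessID)
        ok = k32.Process32Next(snap, ctypes.byref(pe))
    k32.CloseHandle(snap)
    deep = set()
    for pid in range(4, max_pid, 4):                        # PIDs are multiples of 4
        h = k32.OpenProcess(0x400, False, pid)              # PROCESS_QUERY_INFORMATION
        if h:
            k32.CloseHandle(h)
            deep.add(pid)
        elif ctypes.get_last_error() == 5:                  # ERROR_ACCESS_DENIED: PID exists
            deep.add(pid)
    return View("Toolhelp32", api), View("OpenProcess sweep", deep)


if __name__ == "__main__":
    first, second, confirmed = demo_scans()
    print("constructed data, confirmed hidden:", confirmed)
    if sys.platform == "win32":
        a1, d1 = windows_process_views()
        a2, d2 = windows_process_views()
        print("live:", confirm(hidden_objects(a1, d1), hidden_objects(a2, d2)))
```

    The caveat that matters in practice: both live views here are gathered from user mode inside one process. Hacker Defender hooks ntdll in the processes it infects, so a sweep run from a hooked process can be lied to just like the snapshot can, which is why knlps and RKDetector take their deeper view from a kernel driver and why booting an external OS from CD (as MEGAFREAK suggests below) is the only view a user-mode rootkit cannot touch at all. The two-pass confirm() step is there because a process that starts or exits between the two enumerations of a single pass looks exactly like a hidden one.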
  24. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    Why this panic because of Hacker Defender?

    Just use A2N or McAfee Firewall, for example.

    Normally every good firewall blocks hidden trojans; in Armor2Net, for example, you can see the TCP connections, no matter if hidden or not!!! Reveal the hidden!

    Another good idea: use an external OS on CD from time to time and you will find nearly everything. Provided that you have enough time.
     
  25. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hacker Defender doesn't create any connection, it piggybacks onto an existing listening port ;)

    It is rather stealthy, 99.9% of the internet population would have NO idea it was there, until it caused a crash or the attacker made themselves obvious. Think of what happened to Valve Software - they had this thing on their production machines for who knows how long, a post on the Hacker Defender board says it was on there for months.. they only formatted the machine once explorer.exe started crashing. An open source rootkit with this much power is a VERY bad thing, even some trojan writers are against such power being put in newbie trojan users' hands. I know, I read their posts in my spare time, looking for information :)
     