Are AV/AT Scanner useless now? (Hacker Defender v. 1.00)

Discussion in 'malware problems & news' started by Nautilus, Jan 3, 2004.

Thread Status:
Not open for further replies.
  1. MEGAFREAK

    MEGAFREAK Registered Member

    Joined:
    Jul 8, 2003
    Posts:
    51
    This port hijacking and backdooring is indeed dangerous, I don´t know exactly how it works, but all other aspects of Hacker Defender are harmless if you know it!

    I have a Process Tool which can detect Rootkit-Driver even if they are totally stealthed or rooted, it´s one of it´s kind. I think it is the only pro-gui-tool which is able to reveal them otherwise you need a external Operation System with NTFS Access on CD, that´s it.

    I studied Hacker Defender in the last weeks, if you know the service just do: net stop.

    I don´t fear it because I know it roughly and this telnet stuff or commandline intrusion I think it is very uncomfortable, newbies never would try to use this, so the danger from novices will be not that big and a good firewall will say alert when the hidden trojan wants to connect, that´s all.

    This commandline stuff myself I don´t like it much, I prefer GUIs in every situation.
     
  2. "I have a Process Tool which can detect Rootkit-Driver ..."

    Why do you tell us that you have this tool? Why not telling us the name of this tool? (D/L location would be even better ...)
     
  3. The new version of TaskInfo 2003 will show drivers which try to cloak themselves (e.g., Hacker Defender or Process Guard).

    See here: http://home.arcor.de/testbed/taskinfo.jpg
     
  4. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,231
    How exactly do you make a file "invisible"? (Of course, it would only be "invisible" to normal file managers, and especially Explorer.)
     
  5. 1. Background

    An Application Programming Interface (API) is a set of definitions of the ways in which one piece of computer software communicates with another. It is a method of achieving abstraction, usually (but not necessarily) between lower-level and higher-level software. One of the primary purposes of an API is to provide a set of commonly-used functions. Programmers can then take advantage of the API by making use of its functionality, saving them the task of programming everything from scratch. APIs themselves are abstract: software which provides a certain API is often called the implementation of that API.

    2. Access to Files

    If explorer.exe or an AV/AT scanner want to access a file they communicate with the operating system via certain Windows API functions.

    Hacker Defender has "hooked" (intercepts) the following API functions ...

    Kernel32.ReadFile
    Ntdll.NtQuerySystemInformation
    Ntdll.NtQueryDirectoryFile
    Ntdll.NtVdmControl
    Ntdll.NtResumeThread
    Ntdll.NtEnumerateKey
    Ntdll.NtEnumerateValueKey
    Ntdll.NtReadVirtualMemory
    Ntdll.NtQueryVolumeInformationFile
    Ntdll.NtDeviceIoControlFile
    Ntdll.NtLdrLoadDll
    Ntdll.NtOpenProcess
    Ntdll.NtCreateFile
    Ntdll.NtLdrInitializeThunk
    WS2_32.recv
    WS2_32.WSARecv
    Advapi32.EnumServiceGroupW
    Advapi32.EnumServicesStatusExW
    Advapi32.EnumServicesStatusExA
    Advapi32.EnumServicesStatusA

    In consequence, if explorer.exe or a virus scanner tries to communicate with the Windows OS Hacker Defender will "sit in between" and can decide whether it will grant access to certain files. (The above API hooks also relate to regkey cloaking etc.)

    3. Implemention:

    There are various ways to implement API hooking (see http://www.codeproject.com/system/hooksys.asp ). For instance, Aphex rootkit injects a DLL for this purpose. By contrast, Hacker Defender uses a kernel mode driver. If you are interested in the details I suggest to have a closer look at the Hacker Defender source code which has been published.
     
  6. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,231
    Interesting. You can see the files with a disk editor (such as WinHex), or with a third-party file viewer that bypasses those APIs. But the trick is knowing what to look for, and when to look for it. Ah, you've just got to love all those scumbags who work so hard to make other people's lives miserable.
     
  7. @nameless

    Do you know any file viewers which do not use Win API functions?
     
  8. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,231
    I believe that X-File, made by Radsoft, is one such file viewer. I have a copy, and it allows for the display of things that Explorer refuses to show (such as the TIF directory). I'm not sure if it does this because it bypasses APIs though. Also, I don't think you can buy X-File separately.

    The best bet may be a disk editor. There are a few freeware disk editors out there (none as good as WinHex, but still usable).
     
  9. controler

    controler Guest

    shapchanger?

    What if you are using a DOS ,command line AV?
    Is Hacker Defender still able to sit in between file access?


    Thanks


    con
     
  10. @controler

    Hacker Defender is a Windows NT/2K/XP rootkit. There is no MS DOS under such operating systems. (The command prompt window under WinXP is not! MS DOS.)

    Therefore, I assume that you address the possibility to boot the computer from a bootdisk (containing MS DOS and an AV scanner) and then scan the harddrive. This will work indeed since the rootkit won't get activated at all. However, you should make sure that your harddrive is formated with FAT32 or, alternatively, you need to use NTFS Pro for DOS (from Winternals).
     
  11. controler

    controler Guest

    YUP that is what I ment go to bootdisk.com and creat a bootable
    DOS disk , then scan ;)

    In the past I was using FAT 32 on my XP machine then switched to NTFS.
    I will give the program you listed a try. :)






    con
     
  12. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Two questions: Can it really do that, and if it can, how in the heck? :D

    If TaskInfo can show HD's driver even when TaskInfo is installed post-infection, it's certainly worth every cent of the $ 35 price tag.
     
  13. "Two questions: Can it really do that,"

    No. I am a liar ;-)

    "and if it can, how in the heck?"

    I believe it uses some rare magical code.

    "If TaskInfo can show HD's driver even when TaskInfo is installed post-infection, it's certainly worth every cent of the $ 35 price tag."

    There is a trial version ... just to make sure.
     
  14. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    "No. I am a liar ;-)"

    Well, darn. :p

    "I believe it uses some rare magical code."

    Hmm. Maybe it uses some driver of its own, then... o_O

    "There is a trial version ... just to make sure."

    Yea, I noticed. Going to give it a try tomorrow. :)
     
  15. OSS

    OSS Guest

    This thread resurrection business is getting embarrassing (sorry mods), but what are your results regarding TaskInfo and HackerDefender? If TaskInfo can detect such a rootkit even if it is installed after the rootkit has infected the sys and stealthed itself, then the rootkit really is no problem, is it, and nowhere near as invincibly stealthed as hyped? I see that TaskInfo uses its own kernel driver to achieve what it does, but I don't have a system I could use as a testset... Share the information, people. :p
     
  16. OSS

    OSS Guest

    Wait a minute, why is hxdefdrv.sys code and date size 0 in that picture? Doesn't that mean that the file is somehow invisible or non-existent? It's odd, but I have a strange procexp.sys driver that TaskInfo trial shows which I cannot find from the path it is supposed to be located under (system32\drivers\) and its code and data size are 0 too. Now should I be concerned, or does that file have something to do with Sysinternals Process Explorer, which I have in its latest version? (Sorry for double posting...)
     
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,231
    I'm sure there are other utilities that can show the driver running (I tried TaskInfo2003 and disliked it pretty intensely).

    As I mentioned before, there are other ways to detect this "invincible" rootkit. The files are not "invisible"--that's impossible. Just as with the driver, you only need to know what to look for and where. (Though a driver in memory will probably stand out more than a file on disk, unless you know exactly what to look for.)
     
  18. controler

    controler Guest

    I have a DLL that taskinfo shows loading with any program and X-Setup Pro shows it as a startup behind my back DLL but a search of my intire drive sure can't find that DLL.
    I am guessing it is leftover registry entries. What I am trying to say is taskinfo 2003 and some other software shows program's DLL that have been removed by looking at registry settings.




    con
     

    Attached Files:

  19. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,231
    You're talking about "AppInit_DLLs", as mentioned here. Easy to look for once you know about it. I know of a utility that blocks the modification of this registry key, but it's not one I'd yet recommend. An easy approach would be to either set up a scheduled task to overwrite the AppInit_DLLs value on a regular and recurring basis, to set HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows to read-only, or both.
     
  20. Aphex

    Aphex Guest

    don't call my rootkit crap or I'll break your skull
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.