Golden Hacker Defender Game Over?

Discussion in 'other anti-trojan software' started by StevieO, Oct 11, 2005.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Guest

    Just seen this

    But while talking about rootkits, we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features.

    The sample we got was found by a company from several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.

    http://www.f-secure.com/weblog/#00000675


    StevieO
     
  2. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    I wonder if Hacker Defender can disable PG, OA, AE, Prevx?
     
  3. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi StevieO,

    "In a sense, direct attack against rootkit detectors requires that the rootkits update themselves faster than the detectors. This is not always possible: F-Secure Internet Security 2006 contains a feature to automatically update its BlackLight engine through anti-virus updates."

    I suspect automatic updates will soon be on the Golden Hacker Defender wish list (and price list)...

    Nick
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    And rootkit detectors will start using encryption/compression/code morphing to avoid signature detection by rootkits. Soon, it will be hard for security software to tell the two apart...
     
  5. Heck even "Security software" and not just rootkit detectors themselves will start doing stuff like that to protect itself.

    Just like in real combat. Stealth is paramount. You don't want your opponent to see you until you are ready to act.
     
  6. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Having gotten their hands on Hacker Defender Gold is a pretty big thing. Before, they were having to go about it blind, but now they have a sample that they can really reverse engineer to see how it's doing what it's doing. This will greatly enhance their ability to find a way of detecting it. It will definitely be interesting to see how it goes, and whether they share that sample.
     
  7. I can't see why they can't just anonymously pay for it, if they were really that desperate to get it. 500 euro isn't much to a big company.
     
  8. http://www.invisiblethings.org/tools.html

    System Virginity Verifier is a new "rootkit detector", but more interesting to me is the PowerPoint presentation. At the end she makes this statement about "implementation specific attacks".

     
  9. controler

    controler Guest

    deviladvocate?

    Have you tried this new command line program by Joanna? If so, what do you think?

    controler
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Do you think geniuses from both sides could get together and write a new Rootkit version of Windows that would actually work like it should and be secure?

    Naaah.....Forgettaboutit....this is so much more fun! :D
     
  11. controler

    controler Guest

    Devinco?

    Ah yes, it is way too much fun.

    It is all about the money, right?

    Rest assured MS has some.

    controler
     
  12. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    Users of Unix and Mac don't know what they are missing - they lead such quiet, uneventful lives.

    The whole world of hacking is weird - the black hats and white hats regularly get together to share ideas. Can you imagine the police and the criminals getting together and sharing their strategies? :D

    Hey crims, we just figured out a new way of detecting you - wanna hear it?
    Yeah sure cop, and we've got some new ways of avoiding detection, wanna know?
     
  13. I think everyone should try it. They will be surprised at what they find on their systems...
     
  14. Rootkits are actually from the Unix world and until recently they were way more advanced; not sure if it's true today.
     
  15. controler

    controler Guest

    I gave it a try. Service table redirection detected

    warning level 2 (yellow)

    I don't know if you tried running it twice but I get loading driver error code = 0x422 on my VM test box.

    controler
     
  16. Interesting. What software are you running that might do that?

    Possible conflict with vmware I think.
     
  17. controler

    controler Guest

    That is what I thought also on the driver thing. Running MS Shared Computer Toolkit on this box and VMware on my other.
    I knew Joanna had done some work on VMware in the past. Don't think she has messed with MS's toolkit though.


    The only security software I am running on this box is KIS beta.
    Its proactiveness does ask to allow the driver the first time. To get it to work twice on here, I have to reboot though.

    controler
     
  18. Actually I'm pretty sure I'm rooted, I got a warning level 4 (red)! :)

    There's a small chance it's mistaken because of all the other security software I run that does all sorts of kernel hooking, but it's supposed to have some intelligence at telling the difference. But maybe some of the good guys are hidden, maybe...

    I'm going to uninstall all the security software, I think that might relate, and test again to see if it makes a difference. Unless someone else can confirm.
     
  19. controler

    controler Guest

    Are you going to rerun it after each program to see which one is causing it?

    Did you only use the command svv check without any other switches?

    Well, hi ho hi ho, it's off to work I go. I will try more later.

    DA? You can always write to Joanna and ask her opinion.

    controler
     
  20. Yes definitely. Of course, there's a chance none of them are.....

    The /m switch shows the details, but they are beyond me.

    Nah, I'm too shy. Don't want to waste her time.
     
  21. controler

    controler Guest

    Oh come on, don't be a chicken. She says she tries to answer all e-mail.

    Unless it is tagged spam, which could occur if you remain anonymous. LOL

    Time to come out of the closet DA......................

    controler
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    SVV appears to work on my VMware W2K...

    C:\svv>svv
    System Virginity Verifier 1.0 (public), September 2005
    written by Joanna Rutkowska
    http://invisiblethings.org

    svv <command> [options] [/l <altKernelModuleName>]
    command is one of the following:
    check - check system virginity
    fix - try to fix suspected modifications (disinfection)

    following options are supported:
    /a verify ALL modules (may cause false positives)
    /m show details about modifications
    /c show also clean modules
    /d leave driver after finished
    /t <n> fix to target verdict level = n (valid for fix command)

    C:\svv>svv check /a
    audstub.sys (f41eb000 - f41ec000)... error code = 0x490
    Null.SYS (f4200000 - f4201000)... error code = 0x490
    dump_diskdump.sys (bfde1000 - bfde5000)... Image file not found!
    dump_vmscsi.sys (bfdd9000 - bfddc000)... Image file not found!

    SYSTEM INFECTION LEVEL: 1
    0 - BLUE
    --> 1 - GREEN
    2 - YELLOW
    3 - ORANGE
    4 - RED
    5 - DEEPRED
    Nothing suspected was detected.


    ...but stops quickly with this error on XP SP2, virtual or not, clean install or not:

    C:\svv>svv check /a
    Following important modules cannot be found:
    ntoskrnl.exe

    ERROR (code = 0x2): Important modules not found


    Nick
     
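    A small parser for the svv console output quoted above, added here as an example and not part of the original thread or of Joanna Rutkowska's tool. It turns the per-module lines, the SYSTEM INFECTION LEVEL verdict and the abort error into a structured record for triage across several boxes; the Win32 symbolic names for 0x2, 0x422 and 0x490 are standard system error codes, and it is an assumption that svv reports GetLastError() values unchanged.

```python
import re
from dataclasses import dataclass, field
from typing import Optional
# Verdict legend exactly as svv prints it in the session above.
VERDICT_COLOURS = {0: "BLUE", 1: "GREEN", 2: "YELLOW", 3: "ORANGE", 4: "RED", 5: "DEEPRED"}
# Standard Win32 system error codes; assumed (not stated in the thread) that svv
# passes GetLastError() values through unchanged.
WIN32_ERRORS = {0x2: "ERROR_FILE_NOT_FOUND", 0x422: "ERROR_SERVICE_DISABLED", 0x490: "ERROR_NOT_FOUND"}
MODULE_LINE = re.compile(r"^(?P<name>\S+) \((?P<start>[0-9a-f]+) - (?P<end>[0-9a-f]+)\)\.\.\. (?P<msg>.+)$")
LEVEL_LINE = re.compile(r"^SYSTEM INFECTION LEVEL: (?P<level>\d)$")
FATAL_LINE = re.compile(r"^ERROR \(code = (?P<code>0x[0-9a-fA-F]+)\): (?P<msg>.+)$")
CODE_IN_MSG = re.compile(r"error code = (0x[0-9a-fA-F]+)")

@dataclass
class SvvReport:
    findings: list = field(default_factory=list)  # (module, start, end, message)
    level: Optional[int] = None                    # SYSTEM INFECTION LEVEL, if printed
    fatal: Optional[str] = None                    # set when the run aborted
    @property
    def colour(self):
        return VERDICT_COLOURS.get(self.level)

def describe_code(code: int) -> str:
    """Translate a numeric error code into its Win32 symbolic name when known."""
    return WIN32_ERRORS.get(code, f"unknown (0x{code:x})")

def parse_svv_output(text: str) -> SvvReport:
    """Parse the console output of `svv check [/a]` into a structured report."""
    report = SvvReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := MODULE_LINE.match(line):
            msg = m["msg"]
            if c := CODE_IN_MSG.search(msg):   # annotate "error code = 0x490" etc.
                msg += f" [{describe_code(int(c.group(1), 16))}]"
            report.findings.append((m["name"], int(m["start"], 16), int(m["end"], 16), msg))
        elif m := LEVEL_LINE.match(line):
            report.level = int(m["level"])
        elif m := FATAL_LINE.match(line):
            report.fatal = f'{describe_code(int(m["code"], 16))}: {m["msg"]}'
    return report

def needs_follow_up(report: SvvReport) -> bool:
    """An aborted run, or a verdict of YELLOW or worse, deserves a second look."""
    return report.fatal is not None or (report.level is not None and report.level >= 2)
# Constructed sample inputs, transcribed from the two sessions quoted above.
SAMPLE_W2K = """audstub.sys (f41eb000 - f41ec000)... error code = 0x490
dump_vmscsi.sys (bfdd9000 - bfddc000)... Image file not found!
SYSTEM INFECTION LEVEL: 1
Nothing suspected was detected."""
SAMPLE_XP = "Following important modules cannot be found:\nntoskrnl.exe\nERROR (code = 0x2): Important modules not found"
```

    Controler's 0x422 from the earlier post decodes the same way, which fits the "reboot to run it twice" symptom he describes.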
  23. controler

    controler Guest

    Joanna put out a program a few months ago and nobody here commented on it.
    Guessing the same goes here.

    Now some are even saying it IS a rootkit.

    controler
     
  24. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I believe that was FLISTER, which does work well.

    Maybe it's because these apps install drivers, or maybe it's just fear of the command line. I ran IceSword 1.12 today on an infected machine, and McAfee blocked it as a trojan...

    (that's right, McAfee was running on the infected machine)

    Nick
     
  25. Command line tools are not popular here. They look dangerous and hackerish.

    Nick, I don't get the error you get.
     