Hacker Defender

Discussion in 'Trojan Defence Suite' started by perdev, Aug 23, 2003.

Thread Status:
Not open for further replies.
  1. perdev

    perdev Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    We got hit at work with a worm which included a rootkit called Hacker Defender, see Link removed for verification to Wilders TOS. Symantec created a special utility for us to detect and remove it, but I can't find any generally available anti-trojan software that indicates that they cover it. Since TDS appears to be very comprehensive, I did a test against Hacker Defender, but TDS didn't appear to either defend against it or detect it once installed. I'd like to inquire if the TDS authors have looked at Hacker Defender? I'm not real familiar with TDS and am testing with the eval version, so I might be doing something wrong.
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Perdev, You will need to set the Configuration settings with all "Startup scanning" options enabled.
    In Scan control - Scan options, enable everything except for scan for clients & edit servers. In Scan control - Generic detection, enable both the Anti Trojan & Worms/scripts boxes and move the Generic sensitivity slider to high.
    Restart TDS3 & Re-scan with these settings.
    I am not sure if TDS3 will detect the particular root kit using signatures etc. I am sure that DCS will reply on Monday morning. :D

    I have removed your link as it contains links that are not allowed within Wilders TOS
     
  3. perdev

    perdev Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Sorry about the link. It's unnecessary as the info can be found via Google. I have no urgent need to remove it; I have it installed in an isolated VMWare session and was curious if anyone has a tool that can detect it or at least protect against it. This thing is scary: it intercepts all the Windows API calls and is virtually undetectable without booting through an alternate OS, or a forensics tool (which is how we found it). Even worse is that hackers are starting to package it up with a worm, as it can hide any filenames you tell it to. This is what happened to us, and we traced the custom worm back to a Japanese hacker group. I just hope experts out there like TDS can do whatever is possible to combat this and the other rootkits which are getting created.
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello perdev,
    that is quite some study and testing you did. The DCS team put a lot of special attention into the rootkit problems, and various are in the primaries list, including Hacker Defender. If yours is not detected you might have another variety; submit to TDS -- submit@diamondcs.com.au -- for their further advice.
     
  5. perdev

    perdev Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Thanks. I just e-mailed the actual HD exe and ini file that was in the worm to that address. Perhaps it is a variation, and good to hear TDS has already addressed Hacker Defender to some extent. I should add that this is also detectable from a remote PC by looking at the services for whatever description the ini said to name it by. The default name from the downloadable one is HXD Service 073, but the one in our worm had a name of HXD Service 183.
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi perdev,

    The surest way to combat this particular beast is to scan it from another system, either across the network or putting the suspect drive in a non-suspect system as a secondary drive.

    HTH,

    Dan
     
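    The two detection ideas in posts 5 and 6 (look for the service name the ini assigned, and list the host from somewhere the rootkit cannot hook) combine into a cross-view check. The following is an added example written for this thread, not a DiamondCS or Symantec tool; the service names are constructed sample data, and the "HXD Service NNN" pattern is the naming reported in post 5.

```python
import re

# Naming reported in the thread: "HXD Service 073" by default, "HXD Service 183"
# in the custom worm. The regex is this example's assumption, not a signature.
HXD_NAME = re.compile(r"^HXD Service \d{3}$", re.IGNORECASE)


def cross_view(inside, outside):
    """Compare two listings of the same host's services.

    inside:  what the suspect host reports about itself; a user-mode rootkit
             that hooks the service-enumeration APIs controls this view.
    outside: the same host listed from a clean vantage point, e.g. a remote
             query from another machine or the Services key read from the
             suspect drive's SYSTEM hive mounted as a secondary disk.
    Returns three sorted lists:
      hidden  - present outside but not inside: something is hiding them
      phantom - present inside but not outside: views drifted, re-collect
      by_name - names in either view matching the default HXD naming
    """
    def norm(names):
        # Key on case-folded, trimmed names so "HXD service 183 " still matches.
        return {n.strip().lower(): n.strip() for n in names}

    i, o = norm(inside), norm(outside)
    hidden = sorted(o[k] for k in o.keys() - i.keys())
    phantom = sorted(i[k] for k in i.keys() - o.keys())
    by_name = sorted({n for n in [*i.values(), *o.values()] if HXD_NAME.match(n)})
    return {"hidden": hidden, "phantom": phantom, "by_name": by_name}


if __name__ == "__main__":
    # Constructed sample: the host's own listing versus a remote/offline one.
    self_reported = ["Dhcp", "EventLog", "LanmanServer", "Spooler"]
    remote_listing = ["Dhcp", "EventLog", "HXD Service 183", "LanmanServer", "Spooler"]
    for key, names in cross_view(self_reported, remote_listing).items():
        print(f"{key:8}: {names}")
```

    Anything in the `hidden` list is worth pulling from the offline copy of the drive, since the live host will not show you its binary either.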
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might like to add to your arsenal too the Port Explorer to see all kinds of connections and hidden processes, which could mean backdoors and other suspicious connections and trojans/backdoors.
    Another tool is the command line tool OpenPorts and you should have an extra look at the APM (advanced process manipulation tool) which is splendid for this task!
    http://www.diamondcs.com.au/index.php?page=products
     
  8. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    darn i missed out again, these are rare, to find something to get past tds
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Mr Blaze, I am sure Gavin will have it covered by Monday if it is not already ;)
     
  10. perdev

    perdev Registered Member

    Joined:
    Aug 23, 2003
    Posts:
    4
    Gavin did respond to me Sunday that this was a modified version of Hacker Defender, and was adding a signature. I just completed a test with the current signatures and it now identifies it as Rootkit.Hacker Defender 7.3b. This was just a simple scan against the executable on an uninfected PC; I may do more in-depth testing at a later date. Thanks for all your responses, TDS looks like a great product and I will be looking into it more.
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're not the first to say so :)
    It's central on my system for all kinds of other functions in the meantime, sometimes adding some fun to security and other unexpected abilities for a security program!
    Especially in the registered version, with the ability of running scripts and the exec protection installed, which on another occasion in all those years blocked a file from executing that scanning told me was a nasty.
    Great, isn't it?
     