We got hit at work with a worm which included a rootkit called Hacker Defender, see [Link removed for verification to Wilders TOS]. Symantec created a special utility for us to detect and remove it, but I can't find any generally available anti-trojan software that indicates that they cover it. Since TDS appears to be very comprehensive, I did a test against Hacker Defender, but TDS didn't appear to either defend against it or detect it once installed. I'd like to inquire if the TDS authors have looked at Hacker Defender? I'm not really familiar with TDS and am testing with the eval version, so I might be doing something wrong.
Hi Perdef, you will need to set the Configuration settings with all "Startup scanning" switches enabled. In Scan control - Scan options, enable everything except for scan for clients & edit servers. In Scan control - Generic detection, enable both the Anti Trojan & Worms/scripts boxes and move the Generic sensitivity slider to high. Restart TDS3 & re-scan with these settings. I am not sure if TDS3 will detect the particular rootkit using signatures etc. I am sure that DCS will reply on Monday morning. I have removed your link as it contains links that are not allowed within Wilders TOS.
Sorry about the link. It's unnecessary as the info can be found via Google. I have no urgent need to remove it; I have it installed in an isolated VMware session and was curious if anyone has a tool that can detect it or at least protect against it. This thing is scary: it intercepts all the Windows API calls and is virtually undetectable without booting through an alternate OS or using a forensics tool (which is how we found it). Even worse is that hackers are starting to package it up with a worm, as it can hide any filenames you tell it to. This is what happened to us, and we traced the custom worm back to a Japanese hacker group. I just hope experts out there like TDS can do whatever is possible to combat this and the other rootkits which are getting created.
Hello perdev, that is quite some study and testing you did. The DCS team put a lot of special attention into the rootkit problems, and various are in the primaries list, including Hacker Defender. If yours is not detected you might have another variety; submit it to TDS -- submit@diamondcs.com.au -- for their further advice.
Thanks. I just e-mailed the actual HD exe and ini file that was in the worm to that address. Perhaps it is a variation, and it is good to hear TDS has already addressed Hacker Defender to some extent. I should add that this is also detectable from a remote PC by looking at the services for whatever description the ini said to name it by. The default name from the downloadable one is HXD Service 073, but the one in our worm had a name of HXD Service 183.
Hi perdev, The surest way to combat this particular beast is to scan it from another system, either across the network or putting the suspect drive in a non-suspect system as a secondary drive. HTH, Dan
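The two detection ideas in the posts above (looking for the service name the ini assigned, and reading the suspect disk from a clean system instead of trusting the hooked API) combine into a simple cross-view check. The script below is an added example and is not code from the thread or from DiamondCS; the `sc query` listing and the `.reg` export it parses are constructed inputs, and the `SUSPECT_PLACEHOLDER.exe` image path stands in for whatever binary the ini pointed at. A service that appears in the offline registry hive but not in the live Service Control Manager view is exactly what an API-hooking rootkit produces.

```python
"""Cross-view check for hidden Windows services (added example, constructed data)."""
import re

# Constructed: what the live, possibly hooked, SCM reports, in the text format
# `sc query type= service state= all` prints. The rootkit's own service is absent.
LIVE_SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
"""

# Constructed: a .reg export of the Services key taken from the suspect disk
# mounted as a secondary drive in a clean machine (no hooks in the way).
OFFLINE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler\Parameters]
"Foo"="bar"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp]
"DisplayName"="DHCP Client"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HXD Service 183]
"DisplayName"="HXD Service 183"
"ImagePath"="C:\\example\\SUSPECT_PLACEHOLDER.exe"
"""

# Display-name pattern seen in this thread (HXD Service 073 / HXD Service 183).
# Hacker Defender takes its name from the ini, so treat this as one indicator only.
SUSPICIOUS_DISPLAY = re.compile(r"^HXD Service \d+$")

SERVICES_KEY = r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$"


def parse_sc_query(text):
    """Map service name -> display name from `sc query` style output."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(r"SERVICE_NAME:\s*(.+)$", line)
        if m:
            current = m.group(1).strip()
            services[current] = ""
            continue
        m = re.match(r"DISPLAY_NAME:\s*(.+)$", line)
        if m and current:
            services[current] = m.group(1).strip()
    return services


def parse_reg_services(text):
    """Map service name -> display name from a .reg export of the Services key.
    Only direct children of Services\\ count; Parameters-style subkeys are skipped."""
    services, current = {}, None
    for line in text.splitlines():
        m = re.match(SERVICES_KEY, line)
        if m:
            current = m.group(1)
            services.setdefault(current, "")
            continue
        if line.startswith("[") and line.endswith("]"):
            current = None  # some other key (e.g. a subkey); ignore its values
            continue
        m = re.match(r'"DisplayName"="(.*)"$', line)
        if m and current:
            services[current] = m.group(1)
    return services


def hidden_services(live, offline):
    """Services present on disk but missing from the live API view."""
    return {name: disp for name, disp in offline.items() if name not in live}


def flag_known_names(services):
    """Service names whose display name matches the HXD pattern from the thread."""
    return sorted(name for name, disp in services.items() if SUSPICIOUS_DISPLAY.match(disp))


def run_check(live_text=LIVE_SC_QUERY, offline_text=OFFLINE_REG_EXPORT):
    live = parse_sc_query(live_text)
    offline = parse_reg_services(offline_text)
    return {"hidden": hidden_services(live, offline), "flagged": flag_known_names(offline)}


if __name__ == "__main__":
    for kind, hits in run_check().items():
        print(kind, hits)
```

In practice the offline side comes from the mounted hive (or from a remote registry query, as the earlier post suggests) and the live side from the suspect box itself; any entry in `hidden` deserves attention regardless of its name, while `flagged` only catches variants that kept the default naming scheme.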
You might also like to add Port Explorer to your arsenal, to see all kinds of connections and hidden processes, which could mean backdoors and other suspicious connections and trojans/backdoors. Another tool is the command line tool OpenPorts, and you should have an extra look at APM (Advanced Process Manipulation tool), which is splendid for this task! http://www.diamondcs.com.au/index.php?page=products
Gavin did respond to me Sunday that this was a modified version of Hacker Defender, and was adding a signature. I just completed a test with the current signatures and it now identifies it as Rootkit.Hacker Defender 7.3b. This was just a simple scan against the executable on an uninfected PC; I may do more in-depth testing at a later date. Thanks for all your responses, TDS looks like a great product and I will be looking into it more.
You're not the first to say so. It's central on my system for all kinds of other functions in the meantime, sometimes adding some fun to security and other unexpected abilities for a security program! Especially in the registered version, with the ability of running scripts and the exec protection installed, which once again in all those years blocked a file from executing which scanning told me was a nasty. Great, isn't it?