Hacker defender

Discussion in 'other security issues & news' started by nadirah, Nov 21, 2004.

Thread Status:
Not open for further replies.
  1. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I'd like to know more about a trojan called Hacker Defender. Can anyone please state some information about it?
    I want to know what it does and how harmful it is. And what's the solution to get rid of it?
    I've heard some reports that Hacker Defender is a rootkit trojan. What is a rootkit trojan?
     
    Last edited: Nov 21, 2004
  2. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    See http://scheinsicherheit.sc.funpic.de/rootkits.htm

    Rootkits are used to disguise and hide trojans. Anyone who has this on their system might as well reformat, because after a rootkit is installed many changes to the operating system could have occurred and there is no telling for sure whether or not additional backdoors have been installed to be re-activated in the future.

    Hacker Defender can be extremely harmful. It is probably the most popular rootkit for Windows. There are other rootkits, but generally HacDef is used the most. Rootkits are also extremely difficult to detect. If one ever happens to activate on your system, any scanner that you are currently using might not be able to detect it.

    By the way....right now, I am in Singapore. I love your city here. I fly back to the USA tomorrow around 1 PM....I get out just in time to escape the rainy season :)



    Starrob


     
  3. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Thanks for the info starrob. I'll add it to my knowledge.
    BTW, enjoy your stay in Singapore! :D:D
     
  4. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  5. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Last edited: Nov 21, 2004
  6. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Oh, one last question: Will a firewall stop hacker defender?
     
  7. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Sorry, Nadirah

    That's my typing behaviour. I know you are a radiant girl ;)

    Gerard
     
  8. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    No, Hacker Defender hides anything the hacker wants on your system. It will hide things from your AV/AT/FW and even from things like Regedit and Task Manager. It makes the trojan invisible. You won't even know it is there.


    Starrob


     
  9. Hi, I am afraid to read this. Is there a solution for this scrap named Hacker Defender? There must be at least one!!!!

    uuuuuuuuhh
     
  10. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Process Guard will prevent it from installing.
     
  11. Meltdown

    Meltdown Registered Member

    Joined:
    Sep 17, 2004
    Posts:
    299
    Location:
    Babylon
    AVs and ATs should have it in their signatures, so you'd be warned before you installed it. NOD32 definitely catches it.
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    For any rootkit trojan to have an effect, you have to run it. That means it can be detected or blocked by:
    1. Anti-virus or anti-trojan scanners that recognise the signature of that specific trojan;
    2. Applications that intercept any attempt to run new or altered programs (Process Guard's Execution Protection feature and System Safety Monitor's Application Watching);
    3. Applications that restrict driver/service installation (Process Guard and System Safety Monitor 1.9.5 onwards).
    The real danger is if someone managed to package such a rootkit trojan with a legitimate software installation that also required a driver/service install - System Safety Monitor (which prompts on each driver/service individually) coupled with user knowledge of what was legitimate or not would be the only real defence here.
     
  13. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    That is the scenario that I am trying to figure out a defense against. AV/AT scanners have HacDef in their definitions, but people can use different methods to beat file scanners so that various AV/AT scanners will not detect it during a scan.

    I also read somewhere that HacDef is still under development and that the author with each version makes it more and more difficult to detect after it is run.

    Really the only defense against this is common sense and a real good knowledge of what exactly is being installed on the computer. I don't install software by fly-by-night companies and I block all driver installs on all software. If software requires a driver install then it had better be coming from a really reputable company that I can halfway trust. Right now, that is my only weak defense.....

    Once someone is infected with HacDef it is time for a reformat. I have seen threads where people were suggesting using things like HijackThis and the "normal" techniques for removing adware and milder trojans, and I knew deep down they were probably not going to get very far.

    There is different software that claims to find rootkits, but most of that software is located on blackhat sites and it is not certain that the software can find the rootkit, or if it does, the infected computer probably cannot be put back into its original state (i.e. the system might be unstable or contain other backdoors).

    If HacDef is run on your computer the game is over. You might as well reformat.....or you could waste many hours trying to fix it and either have an unusable computer and have to reformat anyway, or constantly be worried that information was still being stolen by some other hidden backdoor that was not found by all the efforts.

    Ok...I've got to pack up my computer now and get to the airport. I've got a long flight from Singapore to New York. I guess I will next be online in around 24 hours, when I am plugged into my own connection at home. I look forward to reading a few threads when I get back. There is some interesting reading to do....Well, time to go....I hate these long flights!!!


    Starrob
     
    Last edited: Nov 21, 2004
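The scenario the last two posts worry about, a driver or service install riding along with an otherwise ordinary setup program, can at least be audited after the fact. What follows is an added example, not code from this thread or from any of the products named in it: a Python script that reads the System log's service-installation events (Event ID 7045 from the Service Control Manager, "A service was installed in the system", which later Windows versions export with `wevtutil qe System /q:"*[System[(EventID=7045)]]" /f:text`) and flags installs that were not authorised, that load kernel-mode code, or that keep their binary in a temp or profile directory. The event records, service names and paths below are constructed for the example and are hypothetical, and `EXPECTED` is an assumption standing in for the installs you actually approved.

```python
"""Audit Service Control Manager 'service installed' events (ID 7045).

Added example, not from the thread. Blocking driver/service installs is one
side of the defence the posts describe; reviewing what did get installed is
the other. The records below are constructed in the text form Event Viewer
shows for event 7045; service names and paths are hypothetical.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_EVENTS = r"""
Date: 2004-11-19T21:03:11
A service was installed in the system.

Service Name:  ExampleAVDrv
Service File Name:  C:\WINDOWS\system32\drivers\exav.sys
Service Type:  kernel mode driver
Service Start Type:  system start
Service Account:

Date: 2004-11-21T22:31:07
A service was installed in the system.

Service Name:  svchlp
Service File Name:  C:\DOCUME~1\user\LOCALS~1\Temp\setup\svchlp.sys
Service Type:  kernel mode driver
Service Start Type:  auto start
Service Account:

Date: 2004-11-21T22:31:09
A service was installed in the system.

Service Name:  ExampleUpdater
Service File Name:  "C:\Program Files\Example\updater.exe"
Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
"""

# Assumption: the installs you knowingly authorised on this machine.
EXPECTED = {"ExampleAVDrv"}

FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):[ \t]*(.*)$",
    re.M,
)
DRIVER_DIR = r"c:\windows\system32\drivers"
PROFILE_MARKERS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\", "\\users\\")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split the exported text into one dict per 7045 record."""
    events = []
    for chunk in re.split(r"(?m)^Date:[ \t]*", text):
        if "A service was installed" not in chunk:
            continue
        ev = {"date": chunk.splitlines()[0].strip()}
        for key, val in FIELD_RE.findall(chunk):
            ev[key] = val.strip().strip('"')
        events.append(ev)
    return events


def audit(text: str, expected: Set[str]) -> List[Tuple[str, str, str, List[str]]]:
    """Return (severity, date, service name, reasons) for every install event."""
    findings = []
    for ev in parse_events(text):
        name = ev.get("Service Name", "?")
        raw_path = ev.get("Service File Name", "")
        path = raw_path.lower()
        kernel = "kernel mode" in ev.get("Service Type", "").lower()
        start = ev.get("Service Start Type", "").lower()
        unexpected = name not in expected
        in_profile = any(marker in path for marker in PROFILE_MARKERS)
        reasons = []
        if unexpected:
            reasons.append("not an install you authorised")
        if kernel:
            reasons.append("loads kernel-mode code")
            if not path.startswith(DRIVER_DIR):
                reasons.append("driver image outside system32\\drivers: " + raw_path)
        if in_profile:
            reasons.append("image lives in a temp or user-profile directory")
        if unexpected and start in ("boot start", "system start", "auto start"):
            reasons.append("starts automatically at every boot")
        # An unauthorised kernel driver, or anything run out of a temp dir, is
        # exactly the rootkit-install pattern the posts describe.
        if unexpected and (kernel or in_profile):
            severity = "HIGH"
        elif unexpected:
            severity = "MEDIUM"
        else:
            severity = "INFO"
        findings.append((severity, ev["date"], name, reasons))
    return findings


if __name__ == "__main__":
    for severity, date, name, reasons in audit(SAMPLE_EVENTS, EXPECTED):
        print(f"{severity:6} {date} {name}: " + "; ".join(reasons))
```

The expected list is the part that needs a human: the script cannot tell a vendor's legitimate filter driver from a rootkit's, it can only tell you that a kernel driver appeared that you did not sign off on, and where its image sits. A driver loaded out of a temp directory with auto start is the case to treat as a compromise until proven otherwise.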
  14. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Ok, but I want to know how Hacker Defender gets into the computer. How does it manage to get in, and through which method?
     
    Last edited: Nov 22, 2004
  15. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The same as any other malware:
    • Disguised as a "useful" program that you decide to download and run;
    • Included in an email (probably including HTML code designed to exploit an IE/Outlook weakness, now patched, that caused them to open attachments if an email was previewed);
    • Embedded in a webpage (most likely via an ActiveX control, either running it directly or downloading and running it later).
    Good sense, basic security and a purge of all things Microsoft are the best defenses.
     
  16. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    I ran a rootkit detector from: http://bagpuss.swan.ac.uk/comms/RKDetectorv0%5B1%5D.62.zip

    Results:
    SUSPICIOUS MODULE FOUND: C:/WINDOWS/SYSTEM32/LPK.DLL
    SUSPICIOUS MODULE FOUND: C:/WINDOWS/SYSTEM32/USP10.DLL
    WARNING: C:/WINDOWS/SYSTEM32/MSVCRT.DLL seems to be HOOKED!

    Should I be worried about this? :(
     
  17. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Try using the Microsoft DLL Help Database to check on potentially suspicious DLLs (both lpk.dll and usp10.dll could be legitimate, you need to check versions and filesizes).

    As for hooks being present, many security programs also use them. Which ones are you running? Also try using another program like Patchfinder 2 to verify the results.

    Finally, the best check is to monitor network traffic coming from your PC using another PC running a packet sniffer. In a pinch, a router with a firewall will do if you use one - just set it to block (and log) everything and shut down all applications on your PC (including any automated updates). Any traffic sent then should be regarded as suspicious except for DHCP IP address renewals (which should only go to the router anyway). While a trojan does not have to send network traffic to do mischief, in practice they all do in order to allow someone else to take control of your system.
     
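The quiet-host check in the post above can be scripted. The following is an added example and not part of the original thread: it reads a block-and-log firewall record taken while the suspect PC had every application shut down, keeps only what the post allows (a DHCP renewal from client port 68 to the router's port 67, unicast to the router or broadcast) and reports every other flow from the suspect's address, grouped by destination so that a beaconing backdoor shows up as repeated hits on one remote endpoint. The log lines, addresses and the netfilter-style record format are constructed for the example; adapt the regular expression to your own router's log syntax.

```python
"""Quiet-host check: flag any traffic a supposedly idle PC sends.

Added example, not from the thread. Rule from the post above: with every
application on the suspect PC shut down and the router set to block and log
everything, the only traffic the PC may legitimately send is a DHCP renewal
to the router. Log format, addresses and timestamps below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log: one line per blocked packet, netfilter style.
SAMPLE_LOG = """\
Nov 22 01:12:03 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=68 DPT=67 LEN=328
Nov 22 01:12:35 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=TCP SPT=1043 DPT=6667 LEN=48
Nov 22 01:13:02 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=1025 DPT=53 LEN=61
Nov 22 01:14:10 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=1044 DPT=80 LEN=52
Nov 22 01:14:11 router kernel: DROP IN=br0 SRC=192.168.1.31 DST=198.51.100.9 PROTO=TCP SPT=2200 DPT=443 LEN=52
Nov 22 01:15:35 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=TCP SPT=1045 DPT=6667 LEN=48
Nov 22 01:16:01 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=255.255.255.255 PROTO=UDP SPT=68 DPT=67 LEN=328
Nov 22 01:16:30 router kernel: DROP IN=br0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=ICMP TYPE=8 LEN=84
"""

# SPT/DPT are optional so that ICMP records (no ports) still parse.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]


def parse_log(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flows.append(Flow(m["ts"], m["src"], m["dst"], m["proto"],
                          int(m["spt"]) if m["spt"] else None,
                          int(m["dpt"]) if m["dpt"] else None))
    return flows


def is_dhcp_renewal(flow: Flow, gateway: str) -> bool:
    """The one thing an idle client may send: UDP 68 -> 67, to the router
    (unicast renewal) or to the broadcast address (rebind)."""
    return (flow.proto == "UDP" and flow.sport == 68 and flow.dport == 67
            and flow.dst in (gateway, "255.255.255.255"))


def suspicious_flows(text: str, suspect: str, gateway: str) -> List[Flow]:
    """Everything the suspect host sent that is not a DHCP renewal."""
    return [f for f in parse_log(text)
            if f.src == suspect and not is_dhcp_renewal(f, gateway)]


def summarize(flows: List[Flow]) -> List[Tuple[Tuple[str, str, Optional[int]], int]]:
    """Group by (dst, proto, dport), most frequent first: a backdoor that
    polls its controller stands out as repeated hits on one endpoint."""
    counts = {}
    for f in flows:
        key = (f.dst, f.proto, f.dport)
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    flagged = suspicious_flows(SAMPLE_LOG, "192.168.1.20", "192.168.1.1")
    for (dst, proto, dport), n in summarize(flagged):
        print(f"{n:3}x  {proto:4} -> {dst}:{dport}")
```

Nothing on the list is proof by itself. The DNS query to the router, for example, may come from a Windows service rather than a backdoor, but on a PC with every application shut down it still means something was resolving a name. Repeated connections to one remote address and port, as the grouping shows for the IRC-style port above, are what to chase first.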
  18. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
  19. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    Ok, I've now confirmed that those suspicious files found are legitimate. I suspected them to be part of Hacker Defender, but I checked them in the Microsoft DLL library and confirmed that they were ok.
    So, my computer is clean and ok. Anyway, thx to everyone who replied! :D
     
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    While not wishing to up the paranoia factor unnecessarily here, *chortles evilly* one of the "features" of a rootkit is the ability to alter basic Windows services to disguise its presence - so it could make a file invisible to Windows Explorer or supply false details (e.g. a different filesize, date or version) to hide alterations to a file. Running processes could be similarly hidden using a modified Task Manager or by changing Windows' internal data structures preventing any other process monitor from getting a full picture of what is running.

    If you think you have got a rootkit on your system then you need to reboot using a known clean source (e.g. a Windows or Linux CD). With a Windows CD, try using the Recovery Console (see Description of the Windows XP Recovery Console for more information) to check the details - with a Linux CD (Knoppix being a particularly suitable distribution since it can run from CD only) you should be able to view and check your Windows folder contents also. Either method will bypass any attempt by a rootkit to hide itself.
     
  21. AlbatroS

    AlbatroS Registered Member

    Joined:
    Sep 19, 2004
    Posts:
    11
    It seems Hacker Defender can't hide traffic: Outpost alerts me if a hidden app tries to connect. It may be because Outpost works at kernel level, in the same way Hacker Defender does.
     
  22. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi AlbatroS,

    Hacker Defender only hides open ports from netstat-type utilities. It is not able or designed to hide traffic.

    Nick
     
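Post 20 (a rootkit can filter the file listing and lie about sizes and dates, so take a second listing from a clean-boot CD) and post 22 (Hacker Defender hides a port from netstat but cannot hide the packets, which a sniffer on another machine still sees) come down to the same check: compare what the running system reports with a view that does not pass through its APIs, and look at the differences. Below is an added example of that cross-view diff in Python; it is not code from this thread or from any tool named in it. The file listings, netstat output, sniffer lines, paths, sizes and dates are all constructed sample data, and the file names are hypothetical.

```python
"""Cross-view rootkit check: diff what the running system says against a
view taken without going through its (possibly hooked) APIs.

Added example, not from the thread. Reference views used here:
  * a listing of the Windows folder taken from a clean-boot CD (post 20)
    versus the same listing taken inside the running system;
  * listening ports proven by a packet sniffer on another machine (a SYN-ACK
    *sent by* the suspect host) versus what netstat on the suspect host
    reports (post 22).
A rootkit that filters API results appears as entries present in the
reference view but missing or altered in the live view. All data below is
constructed; file names, sizes and dates are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileInfo:
    size: int
    mtime: str


def cross_view(live: Dict, reference: Dict) -> Dict[str, List]:
    """Diff two views of the same objects.

    `reference` bypasses the suspect system's own APIs; `live` is what the
    running system reports. Returns keys the live view hides, keys whose
    attributes the two views disagree on, and keys only the live view has
    (usually noise: files created between the two listings, or ports nobody
    happened to contact during the capture).
    """
    hidden = sorted(k for k in reference if k not in live)
    altered = sorted(k for k in reference if k in live and live[k] != reference[k])
    live_only = sorted(k for k in live if k not in reference)
    return {"hidden": hidden, "altered": altered, "live_only": live_only}


# --- View 1: file listings (constructed; hypothetical sizes and dates) ---
LIVE_FILES = {  # 'dir' run inside the running Windows
    r"C:\WINDOWS\system32\lpk.dll": FileInfo(22016, "2004-08-04"),
    r"C:\WINDOWS\system32\msvcrt.dll": FileInfo(343040, "2004-08-04"),
    r"C:\WINDOWS\system32\notepad.exe": FileInfo(69120, "2004-08-04"),
}
OFFLINE_FILES = {  # the same folder listed from a Knoppix CD
    r"C:\WINDOWS\system32\lpk.dll": FileInfo(22016, "2004-08-04"),
    r"C:\WINDOWS\system32\msvcrt.dll": FileInfo(347136, "2004-11-19"),  # patched; live view lies
    r"C:\WINDOWS\system32\notepad.exe": FileInfo(69120, "2004-08-04"),
    r"C:\WINDOWS\system32\hidden_example.exe": FileInfo(53248, "2004-11-19"),
    r"C:\WINDOWS\system32\drivers\hidden_example.sys": FileInfo(4096, "2004-11-19"),
}

# --- View 2: listening ports (constructed netstat -an and tcpdump output) ---
NETSTAT_OUTPUT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1044      198.51.100.7:80        ESTABLISHED
"""
SNIFFER_OUTPUT = """\
01:12:35.104 IP 203.0.113.45.4011 > 192.168.1.20.2004: Flags [S], seq 1
01:12:35.105 IP 192.168.1.20.2004 > 203.0.113.45.4011: Flags [S.], seq 2, ack 2
01:12:40.220 IP 192.168.1.20.1044 > 198.51.100.7.80: Flags [S], seq 3
01:12:40.240 IP 198.51.100.7.80 > 192.168.1.20.1044: Flags [S.], seq 4, ack 4
01:12:41.000 IP 192.168.1.31.3999 > 192.168.1.20.445: Flags [S], seq 5
01:12:41.001 IP 192.168.1.20.445 > 192.168.1.31.3999: Flags [S.], seq 6, ack 6
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.M)
SNIFF_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)


def netstat_listening(text: str) -> Dict[int, str]:
    """Ports the suspect host itself claims to be listening on."""
    return {int(p): "LISTENING" for p in NETSTAT_RE.findall(text)}


def sniffed_listening(text: str, host: str) -> Dict[int, str]:
    """A SYN-ACK sent *by* the host proves a listener on that source port,
    whatever the host's own netstat says."""
    ports = {}
    for m in SNIFF_RE.finditer(text):
        if m["src"] == host and m["flags"] == "S.":
            ports[int(m["sport"])] = "LISTENING"
    return ports


def run_checks(host: str = "192.168.1.20") -> Dict[str, Dict[str, List]]:
    return {
        "files": cross_view(LIVE_FILES, OFFLINE_FILES),
        "ports": cross_view(netstat_listening(NETSTAT_OUTPUT),
                            sniffed_listening(SNIFFER_OUTPUT, host)),
    }


if __name__ == "__main__":
    for view, result in run_checks().items():
        for verdict, keys in result.items():
            for key in keys:
                print(f"{view:5} {verdict:9} {key}")
```

In the ports view, entries only netstat shows are not suspicious: the sniffer can only attest to a listener that was actually contacted during the capture, so those are merely unexercised. Entries the sniffer proves but netstat omits, and files the offline listing shows with a different size or date than the live one, are the ones to chase.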
  23. Cabbyjohnson

    Cabbyjohnson Guest

    Can anyone tell me if reformatting to get rid of hacker defender will affect my computer negatively. And what is the procedure? Will I have to re-install any programs? I work through a VPN with my corporate office. Should I be worried to infect others?

    Thank you.
     
  24. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi Cabbyjohnson,

    While reformatting will remove Hacker Defender, it will also wipe your drive clean and you will lose everything. You will have to reinstall everything. Before going that route, you should back up any important documents. I have no experience with VPNs and what permissions your system would have with respect to systems at the other end. In the worst case, whoever compromised and controls your system will have the same privileges as you when connecting to your corporate office.

    Nick
     
  25. Starrob

    Starrob Registered Member

    Joined:
    Apr 14, 2004
    Posts:
    493
    There are many ways to beat a FW....the techniques used by trojans such as Beast and Flux can beat a FW.

    Hacker Defender can be used to hide these and just about any malware that a script kiddy wants.


    Starrob

     