Hacker Defender


Overview

Vendor Notes:

from the doc:
Hacker Defender v0.2.1 - English readme

Main
Hacker Defender v0.2.1 by Holy_Father
Hacker Defender is a rootkit for Windows NT 4.0, Windows 2000 and Windows XP. The main code was written in Delphi 6. Functions for the new thread are written in assembler.
The program uses an adapted LDE32:
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE, special edition for REVERT tool, version 1.05

Usage
>hxdef021.exe [inifile]
The default hxdef021.ini is used if run without specifying the inifile.
Idea
The main idea of this program was to use the API functions WriteProcessMemory and CreateRemoteThread to create a new thread in all running processes. The new thread will rewrite some functions in system modules (mostly kernel32.dll) and inject fake code which will check API results and change those results in specific cases. The program must be absolutely hidden from all others. The program installs hidden backdoors and registers as a hidden system service.
Version
TODO
- extend backdoor (create admin part)
- net functions for backdoor
- run root process on system level

0.2.1
+ always run as service

0.2.0
+ system service installation
+ hiding in database of installed services
+ hidden backdoor
+ no more working with windows

0.1.1
+ hidden in tasklist
+ usage - possibility to specify name of inifile
x found and then fixed bug in communication
x fixed bug in using advapi
- found bug with debuggers

0.1.0
+ infection of system services
+ smaller, tidier, faster code, more stable program
x fixed bug in communication

0.0.8
+ hiding files
+ infection of new processes
- can't infect system services
- bug in communication
Hooked API
List of API functions which are changed:
Kernel32.FindFirstFileExW
Kernel32.FindNextFileW
Kernel32.CreateProcessW
Ntdll.NtQuerySystemInformation (class 5)
WS2_32.recv
WS2_32.WSARecv
WSOCK32.recv
Kernel32.ReadFile
Advapi32.EnumServicesStatusW
Advapi32.EnumServicesStatusA
Inifile
There are more settings in this version. The inifile must contain three parts: [Hidden Table], [Root Processes] and [Hidden Services]. Hidden Table is a list of files and directories which should be hidden. There is no chance to find those files and directories. Programs in this list will be hidden in the tasklist. Root Processes is a list of programs which will be immune against infection. You can see hidden files, directories and programs only with these root programs. So, root processes are for rootkit admins. Hidden Services is a list of service names which will be hidden in the database of installed services. The service name for the main rootkit program is HackerDefender021.
Backdoor
The rootkit hooks some API functions connected with receiving packets from the net. If the incoming data equals a 512 bits long key, a shell instance is created and the next incoming data are redirected to this shell. Because the rootkit hooks all processes in the system, all TCP ports on servers will be backdoors. This backdoor will work only on servers where the incoming buffer is larger than or equal to 512 bits. But this feature is on almost all standard servers like Apache, IIS, Oracle. So, the backdoor is created and it is hidden because its packets go through common servers on the system. So, you are not able to find it with a classic portscanner and this backdoor can easily go through a firewall. The exception to this are classic proxies which are protocol oriented, e.g. for FTP or HTTP. During tests on IIS services it was found that the HTTP server does not log any of these connections; the FTP and SMTP servers log only the disconnection at the end. You have to use a special client if you want to connect to the backdoor. The program bdcli021.exe is used for this.
usage: bdcli021.exe host port
Known Bugs
Only one bug is known. Processes which are being debugged at the moment can't be infected, because their debugger has exclusive rights to them. The infection will be lost if the process is debugged during infection. So, it will not be changed and will see everything. I think this is not a serious bug, because there is only a small chance to apply this. I need help with solving this problem. It is not serious, but I have no idea how to fix it.
Holy_Father
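The readme's Idea and Hooked API sections describe the rootkit overwriting the start of exported functions in system modules (mostly kernel32.dll) with a transfer into its own code. A defender's check for that kind of patching compares the prologue bytes of an export as read from the live process with the same bytes from the DLL image on disk, decodes any control transfer written over the prologue, and asks whether it leaves the module's own image range. The script below is an added example and is not code from this page or from the rootkit's author; every byte string, address and module range in it is a constructed fixture (on a real host the in-memory bytes would come from ReadProcessMemory and the on-disk bytes from the mapped file), and the export names are taken from the readme's hooked-API list purely as labels.

```python
"""Inline-hook triage: in-memory prologue vs. on-disk prologue of an export.
Added example; all fixtures below are constructed, not real kernel32 values."""
import struct


def decode_leading_jump(code: bytes, address: int):
    """Decode a control transfer at the first byte of `code`, which sits at
    virtual address `address`. Returns (kind, target) or None when the first
    instruction is not a jump."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:                       # jmp rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        return "jmp rel8", (address + 2 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[:2] == b"\xff\x25":               # jmp dword ptr [abs32]
        return "jmp [mem]", struct.unpack_from("<I", code, 2)[0]  # pointer slot only
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return "push/ret", struct.unpack_from("<I", code, 1)[0]
    return None


def check_export(name, address, mem_bytes, disk_bytes, module_base, module_size):
    """Classify one export. 'patched' means memory differs from disk;
    'suspicious' means the patched prologue transfers control outside the
    module image (a rootkit's code lives in memory it allocated itself)."""
    patched = mem_bytes != disk_bytes
    verdict = {"export": name, "patched": patched, "jump": None,
               "target": None, "suspicious": False}
    jump = decode_leading_jump(mem_bytes, address) if patched else None
    if jump:
        kind, target = jump
        verdict["jump"], verdict["target"] = kind, target
        in_module = module_base <= target < module_base + module_size
        # An indirect jump only yields a pointer slot, so any altered
        # prologue of that shape is reported as suspicious.
        verdict["suspicious"] = (kind == "jmp [mem]") or not in_module
    return verdict


def scan(module_base, module_size, exports):
    """Run check_export over (name, address, mem_bytes, disk_bytes) tuples
    and return verdicts for every export whose prologue was altered."""
    return [v for v in (check_export(n, a, m, d, module_base, module_size)
                        for n, a, m, d in exports) if v["patched"]]


# --- Constructed fixture (illustrative addresses, not real kernel32 values) ---
KERNEL32_BASE, KERNEL32_SIZE = 0x7C800000, 0x000F6000
CLEAN = bytes.fromhex("8bff558bec")          # mov edi,edi; push ebp; mov ebp,esp
FINDNEXT_ADDR, TRAMPOLINE = 0x7C80EF42, 0x00A30000   # trampoline outside the image
# Prologue overwritten with "jmp rel32" into the trampoline (constructed).
HOOKED = b"\xe9" + struct.pack("<i", TRAMPOLINE - (FINDNEXT_ADDR + 5))
# Benign-looking case: "jmp rel8" back 7 bytes into the padding before the
# function, which stays inside the module (the shape Windows hot-patching uses).
HOTPATCH = b"\xeb\xf9" + CLEAN[2:]

SAMPLE_EXPORTS = [
    ("Kernel32.FindNextFileW",  FINDNEXT_ADDR, HOOKED,   CLEAN),
    ("Kernel32.CreateProcessW", 0x7C802367,    CLEAN,    CLEAN),
    ("Kernel32.ReadFile",       0x7C80180E,    HOTPATCH, CLEAN),
]

if __name__ == "__main__":
    for verdict in scan(KERNEL32_BASE, KERNEL32_SIZE, SAMPLE_EXPORTS):
        print(verdict)
```

The split between "patched" and "suspicious" is deliberate: a prologue that differs from disk but jumps within the module is worth a look, whereas one that lands in memory outside any loaded image is the pattern the readme describes and is what an analyst should chase first.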
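The Inifile section names the three parts a hxdef021 config must contain, and the entries in those parts are exactly the artifacts an incident responder needs to locate from a clean boot, since the page's manual-removal section lists none. The parser below is an added example, not code from the page or from the rootkit's author. It assumes an INI-style layout with one entry per line under each bracketed header (the readme states the section names, not the line format), treats lines starting with ";" or "#" as comments (an assumption), and the sample config it runs over is constructed, reusing only file and service names that appear in the readme.

```python
"""Triage parser for a recovered Hacker Defender 0.2.1 inifile.
Added example; the line-per-entry layout, comment syntax and sample config
are assumptions/constructed fixtures, not the rootkit's documented format."""
import re

REQUIRED = ("Hidden Table", "Root Processes", "Hidden Services")
DEFAULT_SERVICE = "HackerDefender021"   # service name stated in the readme


def parse_hxdef_ini(text: str) -> dict:
    """Return {section name: [entries]} for every [Section] found."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):   # assumed comment syntax
            continue
        header = re.fullmatch(r"\[(.+?)\]", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text: str) -> dict:
    """Summarise the removal-relevant facts from an inifile."""
    cfg = parse_hxdef_ini(text)
    services = cfg.get("Hidden Services", [])
    return {
        "missing_sections": [s for s in REQUIRED if s not in cfg],
        "hidden_entries": cfg.get("Hidden Table", []),      # files, dirs, processes
        "root_processes": cfg.get("Root Processes", []),    # the operator's own tools
        "hidden_services": services,
        "default_service_present": any(s.lower() == DEFAULT_SERVICE.lower()
                                       for s in services),
    }


def removal_checklist(report: dict) -> list:
    """Turn a triage report into (kind, name) pairs to verify from a clean
    boot, where the hooks are not active and the entries are visible."""
    items = [("file/dir", e) for e in report["hidden_entries"]]
    items += [("service", s) for s in report["hidden_services"]]
    items += [("root process", p) for p in report["root_processes"]]
    return items


# Constructed sample config; names are taken from the readme as labels only.
SAMPLE_INI = """\
; constructed sample inifile, not a real recovered config
[Hidden Table]
hxdef021.exe
hxdef021.ini
bdcli021.exe

[Root Processes]
bdcli021.exe

[Hidden Services]
HackerDefender021
"""

if __name__ == "__main__":
    report = triage(SAMPLE_INI)
    for kind, name in removal_checklist(report):
        print(f"{kind:13} {name}")
    if report["missing_sections"]:
        print("incomplete config, missing:", report["missing_sections"])
```

Because the readme says the hooks hide these entries from every non-root process, the checklist is only useful when worked from a boot where the rootkit's service is not running; a listing taken on the live system will simply show nothing.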

Alias:

Backdoor.HacDef.021, Backdoor.HacDef.026, Backdoor.HacDef.030, Backdoor.HacDef.033, Backdoor.HacDef.037, Backdoor.HacDef.050, Backdoor.HacDef.051, Backdoor.HacDef.073.a, Backdoor.HacDef.084, Backdoor.Win32.HacDef.084 [Kaspersky], Bck/HacDef.C [Panda], Win32/HacDef.084 trojan [Eset]

Category:

Trojan Creation Tool: A program designed to create Trojans. Some of these tools merely wrap existing Trojans, to make them harder to detect. Others add a trojan to an existing product (such as RegEdit.exe), making it a Dropper.

Backdoor: A secret or undocumented means of getting into a computer system, or software that uses such a means to penetrate a system. Some software has a backdoor placed by the programmer to allow them to gain access to troubleshoot or change the program. Software that is classified as a "backdoor" is designed to exploit a vulnerability in a system, and open it to future access by an attacker.

Variants:

  • Hacker Defender 0.21
  • Hacker Defender 0.26
  • Hacker Defender 0.3.7
  • Hacker Defender 0.30
  • Hacker Defender 0.33
  • Hacker Defender 0.37
  • Hacker Defender 0.50
  • Hacker Defender 0.51
  • Hacker Defender 0.73
  • Hacker Defender 0.73a
  • Hacker Defender 0.84
  • Hacker Defender 1.00
Similar Pests:

Trojan Creation Tool · Backdoor

Origins

Author:

Holy_Father

EMail:

Holy_Father Ratter/29A

URL:

http://rootkit.host.sk, http://hxdef.czweb.org

Programming Language:

Delphi and Assembly.

Date of Origin:

Variants from August, 2002 to January, 2004

Place of Origin:

Czech Republic

Distribution

Prevalence:

  • Hacker Defender: 0.1%
  • Hacker Defender 0.73: 0.1%
  • Hacker Defender 1.00: 1.0%

Clot Factor:

  • Hacker Defender: < 1

The "Clot Factor" is a measure of how much a pest "gums up" a machine by adding registry entries, files, and directories. As more objects are placed in a machine, manual removal becomes more difficult and more error-prone.

Operation

Storage Required:

  • Hacker Defender: at least 29 KB
  • Hacker Defender 0.21: at least 89 KB
  • Hacker Defender 0.30: at least 69 KB
  • Hacker Defender 0.33: at least 69 KB
  • Hacker Defender 0.37: at least 77 KB
  • Hacker Defender 0.50: at least 89 KB
  • Hacker Defender 0.51: at least 89 KB
  • Hacker Defender 0.73: at least 41 KB
  • Hacker Defender 1.00: at least 649 KB
ScreenShot:

[screenshot: Hacker Defender 0.2.1]
[screenshot: Hacker Defender 0.2.6]
[screenshot: Hacker Defender 0.3.0]
[screenshot: Hacker Defender 0.3.3]


Detection and Removal

Automatic Removal:

PestPatrol detects this.

PestPatrol removes this.

Manual Removal:

Follow these steps to remove Hacker Defender from your machine. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:

Kill these running processes with Task Manager:

Remove Files:

Remove these files (if present) with Windows Explorer:

Research

File Analyses:

Research By:

PestPatrol's Pest Research Center

Last Revised:

April 03, 2005