The creator of one of the world's most effective "rootkits" -- programs that can
successfully hide from antivirus software -- has been defeated, at least
temporarily, by a Chinese computer security group.
Rootkit writers have, for some time, been perfecting techniques to avoid detection by antivirus
programs. Such rootkits aren't yet widespread but
have become a serious threat.
One set of rootkit tools, called "Hacker Defender," was described to me by Vlad Gorelik, CTO of Sana Security, in a recent interview. (I last wrote about Sana in this space on March 29, 2005.)
Hacker Defender, also known as HxDef, helps a virus author make his payload more potent by "putting it through a 'configurator' and creating a signature that's never been seen before," Gorelik said. "Then you include Morphine with your code so you'd have a different signature every time."
Hacker Defender? Morphine? Let's look at the techniques rootkit authors are using
today, which are bound to give you headaches tomorrow.
Buying Your Own Rootkit Maker
The author of the Hacker Defender toolkit goes by the online handle of "holy_father."
He previously used the name Jaromir Lnenicka at an address in Prague, Czech
Republic to register older Web sites, including hxdef.czweb.org. His latest
site, hxdef.org, is registered anonymously via a domain registrar. (If you
decide to visit these or other hacker sites, for safety's sake I urge you to use
Mozilla Firefox, a browser that currently has no major security holes, instead
of Microsoft's vulnerable Internet Explorer browser.)
Holy_father offers the following "antidetection" products at www.hxdef.org/antidetection.php:
• Hacker Defender. This program is used to process virus source code so as to make it invisible to most antivirus utilities. The basic fee for Hacker Defender is 20 euros (about $25 USD).
• Hacker Defender Driver. The driver enables a virus to operate at Windows' "root" level, where it may go undetected, and hide its "process handle" so it remains unseen by diagnostic tools. The driver file is included in the Hacker Defender basic fee.
• Morphine. This generates an encrypted version of the virus, creating a signature that (in theory) no antivirus program has ever seen before and therefore can't quarantine. Prices for this treatment range from 25 to 75 euros. Holy_father says the higher-priced service enables a virus to evade detection by such antivirus packages as Kaspersky, Norton, AVG, Panda, McAfee, NOD32, Avast, and PC-cillin.
• Rootkit Detectors Antidetection Engine. This feature is said to be effective in hiding a virus from modern antirootkit programs such as F-Secure BlackLight, Rootkit Revealer, and Process Magic. Prices to evade these programs range from 10 to 50 euros each.
If all these options seem confusing, take heart. You can obtain the whole shebang in the "Golden Hacker Defender" package. For an investment of only 450 euros, you'll have everything you need to start creating your own rootkits today.
Don't think I'm revealing something hackers don't already know about.
Holy_father has stated that various versions of Hacker Defender have been
downloaded more than 100,000 times.
Have Fun Removing Rootkits
Until recently, even detecting that your computer is infected with a rootkit --
much less removing it once you've found one -- has been a tedious affair. The
process involves booting a copy of Windows from an original CD-ROM, then running
the Recovery Console and looking for unauthorized services that the rootkit
started.
Entire books are being written about this procedure, so I won't try to explain the gory details here. If you're in immediate need of help, one good formula to remove Hacker Defender is provided by the University of Wales' computer science department.
Meanwhile, a weakness in Hacker Defender -- which potentially affects all
rootkits -- may have surfaced halfway around the world from its creator's lair
in Europe.
The Beginning Of The End For Rootkits?
On May 30, Holy_father lamented in a comment posted on his site, "One of my
priorities this summer [will be] to beat IceSword." He went on to call it "such
a nice tool, [a] real challenge."
What could have caused the much-loathed creator of Hacker Defender to moan so
mournfully in the face of a competing development?
IceSword is a rootkit-beating program from Xfocus.net. The site is the home of a Chinese group of security researchers who've published a number of Windows vulnerabilities. The group famously announced last December some major security holes in Internet Explorer that Microsoft scrambled to patch.
In a posting on the Hacker Defender site, one commenter noted: "Most rootkits hide services from
service management controllers by hooking some API such as
EnumServicesStatus..." To combat such rootkits, he added: "IceSword maps the
advapi32.dll... and gets the 'pure' (unhooked) EnumServicesStatus." This permits
the program to detect anything that may have been hiding behind these services.
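The "pure versus hooked" idea the commenter describes is a cross-view detection: a rootkit that hooks EnumServicesStatus can only lie through the copy of the function that sits in the process's memory, so a detector that obtains the function's pristine bytes (IceSword does this by mapping advapi32.dll from disk itself) can both spot the patch at the function entry and compare the two service listings. The following example is added here for illustration and is not IceSword's code or anything from the column; it takes the on-disk and in-memory prologue bytes as inputs rather than mapping a DLL, and every address, byte string and service name in it is constructed for the demonstration. The clean prologue used is the standard hot-patchable x86 prologue (mov edi,edi / push ebp / mov ebp,esp) that many Win32 API functions begin with.

```python
"""Cross-view hook detection, demonstrated on constructed data.

Two checks a rootkit detector can run:
  1. detect_inline_hook: compare a function's first bytes as found in process
     memory against the same bytes from the DLL file on disk and classify the
     redirection stub if they differ.
  2. cross_view_diff: compare a service listing obtained through the (possibly
     hooked) API with one obtained through a pristine code path and report the
     entries the hooked view is hiding.
"""
import struct
from typing import Dict, List, Optional

# Common hot-patchable x86 API prologue: mov edi,edi ; push ebp ; mov ebp,esp
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")


def detect_inline_hook(disk_bytes: bytes, mem_bytes: bytes, func_va: int) -> Optional[Dict]:
    """Return None when the prologue in memory matches the on-disk one.

    Otherwise return a dict naming the kind of redirection stub found at the
    function entry and, where it can be computed from the bytes alone, the
    address control is diverted to. func_va is the function's virtual address,
    needed to resolve a relative jump.
    """
    n = min(len(disk_bytes), len(mem_bytes))
    if n == 0 or disk_bytes[:n] == mem_bytes[:n]:
        return None
    info: Dict = {"kind": "unknown patch", "target": None}
    op = mem_bytes[0]
    if op == 0xE9 and len(mem_bytes) >= 5:
        # E9 rel32: target = address of next instruction + displacement
        rel = struct.unpack_from("<i", mem_bytes, 1)[0]
        info = {"kind": "jmp rel32", "target": (func_va + 5 + rel) & 0xFFFFFFFF}
    elif mem_bytes[:2] == b"\xFF\x25" and len(mem_bytes) >= 6:
        # FF 25 abs32: indirect jump through a pointer slot (slot address reported)
        info = {"kind": "jmp [abs32]", "target": struct.unpack_from("<I", mem_bytes, 2)[0]}
    elif op == 0xB8 and len(mem_bytes) >= 7 and mem_bytes[5:7] == b"\xFF\xE0":
        # B8 imm32 ; FF E0: mov eax, imm32 ; jmp eax
        info = {"kind": "mov eax/jmp eax", "target": struct.unpack_from("<I", mem_bytes, 1)[0]}
    elif op == 0x68 and len(mem_bytes) >= 6 and mem_bytes[5] == 0xC3:
        # 68 imm32 ; C3: push imm32 ; ret
        info = {"kind": "push/ret", "target": struct.unpack_from("<I", mem_bytes, 1)[0]}
    return info


def cross_view_diff(hooked_view: List[str], pure_view: List[str]) -> List[str]:
    """Services present in the pristine listing but absent from the hooked one."""
    return sorted(set(pure_view) - set(hooked_view))


# --- Constructed sample data (not real addresses or real service names) ---
SAMPLE_FUNC_VA = 0x77DD1234       # pretend address of the hooked export
SAMPLE_HOOK_TARGET = 0x00401000   # pretend address of the rootkit's handler
# What a detector would read from memory: a jmp rel32 written over the prologue
SAMPLE_MEM_HOOKED = b"\xE9" + struct.pack("<i", SAMPLE_HOOK_TARGET - (SAMPLE_FUNC_VA + 5))
SAMPLE_API_VIEW = ["Dhcp", "EventLog", "Spooler"]                       # filtered by the hook
SAMPLE_PURE_VIEW = ["Dhcp", "EventLog", "hidden_svc_demo", "Spooler"]   # from the unhooked path


def run_demo() -> Dict:
    """Run both checks on the constructed sample and return the findings."""
    return {
        "hook": detect_inline_hook(CLEAN_PROLOGUE, SAMPLE_MEM_HOOKED, SAMPLE_FUNC_VA),
        "hidden_services": cross_view_diff(SAMPLE_API_VIEW, SAMPLE_PURE_VIEW),
    }


if __name__ == "__main__":
    findings = run_demo()
    print("entry hook:", findings["hook"])
    print("hidden services:", findings["hidden_services"])
```

The point of classifying the stub is practical: the resolved target address tells an analyst which module (or which unbacked memory region) the rootkit's handler lives in, which is the next thing to look at. A detector built on this approach needs its own trustworthy copy of the bytes, which is exactly why IceSword maps advapi32.dll from disk instead of asking the already-hooked process.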
IceSword version 1.08, released May 10, is downloadable from Xfocus.net.
It's 920 KB in compressed .RAR format. Its origin is credited to a developer who
goes by the handle "pjf_".
There's only one problem for readers of this column who'd like to try IceSword. The Xfocus.net site is written entirely in Chinese. There's an English-language version of the site, Xfocus.org -- but there's not a word there about IceSword. Nor is there a single English-language article about the IceSword program (not the online game character) on the entire Web, according to searches using Google, Yahoo, and Teoma. Whatever it is that's got Holy_father so upset, you're reading it here first.
The IceSword download page, if you're interested, is at
xfocus.net/tools/200505/1032.html.
In future columns, I'll reveal more on this rootkit arms race as it affects both
"hacker defenders" and "white-hat defenders."