Earthweb
Images Research Events Premium Services Media Kit Network Map E-mail Offers Vendor Solutions Webcasts
 SUBJECTS:
 FEATURES:
Search EarthWeb Network

Compare
prices
& save on:
Compare Prices:

internet.commerce
Be a Commerce Partner
Web Hosting Services
Prepaid Phone Card
Merchant Solutions
Mp3 Player Reviews
Compare Prices
Promotional
Online Education
Graphics Cards
KVM Switches Online
Promotional Hats
Cheap Airline Tickets
New Car Prices
Merchant Accounts
Online Degrees

IT Management : Columns : Executive Tech: 'Rootkit' Author Beaten, For Now

Symantec Data Management Solutions
Whitepaper: The Benefit of Continuous Data Protection
Data volume continues to grow at nearly 40% to 50% each year, making back up of mission critical data very difficult. For any organization looking to manage data growth, improve reliability, and speed data recovery, continuous data protection provides the avenue to address the challenges in a method that will improve overall data protection without weighing down IT with costly solutions.
Register Now to Download.
Whitepaper: Breaking Through the Dissimilar Hardware Restore Challenge
This paper discusses recovery to virtual computer environments, hardware migration strategies, hardware repurposing for optimal resource utilization, meeting recovery time objectives, and increasing disaster tolerance.
Register Now to Download.
Whitepaper: Converging System and Data Protection
From resilience against threats to efficient restoration of normal operations, Symantec can help keep your business up, running, and growing—no matter what happens.
Register Now to Download.
Webcast: Symantec Brings Disk-based Data Protection and Advanced System Recovery Together
Symantec Backup Exec™ and Symantec LiveState Recovery™ allow rapid and easy backup and recovery of virtually any Windows data and Windows system.
Join us for an informative Webcast to learn how to:
  • Create backups and restore to specific system recovery points
  • Maintain data availability and minimize server downtime
  • Eliminate backup windows, improving increased system reliability
  • Dramatically minimize downtime by rapidly recovering entire systems to dissimilar hardware platforms or even to virtual environments
Register Now to Watch.

Related Articles
Worst Browser Threats May Not Be Security Holes
Can Microsoft's Metro Replace PDF?
Microsoft Metro Threatens Adobe Acrobat
Can We Restore Reliability to E-Mail?
Don't Count On Your E-Mail Being Delivered
- ITSMWatch Newsletter -
email:
IT Focus
Wireless in the Enterprise

Wireless technology continues to make great inroads into networks. But IT pros still must contend with a number of issues such as security, access and integration.

Ready? Set. Go!

Mobile Workers Never Looked So Thin

The Incredible Hidden Wireless Connection

Product Watch
DataPort HotDock - External Drive Enclosure Enables IDE Hot Swap
GateDefender Performa - Gateway-Based E-Mail Anti-Spam and HTTP Content Filtering
PalmSecure - Biometric Identification via Palm Veins
VirusCop - Report Virus Spam, Erroneous E-mail Bounces, Other Spam
REV - Removable Hard Drive Platform for Storage and Backup

more products >>

Datamation Definitions
data mining
ERP
extranet
grid computing
intranet
network appliance
outsourcing
storage
VPN
virus
FREE Tech Newsletters

Whitepaper: Converging System and Data Protection. From resilience against threats to efficient restoration of normal operations, Symantec can help keep your business up, running, and growing.

'Rootkit' Author Beaten, For Now
May 31, 2005
By Brian Livingston

Brian Livingston The creator of one of the world's most effective "rootkits" -- programs that can successfully hide from antivirus software -- has been defeated, at least temporarily, by a Chinese computer security group.

Rootkit writers have, for some time, been perfecting techniques to avoid detection by antivirus programs. Such rootkits aren't yet widespread but have become a serious threat.

One set of rootkit tools, called "Hacker Defender," was described to me by Vlad Gorelik, CTO of Sana Security, in a recent interview. (I last wrote about Sana in this space on March 29, 2005.)

Hacker Defender, also known as HxDef, helps a virus author make his payload more potent by "putting it through a 'configurator' and creating a signature that's never been seen before," Gorelik said. "Then you include Morphine with your code so you'd have a different signature every time."

Hacker Defender? Morphine? Let's look at the techniques rootkit authors are using today, which are bound to give you headaches tomorrow.

Buying Your Own Rootkit Maker

The author of the Hacker Defender toolkit goes by the online handle of "holy_father." He previously used the name Jaromir Lnenicka at an address in Prague, Czech Republic to register older Web sites, including hxdef.czweb.org. His latest site, hxdef.org, is registered anonymously via a domain registrar. (If you decide to visit these or other hacker sites, for safety's sake I urge you to use Mozilla Firefox, a browser that currently has no major security holes, instead of Microsoft's vulnerable Internet Explorer browser.)

Holy_father offers the following "antidetection" products at www.hxdef.org/antidetection.php:

Hacker Defender. This program is used to process virus source code so as to make it invisible to most antivirus utilities. The basic fee for Hacker Defender is 20 euros (about $25 USD).

Hacker Defender Driver. The driver enables a virus to operate at Windows' "root" level, where it may go undetected, and hide its "process handle" so it remains unseen by diagnostic tools. The driver file is included in the Hacker Defender basic fee.

Morphine. This generates an encrypted version of the virus, creating a signature that (in theory) no antivirus program has ever seen before and therefore can't quarantine. Prices for this treatment range from 25 to 75 euros. Holy_father says the higher-priced service enables a virus to evade detection by such antivirus packages as Kaspersky, Norton, AVG, Panda, McAfee, NOD32, Avast, and PC-cillin.

Rootkit Detectors Antidetection Engine. This feature is said to be effective in hiding a virus from modern antirootkit programs such as F-Secure BlackLight, Rootkit Revealer, and Process Magic. Prices to evade these programs range from 10 to 50 euros each.

If all these options seem confusing, take heart. You can obtain the whole shebang in the "Golden Hacker Defender" package. For an investment of only 450 euros, you'll have everything you need to start creating your own root kits today.

Don't think I'm revealing something hackers don't already know about. Holy_father has stated that various versions of Hacker Defender have been downloaded more than 100,000 times.

Have Fun Removing Rootkits

Until recently, even detecting that your computer is infected with a rootkit -- much less removing it once you've found one -- has been a tedious affair. The process involves booting a copy of Windows from an original CD-ROM, then running the Recovery Console and looking for unauthorized services that the rootkit started.

Entire books are being written about this procedure, so I won't try to explain the gory details here. If you're in immediate need of help, one good formula to remove Hacker Defender is provided by the University of Wales' computer science department.

Meanwhile, a weakness in Hacker Defender -- which potentially affects all rootkits -- may have surfaced halfway around the world from its creator's lair in Europe.

The Beginning Of The End For Rootkits?

On May 30, Holy_father lamented in a comment posted on his site, "One of my priorities this summer [will be] to beat IceSword." He went on to call it "such a nice tool, [a] real challenge."

What could have caused the much-loathed creator of Hacker Defender to moan so mournfully in the face of a competing development?

IceSword is a rootkit-beating program from Xfocus.net. The site is the home of a Chinese group of security researchers who've published a number of Windows vulnerabilities. The group famously announced last December some major security holes in Internet Explorer that Microsoft scrambled to patch.

In a posting on the Hacker Defender site, one commenter noted: "Most rootkits hide services from service management controllers by hooking some API such as EnumServicesStatus..." To combat such rootkits, he added: "IceSword maps the advapi32.dll... and gets the 'pure' (unhooked) EnumServicesStatus." This permits the program to detect anything that may have been hiding behind these services.

IceSword version 1.08, released May 10, is downloadable from Xfocus.net. It's 920 KB in compressed .RAR format. Its origin is credited to a developer who goes by the handle "pjf_".

There's only one problem for readers of this column who'd like to try IceSword. The Xfocus.net site is written entirely in Chinese. There's an English-language version of the site, Xfocus.org -- but there's not a word there about IceSword.

Nor is there is a single English-language article about the IceSword program (not the online game character) on the entire Web, according to searches using Google, Yahoo, and Teoma. Whatever it is that's got Holy_father so upset, you're reading it here first.

The IceSword download page, if you're interested, is at xfocus.net/tools/200505/1032.html.

In future columns, I'll reveal more on this rootkit arms race as it affects both "hacker defenders" and "white-hat defenders."

Brian Livingston is the editor of WindowsSecrets.com and the coauthor of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.


Executive Tech Archives


JupiterWeb networks:

Graphics.com

Search JupiterWeb:

Jupitermedia Corporation has three divisions:
JupiterResearch


Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Jupitermedia Corporate Info | Newsletters | Tech Jobs | E-mail Offers