‘Rootkit’ Author Beaten, For Now

The creator of one of the world’s most effective “rootkits” — programs that can successfully hide from antivirus software — has been defeated, at least temporarily, by a Chinese computer security group.

Rootkit writers have, for some time, been perfecting techniques to avoid detection by antivirus programs. Such rootkits aren’t yet widespread but have become a serious threat.

One set of rootkit tools, called “Hacker Defender,” was described to me by Vlad Gorelik, CTO of Sana Security, in a recent interview. (I last wrote about Sana in this space on March 29, 2005.)

Hacker Defender, also known as HxDef, helps a virus author make his payload more potent by “putting it through a ‘configurator’ and creating a signature that’s never been seen before,” Gorelik said.

“Then you include Morphine with your code so you’d have a different signature every time.”

Hacker Defender? Morphine? Let’s look at the techniques rootkit authors are using today, which are bound to give you headaches tomorrow.

Buying Your Own Rootkit Maker

The author of the Hacker Defender toolkit goes by the online handle of “holy_father.” He previously used the name Jaromir Lnenicka at an address in Prague, Czech Republic to register older Web sites, including hxdef.czweb.org.

His latest site, hxdef.org, is registered anonymously via a domain registrar. (If you decide to visit these or other hacker sites, for safety’s sake I urge you to use Mozilla Firefox, a browser that currently has no major security holes, instead of Microsoft’s vulnerable Internet Explorer browser.)

Holy_father offers the following “antidetection” products at hxdef.org/antidetection.php:

Hacker Defender

This program is used to process virus source code so as to make it invisible to most antivirus utilities. The basic fee for Hacker Defender is 20 euros (about $25 USD).

Hacker Defender Driver

The driver enables a virus to operate at Windows’ “root” level, where it may go undetected, and hide its “process handle” so it remains unseen by diagnostic tools. The driver file is included in the Hacker Defender basic fee.

Morphine

This generates an encrypted version of the virus, creating a signature that (in theory) no antivirus program has ever seen before and therefore can’t quarantine.

Prices for this treatment range from 25 to 75 euros. Holy_father says the higher-priced service enables a virus to evade detection by such antivirus packages as Kaspersky, Norton, AVG, Panda, McAfee, NOD32, Avast, and PC-cillin.

Rootkit Detectors Antidetection Engine

This feature is said to be effective in hiding a virus from modern antirootkit programs such as F-Secure BlackLight, Rootkit Revealer, and Process Magic. Prices to evade these programs range from 10 to 50 euros each.

If all these options seem confusing, take heart. You can obtain the whole shebang in the “Golden Hacker Defender” package.

For an investment of only 450 euros, you’ll have everything you need to start creating your own root kits today.

Don’t think I’m revealing something hackers don’t already know about. Holy_father has stated that various versions of Hacker Defender have been downloaded more than 100,000 times.

Have Fun Removing Rootkits

Until recently, even detecting that your computer is infected with a rootkit — much less removing it once you’ve found one — has been a tedious affair.

The process involves booting a copy of Windows from an original CD-ROM, then running the Recovery Console and looking for unauthorized services that the rootkit started.

Entire books are being written about this procedure, so I won’t try to explain the gory details here. If you’re in immediate need of help, one good formula to remove Hacker Defender is provided by the University of Wales’ computer science department.

Meanwhile, a weakness in Hacker Defender — which potentially affects all rootkits — may have surfaced halfway around the world from its creator’s lair in Europe.

The Beginning Of The End For Rootkits?

On May 30, Holy_father lamented in a comment posted on his site, “One of my prioritites this summer [will be] to beat IceSword.” He went on to call it “such a nice tool, [a] real challenge.”

What could have caused the much-loathed creator of Hacker Defender to moan so mournfully in the face of a competing development?

IceSword is a rootkit-beating program from Xfocus.net. The site is the home of a Chinese group of security researchers who’ve published a number of Windows vulnerabilities.

The group famously announced last December some major security holes in Internet Explorer that Microsoft scrambled to patch.

In his rueful comments, Holy_father noted: “Most rootkits hide services from service management controllers by hooking some API such as EnumServicesStatus…”

To combat such rootkits, he added: “IceSword maps the advapi32.dll… and gets the ‘pure’ (unhooked) EnumServicesStatus.” This permits the program to detect anything that may have been hiding behind these services.

IceSword version 1.08, released May 10, is downloadable from Xfocus.net. It’s 920 KB in compressed .RAR format. Its origin is credited to a developer who goes by the handle “pjf_”.

There’s only one problem for readers of this column who’d like to try IceSword. The Xfocus.net site is written entirely in Chinese.

There’s an English-language version of the site, Xfocus.org — but there’s not a word there about IceSword.

Nor is there is a single English-language article about the IceSword program (not the online game character) on the entire Web, according to searches using Google, Yahoo, and Teoma. Whatever it is that’s got Holy_father so upset, you’re reading it here first.

The IceSword download page, if you’re interested, is at xfocus.net/tools/200505/1032.html.

In future columns, I’ll reveal more on this rootkit arms race as it affects both “hacker defenders” and “white-hat defenders.”