The attacker failed to update the signature file for detecting antivirus scanners. That’s how F-Secure claims its BlackLight scanner intercepted Golden Hacker Defender… the rootkit. If that hadn’t happened, Golden Hacker Defender would have disabled F-Secure’s antivirus protection in Windows, and delivered its payload.

What payload? Whatever the attacker chose to hide beneath Golden Hacker Defender’s cloak: virus, backdoor, spyware, or you-name-it. The authors of rootkits like Golden Hacker Defender couldn’t care less. They just provide the software that disables antivirus scanners… which they detect much like antivirus scanners detect them: with binary signature files.

All versions of Hacker Defender test for Avast!, AVG, Kaspersky, McAfee, NOD32, Norton, Panda, and PC-cillin. Once aboard, most versions trap all your logon info… including administrative services.

F-Secure says Golden Hacker Defender’s special because, unlike its open source version, Hacker Defender, it detects several commercial antivirus scanners. The creators of Golden Hacker Defender aren’t as impressed. For a real antivirus killer, they recommend their top-of-the-line Brilliant Hacker Defender. What? US$695 a bit over your budget? Hacker Defender has something on the shelf to fit any blackhat’s wallet.

Antivirus Engines and Rootkit Detectors Trashed By Hacker Defender

| Windows Code Detected | Version | Silver | Golden | Brilliant |
|---|---|---|---|---|
| F-Secure BlackLight | 2.1.1019 | x | x | x |
| F-Secure BlackLight | 1.0.1017.0, 1.2.1003.0, 1.3.1015, 1.4.1003, 1.5.1002, 2.0.1008, 2.1.1010, 2.1.1012, 2.1.1013, 2.1.1018 | | x | x |
| F-Secure BlackLight Console | 1.25.1006.0, 1.28.1006.0 | | x | x |
| Flister | 0.1 | x | x | x |
| Klister | 0.4 | x | x | x |
| KProcCheck | 0.2-beta2 | x | x | x |
| RootkitRevealer | v1.31, v1.32, v1.33, v1.40, v1.51, v1.53, v1.54, v1.55 | x | x | x |
| RootkitRevealer | v1.00, v1.01, v1.10, v1.20 | | x | x |
| UnHackMe | 2.5 beta, 2.5 beta2, 2.5, 3.0 beta | x | x | x |
| UnHackMe | 1.0, 2.0 | | x | x |
| Find Hidden Service | 1.0, 1.1 | | x | x |
| Kernel SC | 1.3 | | x | x |
| Kernel PS | 0.4, 1.0 | | x | x |
| KHS | 0.1 | | x | x |
| Process Magic by WinEggDrop | V1.0 | | x | x |
| RegdatXP | 1.41, 1.42 | | x | x |
| RootKitShark | 3.11, 3.22, 3.27 | | x | x |
| TaskInfo | 6.0.1.134, 6.2.0.170 | | x | x |
| IceSword | 1.04, 1.06, 1.06b, 1.08, 1.10, 1.12 | | | x |
| modGREPER | 0.1, 0.2 | | | x |
| Process Hunter | | | | x |

Hacker Defender project leader holy_father claims, “There is no known public rootkit detector that can reveal the presence of Hacker Defender rootkit with this antidetection engine.”

He says antivirus companies simply wait to see new virus patterns, then add signature files. holy_father insists commercial vendors “sell the fake sense of security but they do not bring the real security to your computer.”

“The real dangers,” he says, “are pointed attacks where private tools are used. These tools use the same methods as our tools but are not detected because security companies have no chance to download them and add those few bytes in their database. And because they catch only tools they know and do not solve the cause, attackers will succeed with their tools… There is no good AV product today.”

Until there’s a good AV product, you may want to isolate your Windows computers from the Internet with a solid wall of non-Windows firewalls and gateways… and keep those antivirus signature files up-to-date.

Background (updated):