Smart computer users know that once a computer is infected by a rootkit, it’s changed forever. And as Windows rootkits go, Hacker Defender is among the most dangerous. The author of Hacker Defender, holy_father, explains why he does what he does, and what you can do to detect his rootkit.
Antivirus companies sell a fake sense of security, but they do not bring real security to your computer. Antivirus just fights programs that are visible to common users. They don’t care about the cause.
If I publish Hacker Defender’s antidetection code, antivirus companies will do nothing but add a few bytes to their databases of virus patterns, or simply fool my engine in some way. They show their customers they can handle rootkits based on my antidetection engine, but they won’t solve the problem. So there would be easy ways to bypass them again and again.
This attitude brings money to security companies because their users download upgrades and buy new versions of their products. This is why these security companies don’t want to change the situation.
Yes, antivirus products will protect you against wildly spreading threats like destructive worms. But the real danger for users is from pointed attacks, where private tools are used. These tools use the same methods as my tools. They are not detected because security companies have no chance to download them and add those few bytes to their databases. Security companies catch only the tools they know and do not solve the cause. So attackers will succeed with their tools.
This has to be changed. Hacker Defender and other rootkit projects force security companies to care about the core of the problems, to develop better and better products. And after years, I see the results. The situation is better. But there is still a lot of work to be done with rootkit detectors and antivirus products.
This is why I will continue my work to try to find ways to bypass their poor products until antivirus companies come up with the real solution. And this is why a lot of my customers are security guys who offer penetration testing etc., not bad (or blackhat) guys.
People often ask me why I don’t write security applications instead of rootkits. It is clear that I would have to prefer one of these applications, either rootkit or anti-rootkit. If it is the rootkit, no one will use my anti-rootkit, so it would be a waste of time to implement an anti-rootkit. If it is the anti-rootkit, then again, no one will use the rootkit. I’ve decided on the rootkit way because it is more painful for so-called security companies.
For example, Microsoft claims that Windows Malicious Software Removal Tool for XP/2000/2003 (MSRT) can detect Hacker Defender. I always test the latest MSRT with Hacker Defender, and the latest MSRT does not even detect the latest public version of Hacker Defender (hxdef 1.0.0 revisited), which was published weeks ago and is available for download to everyone, with full source code.
You can try it on your machine yourself.
For the paid versions of Hacker Defender, the code of the public version is scrambled and changed to avoid antivirus detection. Tests against eight antivirus products (Avast!, AVG, Kaspersky, McAfee, NOD32, Norton, Panda, PC-cillin) with the newest upgrades are always made before the customer receives the final product. The code is always unique for each customer, which means that detection of one customer’s product should not affect other customers’ products.
If you think about it, simple code scrambling in what is called dangerous or malicious software results in a clean scan report. It is really as easy as changing one byte here and there to fool your expensive antivirus product.
This fact forced us to think about how antivirus products are implemented and what all those powerful heuristics engines that reveal even unknown future threats really mean. Just visit some antivirus vendor’s website to see what they offer. Then modify a few bytes in your favourite destructive malware and form your own opinion.
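The claim above, that a few changed bytes produce a clean scan report, is a statement about how fixed byte-string signatures work. The following toy scanner is an added example written for this page; it is not code from holy_father, from Hacker Defender, or from any antivirus vendor. The two "binaries" and both signatures are constructed for the illustration and are not real malware or real vendor signatures. It shows an exact-pattern signature missing a sample after a one-byte edit, and a masked signature (the `DE AD ?? EF` style with wildcard positions that many scanners support) still firing because it only pins down the bytes that do not change between builds.

```python
"""Toy signature scanner (added example; not code from the page or from
the Hacker Defender project). Demonstrates why an exact byte-string
signature is brittle against trivial edits and how a masked signature
tolerates them. All byte strings are constructed for the demo."""

from typing import Dict, List, Optional, Sequence

# Constructed sample: a tiny "binary" carrying a distinctive tag and a
# 4-byte constant after it.
ORIGINAL_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
                   + b"SAMPLE_TAG_v1\x00" + b"\xde\xad\xbe\xef" + b"\x00" * 8)

# Constructed variant: same layout, but the version digit and the trailing
# constant were changed, the kind of "one byte here and there" edit the
# article describes.
VARIANT_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 12
                  + b"SAMPLE_TAG_v2\x00" + b"\xfe\xed\xfa\xce" + b"\x00" * 8)

# A masked signature is a sequence of byte values, with None meaning
# "any byte at this position".
MaskedSig = Sequence[Optional[int]]


def exact_signature_match(data: bytes, signature: bytes) -> bool:
    """Classic fixed-pattern signature: fires only on a byte-for-byte hit."""
    return signature in data


def masked_signature_match(data: bytes, sig: MaskedSig) -> int:
    """Return the offset of the first match of `sig` in `data`, treating
    None as a wildcard, or -1 if nothing matches. O(n*m), fine for a demo."""
    n, m = len(data), len(sig)
    for off in range(n - m + 1):
        if all(s is None or data[off + i] == s for i, s in enumerate(sig)):
            return off
    return -1


def parse_masked_signature(text: str) -> List[Optional[int]]:
    """Parse a 'DE AD ?? EF' style signature string; '??' is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


# Exact signature: pins every byte, including the ones that vary per build.
EXACT_SIG = b"SAMPLE_TAG_v1\x00\xde\xad\xbe\xef"

# Masked signature: pins the stable prefix, leaves the version digit and
# the 4-byte constant as wildcards, keeps the terminating NUL.
MASKED_SIG: List[Optional[int]] = list(b"SAMPLE_TAG_v") + [None, 0x00, None, None, None, None]


def scan(data: bytes) -> Dict[str, object]:
    """Run both signature styles over one sample and report the outcome."""
    return {
        "exact_hit": exact_signature_match(data, EXACT_SIG),
        "masked_offset": masked_signature_match(data, MASKED_SIG),
    }


if __name__ == "__main__":
    for name, sample in (("original", ORIGINAL_SAMPLE), ("variant", VARIANT_SAMPLE)):
        print(name, scan(sample))
```

Running it shows the exact signature hitting only the original, while the masked signature reports offset 16 for both. A masked signature is still a signature: it catches a variant only as long as the bytes it pins down survive the edit, so a rebuild that changes those too (which is what the per-customer scrambling described above amounts to) is why scanners also need detection that does not depend on the file's bytes at all.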
The antidetection engines in more advanced paid versions of Hacker Defender also evade the latest versions of all well-known modern rootkit detectors like BlackLight, RootkitRevealer, IceSword, UnHackMe and RKDETECTOR 2.0.
It is curious that Hacker Defender’s antidetection was implemented months ago and hasn’t changed (except some minor bugfixes) since then. In spite of this fact, no security product is able to beat it today.
The world is still waiting for the first real rootkit detector that would bypass Hacker Defender’s antidetection engine. Hacker Defender is just there to show they have to improve their products.
Editor’s Note: While we helped a bit with English and formatting, this is pure holy_father.
10 comments
December 20th, 2005 at 1:37 pm
tookie
Many would disagree with holy_father’s methods, but he does seem to be spurring these vendors to improve their products. Still, their products wouldn’t need to be so robust without people like holy_father trying to rootkit our systems…
December 20th, 2005 at 11:42 pm
Eduardo
I also disagree with his methods. Instead of infecting computers and waiting for people to see what the antivirus company does, he should work with the antivirus company to certify to themselves that people’s computers are safe. There it is only hackers giving a reason to infect computers and to put a mark on the wall. With his method, the user of the computer ends up the most hurt.
December 21st, 2005 at 12:12 am
Snag
without jackasses like this there would not be a need for AV software in the first place.
December 21st, 2005 at 7:29 am
pussy
Instead of challenging the AV vendors to come up with their solution, why not just make your “ultimate anti-rootkit/virus/spyware” application so that not only will you still get to challenge everybody to come up with a way to bypass your system, but also maybe take the market that all those cheap solution system vendors are hogging at the moment. It seems that you’re more inclined to make rootkits because you want to prove what you can do to those AV vendors, but you don’t realize that it would be more of a challenge for your capacity to be on the good side and then just make anybody come up with a way to bypass your system. In this way, you’re making money while helping everybody directly but still allowing you to prove your talent to everybody…
December 21st, 2005 at 8:04 am
shadow
This guy is full of s**t. He says he started writing rootkits because AVs are just trying to fool everyone and are in this business just for the money, but later on in the article I see that he is doing the same thing: selling something for a price. So basically he is doing the same thing as an AV but the object he is selling is different, and that is rootkits. In my opinion it’s way better to sell a product that protects you from certain types of malware than to sell malware itself. If I were to decide, I wouldn’t even bother publishing this guy’s article.
December 21st, 2005 at 9:11 am
Ketema
I agree that guys like holy_father should use their considerable talent to make their own anti-virus & anti-rootkit products instead, but at the same time, without holy_father and the like drawing attention to the flaws of big market products, users would be in much more danger, because for every holy_father who makes his source code public, there are many more malicious persons out there just stealing your data without you ever knowing or even suspecting.
December 21st, 2005 at 9:18 am
Adrien
Do you remember where web safety was just two years ago? The Chinese, the North Koreans or all the other intruders could “own” any computer on the net. The viruses and the rootkitters forced Microsoft, Linux, and the rest to toughen up. Don’t kid yourself. They are not all script kiddies. Rootkits are employed by security professionals to examine their own systems. They are employed as an element of larger process controls. And they are sometimes misused for DRM, as Sony BMG showed. While a rootkitter uses the bad-boy image to make his name, he makes his money selling to the good types. Termites are good for forests, bad for houses. The same thing applies to the rootkitters.
December 22nd, 2005 at 11:37 am
Rondea
This guy sounds like a Marvel comic book character… from his net-identity, holy_father, to his pronounced noble goals attained through questionable means.
January 2nd, 2006 at 11:44 pm
Dood
If any of you dorks had the slightest knowledge of how antivirus companies detect malware then maybe some of your comments would be intelligent. Yes they ARE lying to you, YES they ARE giving you a false sense of security AND yes they are taking your money like taking candy from a baby. holy_father IS making them up the stakes and become active. There is a simple truth that no AV company will be able to stop this type of program until they become proactive instead of reactive. Learn something about your computer you noobs
February 18th, 2007 at 8:49 pm
Chrissie
In my humble opinion, holy_father and Dood could use a lot of growing up. There IS no defense for the argument that is made. The arrogance and sense of entitlement is astounding. As for Dood, whoever told you that your temper tantrum is acceptable sold you the London Bridge.