On the 28th day of December 2005, Tibbar encrypted the public version of Hacker Defender, the world-famous Windows rootkit. At the same time, the anonymous author unleashed codeCrypter on the web.
Then Tibbar waited.
On the first of March 2006, Tibbar (“Rabbit” spelled backwards) submitted the codeCrypter’d Hacker Defender to VirusTotal, an online virus testing service used by white and black hats alike.
The results were dispiriting. Despite two months’ warning, just four of 24 anti-virus engines recognized Tibbar’s creation: BitDefender, Ikarus, NOD32 and VBA32. Three a/v engines, CAT-QuickHeal, Fortinet and Panda, spotted something they considered suspicious.
| A/V engine / date of scan | 1-Mar-06¹ | 23-Mar-06² | 5-Apr-06¹ |
|---|---|---|---|
| AntiVir | — | X | — |
| ArcaVir | n/a | — | n/a |
| Avast | — | — | — |
| AVG | — | X³ | — |
| Avira | — | n/a | — |
| BitDefender | X | X | X |
| CAT-QuickHeal | X⁴ | n/a | X⁴ |
| ClamAV | — | — | — |
| DrWeb | — | X | — |
| eTrust-InoculateIT | — | n/a | — |
| eTrust-Vet | — | n/a | — |
| Ewido | — | n/a | — |
| Fortinet | X⁴ | X | X⁴ |
| F-Prot | — | — | — |
| Ikarus | X | n/a | X |
| Kaspersky | — | X | X |
| McAfee | — | n/a | — |
| NOD32v2 | X | X | X |
| Norman | — | — | — |
| Panda | X⁴ | n/a | X⁴ |
| Sophos | — | n/a | — |
| Symantec | — | n/a | — |
| TheHacker | — | n/a | — |
| UNA | — | — | — |
| VirusBuster | n/a | — | n/a |
| VBA32 | X | X | X |

Legend:
- ¹ VirusTotal virus scan
- ² Jotti malware scan
- ³ Generic signature identified
- ⁴ Identified through heuristics
- X Detected the rootkit
- — Failed to detect the rootkit
- n/a Not applicable; A/V engine not tested
Tibbar waited three weeks, then tried again at a different malware scanner: Jotti. The results were slightly more encouraging. This time, AntiVir, BitDefender, Dr. Web, Fortinet, Kaspersky Anti-Virus, NOD32 and VBA32 caught him. AVG AntiVirus caught a generic backdoor. That’s eight of 15 vendors. Better.

On the fifth of April, Jack Koziol took up the gauntlet at Ethical Hacking and Computer Forensics. He packaged and resubmitted the codeCrypter’d Hacker Defender rootkit to VirusTotal. Sadly, his list of worthies expanded by only one. Kaspersky found the rootkit.
So three months after release of both the virus and codeCrypter source code, only AntiVir, AVG, BitDefender, CAT-QuickHeal, DrWeb, Fortinet, Ikarus, Kaspersky, NOD32v2, Panda and VBA32 were able to detect anything out of the ordinary when cloaked by codeCrypter.
That’s just eleven of 26 anti-virus engines, most of whom have been happily cashing our checks all along. Surprised? You shouldn’t be. It took most of these yahoos over a year to detect the publicly downloadable version of Hacker Defender.
Meanwhile, Tibbar, a self-proclaimed white hat, appears to be starting to think like holy father, the developer of Hacker Defender, who wrote in Email Battles:
Antivirus companies sell a fake sense of security, but they do not bring real security to your computer. Antivirus just fights programs that are visible to common users. They don’t care about the cause… This attitude brings money to security companies because their users download upgrades and buy new versions of their products. This is why these security companies don’t want to change the situation.
Tibbar’s hard at work on a mutating version of codeCrypter that may finally get security firms’ attention… or not.
While you’re waiting, you may want to reconsider your choice of anti-virus vendor.
Email Battles Backgrounder:
- Beyond Rootkits: World’s First Standalone Kernel Mode Bot?; Email Battles; 6 April 2006
- Circumventing Antivirus via Transmutation; Jack Koziol; Ethical Hacking and Computer Forensics; 5 April 2006
- codeCrypter next release plans; Tibbar; Adventures of the White Rabbit; 31 March 2006
- Hacker Defender Rootkit Guru Kills Stealth Project; Email Battles; 13 March 2006
- codeCrypter; Tibbar; Adventures of the White Rabbit; 1 March 2006
- Now, if only we had a rootkit to defeat the rootkit to defeat the rootkit…; NewsByte; Email Battles; 6 February 2006
- Symantec caught embedding rootkits; NewsByte; Email Battles; 11 January 2006
- Security Fix: Firefox, IE, Opera, Outlook & other Browsers & Email Clients; Email Battles; 4 January 2006
- Rootkit Guru: AntiVirus Makes Me Do It; Email Battles; 20 December 2005
- Adware’s Rootkit Focus: Preventing removal; NewsByte; Email Battles; 15 December 2005
- Rootkitters Lay in Wait for Vista 2006; Email Battles; 13 December 2005
- Signature War: Rootkits vs Antivirus; Email Battles; 13 December 2005
- Rootkits Unraveled; NewsByte; Email Battles; 13 December 2005

4 comments
April 7th, 2006 at 7:32 pm
Sander Marechal
– “While you’re waiting, you may want to reconsider your choice of anti-virus vendor.”
You mean “While you’re waiting, you may want to reconsider your choice of operating system.”, right?
—
Sander
April 8th, 2006 at 10:05 am
BJ Gillette
Hi Sander. Admittedly, when Microsoft’s own security experts, like Mike Danseglio, try the tired “it’s not Windows’ fault” chestnut, it does start to grate on the nerves.
(See “Malware overruns Windows; Apple to the rescue”, http://www.trimmail.com/news/elsewhere/data/1144360422.6/)
Redmond says Vista’s the fix. But then, so was XP. Looks like they’re getting closer, ever so slowly.
April 8th, 2006 at 12:11 pm
Richard
When they say Vista is the fix, in my mind they say “gimme money now, so you can get the Vista fix.” Pfft.
September 24th, 2006 at 11:32 am
Art
Solutions:
Mac OSX
SE-Linux