Wednesday, December 1, 2010

Playing Around with HXDEF Rootkit

Hacker Defender aka HXDEF is a very famous rootkit which works as a traditional rootkit as well as a trojan in some sense.

What is a Rootkit: an extremely brief introduction:

A rootkit is a piece of software which after executing is able to "hook" up - modify and take control of- Windows API calls making it undetectable. A typical rootkit is able to hide itself from the processes and services list. Modern rootkits have the ability to hide other processes as well and stealthily communicate over the network without being caught by firewalls.

These are some of the reasons Rootkits are considered much more dangerous than virus, worms, and trojans.

Introduction to Hacker Defender , HXDEF:

Hacker defender is a hybrid of a typical rootkit and trojan. It can make all its activities undetectable resembling a rootkit while it can also open many ports and create backdoors through which a remote user can connect just like a trojan.

Hacker defender was created in 2003 and was considered one of the most lethal rootkits in those times. Most of the antivirus software incorporate rootkit detection and hacker defender can be easily detected by all the major antiviruses. There are tools known as crypter which can make rootkits such as hacker defender avoid antivirus detection. Hacker defender enjoyed so much of popularity that when it was deemed obsolete, its makers came out with a premium version(search for hacker defender gold/platinum) which is still pretty popular since it claims to fully avoid antiviruses.

Still it is fun to run it on a virtual machine and mess around with the system. In this post the basic features and commands of Hacker defender will be discussed.

Installation of Hacker Defender (HXDEF):

I have uploaded the server and client .Link is provided at the bottom. Run the server on the victim PC. It will automatically hide all files with the name starting with hxdef and hacker defender. Before we continue further here is a list of the most common commands:

  • >hxdef100.exe [inifile] if you dont specify inifile then 'example.ini' will be executed where example.exe is the application. Eg in this case hxdef100.ini is the default file.
  • >hxdfe100.exe -:uninstall unistall the file you will have to go the folder where this application is stored
  •  >hxdef100.exe :-noservice doesn't install the service but simply runs them

This rootkit will hook up all the system's open ports which means any port can be used as a backdoor.Note that system ports are not hooked and therefore cannot be used as a backdoor.

Using rootkit as a trojan:

You can connect to your victim and get back a shell if there is any open port with input buffer larger than 256 bits. That means connecting to any open port listening for more than 256 bits will eventually lead to a shell being returned to the attacker.

To connect execute: bdcli100.exe [host] [port] [password]

Configuring various options:

Many options and parameters can be configured by editing the hxdef.ini file. Password used for connecting can be changed under the settings field. Other important settings:

Directories,files and processes beginning will values under [hidden table] will  hidden.
[Startup run] commands under this list will be executed as soon as a connection is established.
[Hidden ports] - all ports will be hidden from other applications.

For other options read the readme.txt file.

Detection and Disinfection:

Rootkit revealer is the most effective tool to remove rootkits.Moreover it is a freeware.

Avoiding detection:

This is also possible by processing the file through a crypter. If the file is still being detected you need to either find a unique/premium version of a crypter since free copies are not sometimes not able to change the characteristics of a file well enough. Avoiding antivirus detection is a very hot topic nowadays and will be discussed in some future article.

Obfuscation techniques:

I have already talked about crypters but if someone runs an exe and finds that nothing happens, he is obviously going to feel suspicious. This is where binders come into picture. Binders allow you to "bind" or attach an executable with another one. So you can attach the rootkit with some game and when the victim will run it, hacker defender will run in the background as well. And did you know that Windows comes with a binder of its own? The answer will be put in some future post.

Download Hacker Defender,HXDEF
Download Rootkit Revealer

No comments:

Post a Comment