RE: Backdoor:Win32/Hackdef.E

From: Jeffrey Leggett (jleggett@interland.com)
Date: Thu Oct 27 2005 - 12:55:25 EDT


We see Hacker Defender ALL the time (Webhoster). By far the most popular rootkit on Windows servers. AFAIK, MS tools DO NOT remove them (may have been superseded by a new version). Current AV will detect, but is incapable of removing it (again, I don't spend all day reading every update to every vendor, so that may or may not be true any longer).

Hacking HackerDefender - Helpful Hints!

Some useful and interesting ways of defeating HackerDefender! Some of these are useful, some of them are interesting, and some are interesting but not particularly useful...

Using WinHex to help locate HackerDefender

You can search for text strings that are unique to the HackerDefender .ini file in order to locate the HackerDefender .ini file(s). Keep in mind that you may find old inactive installations of HackerDefender!!

Some examples of potentially unique text strings are:

    RegValues]

    RegKeys]

    TCP:

If you can find the .ini file for the active HackerDefender attack, you have an opportunity to uninstall HackerDefender via the built-in backdoor.

Uninstalling HackerDefender using the built-in backdoor (of limited use)

First, you will need to locate the HackerDefender .ini file.

Then, you will need to locate the backdoor password.

    In the HackerDefender .ini file, locate the [Settings] subheading. The first entry below that heading should be:

        Password=<something>

    The password is obviously the string after the equal sign.

Next you will need to identify the HackerDefender executable. If you've found the .ini file, the executable should be in the same directory as the .ini with the same base name. For example, if the .ini file is 'zx_hxdef.ini', the executable should be 'zx_hxdef.exe'

Next, download the backdoor client (bdcli100.exe) attached to this document and put in a safe location on your computer. Note: If you have VirusScan installed, you may need to configure it to exclude a directory in order to keep this file on your system.

    Drop to a command line where bdcli100.exe lives and execute the command:

        bdcli100.exe <servername> 80 <password>

    Note: If the server is not a web server, port 80 may not be an option. Try another available port...

You should now have a command line on the hacked server in the hacked directory! Sweet huh!

Now, let's uninstall HackerDefender...

    zx_hxdef -:uninstall

-----Original Message-----
From: Alex Stender [mailto:alex.stender@gmail.com]
Sent: Wednesday, October 26, 2005 2:19 PM
To: pen-test@securityfocus.com
Subject: Backdoor:Win32/Hackdef.E

After installing October's MS Malicious Software Removal tool, a
couple of servers, one behind a Sonicwall TZ170 firewall, have shown the
presence of Win32/Hackdef.E and Win32/Hackdef.T. The MS tool says they
have been removed.

Has anyone had any experience with that trojan in terms of detecting
payload etc? Is there a security scanner to check for that specific
vulnerability?

Thanks

Alex

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT