Hacker defender 0.37

Released 22 years, 2 months ago. September 2002

Copyright © MegaSecurity

By Holy_Father


Informations
From Czechoslovakia
Author Holy_Father
Family Hacker defender
Category Remote Access
Version Hacker defender 0.37
Released Date Sep 2002, 22 years, 2 months ago.
Language Delphi and Assembly

Author Information / Description
Hacker defender v0.3.7
======================

Hacker defender is rootkit for Windows NT 4.0, Windows 2000 and Windows XP.
Main code was written in Delphi 6. Functions for new thread are written 
in assembler. 

program uses adapted LDE32
LDE32, Length-Disassembler Engine, 32-bit, (x) 1999-2000 Z0MBiE
special edition for REVERT tool
version 1.05

program uses Superfast/Supertiny Compression/Encryption library
Superfast/Supertiny Compression/Encryption library.
(c) 1998 by Jacky Qwerty/29A.


Usage
-----

>hxdef037.exe [inifile]
or 
>hxdef037.exe [switch] 

	Default hxdef037.ini is used if run without specifying the inifile or 
if run with switch.
	These switches are available:

        -:refresh       -       use to update settings from inifile
        -:noservice     -       doesn't install services and run normally
        -:installonly   -       only install service, but not run

Example:
>hxdef037.exe -:refresh


Idea
----

	The Main idea of this program was to use some API functions e.g. 
WriteProcessMemory and CreateRemoteThread to create a new thread in all 
running processes. New thread will rewrite some functions in system modules 
(mostly kernel32.dll and advapi32.dll) and inject fake code which will check 
API results and change this result in specific cases.
	Program must be absolutely hidden for all others. Now the user is able
to hide files, process, system services, registry keys. Program installs hidden
backdoors and register as hidden system service.


Licence
-------

	Till version 1.0.0 it is freeware. It can be spread but not changed
and all copies must includes all files (including original readme files).
Only exception is when target person (and computer owner) wouldn't know about 
the copy. 
	This project will be open source in version 1.0.0.


Version
-------

TODO	!	low level redir based on backdoor technique
	?	running root process on system level

0.3.7	+	possibility to change settings during running
	+	wildcard in names of hidden files, process and services
	+	possibility to add programs to rootkit startup
	x	fixed bug in hidding services on Windows NT 4.0

0.3.3	+	stability realy improved
	x	fixed all bugs for Windows XP
        x	found and fixed bug in hiding in registry
	x	found and fixed bug in backdoor with more clients

0.3.0	+	connectivity, stability and functionality of backdoor improved 
	+	backdoor shell runs always on system level 
	+	backdoor shell is hidden 
	+	registry keys hiding
	x	found and fixed bug in root processes
	-	bug in XP after reboot

0.2.6	x	fixed bug in backdoor

0.2.5	+	fully interactive console
	+	backdoor identification key is now only 256 bits long
	+	improved backdoor installation
	-	bug in backdoor

0.2.1	+	always run as service

0.2.0	+	system service installation 
	+	hiding in database of installed services 
	+	hidden backdoor
	+	no more working with windows

0.1.1	+	hidden in tasklist
	+	usage - possibility to specify name of inifile
	x	found and then fixed bug in communication
	x	fixed bug in using advapi
	-	found bug with debuggers

0.1.0	+	infection of system services
	+	smaller, tidier, faster code, more stable program
	x	fixed bug in communication

0.0.8	+	hiding files
	+	infection of new processes
	-	can't infect system services
	-	bug in communication



Hooked API
----------

List of API functions which are changed:

Kernel32.FindFirstFileExW
Kernel32.FindNextFileW
Kernel32.CreateProcessW
Kernel32.CreateProcessInternalW
Ntdll.NtQuerySystemInformation (class 5)
WS2_32.recv
WS2_32.WSARecv
WSOCK32.recv
Kernel32.ReadFile
Advapi32.EnumServiceGroupW
Advapi32.EnumServicesStatusA
Advapi32.EnumServicesStatusExW
Advapi32.EnumServicesStatusExA
Advapi32.RegEnumKeyW
Advapi32.RegEnumKeyA
Advapi32.RegEnumKeyExW
Advapi32.RegEnumKeyExA


Inifile
-------

	Again, there are more settings in this version. Inifile must contain 
five parts: [Hidden Table], [Root Processes], [Hidden Services], [Hidden 
RegKeys] and [Startup Run]. In [Hidden Table], [Root Processes] and [Hidden 
Services] can used character * as the wildcard in place of strings end. 
Asterisk can be used only on strings end, everything after first asterisks is 
ignored.

Example:
[Hidden Table]
hxdef*

this will hide all files, sdir and processes which name start with "hxdef".

	Hidden Table is a list of files and directories which should be hidden.
There is no chance to find those files and directories. Programs in this list 
will be hidden in tasklist.
	Root Processes is a list of programs which will be immune against 
infection. You can see hidden files, directories and programs only with these 
root programs. So, root processes are for rootkit admins.
	Hidden Services is a list of service names which will be hidden 
in the database of installed services. Service name for the main rootkit 
program is HackerDefender037.
	Hidden RegKeys is a list of registry keys which will be hidden. Rootkit
has two keys in registry: HackerDefender037 and LEGACY_HACKERDEFENDER037.
	Startup Run is a list of programs which	rootkit run after its startup.
These programs will have same rights as rootkit. Program name is divided from 
its arguments with question tag. Do not use " characters.

Example:
[Startup Run]
c:\sys\nc.exe?-L -p 100 -t -e cmd.exe

netcat-shell is run after rootkit startup and listens on port 100


Backdoor
--------

	Rootkit hooks some API functions connected with receiving packets 
from the net. If incoming data equals to 256 bits long key the copy of a shell
named "~ �@�.exe" is created in a temp, its instance is created and next 
incoming data are redirected to this shell.
	Because rootkit hooks all process in the system all TCP ports on all
servers will be backdoors. This backdoor will work only on servers where 
incoming buffer is larger or equal to 256 bits. But this feature is on almost 
all standard servers like Apache, IIS, Oracle. So, backdoor is created and it 
is hidden because its packets go through common servers on the system. So, you 
are not able to find it with classic portscanner and this backdoor can easily 
go through firewall. Exception in this are classic proxies which are protocol 
oriented for e.g. FTP or HTTP.
	During tests on IIS services was found that HTTP server does not log 
any of this connection, FTP and SMTP servers log only disconnection at the end.
	You have to use special client if want to connect to the backdoor. 
Program bdcli037.exe is used for this.

usage: bdcli037.exe host port

	Client for version 0.3.7 is not compatible with servers in older 
version than 0.3.0.


Tests
-----

	Following table shows successfulness of rootkit during tests.

Main	
 MS Windows XP [Verze 5.1.2600]		-	100%
 MS Windows 2000 5.00.2195 SP2		-	100%
 MS Windows NT 4.0 SP6			-	100%
 	
Backdoor
 Infection
  MS Windows XP [Verze 5.1.2600]
   IIS 5.1 WWW 				-	100%
   IIS 5.1 FTP 				-	100%
   IIS 5.1 SMTP				-	100%
  MS Windows 2000 5.00.2195 SP2
   IIS 5.0 WWW				-	100%
   IIS 5.0 FTP				-	100%
   IIS 5.0 SMTP				-	100%
  MS Windows NT 4.0 SP6		
   IIS 3.0 WWW				-	100%

 Connectivity
  MS Windows XP [Verze 5.1.2600]
   IIS 5.1 WWW 				-	100%
   IIS 5.1 FTP				-	100%
   IIS 5.1 SMTP				-	100%
  MS Windows 2000 5.00.2195 SP2
   IIS 5.0 WWW				-	100%
   IIS 5.0 FTP				-	100%
   IIS 5.0 SMTP				-	100%
  MS Windows NT 4.0 SP6		
   IIS 3.0 WWW				-	100%


Known Bugs
----------

        One bug is known at the moment. 

1)	Processes, which are debugged at the moment, can't be infect, because 
their debugger has exclusive rights for them. The infection will lose if the 
process is debugged during infection. So, it will not be changed and see 
everything. I think this is not a serious bug, because there is only small 
chance to apply this. I need help with solving this problem. It is not serious, 
but i have no idea how to fix it.


Files
-----

original archive contains these files:

hxdef037.exe	48 640 b	- program Hacker defender v0.3.7
hxdef037.ini	 1 111 b	- inifile
bdcli037.exe	29 696 b	- backdoor client
readmecz.txt	 8 740 b	- czech version of help file
readmeen.txt	 8 556 b	- this help file 

Holy_Father

If you recognize any personal information on this page and wish to have it removed or redacted, please contact us at jplesueur@phrozen.io. We are committed to protecting your privacy in accordance with GDPR regulations.