Network Security Pen-Test

RE: Backdoor:Win32/Hackdef.E

Subject: RE: Backdoor:Win32/Hackdef.E
Date: Thu, 27 Oct 2005 12:55:25 -0400
We see Hacker Defender ALL the time (Webhoster).  By far the most popular 
rootkit on Windows servers.  AFAIK, MS tools DO NOT remove them (may have been 
superseded by new version).  Current AV will detect, but is incapable of 
removing it (again, I don't spend all day reading every update to every vendor, 
so that may or may not be true any longer).  

Hacking HackerDefender - Helpful Hints!

Some useful and interesting ways of defeating HackerDefender!  Some of these 
are useful, some of them are interesting, and some are interesting but not 
particularly useful...

Using WinHex to help locate HackerDefender

You can search for text strings that are unique to the HackerDefender .ini file 
in order to locate the HackerDefender .ini file(s). Keep in mind that you may 
find old inactive installations of HackerDefender!!

Some examples of potentially unique text strings are:

    RegValues]

    RegKeys]

    TCP:

If you can find the .ini file for the active HackerDefender attack, you have an 
opportunity to uninstall HackerDefender via the built-in backdoor.

Uninstalling HackerDefender using the built-in backdoor (of limited use)

First, you will need to locate the HackerDefender .ini file.

Then, you will need to locate the backdoor password.

    In the HackerDefender .ini file, locate the [Settings] subheading. The 
first entry below that entry should be:

        Password=<something>

    The password is obviously the string after the equal sign.

Next you will need to identify the HackerDefender executable. If you've found 
the .ini file, the executable should be in the same directory as the .ini with 
the same base name. For example, if the .ini file is 'zx_hxdef.ini', the 
executable should be 'zx_hxdef.exe'

Next, download the backdoor client (bdcli100.exe) attached to this document and 
put it in a safe location on your computer. Note: If you have VirusScan installed, 
you may need to configure it to exclude a directory in order to keep this file 
on your system.

    Drop to a command line where bdcli100.exe lives and execute the command:

        bdcli100.exe <servername> 80 <password>

    Note: If the server is not a web server, port 80 may not be an option. Try 
another available port...

You should now have a command line on the hacked server in the hacked 
directory! Sweet huh!

Now, let's uninstall HackerDefender...

    zx_hxdef -:uninstall

-----Original Message-----
From: Alex Stender [mailto:alex.stender@gmail.com]
Sent: Wednesday, October 26, 2005 2:19 PM
To: pen-test@securityfocus.com
Subject: Backdoor:Win32/Hackdef.E


After installing October's MS Malicious Software Removal tool, a
couple of servers, one behind a Sonicwall TZ170 firewall, have shown the
presence of Win32/Hackdef.E and Win32/Hackdef.T. The MS tool says they
have been removed.

Has anyone had any experience with that trojan in terms of detecting
payload etc? Is there a security scanner to check for that specific
vulnerability?

Thanks

Alex

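The manual WinHex procedure above (search for strings unique to the hxdef .ini, read Password= under [Settings], derive the executable from the .ini base name) can be scripted for triage across a whole server. The following is an added example written for this archive page; it is not code from either poster and not part of Hacker Defender. It assumes, beyond what the post states, that hxdef's ini parser ignores the filler characters | < > : \ / " ` (so a padded, signature-evading ini still matches after those are stripped), and the sample ini, the password r00tkit-pw and the file names it writes to a scratch directory are constructed for the demonstration:

```python
"""Triage scan for HackerDefender (hxdef) configuration files.

Added example, not code from the original post. Mirrors the WinHex string
search described in the thread: find strings unique to an hxdef .ini, pull
Password= from [Settings], and derive the companion executable name.
"""
import os
import tempfile

# Marker strings the post suggests searching for with WinHex.
MARKERS = (b"RegValues]", b"RegKeys]", b"TCP:")

# ASSUMPTION (not stated on the page): hxdef's ini parser ignores the filler
# characters | < > : \ / " ` so operators pad the file to evade string
# signatures. Stripping them lets an obfuscated ini match the markers too.
NOISE = b'|<>:\\/"`'

MAX_SIZE = 1 << 20  # ini files are tiny; skip anything bigger than 1 MiB


def denoise(data: bytes) -> bytes:
    """Remove the filler characters so obfuscated keys read normally."""
    return data.translate(None, NOISE)


def marker_hits(data: bytes) -> list:
    """Return the marker strings present in the raw or de-noised content."""
    clean = denoise(data)
    return [m.decode() for m in MARKERS if m in data or m in clean]


def extract_password(data: bytes):
    """Return the Password= value from the [Settings] section, or None."""
    in_settings = False
    for raw in denoise(data).splitlines():
        line = raw.strip()
        if line.startswith(b"[") and line.endswith(b"]"):
            in_settings = line.lower() == b"[settings]"
            continue
        if in_settings and line.lower().startswith(b"password="):
            return line.split(b"=", 1)[1].decode("latin-1")
    return None


def companion_exe(ini_path: str):
    """hxdef's executable shares the ini's directory and base name."""
    exe = os.path.splitext(ini_path)[0] + ".exe"
    return exe, os.path.isfile(exe)


def scan(root: str) -> list:
    """Walk `root`; return one finding dict per file that hits any marker."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            hits = marker_hits(data)
            if not hits:
                continue
            exe, present = companion_exe(path)
            findings.append({
                "ini": path,
                "markers": hits,
                "password": extract_password(data),
                "exe": exe,
                # An ini with no exe beside it may be a stale, inactive install.
                "exe_present": present,
            })
    return sorted(findings, key=lambda f: f["ini"])


# Constructed sample: a padded hxdef-style ini (password r00tkit-pw is made up).
SAMPLE_INI = b"""[H<idden Tab>le]
zx_hxdef*
[Hidden RegKeys]
HackerDefender100
[Hidden RegValues]
[Hidden Ports]
TCP:80
[:S:e:t:t:i:n:g:s:]
P:a:s:s:w:o:r:d=r00tkit-pw
"""

BENIGN_INI = b"[Database]\nHost=localhost\n"  # constructed, should not match


def demo() -> list:
    """Build a scratch tree with the constructed files and scan it."""
    root = tempfile.mkdtemp(prefix="hxdef-scan-")
    with open(os.path.join(root, "zx_hxdef.ini"), "wb") as fh:
        fh.write(SAMPLE_INI)
    with open(os.path.join(root, "zx_hxdef.exe"), "wb") as fh:
        fh.write(b"MZ")  # stand-in for the rootkit binary
    with open(os.path.join(root, "app.ini"), "wb") as fh:
        fh.write(BENIGN_INI)
    return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point scan() at a suspect volume (or a mounted forensic image) rather than demo(). Because the rootkit hides files matching its [Hidden Table] from processes running on the infected host, run the scan from a clean boot or against an offline copy of the disk; a finding whose exe_present is False is the "old inactive installation" case the post warns about and is not proof the box is currently compromised.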
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------