Educause Security Discussion mailing list archives

Hacker defender is sophisticated


From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Wed, 24 Nov 2004 08:16:59 -0600

I have been working with a server administrator for the better part of a
week. One of his systems was compromised by one of the most sophisticated
trojan protection schemes that I have seen.

The trojan was using "Hacker Defender" to block detection. This scheme:

1. blocked several ports from detection by netstat or tcpview
2. hid all running executables from detection by the task manager or
process explorer
3. hid registry entries from detection by any registry editor
4. hid files in the file system from detection by any program

We ultimately found the files and thought we had the system cleaned but it
rebuilt itself as soon as we provided a network connection. This author put
his ftp server on port 116. There was a slew of other ports that were open.

I did a search on "hacker defender" and found that the first hit on google
is the author's web site. It includes a sophisticated discussion in several
white papers on how to circumvent many security tools. The author offers to
customize his work for your trojan for the number of euros in a price
schedule that he has published. It is pretty scary stuff!


Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu

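The post describes a listener on port 116 that the host's own netstat and tcpview could not see. The usual countermeasure for that class of hiding is a cross-view diff: take one view from inside the compromised host and one from a trusted vantage point that the host's hooked APIs cannot influence, then report the difference. The script below is an added example, not code from the original post or from the Hacker Defender author; the netstat output and the nmap-style scan lines are constructed sample data, and the function names are my own.

```python
"""Cross-view check for listening ports hidden from a host's own netstat.

Added example, not part of the original mailing-list post. Hacker Defender
hooks user-mode API calls on the compromised Windows host, so netstat and
tcpview running there never see the rootkit's listeners. The listener still
answers on the wire, so a port scan from a second, trusted machine sees it.
Diffing the two views exposes the gap. Both inputs are constructed samples.
"""
import re
from typing import Set

# Constructed: `netstat -an` as printed *on* the compromised host.
# The rootkit's port 116 listener is absent from this view.
LOCAL_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1042      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed: nmap normal-output lines from a trusted scanning host
# (e.g. `nmap -p- -sS 192.168.1.10`), which sees what actually answers.
EXTERNAL_SCAN = """\
# Nmap scan of 192.168.1.10
PORT     STATE SERVICE
116/tcp  open  ansanotify
135/tcp  open  msrpc
445/tcp  open  microsoft-ds
3389/tcp open  ms-wbt-server
"""

# Matches "<port>/<proto>  open" lines in nmap's normal output.
NMAP_OPEN_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b", re.M)


def local_listeners(netstat_text: str) -> Set[str]:
    """Return 'proto/port' for every listener the host itself reports."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or unrelated line
        proto = parts[0].lower()
        port = parts[1].rsplit(":", 1)[1]
        # Windows netstat prints no State column for UDP; TCP must be LISTENING.
        if proto == "udp" or (len(parts) >= 4 and parts[3] == "LISTENING"):
            found.add(f"{proto}/{port}")
    return found


def external_open(nmap_text: str) -> Set[str]:
    """Return 'proto/port' for every port the trusted scanner saw as open."""
    return {f"{proto}/{port}" for port, proto in NMAP_OPEN_RE.findall(nmap_text)}


def hidden_ports(netstat_text: str, nmap_text: str) -> Set[str]:
    """Ports that answer on the wire but are missing from the host's own view.

    Anything in this set is either a hooked/hidden listener on the host or a
    device answering in front of it; both deserve a look from a clean system.
    """
    return external_open(nmap_text) - local_listeners(netstat_text)


if __name__ == "__main__":
    for entry in sorted(hidden_ports(LOCAL_NETSTAT, EXTERNAL_SCAN)):
        print(f"hidden from host view: {entry}")
```

Two caveats when running this for real: the external scan only sees ports reachable through whatever filtering sits between the scanner and the host, and a backdoor that only accepts connections from specific source addresses will not show as open to an arbitrary scanner. The same cross-view idea applies to the other things the post lists as hidden, by comparing the host's directory and registry listings against the disk mounted read-only from a clean system.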