funsec mailing list archives
Commercial version of Hacker Defender rootkit now available
From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Date: Mon, 10 Oct 2005 15:56:58 GMT
Well, this doesn't sound good....

Via the F-Secure "News from the Lab" Blog:

[snip]

...we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 EUR for it, depending on the features. The sample we got was found by a company from several of their Windows servers. The discovery was made while they were testing the latest beta version of BlackLight.

The most notable feature of this non-public Golden Hacker Defender is its anti-detection engine. It is able to bypass most of the modern rootkit detectors. The anti-detection engine identifies detectors through a binary signature before the detector has a chance to execute. If the signature matches, the rootkit can disable some of its hooks or it can patch the detector's binary to modify its functionality. In this case, detection was possible because the intruder had not yet updated his/her rootkit to include the signature of our latest BlackLight release.

[snip]

http://www.f-secure.com/weblog/#00000675

- ferg

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net
 or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
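The anti-detection mechanism the quoted F-Secure post describes (match the detector's executable image against a list of byte signatures before it runs, then pick a response) is easy to model, and doing so shows why a detector release the rootkit has not yet been "taught" slips through. The example below is added here and is not code from F-Secure, from the funsec thread, or from any rootkit or detector; the signature strings, the executable images and the response names ("unhook", "patch") are all constructed for illustration and match nothing real. The same matcher doubles as a defender-side check: run a new detector build through it against whatever signature set you have recovered and you learn whether that build is still fingerprintable.

```python
# Added example, not part of the original post: a toy model of "identify the
# detector by binary signature, then choose a response". Everything below
# (signatures, images, response names) is constructed for the example.
import re
from typing import Dict, Optional

# Signature syntax: space-separated hex bytes, "??" matches any single byte.
# These patterns are constructed; they do not describe any real detector.
DETECTOR_SIGNATURES: Dict[str, str] = {
    "detector-v1": "4D 5A ?? ?? 42 4C 41 43 4B 4C 49 47 48 54 ?? 31",
    "detector-v2": "4D 5A ?? ?? 42 4C 41 43 4B 4C 49 47 48 54 ?? 32",
}

# Hypothetical responses standing in for "disable some of its hooks" and
# "patch the detector's binary" from the post.
RESPONSES: Dict[str, str] = {
    "detector-v1": "unhook",
    "detector-v2": "patch",
}


def compile_signature(sig: str) -> re.Pattern:
    """Turn a hex/wildcard signature into a compiled bytes regex."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")            # any one byte (DOTALL below)
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: compile_signature(s) for name, s in DETECTOR_SIGNATURES.items()}


def identify_detector(image: bytes) -> Optional[str]:
    """Return the name of the first signature that matches the image, else None."""
    for name, pattern in COMPILED.items():
        if pattern.search(image):
            return name
    return None


def rootkit_response(image: bytes) -> str:
    """What the modeled anti-detection engine would do for this executable image."""
    name = identify_detector(image)
    return RESPONSES[name] if name else "run-normally"


# Constructed executable images: an "MZ" header, a product string, a build tag.
KNOWN_BUILD_V1 = b"MZ\x90\x00BLACKLIGHT_1"
KNOWN_BUILD_V2 = b"MZ\x90\x00BLACKLIGHT_2"
NEW_BUILD_V3 = b"MZ\x90\x00BLACKLIGHT_3"   # not in the signature set yet


def audit_builds(images: Dict[str, bytes]) -> Dict[str, str]:
    """Defender-side view: which builds would the signature set recognise?"""
    return {label: rootkit_response(img) for label, img in images.items()}


if __name__ == "__main__":
    for label, action in audit_builds({
        "v1": KNOWN_BUILD_V1, "v2": KNOWN_BUILD_V2, "v3": NEW_BUILD_V3,
    }).items():
        print(f"{label}: {action}")
```

The v3 image is the situation the post describes: the signature set predates the latest release, so the engine finds no match and lets the detector run. The flip side is that any build the attacker has already fingerprinted is neutralised before it executes, which is why a detector's value against this class of rootkit depends on shipping builds the attacker has not seen, not on the detection logic alone.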