funsec mailing list archives

Commercial version of Hacker Defender rootkit now available


From: "Fergie (Paul Ferguson)" <fergdawg () netzero net>
Date: Mon, 10 Oct 2005 15:56:58 GMT

Well, this doesn't sound good....

Via the F-Secure "News from the Lab" Blog:

[snip]

...we received the first sample of Golden Hacker Defender around a month ago. This is the commercial private version of 
the Hacker Defender rootkit. Bad boys are purchasing this tool in order to hide their tracks...and might pay over 500 
EUR for it, depending on the features.

The sample we got was found by a company from several of their Windows servers. The discovery was made while they were 
testing the latest beta version of BlackLight.

The most notable feature of this non-public Golden Hacker Defender is its anti-detection engine. It is able to bypass 
most of the modern rootkit detectors. The anti-detection engine identifies detectors through a binary signature before 
the detector has a chance to execute. If the signature matches, the rootkit can disable some of its hooks or it can 
patch the detector's binary to modify its functionality.

In this case, detection was possible because the intruder had not yet updated his/her rootkit to include the signature 
of our latest BlackLight release.

[snip]

http://www.f-secure.com/weblog/#00000675

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.