Description
Win32.HacDef is a "rootkit", sometimes called "hacker defender" or "hxdef". It acts as a backdoor that allows an intruder to control an infected system remotely, as well as hide the presence of itself and other malicious files and processes.
HacDef only functions on Windows NT, 2000 and XP systems. Its functionality varies depending upon how it is configured.
Method of Installation
When the HacDef executable is run, it looks for a file in the current directory with the extension .INI, but otherwise the same name. For example, if the executable is called "hxdef100.exe", it will try to open "hxdef100.ini". HacDef may be run with a parameter to specify a different INI file.
The INI file contains configuration information for the trojan. These include directives for how it is installed, and its payload.
HacDef installs both a service and a device driver. The service is the trojan executable itself. This executable can drop the driver file to disk. The service name and description, as well as the driver name, are set in the INI file. The following are the entries used in the example INI file provided with the trojan:
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
Method of Distribution
HacDef does not distribute itself. It must be installed manually through some other method of system compromise.
Payload
Backdoor Functionality
HacDef has two main payloads. First, it provides a backdoor shell using the Windows command interpreter (cmd.exe). It copies cmd.exe to the temporary directory, using a file name specified in the INI file (e.g. "hxdefß$.exe"). This backdoor does not open a new port of its own to listen on, so it does not show up as an extra listening port. Instead, HacDef monitors inbound network traffic to the services already listening on the system, and intercepts any connection meant for itself. In this way, an intruder is able to connect to the backdoor through any open TCP port on the infected system, e.g. port 80 if a web server is running, or port 25 if a mail server is running. The backdoor requires a password, which is specified in the INI file.
The backdoor can also be used to redirect ports on the local machine to other ports on other machines.
Provides Stealth
The second payload involves the trojan hiding itself and other programs from the user. HacDef hooks many system functions in order to intercept and "stealth" different aspects of the system. It is able to:
- Hide files and processes (e.g. hide any file or process beginning with "hxdef").
- Hide services and drivers (the trojan's own service and driver are usually hidden).
- Hide registry keys and values (the trojan's own registry entries are usually hidden).
- Hide open ports (from programs like netstat, TCPView, etc.).
The stealth methods used by HacDef are quite effective. Hidden files will be invisible to most programs, including Explorer and the command prompt. Hidden services will not appear in the Windows service list. Hidden processes will not appear in the task manager or most third party process viewers. Hidden registry entries will not appear in regedit.
At this time, hidden files CAN be seen from remote machines using Windows file sharing.
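The installation details above (the service, driver and driver file names taken from the INI file) and the stealth behaviour just described give a defender a concrete way to look for HacDef: the names to expect come from the configuration, and the difference between what the infected host reports and what a vantage point outside its hooked APIs reports (the directory as seen over file sharing, a registry hive read offline, an external port scan) reveals what is being hidden. The following is an added example illustrating that cross-view check; it is not code from this analysis or from the trojan. It assumes the INI entries quoted above sit under a [Settings] header (the header is optional for the parser), uses the "hxdef" prefix quoted above as a name heuristic, and all of its listings are constructed sample data.

```python
"""Cross-view check for artifacts a HacDef-style rootkit hides, keyed off its INI file.

Added example for this description; not code from the HacDef analysis.
Assumptions, labelled where used: the INI entries quoted above sit under a
[Settings] header (optional here); the trusted listing for files is the
directory as seen over Windows file sharing, and the trusted listing for
services is a registry hive read offline.  All listings below are constructed.
"""
import configparser
from dataclasses import dataclass

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
INI_NAME_KEYS = ("ServiceName", "DriverName", "DriverFileName")
HIDDEN_PREFIX = "hxdef"   # default hiding rule quoted in the description

# Constructed sample INI, using only the entries quoted in the description.
SAMPLE_INI = """\
[Settings]
ServiceName=HackerDefender100
ServiceDisplayName=HXD Service 100
ServiceDescription=powerful NT rootkit
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""

# Constructed listings: (trusted view, view taken on the suspect host itself).
SAMPLE_VIEWS = {
    "file":    (["boot.ini", "hxdef100.exe", "hxdef100.ini", "hxdefdrv.sys", "notepad.exe"],
                ["boot.ini", "notepad.exe"]),
    "service": (["Browser", "HackerDefender100", "HackerDefenderDrv100", "Spooler"],
                ["Browser", "Spooler"]),
    "port":    ([25, 80, 135], [25, 80, 135]),
}


def parse_hacdef_ini(text: str) -> dict:
    """Return key=value entries from the INI text, keeping key case.

    A file with no [section] header is accepted by prepending an assumed
    [Settings] header for parsing only.
    """
    if not text.lstrip().startswith("["):
        text = "[Settings]\n" + text
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # do not lower-case the keys
    cp.read_string(text)
    entries = {}
    for section in cp.sections():
        entries.update(cp.items(section))
    return entries


def registry_keys_for(entries: dict) -> list:
    """Service-control keys the installer would create for the configured names."""
    return [f"{SERVICES_KEY}\\{entries[k]}"
            for k in ("ServiceName", "DriverName") if k in entries]


@dataclass
class Finding:
    kind: str             # "file", "service", "port", ...
    name: str
    matches_ini: bool     # equals a name taken from the INI file
    matches_prefix: bool  # starts with the quoted default hiding prefix


def cross_view_diff(kind: str, trusted_view, local_view) -> list:
    """Names present in the trusted view that the local (hooked) view does not report."""
    local = {str(n).lower() for n in local_view}
    return [str(n) for n in trusted_view if str(n).lower() not in local]


def check_host(entries: dict, views: dict) -> list:
    """Run the cross-view diff for every artifact type and tag each hit."""
    ini_names = {entries[k].lower() for k in INI_NAME_KEYS if k in entries}
    findings = []
    for kind, (trusted, local) in views.items():
        for name in cross_view_diff(kind, trusted, local):
            findings.append(Finding(kind, name,
                                    name.lower() in ini_names,
                                    name.lower().startswith(HIDDEN_PREFIX)))
    return findings


if __name__ == "__main__":
    cfg = parse_hacdef_ini(SAMPLE_INI)
    for key in registry_keys_for(cfg):
        print("expect registry key:", key)
    for f in check_host(cfg, SAMPLE_VIEWS):
        print(f"{f.kind:8} {f.name:24} hidden locally"
              f"{'  [INI name]' if f.matches_ini else ''}"
              f"{'  [hxdef prefix]' if f.matches_prefix else ''}")
```

With the sample data, the three hxdef files and the two service entries are reported as hidden from the local view, while the port listing agrees between both vantage points and produces no finding; the INI-derived names and the "hxdef" prefix tag the hits so that an analyst can tell a configured artifact from an unrelated discrepancy.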
HacDef is also able to execute other programs, specified in its INI file, each time it is started.
Analysis by Hamish O'Dea