[Full-Disclosure] Remote Rootkit Scanner for Windows

From: Andres Tarasco (atarasco_at_sia.es)
Date: 10/19/04

    To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
    Date: Tue, 19 Oct 2004 13:12:35 +0200

    Hacker Defender is a rootkit that is being highly deployed by hackers on
    compromised boxes in the last months.
    Due to a design flaw it's possible to remotely detect if an NT-based computer
    is "infected" with this rootkit.

    Rkdscan was developed to check for this flaw, performing a network scan and,
    after sending some data to open ports, is able to detect if the remote box
    has been compromised.

    Usage:

    C:\rkdscan>rkdscan.exe xx.yy.0.0 xx.yy.10.0
     Remote hxdef Scanner $Revision: 1.0 $
     atarasco_@_sia.es http://www.siainternational.com

     [+] Targets: xx.yy.0.0-xx.yy.10.0 with 150 Threads
     + xx.yy.0.1
     + xx.yy.1.1
    Checking xx.yy.1.5 port: 3389...
    Checking xx.yy.1.17 port: 3389...
    Checking xx.yy.1.17 port: 21...
    Checking xx.yy.1.30 port: 3389...
    Checking xx.yy.1.7 port: 21...
    Checking xx.yy.1.20 port: 21...
    Checking xx.yy.1.22 port: 1025...
     [+] IP: xx.yy.1.22 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
    Checking xx.yy.1.66 port: 1025...
    Checking xx.yy.1.25 port: 21...
     [+] IP: xx.yy.1.66 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
    Checking xx.yy.1.65 port: 3389...
    Checking xx.yy.1.47 port: 3389...
    Checking xx.yy.1.52 port: 7...
     [+] IP: xx.yy.1.52 port: 7 INFECTED with HACKER DEFENDER v0.82 - 0.83
    Checking xx.yy.1.90 port: 3389...
    Checking xx.yy.1.101 port: 3389...
    Checking xx.yy.1.96 port: 3389...
    Checking xx.yy.1.97 port: 3389...
    Checking xx.yy.1.94 port: 7...
    Checking xx.yy.1.94 port: 80...
     [+] IP: xx.yy.1.94 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0
    Checking xx.yy.1.109 port: 3389...
    Checking xx.yy.1.98 port: 3389...
    Checking xx.yy.1.21 port: 25...
    Checking xx.yy.1.116 port: 21...

    Attached to this e-mail is a zip file with both source and binary files.

    rkdscan.c md5sum: a24c0d9f35ccaa07efa8a291476a8a4d
    rkdscan.exe md5sum: 229fd4a1df6d76c799c9b059519f204a (compiled with Bc++ Builder)
    rkdscan.zip md5sum: bb653a41e757b9762070bcd1ec082e5e

    Special thanks to Javier Olascoaga ( jolascoaga[at]sia.es ) for the
    development of a NASL/Nessus script.


    Andrés Tarascó Acuña
    Security Consultant - Tiger Team
    Departamento de Consultoría

    Grupo SIA
    Avenida de Europa Nº 2. Alcor Plaza
    Edificio B. Parque Oeste Alcorcon.
    28.922. Madrid
    Tel.: +34 902 480 580 / Fax: +34 91 307 79 80
    atarasco_@_sia.es
    <www.sia.es>

     <<rkdscan.zip>> <<hacker_defender.nasl>>


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
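As an added example that is not part of the original post or the rkdscan tool, a small Python triage helper that parses the rkdscan session output quoted above into per-host findings. The sample text is constructed in the same format (same placeholder addresses), and the regular expressions are assumptions derived from those quoted lines, not anything documented by the tool.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the rkdscan session quoted in the post
# (addresses are placeholders, as in the original).
SAMPLE_OUTPUT = """\
 [+] Targets: xx.yy.0.0-xx.yy.10.0 with 150 Threads
Checking xx.yy.1.5 port: 3389...
Checking xx.yy.1.22 port: 1025...
 [+] IP: xx.yy.1.22 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
Checking xx.yy.1.52 port: 7...
 [+] IP: xx.yy.1.52 port: 7 INFECTED with HACKER DEFENDER v0.82 - 0.83
Checking xx.yy.1.94 port: 80...
 [+] IP: xx.yy.1.94 port: 80 INFECTED with HACKER Defender v0.84 - v1.0.0
 [+] IP: xx.yy.1.94 port: 1025 INFECTED with HACKER Defender v0.84 - v1.0.0
"""

# The quoted output mixes "Defender" and "DEFENDER" and writes the upper
# version bound both as "v1.0.0" and "0.83", so the match is case-insensitive
# and the "v" prefix is optional (assumed format, taken from the quoted lines).
HIT_RE = re.compile(
    r"^\s*\[\+\]\s+IP:\s+(?P<ip>\S+)\s+port:\s+(?P<port>\d+)\s+INFECTED"
    r"\s+with\s+HACKER\s+DEFENDER\s+v?(?P<lo>[\d.]+)\s*-\s*v?(?P<hi>[\d.]+)",
    re.IGNORECASE,
)
CHECK_RE = re.compile(r"^\s*Checking\s+(?P<ip>\S+)\s+port:\s+(?P<port>\d+)")

def parse_rkdscan(text):
    """Return (hits, checked): hits maps host -> {port: (lo, hi)}, checked counts probes."""
    hits = defaultdict(dict)
    checked = 0
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits[m["ip"]][int(m["port"])] = (m["lo"], m["hi"])
            continue
        if CHECK_RE.match(line):
            checked += 1
    return dict(hits), checked

def triage_report(text):
    """One line per flagged host with its ports and detected version range."""
    hits, checked = parse_rkdscan(text)
    lines = [f"{checked} probes, {len(hits)} host(s) flagged"]
    for ip in sorted(hits, key=lambda a: tuple(a.split("."))):
        ports = ", ".join(f"{p} ({lo}-{hi})" for p, (lo, hi) in sorted(hits[ip].items()))
        lines.append(f"{ip}: {ports}")
    return lines
```

A host flagged on several ports is collapsed into one report line, which is what an incident ticket needs rather than one entry per probe.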