5. MARCO CONCEPTUAL
5.5. COMPORTAMIENTO ORGANIZACIONAL
first things first; do not let the name fool you, Hacker defender is a rootkit. it is not a way to defend hackers! Hacker defender is a full-fledged rootkit that is relatively easy to understand and configure.
there are three main files included with Hacker defender that you must be aware of: hxdef100.exe, hxdef100.ini, and bdcli100.exe. Although the .zip file will include several other files, we will focus our attention on these three. Hxdef100.exe is the executable file that runs Hacker defender on the target machine. Hxdef100.ini is the configuration file where we set up the options we want to use and list the programs, files, or services that we want to hide. Bdcli100.exe is the client software that is used to connect directly to Hacker defender’s backdoor.
once you have uploaded the hsdef100.zip file to your target, you will need to unzip it. to keep things as simple as possible, it is best to create a single folder on the root of the target drive. for the purpose of this example, we will create a folder on the c:\ drive called “rk” (for rootkit). All the files including the hxdef100.zip and its uncompressed contents are placed into this single folder. this will make it easier to keep track of the files, provide a central location to upload additional tools to, and make hiding this central repository much easier. once you have unzipped the hxdef100 file, you can begin configuring Hacker defender by modifying the hxdef100.ini file.
once you open the .ini file, you will see a number of different sections. each major section begins with a name enclosed in a square bracket. figure 6.7 shows an example of the default configuration file.
fIGURE 6.7
As you can see in figure 6.7, there are several headings including [Hidden table], [Hidden Processes], [root Processes], [Hidden services], and others. You will also notice that Hacker defender configuration file includes a cou- ple of default entries. these entries are used to hide the Hacker defender files and built in backdoor so you do not have to modify these or make additional changes. notice too that the .ini file supports the use of wildcards with the “*” character. in this case, any file that starts with the letters hxdef will automati- cally be included in the list.
start at the top and work your way through each of the headings. the first sec- tion is titled [Hidden table]. Any files, directories, or folders listed under this heading will be hidden from the explorer and file manager used by windows. if you created a folder on the root of the drive as suggested earlier, be sure to list it here. Building off of this previous example, we will list “rk” in the [Hidden table] section.
in the [Hidden Processes] section, you list each of the processes or programs you want to be concealed from the user. each of the processes listed here will be hidden from the local user when they view currently running processes with the task manager. As a nonmalicious example assume you want to hide the cal- culator program. in this case you will need to list the calculator program under the [Hidden Processes] section. By adding calc.exe to the [Hidden Processes] section, the user will no longer be able to find or interact with the calculator program. once our rootkit is started, as far as the user is concerned, there is no calculator program available on the computer.
the [root Processes] section is used to allow programs to interact with and view the previously hidden folders and processes. remember that in the pre- vious sections we were removing the computer’s ability to detect, see, and interact with various files and programs. in this section, we list any programs that we want to have full control. Any programs listed here will be allowed to view and interact with programs on the system, including those listed in the [Hidden table] and [Hidden Processes] tab.
if you have any programs that will install as a service or run services like ftP, web servers, backdoors, etc., you will need to list them in the [Hidden services] section. like each of the other sections, the [Hidden services] section will hide each of the listed services. Again, when interacting with the task manager, any program listed here will be concealed from the “services” list.
You can use the [Hidden regkeys] to hide specific registry keys. Almost all pro- grams create registry keys when they are installed or run on a computer. the [Hidden regkeys] section can be used to camouflage each of these keys. You will need to make sure that you list them all in order to avoid detection.
some instances require more granular control than simply hiding the entire key. if an entire key is missing (or hidden), a keen system administrator may get suspicious. to handle these instances, Hacker defender allows us to use
the [Hidden regValues]. entering information here will hide individual values rather than the entire key.
the [startup run] is a list of programs that will be automatically run once Hacker defender has been started. this would be a good place to list the netcat command if you were interested in creating a backdoor. Just make sure you put it in listener mode!
Just as installing programs on a windows machine automatically creates regis- try keys and values, installing programs onto a target requires disk drive space. Here again, a cunning administrator may notice if you install a program that requires lot of disk space. if a user starts his or her computer one morning and discovers that over half of the hard drive space is suddenly in use, he or she will probably become suspicious. You can use the [free space] section to force the computer to “add back” the amount of free space that you used. entering a number here will force the computer to report the actual available free space plus the number you enter in this section. in other words, if you install a pro- gram that requires 1 gB of free space, you should add 1073741824 under the [free space] heading. doing so will lessen the likelihood of discovery. Please note, this number is listed in bytes. if you need help in converting from bytes to kilobytes to megabytes to gigabytes, there are several good calculators avail- able online. simply google “kilobytes to megabytes calculator” and use one of the suggested pages returned.
if you know of ports that you plan to open, you can list them under the [Hidden Ports] section. You will notice this section is further divided with the following entries: tcPi:, tcPo, UdP. the “tcPi:” subsection is where you list any inbound ports that you want hidden. if you have multiple ports to list, simply separate them by a comma. “tcPo:” is a section where you list any out- bound tcP ports that you want to be hidden from the user. the “UdP:” sec- tion is used to specify any UdP ports that you want concealed.
now that you have an idea of how to configure the basic Hacker defender settings, let us examine the tool in action. for this example, we will install Hacker defender in a folder on the c:\ drive called “rk.” we will also place a copy of netcat into this folder. figure 6.8 shows an example of the .ini configu- ration file.
You will notice that only a few extra lines have been added to the default configuration file. in this example, we have added the “rk” folder to the [Hidden table] section, the netcat executable to the [Hidden Processes] sec- tion, and lastly set up netcat to automatically start up in server mode and provide a cmd shell on port 8888 of the target. if you wanted to add an additional layer of stealth, you could also add 8888 to the [Hidden Ports] section.
figure 6.9 shows two screenshots prior to starting Hacker defender. notice that both the “rk” folder and the netcat (nc.exe) program are visible.
However, once the hxdef100.exe file has been executed, the rootkit is in full force. figure 6.10 demonstrates that neither the “rk” folder nor the “nc.exe” program is visible to the user.
As you can see, even a simple rootkit like Hacker defender is quite capable of masking and hiding files. rootkits are a vast topic and we could easily dedicate fIGURE 6.9
Prior to Running the Rootkit Both Folder and Program Are Visible.
fIGURE 6.8
an entire book to the technical details and their makeup and inner workings. rootkit technology, like all malware, continues to develop at a staggering pace. in order to truly master rootkits you will need to begin with a solid under- standing of the operating system kernel. once you finish covering the basics, you are highly encouraged to dive into the malware rabbit hole and see just how deep it goes.