Thread: CWS - we know what's coming

  1. #1 Curio (Triple Platinum Member; London; joined Nov 2004; 899 posts)

    CWS - we know what's coming

    I've just been reading this article http://www.silentrunners.org/sr_cwsremoval.html over at the Silent Runners website. CWS has used a version of the HackerDefender rootkit in the past to stealth itself, and that article describes a variant I haven't seen yet in the wild. It looks pretty much like they like the rootkit idea.

    The HackerDefender infection I saw was pretty scary: there was no sign of anything running in any standard tools, but when you opened a program like Spybot, Ad-Aware, Norton Antivirus etc. it was killed within 5 seconds. This reminded me of the Beast trojan, so I suspected a miscreant had infected this PC with something at a LAN party the owner had recently returned from. I loaded the PC with ProcessGuard and rebooted, then checked through the PG log; it showed a service starting from system32 that I had never heard of. When I looked in system32 the file wasn't there. When I searched the registry there was no sign of the filename or any startup reference.

    Being the curious type, I rebooted with BartPE and looked in the system32 folder. A-ha! Now it was there. I scanned it with a virus scanner: nothing. I renamed it by removing the extension and tagging it on the front (exe.naughtyfile) and rebooted. Now we are talking: I could see the entries in the registry and the service startup 'hxdef100'. Once again, hooray for PG, but if that service had loaded before PG, or if it had been something injected into a legitimate file, it would have been impossible to find. Even storing it as an ADS would have made it a nightmare to trace: boot from BartPE and run lads.exe on the system; it would be a wipe and reload.

    So that's what they have done up to now, and holyfather does custom versions of HackerDefender which are undetected by any AV or rootkit finders. I think I can guess what's coming next. Get the wipe and reload disks at the ready.
    I'm using Windows 7 - you got a problem with that?
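The post above describes a cross-view check by hand: the live system hid a file, a service and its registry startup entry, but the same disk viewed from a clean BartPE boot showed all three. The script below is an added example (not from the thread or from any rootkit-detection tool) that automates that comparison: it takes a live listing and a trusted offline listing of system32 file names, service names and Run-key value names, and reports what the offline view has that the live view does not. The service name 'hxdef100' is the one the post reports; the file names hxdef100.exe and hxdef100.ini, the live-only wbem.tmp, and all other listing entries are constructed sample data.

```python
"""Cross-view rootkit check (added example, not code from the original post).

Compare a live view of the machine, which a kernel or API-hooking rootkit
may have filtered, against a trusted offline view taken from a clean boot
(e.g. BartPE). Anything the offline view has and the live view lacks is a
candidate for deliberate concealment. All listings below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


def names_from_listing(text: str) -> List[str]:
    """Turn a bare listing (one name per line, e.g. the output of `dir /b`
    saved from each boot) into a list of names, ignoring blank lines."""
    return [line.strip() for line in text.splitlines() if line.strip()]


@dataclass(frozen=True)
class Snapshot:
    """One view of the system. Names are case-folded because Windows file,
    service and registry names are case-insensitive."""
    files: FrozenSet[str]
    services: FrozenSet[str]
    run_keys: FrozenSet[str]

    @classmethod
    def from_lists(cls, files: Iterable[str], services: Iterable[str],
                   run_keys: Iterable[str]) -> "Snapshot":
        def fold(names: Iterable[str]) -> FrozenSet[str]:
            return frozenset(n.casefold() for n in names)
        return cls(fold(files), fold(services), fold(run_keys))


def cross_view_diff(live: Snapshot, offline: Snapshot) -> Dict[str, List[str]]:
    """Names present in the trusted offline view but missing from the live view.

    Names that exist only live (temp files created at runtime, services added
    after the offline listing) are deliberately NOT reported: they are noise
    from the two views being taken at different times, not evidence of hiding.
    """
    return {
        "files": sorted(offline.files - live.files),
        "services": sorted(offline.services - live.services),
        "run_keys": sorted(offline.run_keys - live.run_keys),
    }


def linked_hidden_objects(diff: Dict[str, List[str]]) -> List[str]:
    """Hidden services whose name also shows up as a hidden file stem or a
    hidden Run value. One hidden object may be a stale listing; the same name
    hidden across file, service and registry views is the pattern the post
    describes and is much harder to explain away."""
    file_stems = {f.rsplit(".", 1)[0] for f in diff["files"]}
    return sorted(s for s in diff["services"]
                  if s in file_stems or s in diff["run_keys"])


def is_suspicious(diff: Dict[str, List[str]]) -> bool:
    """True if any view disagrees in the 'hidden from live' direction."""
    return any(diff.values())


# Constructed sample listings. The live view is missing the kit's files,
# service and Run value; it also has a runtime-only temp file that the
# offline listing never saw, which must not be flagged.
LIVE = Snapshot.from_lists(
    files=names_from_listing("kernel32.dll\nntoskrnl.exe\nsvchost.exe\nwbem.tmp\n"),
    services=["Eventlog", "Spooler"],
    run_keys=["ctfmon"],
)
OFFLINE = Snapshot.from_lists(
    files=names_from_listing(
        "kernel32.dll\nntoskrnl.exe\nsvchost.exe\nhxdef100.exe\nhxdef100.ini\n"),
    services=["Eventlog", "Spooler", "hxdef100"],
    run_keys=["ctfmon", "hxdef100"],
)

if __name__ == "__main__":
    diff = cross_view_diff(LIVE, OFFLINE)
    for view, hidden in diff.items():
        print(f"{view:9s} hidden from live view: {hidden or 'none'}")
    print("linked across views:", linked_hidden_objects(diff))
    print("verdict:", "SUSPICIOUS" if is_suspicious(diff) else "clean")
```

The check never greps for 'hxdef' or any other fixed string: as the thread notes, the kit is driven by an ini file and custom builds are sold, so names and behaviour vary per victim, whereas a name that exists on disk offline and vanishes online is a property of the hiding itself. The diff only covers what a directory listing can see, so an alternate data stream would still need a dedicated tool such as lads.exe run from the offline boot, and a rootkit that loaded before the tool collecting the live listing can subvert that listing, which is exactly why the trusted view has to come from a separate clean boot.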

  2. #2 efc (Titanium Member; North Central Arkansas; joined Sep 2002; 2,293 posts)
    Good post.
    Linux Mint Debian Edition

  3. #3 (Titanium Member; blk helo target, WA; joined Jul 2002; 3,415 posts)

    Quote: "when you opened a program like Spybot, Adaware, Norton Antivirus etc. it was killed within 5 seconds"
    I guess we can add that as a rootkit detector.

  4. #4 Curio (Triple Platinum Member; London; joined Nov 2004; 899 posts)
    Like I said, 'the Beast' trojan does the same thing, but it's always a good idea to look in the system tray to see if an AV is running, because so many malware programs disable it straight away; it is the most obvious sign that a PC may be infected with something.

    HackerDefender is configured via an ini file, and its behaviour may not manifest in this way on other PCs. In fact hf does versions specifically made to sidestep various antivirus systems, so they can be left running and not detect a sausage.

    Rootkits are naughty.
    I'm using Windows 7 - you got a problem with that?
