So, we're back from the Virus Bulletin conference, and everything went fine, including our presentations on rootkits and mobile risks. We'll be posting the papers and/or slides later this week.
While we're on the subject of rootkits: around a month ago we received the first sample of Golden Hacker Defender, the commercial, private version of the Hacker Defender rootkit. Bad boys are buying this tool to hide their tracks, and may pay over 500 EUR for it, depending on the features.
The sample came from a company that found it on several of their Windows servers. They made the discovery while testing the latest beta version of BlackLight.
The most notable feature of this non-public Golden Hacker Defender is its anti-detection engine, which is able to bypass most modern rootkit detectors. The engine identifies detectors by matching a binary signature against the detector's executable before the detector has a chance to execute. If the signature matches, the rootkit can disable some of its hooks, or it can patch the detector's binary to modify its functionality.
In this case, detection was possible only because the intruder had not yet updated the rootkit with a signature for our latest BlackLight release.
So now we have developers of rootkit detectors adding detection of the latest rootkits to their scanning engines, and developers of rootkits adding detection of the latest detectors to theirs.
In a sense, a direct attack on rootkit detectors requires the rootkits to update themselves faster than the detectors. That is not always possible: F-Secure Internet Security 2006 updates its BlackLight engine automatically through the regular anti-virus updates.
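As an added illustration (this is not code from the original post, nor Golden Hacker Defender's or BlackLight's own logic), the following constructed Python simulation models the mechanism described above: a signature check on a binary before it executes, followed by either withdrawing hooks or patching the detector's image, and then the arms race that follows when the detector is rebuilt so that its bytes no longer match until the rootkit's signature table catches up. Every signature, hook name, marker string and image is a placeholder, not real data.

```python
"""Constructed simulation of a signature-gated anti-detection engine.

Models the behaviour described in the post: a rootkit inspects a binary before
it runs, and if the image matches a signature for a known rootkit detector it
either withdraws its hooks or patches the detector so its scan is neutered.
Every signature, hook name and image here is a placeholder, not real Golden
Hacker Defender or BlackLight data.
"""

# Hooks the simulated rootkit installs to hide its files, processes and keys.
HOOKS = frozenset({"NtQuerySystemInformation", "NtQueryDirectoryFile", "NtEnumerateKey"})

# Signature table: detector name -> (byte pattern expected in its image, response).
# Constructed placeholders; the real table is private to the rootkit's author.
SIGNATURES = {
    "detector_a": (b"DETECTOR-A-BUILD-1", "disable_hooks"),
    "detector_b": (b"DETECTOR-B-SCANNER", "patch"),
}

# In a simulated image this marker stands for the detector's scan routine; the
# "patch" response overwrites it in place (same length, so offsets survive).
SCAN_MARKER = b"SCAN:CROSS-VIEW"
PATCHED_MARKER = b"SCAN:DISABLED!!"
assert len(SCAN_MARKER) == len(PATCHED_MARKER)


def identify(image: bytes, signatures=SIGNATURES):
    """Return (detector name, response) for the first matching signature, else None."""
    for name, (pattern, response) in signatures.items():
        if pattern in image:
            return name, response
    return None


def on_image_load(image: bytes, active_hooks: frozenset, signatures=SIGNATURES):
    """Rootkit's decision when a process image is about to run.

    Returns (image as the process will see it, hooks left active, action taken).
    """
    hit = identify(image, signatures)
    if hit is None:
        return image, active_hooks, "none"
    _name, response = hit
    if response == "disable_hooks":
        # Withdraw hooks so a cross-view scan finds no hidden objects.
        return image, frozenset(), "disable_hooks"
    # "patch": leave hooks in place but neuter the scan routine in the image.
    return image.replace(SCAN_MARKER, PATCHED_MARKER), active_hooks, "patch"


def run_detector(image: bytes, active_hooks: frozenset) -> bool:
    """Simulated cross-view scan. A discrepancy is visible only while hooks hide
    objects, and only if the scan routine itself has not been patched out."""
    if SCAN_MARKER not in image:
        return False
    return bool(active_hooks & HOOKS)


def simulate(image: bytes, signatures=SIGNATURES) -> dict:
    """Load a detector image under the rootkit and report what happens."""
    seen_image, hooks, action = on_image_load(image, HOOKS, signatures)
    return {"action": action, "detected": run_detector(seen_image, hooks)}


# Constructed detector images: header-like bytes, an identifying string and the
# scan-routine marker. BUILD-2 stands for a rebuilt detector whose bytes no
# longer match the rootkit's stored signature.
DETECTOR_A_OLD = b"MZ\x90\x00" + b"DETECTOR-A-BUILD-1" + b"\x00" * 8 + SCAN_MARKER
DETECTOR_A_NEW = b"MZ\x90\x00" + b"DETECTOR-A-BUILD-2" + b"\x00" * 8 + SCAN_MARKER
DETECTOR_B = b"MZ\x90\x00" + b"DETECTOR-B-SCANNER" + b"\x00" * 8 + SCAN_MARKER


def arms_race():
    """Old build evaded, rebuilt detector caught, then evaded again once the
    rootkit author ships a signature for the new build."""
    before = {
        "old_build": simulate(DETECTOR_A_OLD),
        "new_build": simulate(DETECTOR_A_NEW),
        "detector_b": simulate(DETECTOR_B),
    }
    updated = dict(SIGNATURES)
    updated["detector_a_v2"] = (b"DETECTOR-A-BUILD-2", "disable_hooks")
    after = {"new_build": simulate(DETECTOR_A_NEW, updated)}
    return before, after


if __name__ == "__main__":
    before, after = arms_race()
    for name, result in before.items():
        print(f"before rootkit update: {name:10s} action={result['action']:13s} detected={result['detected']}")
    result = after["new_build"]
    print(f"after rootkit update:  new_build  action={result['action']:13s} detected={result['detected']}")
```

Running the script prints three outcomes before the rootkit's signature update and one after. The only case the simulated detector wins is the rebuilt image whose bytes the rootkit has not yet learned, which is exactly the window the post describes; once the signature table is refreshed the same image is evaded again, so the defender's advantage lasts only as long as its updates outpace the attacker's.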