The author of the Hacker Defender rootkit said he's taking a break from developing the popular hacking tool, but that he may soon return to developing new rootkit programs.
The author, who uses the name “Holy Father,” posted a message on the Hacker Defender Web site calling a truce with security companies that make anti-rootkit technology.
However, in an e-mail exchange with eWEEK, “Holy Father” said he isn't throwing in the towel, and that he may return to rootkit development after taking a break from Hacker Defender to work on other projects.
Hacker Defender is one of the best-known rootkit programs. Rootkits have been common in computer hacking circles for years, and allow attackers to maintain access to a computer, without being detected, long after they have compromised its defenses.
In recent years, authors have developed so-called “kernel mode” rootkits, like Hacker Defender, that manipulate information passed through the core of Microsoft Windows, the kernel, and are very difficult to detect.
Hacker Defender was initially released as an open-source program in 2004. More recently, Holy Father has sold updated copies of the rootkit, dubbed “Golden Hacker Defender,” for 450 euros. That version of the program had an anti-detection engine designed to thwart anti-rootkit technology from vendors like anti-virus firm F-Secure, in Helsinki, Finland.
The anti-detection features put the Hacker Defender author or authors in an arms race with anti-virus companies and, in a recent post, Holy Father said he would stop updating the anti-detection service.
“For more than a year we were able to bypass any rootkit detection method and utility. We have proven that current rootkit detection methods are poor or half implemented,” he wrote in a message on the Hacker Defender Web site.
“Now we feel that our chess game can't bring anything new to any of the sides,” he wrote.
In an e-mail to eWEEK, Holy Father said there were many factors that prompted him to discontinue the updates to Hacker Defender.
“I've got some personal projects in real life work that I want to concentrate on so I also wanted to free some time on it,” he wrote.
Legitimate Hacking Only
Holy Father said he wanted to take a “rest,” and declined to say what projects he was working on. However, he didn't deny that he could develop a new rootkit program in the future.
“There might be some other tools, maybe some rootkits, we'll see what [the] future comes with,” he wrote.
In the meantime, he gave credit to F-Secure and the creators of the IceSword anti-rootkit program for discovering novel ways to detect Hacker Defender and other rootkits.
In his Web page post, Holy Father reiterated claims, made in the past, that he does not sell his program to criminals or criminal groups.
“We preferred to sell paid versions for the legal activities such as penetration testing or security conference demonstrations. We have never supported criminals and always refused to renew the antidetection for those who misused our products,” he wrote.
The communications from the secretive rootkit author may be an effort to sanitize the shadowy Hacker Defender technology so that he can begin offering legitimate software, said Sam Curry, vice president of eTrust Security Management at Computer Associates International, in Islandia, N.Y.
“Holy Father,” who claims to live in the Czech Republic and to do Hacker Defender as a pastime, may be envisioning trying to get out of the “grey zone” of rootkit technology, which is often associated with illegal hacking, Curry said.
Computer Associates researchers are seeing more and more examples of rootkit code in other programs. The snippets of code are often used to hide viruses and other malicious wares, he said.
Rootkit techniques have also caught the attention of legitimate software vendors, as the recent flap over stealth features in digital rights management technology from Sony illustrated, Curry said.
CA has to update its product and its anti-virus engine more frequently to catch the new rootkit technology, and is spending more time and energy testing anti-rootkit features to make sure they aren't disruptive, Curry said.