From: etomcat at freemail.hu (Feher Tamas)
Subject: Windows rootkit author interview - with title in
	poor taste

http://www.infoworld.com/article/05/03/16/HNholyfather_1.html

Holy Father on rootkit writing for fun, profit
by Paul Roberts, IDG News Service, 16 Mar 2005

Rootkit author discusses efforts to highlight weaknesses in
software security

The software developer behind a leading rootkit program says
he is motivated by necessity, curiosity and a desire to
expose weaknesses in the Windows operating system and
security technology. He also isn't too worried about how
others might use his software, according to an e-mail
interview with IDG News Service. 

While he declined to provide his real name or speak by
phone, "Holy Father," author of the Hacker Defender rootkit,
claims to live in the Czech Republic, where the hacker
defender Web site (http://hxdef.czweb.org) is registered to
a "Jaromir Lnenicka" in Prague. His online name stemmed from
a desire to do "big thingz" in the computer hacking
underground. On that score, he has succeeded. Written in
conjunction with a member of the 29a malicious code writing
group, Hacker Defender has been downloaded more than 100,000
times, by his count, and grabbed the attention of security
researchers at Microsoft (Profile, Products, Articles) and
other leading companies.

Rootkits are malicious programs that are designed to be
invisible once they are installed on a computer's operating
system. They often hide by replacing core operating system
functionality with a version of the same functionality that
provides remote attackers with a back door into compromised
systems.

Like other hackers, Holy Father said he was spurred to
create Hacker Defender by the technical challenge of writing
a rootkit. However, he doesn't shy away from turning a
profit on his work, and claims that demand in the malicious
code writing underground is high for custom rootkits that
are completely undetectable and can evade detection for long
periods of time.

IDG News: What is your background? How did you get started
with rootkits?

HF: Before I started with (Hacker Defender), I needed a
rootkit that would hide my stuff (somewhere). There was
nothing I could use, so I had to implement it myself. A
simple but great idea. Eighty percent of my software is what
I needed (but) wasn't able to find, or tools that are needed
by the public and are not free (or) open by (their) original
authors.

IDG News: Did you code viruses or Trojans previously? Do you
do other kinds of software development?

HF: I code (mostly) security stuff. I can code Trojans,
viruses, whatever. But I have never coded a virus or Trojan
for me. It was always commercial stuff.

IDG News: Could you explain that more. Commercial for who or
what?

HF: I'm the coder. This means (people) hire me to code
something. I do accept or I do refuse (their) job offers;
security stuff (including trojans/virus/spyware) is what I
can code and usually do not refuse to make. For who? Who
needs and pays.

IDG News: What was your thought or goal in designing the
Hacker Defender rootkit?

HF: The main goal was to write something new -- a userland
rootkit with great capabilities (e.g. you can specify names
of files that are hidden) and ease of use.

IDG News: What other rootkits did you model Hacker Defender on?

HF: When (Hacker Defender) started there was just one
(kernel mode rootkit) from Greg (Hoglund, co-author of
"Exploiting Software: How to Break Code"), and a kernel mode
rootkit is about something else, so we can say that (Hacker
Defender) is the model for lots of new rootkits.

IDG News: Was there any particular functionality you were
looking to add, specifically, in Hacker Defender or that you
"pioneered?"

HF: The first version (of Hacker Defender) did nothing and
badly. But there was always something to add because there
was nothing on the scene like this. One of those things was
this absolutely new idea for a backdoor.

IDG News: Hacker Defender 1.0 has been out for a year. Do
you have plans for a future version of the software? If so,
how would it be different?

HF: I had plans but I become (sic) retired, so I think there
won't be such time to implement new versions.

IDG News: How many copies of Hacker Defender have been
downloaded?

HF: I don't know. My Web site is about anonymity and
freedom. There is no counter or such, but I can guess that
it is more than 100,000 from my site and lots more from
different sources. I've heard that (Hacker Defender) is very
very common on rooted NT boxes.

IDG News: What are people doing with Hacker Defender? Are
there legitimate applications of the tool, or is it a
blackhat (malicious hacking) tool only?

HF: Of course it is NOT blackhat only. I know at least one
guy who use (sic) it for whitehat (benign hacking) stuff
and, of course, there are lot of guys who speaks (sic) about
security at conferences etc. and show (Hacker Defender) to
participants. This is also legal use.

IDG News: How would you describe the community of rootkit
authors? Is it similar to the virus writing community or
different? How so? Is there cross over (i.e. virus writers
who also do rootkits), or are they totally separate communities?

HF: I know only two rootkit communities - www.rootkit.com is
the first and that on my site (http://hxdef.czweb.org/) is
the second. The (virus writing) scene is very different.
There are many (virus writing) groups . Of course, rootkit
coders are also virus writers. The rootkit community is just
a few (people) who study (operating system) kernel and
implement thingz (sic) that were never implemented before.
This is similar to (the virus writing) community.

IDG News: Can the whitehat development community learn
anything from the rootkit development community?

HF: A lot of new developers from the times I started with
(Hacker Defender) maybe they like my work and find it
interesting also Greg (Hoglund) does a lot to increase
public knowledge. Everyone can learn from rootkits.

IDG News: Security experts warn that spammers and virus
writers are going to take pieces of what is in the rootkits
-- stealth techniques and such -- and modify them for their
own purposes. Do you see this happening? What are your
thoughts on this phenomenon?

HF: I can't see (a) problem with this. If somebody hires me
for coding such stuff I will do it. The only code that I
won't support is spam. It (sucks), but virus stuff is not as
bad as (people) think and if someone (writes a) virus that
would hide itself or whatever it just shows how today's
(antivirus products) are poor and that is good cuz they are
really poor.

IDG News: How easy is it to fool current antivirus technology?

HF: Today's antivirus is good only to (protect) you against
wide spreading worms. If someone (man not computer code)
wants to attack you, just you or your company not in a wide
range, there is no antivirus in these days that can help
you, so the answer is 'Very easy,' (and that's why I can
offer anti-detection service for such low prices :))

IDG News: Explain the art of "anti-detection." How do you
figure out new ways to keep Hacker Defender and other tools
from being detected?

HF: I don't use something special. Today's (antivirus) is
poor, as I said; that means you need to change few bytes in
code and that is it.

IDG News: What do security software vendors have to do to
address the techniques you and others use in kernel rootkits?

HF: They know everything that they need to, and also their
tools work very well. The problem is that you can always
write "anti-code." I mean if somebody writes (a) virus, you
can write antivirus (that's very common)...(It's) the same
with rootkits. You can write a (rootkit) detector; I can
write a rootkit that bypasses this detector.

IDG News: Recently, more companies have announced
antirootkit programs.What are your thoughts on this?

HF: I'm pretty sure these new detectors can find (Hacker
Defender), but, as you maybe know, Hacker Defender is not
under public development for more than a year... But people
can ask me to make a version of (Hacker Defender) that would
beat these detectors. 

Powered by blists - more mailing lists