The author of the Hacker Defender rootkit, known by the handle "holy_father", said he has ended a paid service offering routes around anti-virus and anti-rootkit programs. Hacker Defender, an open-source, user-mode Windows rootkit, had become famous among security researchers and is one of the most widely deployed rootkits in the wild, according to F-Secure.
Rootkits are generally used to hide attacker activity from users and administrators. Hacker Defender modifes several Windows and Native API functions, allowing it to hide files, processes and other information from other applications, according to F-Secure. It also implements a backdoor and port redirector, making it impossible to find the hidden backdoor through traditional methods such as remote port scans, F-Secure said.
For more than a year, the Hacker Defender project offered a paid version of the rootkit in addition to the freely available open-source version, which promised additional tricks to thwart security software. Last weekend, holy_father decided to end the service, saying he has had enough of the "chess game", according to a message on the Hacker Defender site.
Though the tool has been widely used by attackers, holy_father insisted Hacker Defender's development was aimed at spurring the security industry into action. "We have proven that current rootkit detection methods are poor or half implemented," he wrote.
While there still isn't a completely effective tool against rootkits, according to holy_father, he praised F-Secure's BlackLight anti-rootkit tool and another called IceSword.
F-Secure said the news is good for computer users, but didn't mean Hacker Defender would be going away. "Since Backdoor.Win32.Hacdef is an open-source rootkit, we will most likely continue seeing private builds of it also in the future," said F-Secure researcher Antti Tikkanen on the company's
blog on Friday.