Malicious Software Encyclopedia: Win32/Hackdef

Published: June 28, 2005

Win32/Hackdef is a family of backdoor Trojans that is distributed in various ways to computers running certain versions of Microsoft Windows. This Trojan is a user-mode rootkit. It creates, alters, and hides Windows system resources on a computer that it has infected, and can hide proxy services and backdoor functionality. It can also conceal use of TCP and UDP ports for receiving commands from attackers.


Threat Overview

Class/type: Trojan - Rootkit-Stealth
Discovered: March 19, 2005
Circulating: Yes
Affected operating systems: Windows 2000, Windows XP, Windows Server 2003
Affected software: Not specified
Infection rating: Low
Recovery difficulty: Difficult
Damage rating: High
Transmission rating: Low

Technical Analysis

A variant of Win32/Hackdef can be started locally or by a remote process scanning the network for vulnerable computers. It can infect a computer only by gaining access through a local user account that has administrator privileges. After Windows restarts on a computer that is infected with Win32/Hackdef, the Trojan can run under local accounts that do not have administrator privileges.
 
The variant runs as a process and installs itself as a service. When it runs, it checks for the presence of configuration code that contains parameters for changing settings on the target computer. Settings in the configuration code determine rootkit operations such as creating, altering, and hiding system resources; providing and controlling backdoor functionality; and providing proxy services.
 
Win32/Hackdef creates mailslots on an infected computer, which function as backdoors to exchange commands and information with attackers. The Trojan creates a separate, private mailslot for each attacker to send commands to control Trojan functionality on the target computer.
 
Win32/Hackdef uses a driver to run custom code in kernel mode. This driver duplicates process tokens to obtain process-related information so that the rootkit can alter the functionality of processes as they run from memory.
 
Win32/Hackdef saves the original data of multiple Windows system API functions and then modifies those APIs in place where they reside in the memory allocated to various processes. This can include APIs from various DLLs.
 
If Win32/Hackdef infects a computer through a user account that has administrator privileges, it infects all current and future user sessions. If Win32/Hackdef infects a system through a user account that does not have administrator privileges, it infects current and future sessions of only this user.
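The in-memory API modification described above (original data saved, then the live copy of the function rewritten) is what user-mode rootkit scanners look for. The following Python script is an added example; it is not part of the Microsoft encyclopedia entry and is not Hackdef's own code. It compares the entry bytes of each exported function as seen in a process's memory against a clean copy of the same module and classifies any difference by the trampoline pattern found at the entry (JMP rel32 or PUSH/RET). The module image, export table, function names and hook bytes are all constructed for the demo; on a live system the memory view would be read from the target process and the clean view mapped from the DLL on disk, and relocations and legitimate in-memory patches (OS hotpatching, compatibility shims, security products) must be accounted for before a difference is treated as malicious.

```python
"""Inline API hook detector (added example; not from the Microsoft page and
not Hackdef's code). Compares the first bytes of each exported function in
a process's memory view against a clean copy of the same module and reports
any function whose entry has been rewritten.

Everything below (module image, export table, hook bytes) is constructed for
the demo. On a real system the memory view would come from reading the
target process and the clean view from the DLL file on disk."""

import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROLOGUE_LEN = 8  # number of entry bytes compared per function


@dataclass
class HookFinding:
    name: str
    rva: int
    kind: str              # "inline-jmp", "push-ret" or "modified"
    target: Optional[int]  # where control is diverted to, when decodable
    clean: bytes
    memory: bytes


def classify_patch(entry: bytes, rva: int) -> Tuple[str, Optional[int]]:
    """Identify the trampoline at a rewritten function entry.

    E9 rel32       JMP rel32: target = RVA of the next instruction + rel32
    68 imm32 C3    PUSH imm32; RET: target = absolute imm32
    anything else  reported as a generic modification
    """
    if len(entry) >= 5 and entry[0] == 0xE9:
        rel = struct.unpack_from("<i", entry, 1)[0]
        return "inline-jmp", rva + 5 + rel
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:
        return "push-ret", struct.unpack_from("<I", entry, 1)[0]
    return "modified", None


def find_hooks(exports: Dict[str, int], clean: bytes, memory: bytes) -> List[HookFinding]:
    """Diff each export's entry bytes between the clean and in-memory images.

    A difference is a signal, not proof: relocations, OS hotpatching and
    legitimate security products also rewrite entries, so findings need
    triage against the jump target (inside a known, signed module or not)."""
    findings = []
    for name, rva in sorted(exports.items(), key=lambda kv: kv[1]):
        c = clean[rva:rva + PROLOGUE_LEN]
        m = memory[rva:rva + PROLOGUE_LEN]
        if c != m:
            kind, target = classify_patch(m, rva)
            findings.append(HookFinding(name, rva, kind, target, c, m))
    return findings


# --- constructed demo data -------------------------------------------------
# Standard hot-patchable x86 prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC83EC10")
# Export name -> RVA inside the fake 256-byte module image (constructed)
DEMO_EXPORTS = {
    "NtQueryDirectoryFile": 0x10,      # the kind of API a file-hiding rootkit rewrites
    "NtQuerySystemInformation": 0x40,  # the kind of API a process-hiding rootkit rewrites
    "CreateFileW": 0x70,               # left untouched in this demo
}


def build_demo_images() -> Tuple[bytes, bytes]:
    """Return (clean_image, memory_image) with two entries rewritten."""
    clean = bytearray(b"\xCC" * 0x100)
    for rva in DEMO_EXPORTS.values():
        clean[rva:rva + len(CLEAN_PROLOGUE)] = CLEAN_PROLOGUE
    memory = bytearray(clean)
    # 1) JMP rel32 from RVA 0x10 to a trampoline at RVA 0x2000 (outside the image)
    memory[0x10:0x15] = b"\xE9" + struct.pack("<i", 0x2000 - (0x10 + 5))
    # 2) PUSH 0x00A10000; RET at RVA 0x40 (absolute address chosen for the demo)
    memory[0x40:0x46] = b"\x68" + struct.pack("<I", 0x00A10000) + b"\xC3"
    return bytes(clean), bytes(memory)


def demo_findings() -> List[HookFinding]:
    clean, memory = build_demo_images()
    return find_hooks(DEMO_EXPORTS, clean, memory)


if __name__ == "__main__":
    for f in demo_findings():
        tgt = "?" if f.target is None else f"0x{f.target:X}"
        print(f"{f.name:<26} {f.kind:<11} -> {tgt}  clean={f.clean.hex()} mem={f.memory.hex()}")
```

Run as a script it lists the two rewritten entries with their decoded targets; `CreateFileW` is not reported because its bytes match. The comparison window is deliberately short: rootkits of this type need only the first five or six bytes of a function to divert it, so a longer window adds noise from unrelated code changes without improving detection.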

How to Prevent Infection

Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with unknown attachments.
  • Do not respond to requests for personal information via e-mail or IM.
  • Remove unneeded network shares.
  • Use strong passwords.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Highlight a connection that you want to help protect, and click Change settings of this connection.
  4. Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
  3. Click System.
  4. Click Automatic Updates, and select Keep my computer up to date.
  5. Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
  6. If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, you can get it from one of several companies. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

Use caution with unknown attachments

Use caution before opening unknown e-mail or IM attachments, even if you know the sender. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately, and run up-to-date antivirus software to check your computer for viruses.

Do not respond to requests for personal information via e-mail or IM

Microsoft and most legitimate businesses will never ask for passwords, credit card numbers, or other personal information in an e-mail or instant message. If you do receive a message requesting this kind of information, don't respond. If you think the message is legitimate, contact the company by phone or through their Web site to confirm.

Remove unneeded network shares

Malicious software can often spread over network shares. Remove unneeded network shares that are mapped to your computer.
To remove network shares in Windows XP
  1. On the Start menu, click My Computer.
  2. On the Tools menu, click Disconnect Network Drives…
  3. In the Disconnect Network Drives dialog box, click the drives to disconnect and click OK.

Use strong passwords

A strong password has at least eight characters and includes a combination of letters, numbers, and symbols. It is easy for you to remember, but difficult for others to guess. Weak passwords include any words in the dictionary, names, dates, consecutive letters or numbers, common words with symbol substitutions (for example, p@ssw0rd), and so on.
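The criteria just listed can be applied mechanically. The following Python script is an added example, not part of the Microsoft page: it rejects passwords shorter than eight characters, passwords lacking any of letters, numbers and symbols, and the listed weak patterns (dictionary words or names, dates, runs of consecutive letters or numbers, and common words with symbol substitutions such as p@ssw0rd). The word list, the substitution table and the date heuristic are constructed for the demo and would be replaced by a real dictionary and local policy in practice.

```python
"""Password strength check implementing the criteria in the text (added
example, not from the Microsoft page): at least eight characters, a mix of
letters, numbers and symbols, and none of the listed weak patterns
(dictionary words or names, dates, consecutive letters or numbers, common
words with symbol substitutions such as p@ssw0rd). The word list, the
substitution table and the date heuristic are constructed for the demo."""

import re
import string
from typing import List

# Undo common symbol/digit substitutions so that p@ssw0rd is checked as "password".
LEET_TABLE = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Small stand-in for a real dictionary plus common first names (constructed).
WEAK_WORDS = sorted({"password", "letmein", "welcome", "qwerty", "admin",
                     "john", "michael"})

# Date heuristic (constructed): a 4-digit year, or dd/mm/yy-style digit groups.
DATE_RE = re.compile(r"(?:19|20)\d\d|\d\d[/.-]\d\d[/.-]\d\d")


def has_consecutive_run(pw: str, n: int = 4) -> bool:
    """True if pw contains n letters or n digits in ascending or descending
    sequence (abcd, 1234, dcba, 4321)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if not (chunk.isalpha() or chunk.isdigit()):
            continue
        diffs = [ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])]
        if all(d == 1 for d in diffs) or all(d == -1 for d in diffs):
            return True
    return False


def password_weaknesses(pw: str) -> List[str]:
    """Return every reason the password fails the criteria (empty list = strong)."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    classes = {
        "letters": any(c.isalpha() for c in pw),
        "numbers": any(c.isdigit() for c in pw),
        "symbols": any(c in string.punctuation for c in pw),
    }
    missing = [k for k, present in classes.items() if not present]
    if missing:
        reasons.append("missing " + ", ".join(missing))
    # Dictionary check runs on the de-substituted form, so p@ssw0rd is caught.
    normalized = pw.lower().translate(LEET_TABLE)
    for word in WEAK_WORDS:
        if word in normalized:
            reasons.append(f"contains dictionary word or name '{word}'")
    if has_consecutive_run(pw):
        reasons.append("contains consecutive letters or numbers")
    if DATE_RE.search(pw):
        reasons.append("contains a date")
    return reasons


def is_strong_password(pw: str) -> bool:
    return not password_weaknesses(pw)


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["p@ssw0rd", "abcd1234", "John19850312", "M4ple!Syrup-77"]:
        problems = password_weaknesses(candidate)
        print(f"{candidate:<16} {'strong' if not problems else '; '.join(problems)}")
```

The check returns all failing reasons rather than stopping at the first one, which is what a user-facing policy message needs. Note that the substitution table is applied before the dictionary lookup: that is the step that makes "p@ssw0rd" fail even though, character class by character class, it satisfies the length and mix requirements.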

How to Tell If Your Computer Is Infected

How to Recover from Infection

Automatic Recovery
To attempt to automatically remove this threat, run one of the following removal tools:

Payload Information

Payload type          Trigger     Description
Creates files         Execution   Can drop a driver to run custom code in kernel mode.
Corrupts data         Execution   Injects code into APIs in memory.
Compromises security  Execution
Degrades performance  Execution
Releases information  Execution   Releases information through a backdoor and provides access to files and system resources.


© 2009 Microsoft Corporation. All rights reserved.