March 16, 2005

Holy Father on rootkit writing for fun, profit

Rootkit author discusses efforts to highlight weaknesses in software security

The software developer behind a leading rootkit program says he is motivated by necessity, curiosity and a desire to expose weaknesses in the Windows operating system and security technology. He also isn't too worried about how others might use his software, according to an e-mail interview with IDG News Service.

While he declined to provide his real name or speak by phone, "Holy Father," author of the Hacker Defender rootkit, claims to live in the Czech Republic, where the Hacker Defender Web site (http://hxdef.czweb.org) is registered to a "Jaromir Lnenicka" in Prague. His online name stemmed from a desire to do "big thingz" in the computer hacking underground. On that score, he has succeeded. Written in conjunction with a member of the 29A malicious code writing group, Hacker Defender has been downloaded more than 100,000 times, by his count, and has grabbed the attention of security researchers at Microsoft and other leading companies.

Rootkits are programs designed to stay invisible once installed on a compromised computer. Rather than replacing the operating system outright, they intercept the calls that other software uses to list files, processes, registry keys and network connections, and filter the answers so that the attacker's files and tools never show up. Userland rootkits such as Hacker Defender do this by hooking system API functions inside every running process; kernel-mode rootkits do it by patching the operating system kernel itself. The back door that gives the attacker remote access is usually a separate component that the rootkit hides along with everything else.
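The hiding technique described above, and the cross-view check that security tools use to expose it, as an added example in Python. This is not code from the article or from Hacker Defender: the INI-style configuration, the file names and the wildcard syntax are constructed for illustration and are not claimed to match Hacker Defender's real configuration format. The "hooked" listing models what a process sees after the rootkit has filtered the result of a directory-enumeration API against its configured hidden table; the cross-view diff compares that view with the raw contents of the directory.

```python
"""Added example (not code from the article or from Hacker Defender):
simulates a userland rootkit filtering a hooked directory listing against a
configured hidden table, and the cross-view check that reveals the hidden
entries. Config format, file names and patterns are constructed."""

import fnmatch
import re

# Constructed configuration in an INI-like style. Patterns use shell-style
# wildcards; matching is case-insensitive because Windows file names are.
SAMPLE_CONFIG = """
; constructed sample, not a real hxdef.ini
[Hidden Table]
hxdef*
rcmd.exe
*.hdk

[Settings]
Password=changeme
"""

# Constructed "true" directory contents, as a raw read of the volume would show them.
RAW_LISTING = [
    "notepad.exe",
    "hxdef100.exe",
    "hxdef100.ini",
    "RCMD.EXE",
    "payload.hdk",
    "readme.txt",
]


def parse_hidden_table(config_text):
    """Return the patterns listed under [Hidden Table], skipping blanks and ';' comments."""
    patterns = []
    in_section = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            in_section = header.group(1).strip().lower() == "hidden table"
            continue
        if in_section:
            patterns.append(line)
    return patterns


def is_hidden(name, patterns):
    """Case-insensitive wildcard match of one file name against the hidden table."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def hooked_listing(raw_listing, patterns):
    """What a process sees through the hooked enumeration API: the rootkit lets
    the real call run, then drops every entry matching the hidden table before
    the results reach the caller."""
    return [name for name in raw_listing if not is_hidden(name, patterns)]


def cross_view_diff(api_view, raw_view):
    """Cross-view detection: anything present in the low-level (unhooked) view
    but absent from the high-level API view has been hidden from the caller.
    Returns the hidden names in raw order."""
    visible = {name.lower() for name in api_view}
    return [name for name in raw_view if name.lower() not in visible]


def demo():
    """Run the whole simulation; returns (patterns, api_view, hidden_names)."""
    patterns = parse_hidden_table(SAMPLE_CONFIG)
    api_view = hooked_listing(RAW_LISTING, patterns)
    hidden = cross_view_diff(api_view, RAW_LISTING)
    return patterns, api_view, hidden


if __name__ == "__main__":
    patterns, api_view, hidden = demo()
    print("hidden table:", patterns)
    print("API view    :", api_view)
    print("hidden      :", hidden)
```

The check is only as good as the raw view. Against a userland rootkit the raw listing must come from a path the rootkit cannot filter, such as parsing the file system below the hooked API or running the scan from a process it has not injected into; a kernel-mode rootkit can lie at that layer too, so the comparison has to be taken from below the lowest layer the rootkit controls.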

Like other hackers, Holy Father said he was spurred to create Hacker Defender by the technical challenge of writing a rootkit. However, he doesn't shy away from turning a profit on his work, and claims that demand in the malicious code writing underground is high for custom rootkits that current security tools do not detect and that can stay hidden on a system for long periods.

IDG News: What is your background? How did you get started with rootkits?

HF: Before I started with (Hacker Defender), I needed a rootkit that would hide my stuff (somewhere). There was nothing I could use, so I had to implement it myself. A simple but great idea. Eighty percent of my software is what I needed (but) wasn't able to find, or tools that are needed by the public and are not free (or) open by (their) original authors.

IDG News: Did you code viruses or Trojans previously? Do you do other kinds of software development?

HF: I code (mostly) security stuff. I can code Trojans, viruses, whatever. But I have never coded a virus or Trojan for me. It was always commercial stuff.

IDG News: Could you explain that more? Commercial for whom or what?

HF: I'm the coder. This means (people) hire me to code something. I do accept or I do refuse (their) job offers; security stuff (including Trojans/viruses/spyware) is what I can code and usually do not refuse to make. For whom? Whoever needs and pays.

IDG News: What was your thought or goal in designing the Hacker Defender rootkit?

HF: The main goal was to write something new -- a userland rootkit with great capabilities (e.g. you can specify names of files that are hidden) and ease of use.

IDG News: What other rootkits did you model Hacker Defender on?

HF: When (Hacker Defender) started there was just one (kernel mode rootkit) from Greg (Hoglund, co-author of "Exploiting Software: How to Break Code"), and a kernel mode rootkit is about something else, so we can say that (Hacker Defender) is the model for lots of new rootkits.

IDG News: Was there any particular functionality you were looking to add, specifically, in Hacker Defender or that you "pioneered?"

©1994-2009 Infoworld, Inc.