Holy Father on rootkit writing for fun, profit

Rootkit author discusses efforts to highlight weaknesses in software security

The software developer behind a leading rootkit program says he is motivated by necessity, curiosity and a desire to expose weaknesses in the Windows operating system and security technology. He also isn't too worried about how others might use his software, according to an e-mail interview with IDG News Service.

While he declined to provide his real name or speak by phone, "Holy Father," author of the Hacker Defender rootkit, claims to live in the Czech Republic, where the Hacker Defender Web site (http://hxdef.czweb.org) is registered to a "Jaromir Lnenicka" in Prague. His online name stemmed from a desire to do "big thingz" in the computer hacking underground. On that score, he has succeeded. Written in conjunction with a member of the 29a malicious code writing group, Hacker Defender has been downloaded more than 100,000 times, by his count, and has grabbed the attention of security researchers at Microsoft and other leading companies.

Rootkits are malicious programs that are designed to be invisible once they are installed on a computer's operating system. They often hide by replacing core operating system functionality with a version of the same functionality that provides remote attackers with a back door into compromised systems.

Like other hackers, Holy Father said he was spurred to create Hacker Defender by the technical challenge of writing a rootkit. However, he doesn't shy away from turning a profit on his work, and claims that demand in the malicious code writing underground is high for custom rootkits that current tools cannot detect and that can evade detection for long periods of time.

IDG News: What is your background? How did you get started with rootkits?

HF: Before I started with (Hacker Defender), I needed a rootkit that would hide my stuff (somewhere). There was nothing I could use, so I had to implement it myself. A simple but great idea. Eighty percent of my software is what I needed (but) wasn't able to find, or tools that are needed by the public and are not free (or) open by (their) original authors.

IDG News: Did you code viruses or Trojans previously? Do you do other kinds of software development?

HF: I code (mostly) security stuff. I can code Trojans, viruses, whatever. But I have never coded a virus or Trojan for me. It was always commercial stuff.

IDG News: Could you explain that more? Commercial for who or what?

HF: I'm the coder. This means (people) hire me to code something. I do accept or I do refuse (their) job offers; security stuff (including trojans/virus/spyware) is what I can code and usually do not refuse to make. For who? Who needs and pays.

IDG News: What was your thought or goal in designing the Hacker Defender rootkit?

HF: The main goal was to write something new -- a userland rootkit with great capabilities (e.g. you can specify names of files that are hidden) and ease of use.

IDG News: What other rootkits did you model Hacker Defender on?

HF: When (Hacker Defender) started there was just one (kernel mode rootkit) from Greg (Hoglund, co-author of "Exploiting Software: How to Break Code"), and a kernel mode rootkit is about something else, so we can say that (Hacker Defender) is the model for lots of new rootkits.

IDG News: Was there any particular functionality you were looking to add, specifically, in Hacker Defender or that you "pioneered?"

HF: The first version (of Hacker Defender) did nothing and badly. But there was always something to add because there was nothing on the scene like this. One of those things was this absolutely new idea for a backdoor.

IDG News: Hacker Defender 1.0 has been out for a year. Do you have plans for a future version of the software? If so, how would it be different?

HF: I had plans but I become (sic) retired, so I think there won't be such time to implement new versions.

IDG News: How many copies of Hacker Defender have been downloaded?

HF: I don't know. My Web site is about anonymity and freedom. There is no counter or such, but I can guess that it is more than 100,000 from my site and lots more from different sources. I've heard that (Hacker Defender) is very very common on rooted NT boxes.

IDG News: What are people doing with Hacker Defender? Are there legitimate applications of the tool, or is it a blackhat (malicious hacking) tool only?

HF: Of course it is NOT blackhat only. I know at least one guy who use (sic) it for whitehat (benign hacking) stuff and, of course, there are lot of guys who speaks (sic) about security at conferences etc. and show (Hacker Defender) to participants. This is also legal use.

IDG News: How would you describe the community of rootkit authors? Is it similar to the virus writing community or different? How so? Is there cross over (i.e. virus writers who also do rootkits), or are they totally separate communities?

HF: I know only two rootkit communities - www.rootkit.com is the first and that on my site (http://hxdef.czweb.org/) is the second. The (virus writing) scene is very different. There are many (virus writing) groups. Of course, rootkit coders are also virus writers. The rootkit community is just a few (people) who study (operating system) kernel and implement thingz (sic) that were never implemented before. This is similar to (the virus writing) community.

IDG News: Can the whitehat development community learn anything from the rootkit development community?

HF: A lot of new developers from the times I started with (Hacker Defender), maybe they like my work and find it interesting; also Greg (Hoglund) does a lot to increase public knowledge. Everyone can learn from rootkits.

IDG News: Security experts warn that spammers and virus writers are going to take pieces of what is in the rootkits -- stealth techniques and such -- and modify them for their own purposes. Do you see this happening? What are your thoughts on this phenomenon?

HF: I can't see (a) problem with this. If somebody hires me for coding such stuff I will do it. The only code that I won't support is spam. It (sucks), but virus stuff is not as bad as (people) think and if someone (writes a) virus that would hide itself or whatever it just shows how today's (antivirus products) are poor and that is good cuz they are really poor.

IDG News: How easy is it to fool current antivirus technology?

HF: Today's antivirus is good only to (protect) you against wide-spreading worms. If someone (man not computer code) wants to attack you, just you or your company not in a wide range, there is no antivirus in these days that can help you, so the answer is 'Very easy,' (and that's why I can offer anti-detection service for such low prices :))

IDG News: Explain the art of "anti-detection." How do you figure out new ways to keep Hacker Defender and other tools from being detected?

HF: I don't use something special. Today's (antivirus) is poor, as I said; that means you need to change a few bytes in code and that is it.

IDG News: What do security software vendors have to do to address the techniques you and others use in kernel rootkits?

HF: They know everything that they need to, and also their tools work very well. The problem is that you can always write "anti-code." I mean if somebody writes (a) virus, you can write antivirus (that's very common)...(It's) the same with rootkits. You can write a (rootkit) detector; I can write a rootkit that bypasses this detector.

IDG News: Recently, more companies have announced antirootkit programs. What are your thoughts on this?

HF: I'm pretty sure these new detectors can find (Hacker Defender), but, as you maybe know, Hacker Defender is not under public development for more than a year... But people can ask me to make a version of (Hacker Defender) that would beat these detectors.