[Dshield] Hacker Defender Rule

Ronaldo Vasconcellos ronaldo at cais.rnp.br
Wed Mar 9 09:39:04 GMT 2005

Hope it helps you:


# Hacker Defender Root Kit

#By Chris Norton 2/22/05
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE Trojan 
HackerDefender Root Kit Remote Connection Attempt Detected"; 
flow:established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 
12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes; tag: 
session, 20, packets; classtype:trojan-activity; sid:2001743; rev:2;)

Best regards,

Ronaldo C Vasconcellos
CAIS/RNP - Brazilian Research Network CSIRT

On Mon, 21 Feb 2005, Eric Peek wrote:

> Date: Mon, 21 Feb 2005 15:53:39 -0500
> From: Eric Peek <epeek at arenetworks.com>
> Reply-To: General DShield Discussion List <list at lists.dshield.org>
> To: list at lists.dshield.org
> Subject: [Dshield] Hacker Defender Rule
> Need some help figuring this one out.  I'm looking for a signature to help
> determine when someone uses the hacker defender client tool to connect to the
> infected server.  I have a pcap file that contains the data from the client to
> the server.  I did not know the password to the infected server but the client
> does a check to ensure the host does have the root kit installed before
> sending the logon info.  The server and client can work on many ports
> including 80, 443, 21, 3389 and others so the rule should not look at port
> information.
> You can find the pcap file here:
> http://www.arenetworks.com/hackerdefender.pcap

More information about the list mailing list