
Hacktool

Risk Level 1: Very Low

Discovered:
August 17, 2001
Updated:
April 22, 2010 2:39:43 AM
Type:
Trojan
Systems Affected:
Linux, Mac OS X, Solaris, Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
Hacktool is a detection name used by Symantec to identify programs that may be used by hackers to attack computer systems and networks. These programs are not generally malicious in and of themselves, but their use may be harmful to the victims of the attacks.


Background information
One of the first mainstream Hacktools was known as AOHell, which was released in the mid 1990s. The tool provided non-technical 'hackers' the means to perform various mischievous online activities, including creating fake accounts, sending spam and phishing messages, and flooding chat rooms with useless messages, thus rendering them unusable.

In the late 1990s, a remote access application called Back Orifice (or BO) was released. Back Orifice consisted of two components: a client and a server. The server could be surreptitiously installed on an unsuspecting user's computer and remotely controlled by way of a back door operated with the client program. The remote attacker could perform a wide range of malicious and mischievous activities on the compromised computer.

Since the late 1990s there has been a huge increase in the number of programs that may be used to attack other computer systems and networks. The following sections provide more information about the types of programs that may be detected as Hacktool.


Keystroke loggers
Keystroke loggers, or keyloggers, are programs that run in the background and are able to record keystrokes made on the computer. The logged information is recorded locally for later retrieval by the attacker. Keystroke loggers generally operate indiscriminately and as such the recorded information can include anything that may be typed on the computer, including banking details, local and remote passwords, online game information, text from emails and other documents, and so on. Some keystroke loggers can be configured to begin recording only under certain pre-configured conditions, which may aid the attacker by reducing the amount of 'noise' through which he or she has to search in order to retrieve specific desired information. Keystroke loggers are likely to run with little or no indication of their presence visible to the user.


Password stealers
Password stealers are a special case of keystroke logger programs. They exist solely to record local or remote passwords typed on the computer. The retrieved passwords may be used by an attacker to assume control of an account or to allow the account to be sold on the online black market.


Password crackers
Password crackers are programs designed to bypass password protection on certain files or folders. These programs may be used to circumvent system security by cracking the system password file, or to bypass password protection present on user-created files, such as compressed or document files. Password crackers may operate by using dictionary-based attacks, by exploiting weaknesses present in certain encryption algorithms, by using the 'brute force' technique of trying every single possible password, or through some combination of these methods.
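The dictionary and brute-force methods above are what the "enforce a password policy" recommendation later on this page defends against. The following is an added example, not code from the Symantec writeup: a password policy check that rejects dictionary words and their common substitution variants (the first candidates a dictionary attack tries), together with a worst-case guess count for a brute-force search over the character classes a password actually uses. The word list, the substitution table, the policy limits and the guess rate are all constructed for the example.

```python
"""Password policy check and brute-force cost estimate (added example)."""
import string

# Constructed sample of a cracker's word list; real lists hold millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin", "monkey"}

# Substitutions a dictionary attack undoes ("P@ssw0rd" -> "password").
LEET = str.maketrans("@$!013", "asiole")

# (membership test, alphabet size) for each character class.
CLASS_SIZES = (
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),  # 32 symbols
)


def normalize(password):
    """Lower-case, drop leading/trailing digits and symbols, undo substitutions."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


def is_dictionary_word(password):
    """True if the password is a listed word or a trivial variant of one."""
    return normalize(password) in COMMON_WORDS


def classes_used(password):
    """Alphabet sizes of the character classes present in the password."""
    return [size for test, size in CLASS_SIZES if any(test(c) for c in password)]


def estimate_guesses(password):
    """Worst-case guesses for brute force over the classes actually used."""
    return sum(classes_used(password)) ** len(password)


def seconds_to_exhaust(password, guesses_per_second=1e9):
    """Time to try every candidate at an assumed (constructed) guess rate."""
    return estimate_guesses(password) / guesses_per_second


def check_password(password, min_length=12, min_classes=3):
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    if is_dictionary_word(password):
        problems.append("dictionary word or simple variant")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "abc", "Tr0ub4dor&3-Xk9q"):
        print(candidate, check_password(candidate),
              f"{seconds_to_exhaust(candidate):.3g} s to exhaust")
```

The normalization step is what makes the dictionary test useful: a substitution such as "P@ssw0rd1" passes a naive "three character classes" rule yet is among the first guesses a cracker makes, so the policy rejects it on the dictionary test rather than on complexity alone.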


Spam tools
Spam tools are programs that may be used to help an individual generate and send bulk email messages, or spam. They may take the form of programs that generate email messages designed to evade spam filters, or programs that automate the sending of the spam itself. The messages sent using these programs may be advertising for adult products and services, or carriers for more malicious payloads including worms and Trojan horses.


Port scanners
Port scanners are programs that can be used to identify possible weaknesses in a remote system that can be accessed through a network, including over the Internet. Although their use need not be malicious, port scanners are frequently used during the preliminary information-gathering stages of a network-based attack.

Port scanners are used to probe systems to identify network services that may be vulnerable to exploitation and therefore possible compromise; they provide the facility to check for open ports on which a potentially exploitable process may be listening. While weaknesses can be identified manually by connecting to ports individually, these programs automate the task.

Modern port scanners offer several different types of probe, some more stealthy than others. A port scan may also be run over a long period of time in order to allow the scan to blend into the background noise.

Port scanners can also be used to scan a range of IP addresses for a specific open port, which is commonly called a port sweep. Port sweeps are often used when an attacker is searching for computers vulnerable to a particular type of attack.
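From the defender's side, the two patterns just described look different in a firewall log: a port scan is one source touching many ports on one host, a port sweep is one source touching the same port on many hosts. The following is an added example, not code from the Symantec writeup: it parses constructed firewall-style log lines and flags both patterns. The log format, the addresses, the thresholds and the window length are all assumptions made for the example; the default window is deliberately long so that a scan spread thinly over hours is still counted together instead of blending into the background.

```python
"""Flag port scans and port sweeps in firewall-style connection logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <action> <src> -> <dst>:<port>".
# 203.0.113.5 probes nine ports on one host, 20 minutes apart (slow scan).
# 198.51.100.7 probes port 445 on nine hosts within seconds (sweep).
# 192.0.2.50 is ordinary traffic to a web server.
SAMPLE_LOG = """\
2010-04-22T02:00:00 DROP 203.0.113.5 -> 192.0.2.10:21
2010-04-22T02:20:00 DROP 203.0.113.5 -> 192.0.2.10:22
2010-04-22T02:40:00 DROP 203.0.113.5 -> 192.0.2.10:23
2010-04-22T03:00:00 DROP 203.0.113.5 -> 192.0.2.10:25
2010-04-22T03:20:00 DROP 203.0.113.5 -> 192.0.2.10:110
2010-04-22T03:40:00 DROP 203.0.113.5 -> 192.0.2.10:135
2010-04-22T04:00:00 DROP 203.0.113.5 -> 192.0.2.10:139
2010-04-22T04:20:00 DROP 203.0.113.5 -> 192.0.2.10:443
2010-04-22T04:40:00 DROP 203.0.113.5 -> 192.0.2.10:445
2010-04-22T03:10:00 DROP 198.51.100.7 -> 192.0.2.11:445
2010-04-22T03:10:01 DROP 198.51.100.7 -> 192.0.2.12:445
2010-04-22T03:10:02 DROP 198.51.100.7 -> 192.0.2.13:445
2010-04-22T03:10:03 DROP 198.51.100.7 -> 192.0.2.14:445
2010-04-22T03:10:04 DROP 198.51.100.7 -> 192.0.2.15:445
2010-04-22T03:10:05 DROP 198.51.100.7 -> 192.0.2.16:445
2010-04-22T03:10:06 DROP 198.51.100.7 -> 192.0.2.17:445
2010-04-22T03:10:07 DROP 198.51.100.7 -> 192.0.2.18:445
2010-04-22T03:10:08 DROP 198.51.100.7 -> 192.0.2.19:445
2010-04-22T02:05:00 ACCEPT 192.0.2.50 -> 192.0.2.10:80
2010-04-22T02:06:00 ACCEPT 192.0.2.50 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+):(\d+)$")


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, action, src, dst, port = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "action": action,
                       "src": src, "dst": dst, "port": int(port)})
    return events


def find_scans(events, window_hours=6, threshold=8):
    """Return sorted (source, kind, target) findings seen within any window."""
    window = timedelta(hours=window_hours)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        # Start a window at every event and count distinct targets inside it.
        for i, first in enumerate(evs):
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                ports_per_host[ev["dst"]].add(ev["port"])
                hosts_per_port[ev["port"]].add(ev["dst"])
            for dst, ports in ports_per_host.items():
                if len(ports) >= threshold:
                    findings.add((src, "port scan", dst))
            for port, hosts in hosts_per_port.items():
                if len(hosts) >= threshold:
                    findings.add((src, "port sweep", f"port {port}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_scans(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Running it with a five-minute window instead of six hours drops the slow scan and keeps only the sweep, which is the point about slow scans made above: the window has to be at least as long as the attacker's patience, and the cost of a longer window is only memory and a higher chance of false positives from busy legitimate hosts.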


Vulnerability scanners
Similar to port scanners, vulnerability scanners are used to identify vulnerable systems that may be open to attack. Vulnerability scanners may allow an attacker to target particular types of vulnerabilities that, if found, would make an attack easy.


Flooders
Message board flooders are programs that automate the posting of numerous messages to various message boards and Usenet groups. This message board spam may be used for advertising purposes or by mischievous individuals solely to annoy the legitimate members of a message board or newsgroup.

This category also includes programs designed to flood instant messaging or IRC conversations with automatically generated messages. This may be done to cause annoyance or to force a user out of a particular exchange by exhausting their bandwidth, and as such may be thought of as being a denial of service attack.


Patchers
Patchers are programs that may be used to modify executable and other files to alter their functionality. This may be done to insert malicious code or to circumvent security in some other way. A patcher may, for instance, be used to modify system drivers to allow communications to be eavesdropped upon, or may contain functionality to modify copy protection code and hence allow commercial applications to be used without a valid license.


Who creates these programs?
These kinds of programs may be created for use by computer security specialists and professionals but are also open to abuse by attackers with malicious intent. On the other hand, some of these programs are commercial tools that have been created solely to provide amateur 'hackers' with a way in which to perform attacks or perform mischievous acts without the knowledge of the underlying technical details.


What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block back channel activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.


How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
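The attachment-blocking recommendation above names the extensions to filter but not how a filter should read a message. The following is an added example, not code from the Symantec writeup and not any mail server's own filter: it walks a MIME message with the Python standard library, collects attachment file names, and blocks those whose final extension is on the list the recommendation gives. The sample message is constructed in the code. Names are normalised first, so "Invoice.PDF.exe", "SETUP.SCR" and "setup.scr." (a trailing dot, which Windows ignores when opening the file) are all caught, while a name whose final extension is harmless, such as "report.exe.txt", is allowed by this rule alone.

```python
"""Block mail attachments by executable extension (added example)."""
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Extension list taken from the recommendation on this page.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def normalize_name(filename):
    """Lower-case and strip surrounding whitespace and trailing dots/spaces."""
    return filename.strip().lower().rstrip(". ")


def is_blocked(filename):
    """True if the file's final extension is on the block list."""
    return os.path.splitext(normalize_name(filename))[1] in BLOCKED_EXTENSIONS


def attachment_names(raw_message):
    """File names of every attached part in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    return [part.get_filename() for part in msg.walk()
            if not part.is_multipart() and part.get_filename()]


def blocked_attachments(raw_message):
    """Names of attachments that the policy would strip or reject."""
    return [name for name in attachment_names(raw_message) if is_blocked(name)]


def build_sample_message():
    """Constructed test message: one benign attachment and two blocked ones."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    for name in ("invoice.pdf", "Invoice.PDF.exe", "SETUP.SCR"):
        msg.add_attachment(b"\x00 constructed placeholder bytes",
                           maintype="application", subtype="octet-stream",
                           filename=name)
    return msg.as_string()


if __name__ == "__main__":
    raw = build_sample_message()
    print("attachments:", attachment_names(raw))
    print("blocked:", blocked_attachments(raw))
```

The check keys on the declared file name only; a filter deployed on a real mail server should also look at the Content-Type and the file's own header bytes, since neither the name nor the declared type is under the recipient's control.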
Writeup By: Henry Bell