Discovered: August 17, 2001
Updated: April 22, 2010 2:39:43 AM
Type: Trojan
Systems Affected: Linux, Mac, Solaris, Windows

Hacktool is a detection name used by Symantec to identify programs that may be used by hackers to attack computer systems and networks. These programs are not generally malicious in and of themselves, but their use may be harmful to the victims of the attacks.

This detection is for multiple programs, including the following types of tools:

  • Keystroke loggers
  • Password stealers
  • Password crackers
  • Spam tools
  • Port scanners
  • Vulnerability scanners
  • Flooders
  • Patchers

Programs detected as Hacktool are designed to be executed deliberately. Although not considered to be malicious in the same sense as other malware, programs that fall into this category are usually considered to be a threat by system and network administrators as their use by malicious individuals can compromise system security. The programs may also compromise the security of home or shared machines when surreptitiously installed by a rogue user.

The programs are created for use by people with a degree of technical skill, be they network security professionals or simply amateurs. Tools such as port and vulnerability scanners that are ostensibly designed to be used by 'white-hat' or ethical individuals and professionals may also be open to abuse by 'black-hat' attackers. The term 'script kiddies' describes amateur self-styled 'hackers' who lack the technical skills to develop exploits and perform attacks themselves and instead use tools developed by others, often with little understanding of how they work. Such script kiddies are therefore likely to make use of programs that are covered by the Hacktool detection.

If a Symantec antivirus product displays a detection alert for this threat, it means the computer is already protected and the Symantec product will effectively remove this threat from the computer.

Antivirus Protection Dates

  • Initial Rapid Release version August 17, 2001
  • Latest Rapid Release version December 14, 2019 revision 018
  • Initial Daily Certified version August 17, 2001 revision 003
  • Latest Daily Certified version November 04, 2019 revision 065
  • Initial Weekly Certified release date August 22, 2001

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Technical Description

Background information
One of the first mainstream Hacktools was known as AOHell, which was released in the mid 1990s. The tool provided non-technical 'hackers' the means to perform various mischievous online activities, including creating fake accounts, sending spam and phishing messages, and flooding chat rooms with useless messages, thus rendering them unusable.

In the late 1990s, a remote access application called Back Orifice (or BO) was released. Back Orifice consisted of two components: a client and a server. The server could be surreptitiously installed on an unsuspecting user's computer and remotely controlled by way of a back door operated with the client program. The remote attacker could perform a wide range of malicious and mischievous activities on the compromised computer.

Since the late 1990s there has been a huge increase in the number of programs that may be used to attack other computer systems and networks. The following sections provide more information about the types of programs that may be detected as Hacktool.

Keystroke loggers
Keystroke loggers, or keyloggers, are programs that run in the background and are able to record keystrokes made on the computer. The logged information is recorded locally for later retrieval by the attacker. Keystroke loggers generally operate indiscriminately and as such the recorded information can include anything that may be typed on the computer, including banking details, local and remote passwords, online game information, text from emails and other documents, and so on. Some keystroke loggers can be configured to begin recording only under certain pre-configured conditions, which may aid the attacker by reducing the amount of 'noise' through which he or she has to search in order to retrieve specific desired information. Keystroke loggers are likely to run with little or no indication of their presence visible to the user.

Password stealers
Password stealers are a special case of keystroke logger programs. They exist solely to record local or remote passwords typed on the computer. The retrieved passwords may be used by an attacker to assume control of an account or to allow the account to be sold on the online black market.

Password crackers
Password crackers are programs designed to bypass password protection on certain files or folders. These programs may be used to circumvent system security by cracking the system password file, or to bypass password protection present on user-created files, such as compressed or document files. Password crackers may operate by using dictionary-based attacks, by exploiting weaknesses present in certain encryption algorithms, by using the 'brute force' technique of trying every single possible password, or through some combination of these methods.

Spam tools
Spam tools are programs that may be used to help an individual generate and send bulk email messages, or spam. They may take the form of programs that generate email messages designed to evade spam filters, or programs that automate the sending of the spam itself. The messages sent using these programs may be advertising for adult products and services, or carriers for more malicious payloads including worms and Trojan horses.

Port scanners
Port scanners are programs that can be used to identify possible weaknesses in a remote system that can be accessed through a network, including over the Internet. Although their use need not be malicious, port scanners are frequently used during the preliminary information-gathering stages of a network-based attack.

Port scanners are used to probe systems to identify network services that may be vulnerable to exploitation and therefore possible compromise; they provide the facility to check for open ports on which a potentially exploitable process may be listening. While weaknesses can be identified manually by connecting to ports individually, these programs automate the task.

Modern port scanners offer several different types of probe, some more stealthy than others. A port scan may also be run over a long period of time in order to allow the scan to blend in to the background noise.

Port scanners can also be used to scan a range of IP addresses for a specific open port, which is commonly called a port sweep. Port sweeps are often used when an attacker is searching for computers vulnerable to a particular type of attack.
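The distinction the writeup draws between a port scan (many ports on one host) and a port sweep (one port across many hosts), together with the note that a scan may be spread over a long period to blend into background noise, maps directly onto a detection rule. The following is an added example, not code from the Symantec writeup: it parses constructed firewall deny-log lines (the log format, addresses, thresholds and sample lines are all invented for illustration) and counts, per source, the distinct ports hit on one destination and the distinct hosts hit on one port within a sliding time window.

```python
"""Flag port scans and port sweeps in firewall deny logs (added example).

Everything here is constructed: the log format, the IP addresses, the
thresholds and the sample lines. Real deployments would read the firewall's
own log format and tune the window and thresholds to their traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> DENY <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Constructed sample: a fast scan of 10 ports on one host, a sweep of port 445
# across 5 hosts, and two unrelated denied connections.
SAMPLE_LOG = """\
2010-04-22T02:00:01 DENY 198.51.100.7 -> 192.0.2.10:21
2010-04-22T02:00:01 DENY 198.51.100.7 -> 192.0.2.10:22
2010-04-22T02:00:02 DENY 198.51.100.7 -> 192.0.2.10:23
2010-04-22T02:00:02 DENY 198.51.100.7 -> 192.0.2.10:25
2010-04-22T02:00:03 DENY 198.51.100.7 -> 192.0.2.10:80
2010-04-22T02:00:03 DENY 198.51.100.7 -> 192.0.2.10:110
2010-04-22T02:00:04 DENY 198.51.100.7 -> 192.0.2.10:135
2010-04-22T02:00:04 DENY 198.51.100.7 -> 192.0.2.10:139
2010-04-22T02:00:05 DENY 198.51.100.7 -> 192.0.2.10:443
2010-04-22T02:00:05 DENY 198.51.100.7 -> 192.0.2.10:445
2010-04-22T02:05:10 DENY 203.0.113.5 -> 192.0.2.11:445
2010-04-22T02:05:11 DENY 203.0.113.5 -> 192.0.2.12:445
2010-04-22T02:05:12 DENY 203.0.113.5 -> 192.0.2.13:445
2010-04-22T02:05:13 DENY 203.0.113.5 -> 192.0.2.14:445
2010-04-22T02:05:14 DENY 203.0.113.5 -> 192.0.2.15:445
2010-04-22T02:07:00 DENY 192.0.2.50 -> 192.0.2.10:80
2010-04-22T02:09:30 DENY 192.0.2.51 -> 192.0.2.10:443
"""

# Constructed slow scan: one port per hour from a second source. A 10-minute
# window never sees more than one port; a 24-hour window sees all twelve.
SLOW_SCAN_LINES = [
    f"2010-04-22T{hour:02d}:30:00 DENY 198.51.100.9 -> 192.0.2.10:{port}"
    for hour, port in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080))
]


def parse(lines):
    """Return (timestamp, src, dst, port) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return events


def sample_events():
    return parse(SAMPLE_LOG.splitlines() + SLOW_SCAN_LINES)


def _max_distinct_in_window(items, window):
    """items: (timestamp, value) pairs sorted by time. Largest number of distinct
    values seen in any window of the given length (two-pointer sweep)."""
    counts, left, best = {}, 0, 0
    for ts, value in items:
        counts[value] = counts.get(value, 0) + 1
        while items[left][0] < ts - window:       # drop events older than the window
            old = items[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect(events, window_minutes=10, scan_ports=10, sweep_hosts=5):
    """Return {'scans': {(src, dst): ports}, 'sweeps': {(src, port): hosts}} for
    every source that exceeds the thresholds within one window."""
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)   # (src, dst)  -> [(ts, port)]  for scans
    by_port = defaultdict(list)   # (src, port) -> [(ts, dst)]   for sweeps
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
        by_port[(src, port)].append((ts, dst))
    scans = {k: n for k, v in by_pair.items()
             if (n := _max_distinct_in_window(sorted(v), window)) >= scan_ports}
    sweeps = {k: n for k, v in by_port.items()
              if (n := _max_distinct_in_window(sorted(v), window)) >= sweep_hosts}
    return {"scans": scans, "sweeps": sweeps}


if __name__ == "__main__":
    ev = sample_events()
    print("10-minute window:", detect(ev))
    print("24-hour window:  ", detect(ev, window_minutes=24 * 60))
```

With the default 10-minute window only the fast scanner and the sweep are flagged; widening the window to 24 hours also surfaces the one-port-per-hour scanner, which is the trade-off the writeup describes: a longer window catches slow scans at the cost of more state and more false positives from legitimate long-running clients.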

Vulnerability scanners
Similar to port scanners, vulnerability scanners are used to identify vulnerable systems that may be open to attack. Vulnerability scanners may allow attackers to specify or prefer certain types of vulnerabilities that, if found, would result in an easy attack.

Flooders
Message board flooders are programs that automate the posting of numerous messages to various message boards and Usenet groups. This message board spam may be used for advertising purposes or by mischievous individuals solely to annoy the legitimate members of a message board or newsgroup.

This category also includes programs designed to flood instant messaging or IRC conversations with automatically generated messages. This may be done to cause annoyance or to force a user out of a particular exchange by exhausting their bandwidth, and as such may be thought of as being a denial of service attack.

Patchers
Patchers are programs that may be used to modify executable and other files to alter their functionality. This may be done to insert malicious code or to circumvent security in some other way. A patcher may, for instance, be used to modify system drivers to allow communications to be eavesdropped upon, or may contain functionality to modify copy protection code and hence allow commercial applications to be used without a valid license.
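Because a patcher works by changing bytes in files that should otherwise stay constant (executables, drivers), the standard defensive control is a file-integrity baseline: hash every file of interest, keep the hashes somewhere the attacker cannot rewrite them, and periodically re-hash and compare. The following is an added example, not code from the Symantec writeup; the directory layout, file names and file contents it creates in a temporary directory are constructed purely for illustration.

```python
"""File-integrity baseline and verification against patched files (added example).

The files created in demo() are constructed stand-ins for binaries; nothing here
is taken from the writeup. A real baseline would be stored off-host or signed so
that a patcher running on the machine cannot simply update it.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root, baseline):
    """Compare the tree under root with a stored baseline.

    'modified'   files present in both whose hash changed (what a patcher leaves)
    'missing'    files in the baseline that are gone
    'unexpected' files on disk that the baseline never saw (e.g. a dropped driver)
    """
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Build a constructed tree, baseline it, alter it the way a patcher would, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "drivers").mkdir()
        # Constructed placeholder contents, not real binaries.
        app = root / "bin" / "app.exe"
        app.write_bytes(b"MZ" + bytes(64) + b"\xe8\x00\x10\x00\x00")
        (root / "drivers" / "net.sys").write_bytes(b"constructed driver image")
        (root / "README.txt").write_bytes(b"unchanged text file\n")

        baseline = build_baseline(root)

        # Simulated tampering: one byte of app.exe changed, a new file dropped
        # into the drivers directory. Sizes and timestamps alone would not
        # reliably reveal the first change; the hash does.
        data = bytearray(app.read_bytes())
        data[66] ^= 0xFF
        app.write_bytes(bytes(data))
        (root / "drivers" / "extra.sys").write_bytes(b"constructed new file")

        return verify(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:>10}: {paths}")
```

In practice the baseline is taken from a known-good state (freshly installed from trusted media, as the writeup's removal guidance also recommends) and the check is scheduled or run after an incident; the `unexpected` list is as important as `modified`, since a patcher that ships a replacement driver rather than editing one in place shows up there.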

Who creates these programs?
These kinds of programs may be created for use by computer security specialists and professionals but are also open to abuse by attackers with malicious intent. On the other hand, some of these programs are commercial tools that have been created solely to provide amateur 'hackers' with a way in which to perform attacks or perform mischievous acts without the knowledge of the underlying technical details.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall, or better still an Intrusion Prevention System (IPS), will help to block back-channel activity initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.


Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.


You may have arrived at this page either because you have been alerted by your Symantec product about this risk, or you are concerned that your computer has been affected by this risk.

Before proceeding further we recommend that you run a full system scan. If that does not resolve the problem you can try one of the options available below.

If you are a Norton product user, we recommend you try the following resources to remove this risk.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resources provide further information and best practices to help reduce the risk of infection.

If you are a Symantec business product user, we recommend you try the following resources to remove this risk.

Identifying and submitting suspect files
Submitting suspicious files to Symantec allows us to ensure that our protection capabilities keep up with the ever-changing threat landscape. Submitted files are analyzed by Symantec Security Response and, where necessary, updated definitions are immediately distributed through LiveUpdate™ to all Symantec end points. This ensures that other computers nearby are protected from attack. The following resources may help in identifying suspicious files for submission to Symantec.

Removal Tool

If you have an infected Windows system file, you may need to replace it using the Windows installation CD.

How to reduce the risk of infection
The following resource provides further information and best practices to help reduce the risk of infection.
Protecting your business network

The following instructions pertain to all current Symantec antivirus products.

1. Performing a full system scan
How to run a full system scan using your Symantec product

2. Restoring settings in the registry
Many risks make modifications to the registry, which could impact the functionality or performance of the compromised computer. While many of these modifications can be restored through various Windows components, it may be necessary to edit the registry. See the Technical Details of this writeup for information about which registry keys were created or modified. Delete registry subkeys and entries created by the risk and return all modified registry entries to their previous values.

Writeup By: Henry Bell