Hacktool is a detection name used by Symantec to identify programs that may be used by hackers to attack computer systems and networks. These programs are not generally malicious in and of themselves, but their use may be harmful to the victims of the attacks.

Background information
One of the first mainstream Hacktools was known as AOHell, which was released in the mid 1990s. The tool provided non-technical 'hackers' the means to perform various mischievous online activities, including creating fake accounts, sending spam and phishing messages, and flooding chat rooms with useless messages, thus rendering them unusable.
In the late 1990s, a remote access application called Back Orifice (or BO) was released. Back Orifice consisted of two components: a client and a server. The server could be surreptitiously installed on an unsuspecting user's computer and remotely controlled by way of a back door operated with the client program. The remote attacker could perform a wide range of malicious and mischievous activities on the compromised computer.
Since the late 1990s there has been a huge increase in the number of programs that may be used to attack other computer systems and networks. The following sections provide more information about the types of programs that may be detected as Hacktool.

Keystroke loggers
Keystroke loggers, or keyloggers, are programs that run in the background and are able to record keystrokes made on the computer. The logged information is recorded locally for later retrieval by the attacker. Keystroke loggers generally operate indiscriminately and as such the recorded information can include anything that may be typed on the computer, including banking details, local and remote passwords, online game information, text from emails and other documents, and so on. Some keystroke loggers can be configured to begin recording only under certain pre-configured conditions, which may aid the attacker by reducing the amount of 'noise' through which he or she has to search in order to retrieve specific desired information. Keystroke loggers are likely to run with little or no indication of their presence visible to the user.

Password stealers
Password stealers are a special case of keystroke logger programs. They exist solely to record local or remote passwords typed on the computer. The retrieved passwords may be used by an attacker to assume control of an account or to allow the account to be sold on the online black market.

Password crackers
Password crackers are programs designed to bypass password protection on certain files or folders. These programs may be used to circumvent system security by cracking the system password file, or to bypass password protection present on user-created files, such as compressed or document files. Password crackers may operate by using dictionary-based attacks, by exploiting weaknesses present in certain encryption algorithms, by using the 'brute force' technique of trying every single possible password, or through some combination of these methods.

Spam tools
Spam tools are programs that may be used to help an individual generate and send bulk email messages, or spam. They may take the form of programs that generate email messages designed to evade spam filters, or programs that automate the sending of the spam itself. The messages sent using these programs may be advertising for adult products and services, or carriers for more malicious payloads including worms and Trojan horses.
Port scanners are programs that can be used to identify possible weaknesses in a remote system that can be accessed through a network, including over the Internet. Although their use need not be malicious, port scanners are frequently used during the preliminary information-gathering stages of a network-based attack.
Port scanners are used to probe systems to identify network services that may be vulnerable to exploitation and therefore possible compromise; they provide the facility to check for open ports on which a potentially exploitable process may be listening. While weaknesses can be identified manually by connecting to ports individually, these programs automate the task.
Modern port scanners offer several different types of probe, some more stealthy than others. A port scan may also be run over a long period of time in order to allow the scan to blend into the background noise.
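From the defender's side, the scanning behaviour described above is visible in connection logs as one source touching many ports on one host; the inverse pattern, one source touching one port across many addresses, is a port sweep. The following detector is an added example written for this page, not Symantec code or a Symantec detection signature. It assumes a simple "timestamp source destination port" log format and illustrative thresholds; the sample log lines are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Thresholds are assumptions for this illustration, not Symantec's values.
SCAN_PORT_THRESHOLD = 8   # distinct ports probed on one target from one source
SWEEP_HOST_THRESHOLD = 8  # distinct targets probed on one port from one source

# Constructed sample connection log in an assumed "timestamp src dst dport"
# format (e.g. rejected inbound connection attempts from a firewall). Not real
# traffic. 10.0.0.5 probes ten ports on one host (port scan); 10.0.0.7 probes
# port 445 across ten hosts (port sweep); 10.0.0.9 is ordinary repeat traffic.
SAMPLE_LOG = """
2024-01-01T10:00:00 10.0.0.5 192.168.1.10 22
2024-01-01T10:00:01 10.0.0.5 192.168.1.10 23
2024-01-01T10:00:02 10.0.0.5 192.168.1.10 25
2024-01-01T10:00:03 10.0.0.5 192.168.1.10 80
2024-01-01T10:00:04 10.0.0.5 192.168.1.10 110
2024-01-01T10:00:05 10.0.0.5 192.168.1.10 143
2024-01-01T10:00:06 10.0.0.5 192.168.1.10 443
2024-01-01T10:00:07 10.0.0.5 192.168.1.10 445
2024-01-01T10:00:08 10.0.0.5 192.168.1.10 3389
2024-01-01T10:00:09 10.0.0.5 192.168.1.10 8080
2024-01-01T10:01:00 10.0.0.7 192.168.1.1 445
2024-01-01T10:01:00 10.0.0.7 192.168.1.2 445
2024-01-01T10:01:01 10.0.0.7 192.168.1.3 445
2024-01-01T10:01:01 10.0.0.7 192.168.1.4 445
2024-01-01T10:01:02 10.0.0.7 192.168.1.5 445
2024-01-01T10:01:02 10.0.0.7 192.168.1.6 445
2024-01-01T10:01:03 10.0.0.7 192.168.1.7 445
2024-01-01T10:01:03 10.0.0.7 192.168.1.8 445
2024-01-01T10:01:04 10.0.0.7 192.168.1.9 445
2024-01-01T10:01:04 10.0.0.7 192.168.1.10 445
2024-01-01T10:02:00 10.0.0.9 192.168.1.10 443
2024-01-01T10:02:05 10.0.0.9 192.168.1.10 443
"""

# (kind, source, target-or-port, count)
Alert = Tuple[str, str, str, int]


def parse_line(line: str) -> Tuple[str, str, str, int]:
    """Split one assumed-format log record into its fields."""
    ts, src, dst, dport = line.split()
    return ts, src, dst, int(dport)


def detect(log_text: str,
           scan_threshold: int = SCAN_PORT_THRESHOLD,
           sweep_threshold: int = SWEEP_HOST_THRESHOLD) -> List[Alert]:
    """Return port-scan and port-sweep alerts found in the log text.

    Counts are kept per source over the whole log rather than per time window,
    so a slow scan spread over the log's time span is still counted; a live
    detector would need to retain this state across log rotations.
    """
    ports_by_target: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    hosts_by_port: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        _ts, src, dst, dport = parse_line(raw)
        ports_by_target[(src, dst)].add(dport)
        hosts_by_port[(src, dport)].add(dst)

    alerts: List[Alert] = []
    for (src, dst), ports in sorted(ports_by_target.items()):
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    for (src, dport), hosts in sorted(hosts_by_port.items()):
        if len(hosts) >= sweep_threshold:
            alerts.append(("port_sweep", src, str(dport), len(hosts)))
    return alerts


if __name__ == "__main__":
    for kind, src, where, count in detect(SAMPLE_LOG):
        print(f"{kind}: {src} -> {where} ({count} distinct)")
```

Repeat traffic from one host to one service (10.0.0.9 in the sample) never crosses either threshold, which is the property that keeps this kind of rule from alerting on normal clients.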
Port scanners can also be used to scan a range of IP addresses for a specific open port, which is commonly called a port sweep. Port sweeps are often used when an attacker is searching for computers vulnerable to a particular type of attack.

Vulnerability scanners
Similar to port scanners, vulnerability scanners are used to identify vulnerable systems that may be open to attack. Vulnerability scanners may allow attackers to specify or prefer certain types of vulnerabilities that, if found, would result in an easy attack.

Flooders
Message board flooders are programs that automate the posting of numerous messages to various message boards and Usenet groups. This message board spam may be used for advertising purposes or by mischievous individuals solely to annoy the legitimate members of a message board or newsgroup.
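The standard mitigation for flooding of boards, chats and similar channels is per-sender rate limiting: a client that exceeds a sane message rate is throttled or muted before its traffic reaches other users. The sliding-window limiter below is an added example for this page, not Symantec code; the limits and the sample chat traffic are constructed for the illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

Message = Tuple[float, str, str]  # (timestamp in seconds, sender, text)


class FloodLimiter:
    """Sliding-window limiter: accept at most max_msgs per sender per window_s seconds.

    The limit values are assumptions for this illustration; a real service
    would tune them to its own normal message rates.
    """

    def __init__(self, max_msgs: int = 5, window_s: float = 10.0) -> None:
        self.max_msgs = max_msgs
        self.window_s = window_s
        # Per-sender timestamps of recently accepted messages, oldest first.
        self._recent: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, sender: str, now: float) -> bool:
        q = self._recent[sender]
        # Expire timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_msgs:
            return False  # over the limit: drop (or mute) instead of relaying
        q.append(now)
        return True


def filter_messages(messages: List[Message], max_msgs: int = 5,
                    window_s: float = 10.0) -> Tuple[List[str], int]:
    """Relay messages through the limiter; return (accepted lines, dropped count)."""
    limiter = FloodLimiter(max_msgs, window_s)
    accepted: List[str] = []
    dropped = 0
    for ts, sender, text in sorted(messages):  # process in time order
        if limiter.allow(sender, ts):
            accepted.append(f"{sender}: {text}")
        else:
            dropped += 1
    return accepted, dropped


# Constructed chat traffic: two normal users and one account that bursts ten
# messages within a second, then returns after the window has elapsed.
SAMPLE_MESSAGES: List[Message] = (
    [(0.0, "alice", "hi"), (1.0, "bob", "hello")]
    + [(2.0 + i / 10, "flooder", f"spam {i}") for i in range(10)]
    + [(5.0, "alice", "how are you?"), (13.0, "flooder", "back after the window")]
)

if __name__ == "__main__":
    lines, dropped = filter_messages(SAMPLE_MESSAGES)
    print("\n".join(lines))
    print(f"dropped {dropped} flood messages")
```

With the sample settings the burst is cut off after five messages, the two normal users are never affected, and the bursting account is accepted again once its earlier messages have aged out of the ten-second window.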
This category also includes programs designed to flood instant messaging or IRC conversations with automatically generated messages. This may be done to cause annoyance or to force a user out of a particular exchange by exhausting their bandwidth, and as such may be thought of as being a denial of service attack.

Patchers
Patchers are programs that may be used to modify executable and other files to alter their functionality. This may be done to insert malicious code or to circumvent security in some other way. A patcher may, for instance, be used to modify system drivers to allow communications to be eavesdropped upon, or may contain functionality to modify copy protection code and hence allow commercial applications to be used without a valid license.

Who creates these programs?
These kinds of programs may be created for use by computer security specialists and professionals but are also open to abuse by attackers with malicious intent. On the other hand, some of these programs are commercial tools that have been created solely to provide amateur 'hackers' with a way to perform attacks or mischievous acts without knowledge of the underlying technical details.

What can I do to minimize the risks?
As a general rule, users should always run up-to-date antivirus software with real-time protection such as Norton Antivirus, Norton Internet Security, Norton 360 or Symantec Endpoint Protection. In addition, a firewall -- or better still, an Intrusion Prevention System (IPS) -- will help to block back channel activities initiated by these types of malicious programs. Program controls such as those found in Symantec Endpoint Protection can also help to prevent unknown programs such as these from executing in the first place.

How can I find out more?
Advanced users can submit a sample to Threat Expert to obtain a detailed report of the system and file system changes caused by a threat.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":