The initialization file used by Ghost contained only the IP address and listening port of the remote controller, but as Hacker Defender has shown, initialization files can be quite intricate. These files can be both helpful and devastating. The helpfulness of a customizable initialization interface is self-evident, but the ability to ruin an otherwise successful installation should be addressed.
Virus prevention software uses the principle of a signature to match the contents of files and data transmissions. Every successful rootkit will one day have not one but many signatures in every major anti-virus signature database. To prevent this possibility, you may wish to add wildcard characters that will be ignored by the rootkit, as is done with Hacker Defender. Alternately, you may wish to encrypt the contents with an obscure algorithm. However, the only foolproof solution is to limit the information within the initialization file to data that must be allowed to exist in everyday files and everyday data transmissions. This will guarantee the absence of a signature in anti-virus databases.
As an example, the numbers 010, 018, 000, 001, and 80 must be allowed to pass through all filtering software. Preventing the transmission of these numbers would cripple every conceivable network; the occurrence is simply too likely. However, the combination “010.018.000.001:00080” is much less likely to occur. This is still too common to use as a blocking signature, but something like “Controller address: 010.018.000.001, Controller port: 00080” is not.
Post-installation file corruption and file erasure are also considerations when using configuration files. The approach taken by the rootkit presented in this book avoids this possibility, provided the initialization file is deleted after initial use.