The hacker defender rootkit is able to use every open tcp socket on the system to allow remote access by hooking socket operations. If an specific tcp packet is received then hacker defender will negotiate access with the remote user and the computer will not notice that there is an stablished tcp connection.
Due to that feature its possible for a remote user to send those packets, and detect if the system is infected.
When lastest version of hacker defender rootkit was published, rkdscanner detected a high number of computers, from users and univerities infected. Anyway this tool is usefull on penetration tests to defect if remote computer have been previously compromised by known versions of hacker defender.
At this time, the source code of that rootkit is publicy available
so modified versions of the rootkit can answer to different packets but default installations, done by most people, can be detected.
Rkdscanner will scan the selected ip range for most used open ports (80, 445, 3389,5900, ... ) and try to detect a the rootkit is listening there.
(Windows executable + Source code)