HBGary INC. working on secret rootkit project. Codename: “MAGENTA”crowdleaks.org | Jan 7th 2011 2:29 PM
In the new emails released by Anonymous we discover that HBGary Inc. may have been working on the development of a new type of Windows rootkit that was undetectable and almost impossible to remove.
Crowdleaks.org cannot confirm how far into development this project went. However we do know by looking at the following email that the Magenta Rootkit proposal was forwarded from Greg Hoglund at HBGary to Ray Owen, President of Farallon Research LLC.
received: by 10.147.181.12 with HTTP; Fri, 7 Jan 2011 14:29:25 -0800 (PST)
date: Fri, 7 Jan 2011 14:29:25 -0800
subject: Fwd: Magenta Rootkit (for Ray)
from: Greg Hoglund
content-type: multipart/mixed; boundary=000e0cd3ea788d10dc0499492677
Attachments: MAGENTA.docx (13878 bytes)
Farallon Research LLC is privately held government contractor based in Gatos, CA. Their website offers no insight into who they are or what they do other than an “About Us” page which simply states: “The mission of Farallon Research LLC is to connect advanced commercial technologies and the companies that develop them with the requirements of the U.S. government.”
In the following message we can see that Shawn Bracken, Principal Research Scientist at HBGary, attached and sent the initial Magenta Rootkit proposal to Greg Hoglund.
———- Forwarded message ———-
From: Shawn Bracken
Date: Fri, Jan 7, 2011 at 11:07 AM
Subject: Magenta Rootkit (for Ray)
To: Greg Hoglund
Attached is the requested rootkit proposal � let me know what you think.
Principal Research Scientist
(916) 459-4727 x 106
In the attached word document (MAGENTA.docx) we find:
Description: Magenta would be a new breed of windows based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call). Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, At the completion of each APC activation, magenta will move itself to a new location in memory and automatically identify one or more new activation PROCESS/THREAD combination’s to queue one or more additional activation APC’s into.
When Activated, the Magenta rootkit will be capable of searching for and executing imbedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it’s trivial to remotely seed C&C messages into any networked windows host – even if the host in question has full windows firewalling enabled. The Magenta payload will also contain imbedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.
- New breed of rootkit – There isn’t anything like this publicly
- Extremely small memory footprint – (4k or less)
- Almost impossible to remove from a live running system
o Once the injected Magenta rootkit body is loaded into kernel memory, it will be fire-and-forget. You can delete the original .sys file used to load it if you wish.
o Any physical memory based tools that would allow you to see the current location of Magenta body would only be of limited use since by the time the responder tried to verify his results Magenta will have already moved to a new location & context
- Elegant/powerful C&C message system. There is a near endless amount of ways to get a small seeded C&C message into the physical memory of a networked computer even with zero credentials.
- Invisible to kernel mode defense components that rely on the PsSetLoadImageNotifyRoutine() notification routine to detect/analyze/block drivers.
o HINT: PsSetLoadImageNotify() callbacks only get called for drivers who returned TRUE in their DriverEntry()
Project Development Phases:
HBGary recommends using at least a two phase project to build out Magenta. In Phase-1 HBGary would build a fully functional prototype for Windows XP – Service Pack 3 (X86). This would allow an end-to-end proof of concept prototype to be developed and demonstrated. Phase-2 would purely consist of porting the Magenta rootkit to all current flavors of Microsoft Windows (x86 & x64)
Crowdleaks.org cannot confirm that the Magenta Rootkit proposal was even accepted but given HBGary’s involvement in Stuxnet research, it’s a chilling proposal that was likely taken seriously by HBgary INC. and probably not the first of its kind.
Shared from Read It Later