Posted by laurelai February 14, 2011 at 7:29 am

HBGary INC. working on secret rootkit project. Codename: “MAGENTA”

This article was written by laurelai

In the emails released by Anonymous, we find that HBGary Inc. may have been working on a new type of Windows rootkit that its own proposal describes as invisible to driver-load callbacks and almost impossible to remove from a running system.

Crowdleaks.org cannot confirm how far into development this project went. However, the following email shows that the Magenta rootkit proposal was forwarded by Greg Hoglund of HBGary to Ray Owen, President of Farallon Research LLC.

From: Greg Hoglund
To: Ray.owen@farallon-research.com
Date: Fri, 7 Jan 2011 14:29:25 -0800
Subject: Fwd: Magenta Rootkit (for Ray)

Full headers
—–
mime-version: 1.0
received: by 10.147.181.12 with HTTP; Fri, 7 Jan 2011 14:29:25 -0800 (PST)
in-reply-to: <000001cbae9e$31149790$933dc6b0$@com>
references: <000001cbae9e$31149790$933dc6b0$@com>
date: Fri, 7 Jan 2011 14:29:25 -0800
delivered-to: greg@hbgary.com
message-id:
subject: Fwd: Magenta Rootkit (for Ray)
from: Greg Hoglund
to: Ray.owen@farallon-research.com
content-type: multipart/mixed; boundary=000e0cd3ea788d10dc0499492677
Attachments: MAGENTA.docx (13878 bytes)

Farallon Research LLC is a privately held government contractor based in Gatos, CA. Its website offers no insight into who they are or what they do beyond an "About Us" page, which states only: "The mission of Farallon Research LLC is to connect advanced commercial technologies and the companies that develop them with the requirements of the U.S. government."

In the following message, Shawn Bracken, Principal Research Scientist at HBGary, sends the initial Magenta rootkit proposal to Greg Hoglund as an attachment.

———- Forwarded message ———-
From: Shawn Bracken
Date: Fri, Jan 7, 2011 at 11:07 AM
Subject: Magenta Rootkit (for Ray)
To: Greg Hoglund

G,

Attached is the requested rootkit proposal - let me know what you think.

Cheers,

-SB
Shawn Bracken

Principal Research Scientist
HBGary, Inc.
(916) 459-4727 x 106
shawn@hbgary.com

In the attached Word document (MAGENTA.docx) we find:

Description: Magenta would be a new breed of Windows-based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The Magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call). Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, at the completion of each APC activation, Magenta will move itself to a new location in memory and automatically identify one or more new activation process/thread combinations to queue one or more additional activation APCs into.

When activated, the Magenta rootkit will be capable of searching for and executing embedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it's trivial to remotely seed C&C messages into any networked Windows host – even if the host in question has full Windows firewalling enabled. The Magenta payload will also contain embedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.

Key Features:

  • New breed of rootkit – there isn't anything like this publicly
  • Extremely small memory footprint (4k or less)
  • Almost impossible to remove from a live running system
    o Once the injected Magenta rootkit body is loaded into kernel memory, it will be fire-and-forget. You can delete the original .sys file used to load it if you wish.
    o Any physical-memory-based tools that would allow you to see the current location of the Magenta body would only be of limited use, since by the time the responder tried to verify his results Magenta will have already moved to a new location and context.
  • Elegant/powerful C&C message system. There is a near endless number of ways to get a small seeded C&C message into the physical memory of a networked computer, even with zero credentials.
  • Invisible to kernel mode defense components that rely on the PsSetLoadImageNotifyRoutine() notification routine to detect/analyze/block drivers.
    o HINT: PsSetLoadImageNotify() callbacks only get called for drivers that returned TRUE in their DriverEntry()

Project Development Phases:
HBGary recommends using at least a two-phase project to build out Magenta. In Phase 1 HBGary would build a fully functional prototype for Windows XP Service Pack 3 (x86). This would allow an end-to-end proof-of-concept prototype to be developed and demonstrated. Phase 2 would consist purely of porting the Magenta rootkit to all current flavors of Microsoft Windows (x86 and x64).

Crowdleaks.org cannot confirm that the Magenta rootkit proposal was even accepted, but given HBGary's involvement in Stuxnet research, it is a chilling proposal that was likely taken seriously by HBGary Inc. and probably not the first of its kind.
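The C&C mechanism in the proposal above is described only in outline: the rootkit scans physical memory for seeded messages and acts on whatever it finds, regardless of how the bytes got there. The Python simulation below is an added example written for this page, not HBGary's code. The marker bytes, the length/HMAC framing, the key and the ICMP and DNS stand-ins are all assumptions, since the proposal specifies none of them. It builds a constructed memory image holding one message inside an ICMP echo request, one inside a DNS-like response and a decoy that carries the right marker but a bad tag, then runs the kind of marker scan the rootkit would run, which is also the scan a responder would run over a dump of physical memory when hunting for the same framing.

```python
"""Added simulation (not HBGary's code) of the memory-scanning C&C
scheme sketched in the Magenta proposal.  MAGIC, the framing, KEY and
the packet stand-ins are assumptions; the proposal specifies none."""
import hashlib
import hmac
import struct

MAGIC = b"\xC0\xFF\xEE\x42"            # hypothetical marker (assumption)
KEY = b"hypothetical-shared-secret"    # hypothetical operator key (assumption)
TAG_LEN = 16                           # truncated HMAC-SHA256


def build_message(cmd: bytes, key: bytes = KEY) -> bytes:
    """MAGIC | 16-bit big-endian length | cmd | HMAC-SHA256[:16] over the first three."""
    body = MAGIC + struct.pack(">H", len(cmd)) + cmd
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def scan_image(image: bytes, key: bytes = KEY) -> list:
    """Return [(offset, cmd)] for every message whose tag verifies.

    The scan is container-agnostic: a packet buffer the firewall later
    dropped, a file-cache page or a heap block all look the same to it,
    which is exactly why the proposal calls seeding 'trivial'.
    """
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        hdr_end = pos + len(MAGIC) + 2
        if hdr_end <= len(image):
            (n,) = struct.unpack(">H", image[pos + len(MAGIC):hdr_end])
            msg_end = hdr_end + n + TAG_LEN
            if msg_end <= len(image):
                body = image[pos:hdr_end + n]
                expect = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
                if hmac.compare_digest(expect, image[hdr_end + n:msg_end]):
                    hits.append((pos, body[hdr_end - pos:]))
        pos = image.find(MAGIC, pos + 1)
    return hits


def icmp_echo(payload: bytes) -> bytes:
    """Minimal ICMP echo request (type 8, checksum left zero).  The NIC
    copies a frame like this into host memory before any firewall rule
    gets to drop it."""
    return struct.pack(">BBHHH", 8, 0, 0, 0x1234, 1) + payload


def dns_like_response(payload: bytes) -> bytes:
    """Constructed stand-in for a DNS response whose answer carries the bytes."""
    return b"\xAB\xCD\x81\x80" + b"\x00" * 8 + b"\x03www\x07example\x03com\x00" + payload


def build_sample_image() -> bytes:
    """Constructed 'physical memory' image: zero pages, text, two real
    messages in different carriers, and a decoy with a bad tag."""
    zero_page = b"\x00" * 4096
    text_page = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    decoy = MAGIC + struct.pack(">H", 4) + b"nope" + b"\xFF" * TAG_LEN
    return (zero_page
            + icmp_echo(build_message(b"beacon 3600"))
            + text_page
            + decoy
            + zero_page[:100]
            + dns_like_response(build_message(b"uninstall"))
            + zero_page)


if __name__ == "__main__":
    for off, cmd in scan_image(build_sample_image()):
        print(f"0x{off:06x}: {cmd!r}")
```

Two points the simulation makes that the proposal leaves implicit. First, a scheme like this has to authenticate its messages: by the proposal's own claim, anyone on the network can write bytes into the host's memory, so an unauthenticated marker would hand control of the implant to whoever sends the next packet, which is why the example keys each message with an HMAC and rejects the decoy. Second, the same property cuts the other way for a responder: even if the rootkit body keeps moving, the seeded messages sit in receive buffers, cache pages and heap blocks until those are overwritten, so a scan of a physical memory dump for the marker and framing can recover what the implant was told to do without ever locating the implant itself.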

25 Responses to “HBGary INC. working on secret rootkit project. Codename: “MAGENTA””


  19. mpineiro, on February 26th, 2011, said:

    I think this article is a little too much hyperbole. Really, what sec researcher or teenage hacker wannabe ISN'T working on the undetectable rootkit? How many has Julian Assange experimented with in his time? Way overblown. Any sec firm would have jobs like this. Very common.

  20. e-lena, on March 7th, 2011, said:

    Hyperbole?!
    Whether teenagers try to develop something like this, I don't know. Do YOU?
    But look at the clients of HBGary! Look at the people addressed in the emails! Did you read this article, mpineiro?
    I guess you didn't, or simply didn't understand.
    When GOVERNMENTS and their secret services are working on and using such rootkits, it is quite different from teenagers. The results of government-financed (taxes!) projects, made by highly paid professionals, must also be a bit more effective than those of any brilliant teenager, don't you think?


  25. I've found it alarming that news coverage of spyware and virus problems has not been keeping up with the threat. It seems like several years since spyware or virus software gained much awareness at all. I wonder if that's why the problems continue and people keep falling victim to infections and spyware.
