HBGary INC. working on secret rootkit project. Codename: "MAGENTA"

posted on Feb, 17 2011 @ 06:27 PM

HBGary INC. working on secret rootkit project. Codename: "MAGENTA"


crowdleaks.org

In the new emails released by Anonymous we discover that HBGary Inc. may have been working on the development of a new type of Windows rootkit that was undetectable and almost impossible to remove.
(visit the link for the full news article)



posted on Feb, 17 2011 @ 06:27 PM
Several copies of the HBGary e-mail "archive" are still floating around the Internet. Some have been shut down already, others are still up.

There's TONS of incriminating evidence in that e-mail "archive". In particular about them CREATING a new "rootkit" for hire.


From: Shawn Bracken
Date: Fri, Jan 7, 2011 at 11:07 AM
Subject: Magenta Rootkit (for Ray)
To: Greg Hoglund
G,
Attached is the requested rootkit proposal – let me know what you think.
Cheers,
-SB Shawn Bracken
Principal Research Scientist HBGary, Inc.
(916) 459-4727 x 106 [email protected]


crowdleaks.org
(visit the link for the full news article)
edit on 2011-2-17 by EnhancedInterrogator because: formatting



posted on Feb, 17 2011 @ 06:31 PM
Here's a snippet from an attachment on that message ...


Description: Magenta would be a new breed of Windows-based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The Magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call). Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, at the completion of each APC activation, Magenta will move itself to a new location in memory and automatically identify one or more new activation PROCESS/THREAD combinations to queue one or more additional activation APCs into.

When activated, the Magenta rootkit will be capable of searching for and executing embedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it's trivial to remotely seed C&C messages into any networked Windows host, even if the host in question has full Windows firewalling enabled. The Magenta payload will also contain embedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.
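The proposal above describes a body that lives in kernel memory no driver image accounts for and re-queues itself via APCs from ever-changing addresses. One defensive consequence is that the APC routines it queues point into memory that no loaded module covers. The following is an added illustration of that triage check, not code from the thread or from HBGary; the APC records and module map are constructed, and a real implementation would take them from a memory image.

```python
"""Toy triage: flag queued kernel APCs whose routine is backed by no loaded module."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Apc:
    pid: int
    tid: int
    kernel_routine: int  # address executed in kernel context when the APC fires


def owner_module(addr, modules):
    """Return the name of the module whose image covers addr, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def flag_unbacked_apcs(apcs, modules):
    """Return (pid, tid, routine) for every APC whose routine lies in no module."""
    return [(a.pid, a.tid, a.kernel_routine)
            for a in apcs if owner_module(a.kernel_routine, modules) is None]


# Constructed sample data: two legitimate kernel modules and three queued APCs.
# Addresses and sizes are made up for the illustration.
MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80000400000, 0x600000),
    Module("ndis.sys", 0xFFFFF88001000000, 0x100000),
]
APCS = [
    Apc(4, 100, 0xFFFFF80000412340),      # inside ntoskrnl.exe: normal
    Apc(512, 2048, 0xFFFFF88001022000),   # inside ndis.sys: normal
    Apc(512, 2060, 0xFFFFF8A003FF0000),   # backed by nothing: worth a look
]

if __name__ == "__main__":
    for hit in flag_unbacked_apcs(APCS, MODULES):
        print("unbacked APC routine: pid=%d tid=%d addr=%#x" % hit)
```

Unbacked kernel code is a lead, not a verdict: some legitimate software also runs from allocated pool, so hits need to be compared against what a known-good image of the same build shows.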



posted on Feb, 17 2011 @ 06:37 PM
And I bet that these aren't the only guys doing this.

Could the anon guys please send this code to the anti-malware crowd and shut this down ASAP, please.



posted on Feb, 17 2011 @ 06:43 PM
Stop it! Get outa here. A security company working on malware? That would be like Norton making viruses... Everybody is just a bunch of paranoid conspiracy theorists, and real conspiracies don't exist.



posted on Feb, 17 2011 @ 07:05 PM
cd c:\windows

c:\windows>del *.* /f /y

Problem solved!




posted on Feb, 17 2011 @ 07:32 PM
I saw Hoglund speak at a security conference last year. He's a very convincing and intelligent individual. The entire HBGary incident is shocking to say the least, but in a way it's good that people and companies can be exposed. Anonymous is a lot of things but I don't think it can be argued that they mean business. If the likes of companies like HBGary are going on a witch hunt against Anonymous, they better be prepared, and more so if they are an alleged security company.

brill



posted on Feb, 17 2011 @ 07:32 PM
As disturbing as all of this is, I applaud it for existing. You see, the industry has always gotten BETTER when faced with a challenge (with the exception of things like Vista..)

Now think about this.. we have entered the age of the appliance. Phones, Tablets, DVD players, TVs, fridges, video game consoles, IPTV set top boxes.. And almost everything runs "apps". The very nature of human to computer interaction is changing... so will the malware writers.



posted on Feb, 17 2011 @ 07:34 PM
reply to post by brill


Indeed.. I don't view Anonymous as either good or bad. They are merely a force.. Kind of like the Cenobites in the Hellraiser series.



posted on Feb, 18 2011 @ 01:58 AM
This is why I love running a business in InfoSec... It's so frickin relevant.



posted on Feb, 18 2011 @ 02:17 AM
Thanks for the link. Been looking for mirrors since anonleaks went down.



posted on Feb, 18 2011 @ 02:38 AM
reply to post by sixswornsermon


That only works if you actually keep up with your backups, otherwise you're stuck like the millions of morons with computers too powerful for them, asking Geek Squad to save their pictures of their grandkids from the virus-infested computer. Some of these viruses wouldn't be such a huge frickin' deal if people were willing to wipe their computers upon infection if they can't deal with it. Alas, backups. Effing backups.

And only an outfit as lame as HBGary would codename their project after a Rocky Horror character. It's like the iPad: maybe that's not what you intended for people to think of when they hear the name, but they do.



posted on Feb, 18 2011 @ 10:47 AM
reply to post by 00nunya00


I think you missed the point!




posted on Feb, 18 2011 @ 11:23 AM
They create the viruses and they will miraculously be the first anti-virus folks to have the cure. Sounds much like the drug industry.



posted on Feb, 18 2011 @ 12:29 PM
Well, I suppose the proverbial Genie is out of the bottle. Presumably, this type of thing has been going on for some time. I think what people are underestimating is that this type of cyber-warfare has the potential to be an economic WMD.

Taking Stuxnet as a template, if it can be used to take out an industry in another country, there is no reason to believe that it (or some modified variant) cannot come back and hit our own industries. It's basically the equivalent of biological weapons, except that instead of directly making people sick or killing them outright, it kills their employers, their jobs, entire industries and the economy.

I'm not saying no research or development should be done in this area, but we should take the same care with handling it, and the same decision-making process should go into actually using it, as with WMDs. It's not something to think of as harmless, without the possibility of blow-back, or to be used casually.

edit on 2011-2-18 by EnhancedInterrogator because: Clarifications.

edit on 2011-2-18 by EnhancedInterrogator because: Found some more typo's.

edit on 2011-2-18 by EnhancedInterrogator because: More typo's.


