Democratic Underground Latest Greatest Lobby Journals Search Options Help Login
Google

HBGary INC. working on secret rootkit project. Codename: MAGENTA

Printer-friendly format Printer-friendly format
Printer-friendly format Email this thread to a friend
Printer-friendly format Bookmark this thread
This topic is archived.
Home » Discuss » General Discussion Donate to DU
 
kpete Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Feb-14-11 12:04 PM
Original message
http://crowdleaks.org/hbgary-inc-working-on-secret-root... /

HBGary INC. working on secret rootkit project. Codename: MAGENTA
This article was written by laurelai warningmbrrootkithuntin

In the new emails released by Anonymous we discover that HBGary Inc. may have been working on the development of a new type of Windows rootkit that was undetectable and almost impossible to remove.

Crowdleaks.org cannot confirm how far into development this project went. However we do know by looking at the following email that the Magenta Rootkit proposal was forwarded from Greg Hoglund at HBGary to Ray Owen, President of Farallon Research LLC.

Key Features:

* New breed of rootkit There isnt anything like this publicly

* Extremely small memory footprint (4k or less)

* Almost impossible to remove from a live running system

o Once the injected Magenta rootkit body is loaded into kernel memory, it will be fire-and-forget. You can delete the original .sys file used to load it if you wish.

o Any physical memory based tools that would allow you to see the current location of Magenta body would only be of limited use since by the time the responder tried to verify his results Magenta will have already moved to a new location & context

* Elegant/powerful C&C message system. There is a near endless amount of ways to get a small seeded C&C message into the physical memory of a networked computer even with zero credentials.

* Invisible to kernel mode defense components that rely on the PsSetLoadImageNotifyRoutine() notification routine to detect/analyze/block drivers.

o HINT: PsSetLoadImageNotify() callbacks only get called for drivers who returned TRUE in their DriverEntry()


WOW MORE:
http://www.dailykos.com/story/2011/02/14/944364/-HBGary...
Printer Friendly | Permalink |  | Top
formercia Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Feb-14-11 12:12 PM
Response to Original message
1. Fedware
Edited on Mon Feb-14-11 12:12 PM by formercia
If you have sensitive data, never connect that computer to the Internet, because this is what the Internet was meant to be. Do you think the Department of Defense would have allowed public access to the Internet out of the kindness of their hearts?
Printer Friendly | Permalink |  | Top
 
dixiegrrrrl Donating Member (1000+ posts) Send PM | Profile | Ignore Mon Feb-14-11 12:40 PM
Response to Original message
2. And if you do not use Windows???
Printer Friendly | Permalink |  | Top
 
DU AdBot (1000+ posts) Click to send private message to this author Click to view 
this author's profile Click to add 
this author to your buddy list Click to add 
this author to your Ignore list Thu Nov 15th 2018, 08:31 PM
Response to Original message
Advertisements [?]
 Top

Home » Discuss » General Discussion Donate to DU

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators


Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.

Home  |  Discussion Forums  |  Journals |  Store  |  Donate

About DU  |  Contact Us  |  Privacy Policy

Got a message for Democratic Underground? Click here to send us a message.

© 2001 - 2011 Democratic Underground, LLC