HBGary's rootkit project Magenta

HBGary is a technology security company. Two distinct but affiliated firms carry the name: HBGary Federal, which sells its products to the US federal government, and HBGary, Inc. Its other clients include information assurance companies, computer emergency response teams and computer forensic investigators.

Leaked emails suggest that HBGary has been working on a rootkit project named Magenta. This is what HBGary proposed:

Magenta would be a new breed of Windows-based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The Magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call).

Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, at the completion of each APC activation, Magenta will move itself to a new location in memory and automatically identify one or more new activation PROCESS/THREAD combinations to queue one or more additional activation APCs into.

When activated, the Magenta rootkit will be capable of searching for and executing embedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it’s trivial to remotely seed C&C messages into any networked Windows host – even if the host in question has full Windows firewalling enabled.

The Magenta payload will also contain embedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.
Source: http://hbgary.anonleaks.ru/greg_hbgary_com/16406.html

The following Crowdleaks article gives more detail on the Magenta project:

HBGary Inc. working on secret rootkit project. Codename: “MAGENTA”
This article was written by Laurelai.

In the new emails released by Anonymous we discover that HBGary Inc. may have been working on the development of a new type of Windows rootkit that was undetectable and almost impossible to remove.

Crowdleaks.org cannot confirm how far into development this project went. However, we do know by looking at the following email that the Magenta Rootkit proposal was forwarded from Greg Hoglund at HBGary to Ray Owen, President of Farallon Research LLC.

 From: Greg Hoglund
 To: [email protected]
 Date: Fri, 7 Jan 2011 14:29:25 -0800
 Subject: Fwd: Magenta Rootkit (for Ray)

 Full headers
 —–
 mime-version: 1.0
 received: by 10.147.181.12 with HTTP; Fri, 7 Jan 2011 14:29:25 -0800 (PST)
 in-reply-to: <000001cbae9e$31149790$933dc6b0$@com>
 references: <000001cbae9e$31149790$933dc6b0$@com>
 date: Fri, 7 Jan 2011 14:29:25 -0800
 delivered-to: [email protected]
 message-id:
 subject: Fwd: Magenta Rootkit (for Ray)
 from: Greg Hoglund
 to: [email protected]
 content-type: multipart/mixed; boundary=000e0cd3ea788d10dc0499492677
 Attachments: MAGENTA.docx (13878 bytes)

Farallon Research LLC is a privately held government contractor based in Gatos, CA. Their website offers no insight into who they are or what they do other than an “About Us” page which simply states: “The mission of Farallon Research LLC is to connect advanced commercial technologies and the companies that develop them with the requirements of the U.S. government.”

In the following message we can see that Shawn Bracken, Principal Research Scientist at HBGary, attached and sent the initial Magenta Rootkit proposal to Greg Hoglund.

 ———- Forwarded message ———-
 From: Shawn Bracken
 Date: Fri, Jan 7, 2011 at 11:07 AM
 Subject: Magenta Rootkit (for Ray)
 To: Greg Hoglund

 G,

 Attached is the requested rootkit proposal - let me know what you think.

 Cheers,

 -SB
 Shawn Bracken

 Principal Research Scientist
 HBGary, Inc.
 (916) 459-4727 x 106
 [email protected]

In the attached word document (MAGENTA.docx) we find:

Description: Magenta would be a new breed of Windows-based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The Magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call). Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, at the completion of each APC activation, Magenta will move itself to a new location in memory and automatically identify one or more new activation PROCESS/THREAD combinations to queue one or more additional activation APCs into.

When activated, the Magenta rootkit will be capable of searching for and executing embedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it’s trivial to remotely seed C&C messages into any networked Windows host – even if the host in question has full Windows firewalling enabled. The Magenta payload will also contain embedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.

Key Features:

 * New breed of rootkit – there isn’t anything like this publicly
 * Extremely small memory footprint (4k or less)
 * Almost impossible to remove from a live running system
   o Once the injected Magenta rootkit body is loaded into kernel memory, it will be fire-and-forget. You can delete the original .sys file used to load it if you wish.
   o Any physical-memory-based tools that would allow you to see the current location of the Magenta body would only be of limited use, since by the time the responder tried to verify his results Magenta will have already moved to a new location & context.
 * Elegant/powerful C&C message system. There is a near endless number of ways to get a small seeded C&C message into the physical memory of a networked computer, even with zero credentials.
 * Invisible to kernel-mode defense components that rely on the PsSetLoadImageNotifyRoutine() notification routine to detect/analyze/block drivers.
   o HINT: PsSetLoadImageNotify() callbacks only get called for drivers that returned TRUE in their DriverEntry()

Project Development Phases:
HBGary recommends using at least a two-phase project to build out Magenta. In Phase 1 HBGary would build a fully functional prototype for Windows XP Service Pack 3 (x86). This would allow an end-to-end proof-of-concept prototype to be developed and demonstrated. Phase 2 would purely consist of porting the Magenta rootkit to all current flavors of Microsoft Windows (x86 & x64).

Crowdleaks.org cannot confirm that the Magenta Rootkit proposal was even accepted, but given HBGary’s involvement in Stuxnet research, it’s a chilling proposal that was likely taken seriously by HBGary Inc. and probably not the first of its kind.
Written by Laurelai: http://www.dailykos.com/story/2011/02/14/944364/-HBGary-INC-working-on-s...
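Two of the proposal's evasion claims are directly testable by a responder: that the body needs no backing .sys file once it is in kernel memory, and that it relocates between APC activations faster than a live memory tool can confirm a hit. The Python below is an added example written for this page; it is not HBGary's code and is not derived from the MAGENTA.docx attachment. It sketches the two checks a memory-forensics analyst would run against offline physical-memory captures rather than against the live kernel: a wildcard signature scan over two captures to spot a body that moves, and a check that every queued APC's routine pointers resolve to a loaded module. The memory image, module map, APC records, toy body bytes and signature are all constructed for the example; real Windows structures (KAPC, loader entries, pool headers) are not parsed.

```python
"""Toy memory-forensics checks for a relocating, module-less kernel payload.

Added example for this page. Nothing here is HBGary code or derived from the
Magenta proposal: the memory image, module map, APC records, the toy body and
its signature are all constructed, and real Windows structures (KAPC, loader
entries, pool headers) are deliberately not modelled.
"""
import re
import struct
from dataclasses import dataclass

PAGE = 0x1000


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as a responder would enumerate it."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Apc:
    """One queued APC: the target thread plus the routines it will run.
    Field names are ours; the real KAPC layout is not modelled."""
    pid: int
    tid: int
    kernel_routine: int
    normal_routine: int  # 0 when no normal routine is set


# Constructed 32-bit module map (addresses are arbitrary).
MODULES = [
    Module("ntoskrnl.exe", 0x80400000, 0x00200000),
    Module("hal.dll",      0x80600000, 0x00020000),
    Module("tcpip.sys",    0xF8A00000, 0x00060000),
]

# Constructed APC queue snapshot: two benign entries and one whose routines
# live in pool memory that no module owns.
APCS = [
    Apc(pid=4,   tid=8,   kernel_routine=0x80412340, normal_routine=0),
    Apc(pid=612, tid=640, kernel_routine=0xF8A10020, normal_routine=0xF8A10200),
    Apc(pid=612, tid=652, kernel_routine=0x8A3F1000, normal_routine=0x8A3F1040),
]


def owning_module(addr: int, modules):
    """Return the module containing addr, or None if no module backs it."""
    return next((m for m in modules if m.contains(addr)), None)


def unbacked_apcs(apcs, modules):
    """APCs whose kernel or normal routine lies outside every loaded module.

    A driver's APC routines sit inside its own image. A fire-and-forget body
    copied into pool memory, whose .sys file is gone, has no image, so its
    routine pointers resolve to no module at all.
    """
    hits = []
    for apc in apcs:
        for field in ("kernel_routine", "normal_routine"):
            addr = getattr(apc, field)
            if addr and owning_module(addr, modules) is None:
                hits.append((apc.pid, apc.tid, field, addr))
    return hits


def make_body(self_addr: int) -> bytes:
    """Toy relocatable body: fixed x86 prologue, an absolute self-pointer that
    is re-patched each time the body moves, fixed epilogue, nop padding."""
    return (b"\x55\x8b\xec"                              # push ebp; mov ebp, esp
            + b"\xb8" + struct.pack("<I", self_addr)     # mov eax, <self_addr>
            + b"\x5d\xc3"                                # pop ebp; ret
            + b"\x90" * 8)


# Wildcard signature: the four self-pointer bytes differ after each relocation.
BODY_SIG = re.compile(rb"\x55\x8b\xec\xb8.{4}\x5d\xc3", re.DOTALL)


def snapshot(body_offsets, size: int = 16 * PAGE) -> bytes:
    """Constructed physical-memory capture: zeroed pages with the body written
    at each given offset (the offset doubles as the toy's physical address)."""
    image = bytearray(size)
    for off in body_offsets:
        body = make_body(off)
        image[off:off + len(body)] = body
    return bytes(image)


def find_bodies(image: bytes):
    """Offsets of every copy of the body, whatever its patched self-pointer."""
    return [m.start() for m in BODY_SIG.finditer(image)]


def relocated_between(first: bytes, second: bytes) -> dict:
    """Compare two captures. A body seen at different offsets moved between
    them; the same offsets in both mean a static payload (or none at all)."""
    a, b = find_bodies(first), find_bodies(second)
    return {"first": a, "second": b, "moved": bool(a or b) and set(a) != set(b)}


if __name__ == "__main__":
    for pid, tid, field, addr in unbacked_apcs(APCS, MODULES):
        print(f"APC in pid {pid} tid {tid}: {field} -> {addr:#010x} is backed by no module")
    before, after = snapshot([0x3000]), snapshot([0x9000])
    print("body relocation:", relocated_between(before, after))
```

Taking the captures offline (crash dump, hypervisor snapshot, DMA acquisition) instead of querying the live kernel removes the race the proposal relies on: the body can only move between captures, not inside one, and a queued APC whose routine resolves to no module is a finding regardless of where the body has gone by the time the analyst looks. The same signature scan applies to the seeded C&C messages: whatever marker the payload searches physical memory for, a defender's scanner can search for too.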


Published by: Reza Rafati, founder of Cyberwarzone.com, The Netherlands.