http://crowdleaks.org/hbgary-inc-working-on-secret-rootkit-project-codename-magenta/

HBGary INC. working on secret rootkit project. Codename: “MAGENTA”
This article was written by laurelai
In the new emails released by Anonymous we discover that HBGary Inc. may have been working on the development of a new type of Windows rootkit that was undetectable and almost impossible to remove.
Crowdleaks.org cannot confirm how far into development this project went. However, we do know by looking at the following email that the Magenta Rootkit proposal was forwarded from Greg Hoglund at HBGary to Ray Owen, President of Farallon Research LLC.
Key Features:
* New breed of rootkit – There isn’t anything like this publicly
* Extremely small memory footprint – (4k or less)
* Almost impossible to remove from a live running system
    o Once the injected Magenta rootkit body is loaded into kernel memory, it will be fire-and-forget. You can delete the original .sys file used to load it if you wish.
    o Any physical memory based tools that would allow you to see the current location of the Magenta body would only be of limited use, since by the time the responder tried to verify his results Magenta will have already moved to a new location & context.
* Elegant/powerful C&C message system. There is a near endless amount of ways to get a small seeded C&C message into the physical memory of a networked computer even with zero credentials.
* Invisible to kernel mode defense components that rely on the PsSetLoadImageNotifyRoutine() notification routine to detect/analyze/block drivers.
    o HINT: PsSetLoadImageNotify() callbacks only get called for drivers who returned TRUE in their DriverEntry()
WOW MORE:
http://www.dailykos.com/story/2011/02/14/944364/-HBGary-INC-working-on-secret-rootkit-project-Codename:-%E2%80%9CMAGENTA%E2%80%9D