It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Some features of ATS will be disabled while you continue to use an ad-blocker.
(visit the link for the full news article)
In the new emails released by Anonymous we discover that HBGary Inc. may have been working on the development of a new type of Windows rootkit that was undetectable and almost impossible to remove.
From: Shawn Bracken
Date: Fri, Jan 7, 2011 at 11:07 AM
Subject: Magenta Rootkit (for Ray)
To: Greg Hoglund
Attached is the requested rootkit proposal – let me know what you think.
-SB Shawn Bracken
Principal Research Scientist HBGary, Inc.
(916) 459-4727 x 106 email@example.com
Description: Magenta would be a new breed of windows based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call). Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, At the completion of each APC activation, magenta will move itself to a new location in memory and automatically identify one or more new activation PROCESS/THREAD combinations to queue one or more additional activation APC’s into.
When Activated, the Magenta rootkit will be capable of searching for and executing imbedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it’s trivial to remotely seed C&C messages into any networked windows host – even if the host in question has full windows firewalling enabled. The Magenta payload will also contain imbedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.