Secret rootkit project. Codename: “MAGENTA”

Noticed it yesterday when searching through -http://hbgary.anonleaks.ru which is now down But http://crowdleaks.org offers a similar facility

Yes 64 Bit too

 

Yeah, i read that from the HBGARY thread, i wonder what was that rootkit about

Screw those dudes, owned by Anons for GOOD! RAWWWR

 

Who will also go after anyone and everything with connections to their enemies, whether said connections had anything to do with said enemies actions. Don't lump true freedom fighters and agenda-driven criminals together in the same category, just because they talk the same. Anonymous is on your side, until you disagree with them. Don't be naive.

 

I knew my post would bring some comments

 

Comments are good if you learn something

 

Would Sandboxie be able to stop soomething like this?

 

Under "Key Features":

* New breed of rootkit – There isn’t anything like this publicly

* Extremely small memory footprint – (4k or less)

* Almost impossible to remove from a live running system

Umm..what's "new" here? It also seems to load a driver (if I read right). Drivers are a no-no under Sandboxie, so that should be its death sentence right there. Otherwise, I'm not seeing anything here besides the ever abused "0 day" term that would be tacked on, that's any different from any other rootkit. There's really not much to see here.

 

sandboxie maybe protect you if the vector is web browser, but if the vector make use of unknown windows vulnerabilities its game over

 

Not really. Let's say you download an infected program. You run it in Sandboxie, the infection wants to install a driver. Drivers aren't allowed to install in Sandboxie (unless you screw with the settings, then of course you're on your own), so it's game over for the infection. Let's say it doesn't need a driver (this particular one seems to, as do a lot of rootkits). You again install the infection in Sandboxie, and, again, if you've set it to do so (and you always should for testing files/programs), Sandboxie deletes the contents afterward, along with the infection. Game over again.

Proper use of Sandboxie isn't limited by attack vector. It will do its job no matter how the infection got there. You, as a user, on the other hand, make all the difference in the world. If you run the rootkit outside of Sandboxie, well then sure, without extra protection, your goose is cooked.

 

its not what i meant, you can't sandbox the entire windows, if the rootkit make use of e.g. LAN, or windows file system, think like stuxnet

 

There is still the potential for sandbox/virtualization awareness which could result in the RK remaining hidden with the user getting no warning that it is malware when they move to install or run the program outside the box...

SBIE and virtualization by themselves are not a silver bullet so make sure you have a layered defense in place just in case the "candy" is spiked...

Mike

 

Completely agree, and, eventually we'll see more "sandbox aware" malware. There is no such thing as a silver bullet, unfortunately.