Secret rootkit project. Codename: “MAGENTA”

Discussion in 'malware problems & news' started by CloneRanger, Feb 17, 2011.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Noticed it yesterday when searching through -http://hbgary.anonleaks.ru which is now down :( But http://crowdleaks.org offers a similar facility ;)

    Yes 64 Bit too :eek:
     
  2. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    Yeah, I read that in the HBGARY thread, I wonder what that rootkit was about :eek:

    Screw those dudes, owned by Anons for GOOD! RAWWWR
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Who will also go after anyone and everything with connections to their enemies, whether or not said connections had anything to do with said enemies' actions. Don't lump true freedom fighters and agenda-driven criminals together in the same category just because they talk the same. Anonymous is on your side, until you disagree with them. Don't be naive.
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,468
    I knew my post would bring some comments :p
     
    Last edited: Feb 18, 2011
  5. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Comments are good if you learn something ;)
     
  6. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    Would Sandboxie be able to stop something like this?
     
  7. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Under "Key Features":

    * New breed of rootkit – There isn’t anything like this publicly

    * Extremely small memory footprint – (4k or less)

    * Almost impossible to remove from a live running system

    Umm... what's "new" here? It also seems to load a driver (if I read right). Drivers are a no-no under Sandboxie, so that should be its death sentence right there. Otherwise, I'm not seeing anything here, besides the ever-abused "0 day" term that would be tacked on, that's any different from any other rootkit. There's really not much to see here.
     
  8. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Sandboxie may protect you if the vector is the web browser, but if the vector makes use of unknown Windows vulnerabilities it's game over.
     
  9. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Not really. Let's say you download an infected program. You run it in Sandboxie, the infection wants to install a driver. Drivers aren't allowed to install in Sandboxie (unless you screw with the settings, then of course you're on your own), so it's game over for the infection. Let's say it doesn't need a driver (this particular one seems to, as do a lot of rootkits). You again install the infection in Sandboxie, and, again, if you've set it to do so (and you always should for testing files/programs), Sandboxie deletes the contents afterward, along with the infection. Game over again.

    Proper use of Sandboxie isn't limited by attack vector. It will do its job no matter how the infection got there. You, as a user, on the other hand, make all the difference in the world. If you run the rootkit outside of Sandboxie, well then sure, without extra protection, your goose is cooked.
     
  10. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    That's not what I meant; you can't sandbox the entire Windows, if the rootkit makes use of e.g. the LAN or the Windows file system. Think like Stuxnet.
     
  11. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    There is still the potential for sandbox/virtualization awareness which could result in the RK remaining hidden with the user getting no warning that it is malware when they move to install or run the program outside the box...

    SBIE and virtualization by themselves are not a silver bullet, so make sure you have a layered defense in place just in case the "candy" is spiked...

    Mike
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Completely agree, and eventually we'll see more "sandbox aware" malware. There is no such thing as a silver bullet, unfortunately.
     