Magenta: HBGary Federal's Cyberoffense Failure

Monday, February 21, 2011

J. Oquendo


Cyberoffense is and has been in full swing for longer than many have acknowledged so as Heath Ledger quipped in Batman "why so serious?"

Crowdleaks recently posted some interesting leaked messages from the HBGary ordeal which documents and details the "possibility" that HBGary was involved with creating an undetectable, full command and control, rootkit labeled Magenta. [1]

This news definitely piques my interest as Greg Hoglund is a well known security expert, published author of "Rootkits - Subverting the  Windows Kernel" [2] and he is also the owner of HBGary. If anyone has the capability of "unloading" holy hell via undetectable C&C botnets/malware or rootkits, he would be my public enemy number one, so "why so serious" you ask, read on.

Imagine for a moment the following: you are the project manager of a company or government agency which has decided to walk the thin line by creating a program capable of dishing out "cyberoffensive" attacks.

You sought the best and brightest in the industry to undertake this project and for a fee, those best and brightest delivered the digital equivalent of say the "Ebola" virus. Only this particular virus or worm is completely undetectable.

"Why so serious?", for starters, at some point in time, the heuristics of an ever-changing backdoor would eventually run out rendering the backdoor detectable. Now I can argue about detectability but it has been done very eloquently already under the "Rootkit Paradox" [3].

Therein lies the problem, depending on who detected the malicious software, there is nothing to stop someone from reversing that same payload for malicious purposes. Imagine that, poisoning the party who poisoned you.

To offer a parallel explanation in non-computing terms, imagine that the scientists who study viruses such as Anthrax, Ebola and other deadly viruses decided to release one of these viruses as a bioweapon.

This weapon is now available to anyone capable of seeing an anomaly, reverse engineering the virus, re-sending the virus or adding their own potent mixes to make it worse or better yet, more stealthy. Had the weapon never been released, there would be less fear of more potent bioweapons or that other nefarious entities would end up using these same bioweapons for malicious purpose.

What's good for the goose, is almost always good for the gander; you get what you ask for. In trying to understand this Magenta theory, I hope that others are not fooled for a second into thinking that an anomaly would go undetected, I am almost sure the creators of Stuxnet, Aurora and countless other C&Cs thought similarly.

So why so serious? As most countries, businesses and governments struggle to get security into full-swing, we now see or hear about business jumping into the "dark" realm of counterattacking. For those who work in any kind of provider space (ISPs, NSPs, MSSPs, MSPs) we don't want these types of nightmares running amok in our environments as the potential fallout can be catastrophic.

So here is what HBGary proposed: [4]

Magenta would be a new breed of windows based rootkit, which HBGary refers to as a multi-context rootkit. Magenta is a 100% pure assembly language implemented rootkit. The magenta rootkit body is injected into kernel memory via the DriverEntry() partial-load technique. Once loaded into kernel memory, Magenta would automatically identify an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call).

Once the APC fires in the new process context, the body of the rootkit will be executed. Finally, At the completion of each APC activation, magenta will move itself to a new location in memory and automatically identify one or more new activation PROCESS/THREAD combinations to queue one or more additional activation APC’s into.

When Activated, the Magenta rootkit will be capable of searching for and executing imbedded command and control messages by finding them wherever they may exist in physical memory on the compromised host. This is ideal because it’s trivial to remotely seed C&C messages into any networked windows host – even if the host in question has full windows firewalling enabled.

The Magenta payload will also contain imbedded capabilities for injecting these C&C payloads directly into user-mode processes. This will allow injectable C&C payloads to be written to perform user-mode tasks on the compromised host.

Key Features:

New breed of rootkit – There isn’t anything like this publicly

Extremely small  memory footprint - (4k or less)

Almost impossible to remove from a live running system

Once the injected Magenta rootkit body is loaded into kernel memory, it will be fire-and-forget. You can delete the original .sys file used to load it if you wish.

Any physical memory based tools that would allow you to see the current location of Magenta body would only be of limited use since by the time the responder tried to verify his results Magenta will have already moved to a new location & context

Elegant/powerful C&C message system. There is a near endless amount of ways to get a small seeded C&C message into the physical memory of a networked computer even with zero credentials.
Invisible to kernel mode defense components that rely on the PsSetLoadImageNotifyRoutine() notification routine to detect/analyze/block drivers.

HINT: PsSetLoadImageNotify() callbacks only get called for drivers who returned TRUE in their DriverEntry()

Project Development Phases:

HBGary recommends using at least a two phase project to build out Magenta. In Phase-1 HBGary would build a fully functional prototype for Windows XP – Service Pack 3 (X86). This would allow an end-to-end proof of concept prototype to be developed and demonstrated. Phase-2 would purely consist of porting the Magenta rootkit to all current flavors of Microsoft Windows (x86 & x64)

Impressive to a degree but certainly nothing new. Other exploit developers have tinkered in this arena and even more extreme workspaces before [5]. So why so serious? From my personal perspective, with budgets at an all time high and my taxes getting higher time and time again, I am having a hard time swallowing the notion that at some point in time, some agency deemed it ok to unleash digital/electronic e-hell on me via the aftermath of a "rootkit" gone wrong.

Greg Hoglund, this isn't 1999 anymore [6] and anonymous has proven that to you by making your company toxic. [7] All for what? Tracking down anonymous users? When you think about that needle in the haystack, it makes little practical sense. Sure you might have been able to track a dozen or two, but the reality is, there are and were far too many people involved to begin with that the task as a whole was insane.

Aside from that, there is a high possibility because of the structure of IP, to falsely implicate someone which could lead to false arrests. Irrelevant? Maybe, unless your door was the one that was kicked down. (Joe Job anyone?)

I have zero idea why staff at HBGary chose to go after who knows how many random users, it doesn't make much business sense let alone technological sense. I will end this by saying that some of the actions of HBGary if true, makes some HBGary employees no better than the those in the RBN [8].

Sad because I had a lot of respect for many in that company and enjoyed learning from their writings. Even more sad to know is that, for such sensitive discussions between sensitive officials, neither they, nor HBGary used PGP which could have saved them from the possible upcoming nightmare. [9]



Possibly Related Articles:
Viruses & Malware
malware Botnets Rootkits HBGary Federal Cyber Offense Magenta
Post Rating I Like this!
Ann O'Nymous Interesting bits, but what is your point ?
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.