Unmasked - Ars Technica [29]

be very different than an HR person or senior manager. All of these factors need to be taken into account when developing detection capabilities for suspicious activity. We cannot focus on just [whether] a particular action is potentially suspicious. Instead we must quantify the legitimate reasons for the activity and whether this person has a baseline, position, attributes, and history to support the activity.

DARPA did not apparently choose to fund the plan.

Grey areas

The ideas got ever more grandiose. Analyzing malware, HBGary’s main focus, wasn’t enough to keep up with the hackers; Hoglund had a plan to get a leg up on the competition by getting even closer to malware authors. He floated an idea to sniff Russian GSM cell phone signals in order to eavesdrop on hackers’ voice calls and text messages.

“GSM is easily sniffed,” he wrote to Barr. “There is a SHIELD system for this that not only intercepts GSM 5.1 but can also track the exact physical location of a phone. Just to see what’s on the market, check [redacted]… these have to be purchased overseas obviously.”

The note concluded: “Home alone on Sunday, so I just sit here and sharpen the knife.”

Barr, always enthusiastic for these kinds of ideas, loved this one. He wanted to map out everything that would be required for such an operation, including “personas, sink holes, honey nets, soft and hard assets… We would want at least one burn persona. We would want to sketch out a script to meet specific objectives.”

And, he noted, “We will likely ride in some grey areas.”

Back to basics

In January 2011, Barr had moved on to his research into Anonymous—research that would eventually do his company in. Over at HBGary, Hoglund continued his pursuit of next-gen rootkits. He had hit on a new approach that he called “Magenta.”

This would be a “new breed of Windows-based rootkit,” said a Magenta planning document, one that HBGary called a “multi-context rootkit.”

The Magenta software would be written in low-level assembly language, one step up from the ones and zeroes of the binary code with which computers do their calculating. It would inject itself into the Windows kernel, and then inject itself further into an active process; only from there would the main body of the rootkit execute.

Magenta would also inject itself routinely into different processes, jumping around inside the computer’s memory to avoid detection. Its command-and-control instructions, telling the rootkit exactly what to do and where to send the information, wouldn’t come from some remote Internet server but from the host computer’s own memory—where the control instructions had been separately injected.

“This is ideal because it’s trivial to remotely seed C&C messages into any networked Windows host,” noted Hoglund, “even if the host in question has full Windows firewalling enabled.”

Nothing like Magenta existed (not publicly, at least), and Hoglund was sure that he could squeeze the rootkit code into less than 4KB of memory and make it “almost impossible to remove from a live running system.” Once running, all of the Magenta files on disk could be deleted. Even the best anti-rootkit tools, those that monitored physical memory for signs of such activity, “would only be of limited use since by the time the responder tried to verify his results Magenta will have already moved to a new location & context.”

Hoglund wanted to build Magenta in two parts: first, a prototype for Windows XP with Service Pack 3—an old operating system but still widely installed. Second, if the prototype generated interest, HBGary could port the rootkit “to all current flavors of Microsoft Windows.”

Shortly thereafter, Anonymous broke into HBGary Federal’s website, cracked Barr’s hashed password using rainbow tables, and found themselves in a curious position; Barr was also the administrator for the entire e-mail system, so they were able to grab e-mail from multiple accounts, including Hoglund’s.

A world awash in rootkits

The leaked e-mails provide a tantalizing glimpse of life behind the security curtain. HBGary
