According to Crowdleaks, HBGary has been working on a very advanced rootkit for the government, codenamed Magenta. This development effort was revealed among the many emails recently posted to RapidShare by the group “Anonymous”. Magenta is a new breed of Windows-based rootkit, which HBGary refers to as a “multi-context” rootkit.
It is virtually undetectable and written entirely in assembly language. It is injected into kernel memory, where it seeks out an active process/thread context to inject itself into via an APC (Asynchronous Procedure Call). Once the APC fires in the new process context, the body of the rootkit is executed. Finally, Magenta moves itself to a new location in memory and automatically identifies one or more new process/thread combinations into which it queues one or more additional activation APCs. It intends to move around in memory a lot.
The Magenta rootkit searches for and executes embedded command-and-control messages by finding them in physical memory on the compromised host. It is apparently “trivial to remotely seed C&C messages into any networked Windows host”, even with full firewalling enabled.
I realize that HBGary does contract development work, and has expertise in the malware industry, but if this allegation is true, their credibility is in doubt and their products must be viewed as suspect. I hesitate to label them a malware developer, but if it smells like fish, it probably is sushi.