Stolen HBGary e-mails indicate it was planning a "new breed of rootkit"

The company distributed the idea to a consultancy that caters to the U.S. government

E-mails stolen by hactivist group Anonymous indicate that the security company it targeted was proposing to make a “new breed of rootkit” and that it passed along the plan to a technology firm that caters to the federal government.

The latest in security: Hot products from RSA 2011

An attachment to one of the stolen HBGary Federal e-mails calls for creating a rootkit that would find and execute command and control messages as would a compromised machine in a botnet, according to a copy of the e-mail posted by crowdleaks.org.

The document lists the virtues of the proposed Magenta Rootkit: "New breed of rootkit - There isn't anything like this publicly/ Extremely small memory footprint - (4k or less)/Almost impossible to remove from a live running system".

The founder of HBGary (the parent company of HBGary Federal) Greg Hoglund, sent a copy of the Magenta proposal to the president of Farralon Research, Ray Owen, according to the posted e-mails. Farralon posted this brief description of itself on its Web site: "The mission of Farallon Research LLC is to connect advanced commercial technologies and the companies that develop them with the requirements of the U.S. government."

As the stolen HBGary e-mails come to light, hints about the way the firm conducts business have come out, including an apparent plan to gather data about union organizers identified as opponents of the U.S. Chamber of Commerce. Methods used to gather the information include scraping Facebook data, which violates Facebook's terms of use.

The chamber and other security firms mentioned in the e-mails about the plan to make public statements deploring the proposal.

Beyond the revelations from the stolen e-mails, HBGary Federal has pulled out of the RSA Conference in San Francisco, saying it's in the best interest of its employees and the conference.

The company had a leased booth on the show floor, but shut it down after it was vandalized Sunday night. HBGary left behind a sign to explain its departure: "HBGary individuals have received numerous threats of violence including threats at our tradeshow booth.

"In an effort to protect our employees, customers and the RSA Conference community, HBGary has decided to remove our booth and cancel all talks," the company's message reads.

The company's CEO Aaron Barr was to have revealed the names of people who make up Anonymous at the Security B-Sides conference, also being held in San Francsico this week. Barr dropped out of that conference last week after Anonymous hacked into HBGary Federal's network and stole thousands - estimates are as high as 77,000 - e-mails and posted them on the Web.

Worst moments in network security history

Anonymous said in Web posts that it had done so as a preemptive strike against HBGary Federal's plan to out its members. Anonymous posted information contained in the e-mails about what HBGary Federal had discovered about Anonymous and ridiculed it as being inaccurate and incomplete.

Anonymous became the target of HBGary after the secret group launched attacks against the Web sites of businesses that tried to quash Wikileaks posts of stolen U.S. State Department diplomatic cables. HBGary Federal e-mails indicate the firm proposed selling information about the identities of Anonymous members to the FBI.

HBGary Federal has posted the same message on its Web site that it placed in its RSA booth, and it indicates that it plans to fight back. The message reads in full: "A group of aggressive hackers known as "Anonymous" illegally broke into computer systems and stole proprietary and confidential information from HBGary, Inc. This breach was in violation of federal and state laws, and stolen information was publicly released without our consent.

"In addition to the data theft, HBGary is continuing to work intensely with law enforcement on this matter and hopes to bring those responsible to justice.

"Thank you to all of our employees, our customers and the security community for your continued support.

"HBGary, Inc."

Hacked and now vandalized, HBGary pulls out of RSA

Insider Tip: 12 easy ways to tune your Wi-Fi network
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies