DarkMegi rootkit - sample (distributed via Blackhole)
Revision as of 16:24, 7 February 2015
| DarkMegi rootkit - sample (distributed via Blackhole) | |
|---|---|
| Malware | DarkMegi |
| Exploit kits | Blackhole |
| Date | 18 April 2012 |
| Editor/Conference | Contagio |
| Link | http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html |
| Author | Mila |
Abstract
“This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just as described in the McAfee article "Darkmegi: This is Not the Rootkit You're Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post.
Indeed, it drops the rootkit components in drivers with the incredible padding to 25MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and purpose of all files that this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share, I will link to it.”
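The one concrete observable in the abstract is that the dropped driver components are padded out to roughly 25 MB. The following triage script is an added example for this entry, not code from the Contagio post, from Mila, or from the McAfee write-up. It assumes that the padding is a run of a single repeated byte value (the post does not say what the filler is), that legitimate kernel drivers are rarely this large, and that 20 MiB and a 90 % single-byte share are sensible default thresholds; the file names and the temporary directory it scans are constructed for the demo.

```python
"""Triage check for oversized, heavily padded driver files.

Added example for this wiki entry; it is not code from the Contagio post,
from Mila, or from the McAfee article. Assumptions (not stated in the post):
the padding is a run of one repeated byte value, legitimate kernel drivers
are rarely this large, and 20 MiB / 90 % are reasonable triage thresholds.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed triage thresholds; the post only says "padding to 25MB".
SIZE_THRESHOLD = 20 * 1024 * 1024   # flag .sys files of 20 MiB or more ...
PAD_FRACTION = 0.90                 # ... where one byte value is >= 90 % of the content


def padding_ratio(path, chunk_size=1 << 20):
    """Return (dominant_byte, fraction) for the file, streaming it in chunks."""
    counts = Counter()
    total = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            counts.update(chunk)      # a bytes object iterates as ints 0..255
            total += len(chunk)
    if total == 0:
        return None, 0.0
    byte, n = counts.most_common(1)[0]
    return byte, n / total


def scan_drivers(directory, size_threshold=SIZE_THRESHOLD,
                 pad_fraction=PAD_FRACTION, suffixes=(".sys",)):
    """Return [(path, size, dominant_byte, fraction)] for files that are both
    unusually large and dominated by a single byte value."""
    hits = []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file() or p.suffix.lower() not in suffixes:
            continue
        size = p.stat().st_size
        if size < size_threshold:
            continue                  # the size test is cheap, so it goes first
        byte, frac = padding_ratio(p)
        if frac >= pad_fraction:
            hits.append((str(p), size, byte, frac))
    return hits


def build_demo(directory):
    """Write two constructed files (not real malware) so the scan runs offline:
    a small random-looking driver and a 4 KiB random header padded with 24 MiB of 0x00."""
    d = Path(directory)
    (d / "ordinary.sys").write_bytes(os.urandom(64 * 1024))
    (d / "padded_dropper.sys").write_bytes(
        os.urandom(4096) + b"\x00" * (24 * 1024 * 1024))


def run_demo():
    """Build the constructed samples in a temp dir and return the scan hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return scan_drivers(tmp)


if __name__ == "__main__":
    # On a real host, point scan_drivers() at the drivers directory instead.
    for path, size, byte, frac in run_demo():
        print(f"{path}: {size} bytes, {frac:.1%} of them are 0x{byte:02x}")
```

Size alone is not evidence: some legitimate drivers, graphics drivers in particular, run to tens of megabytes, and a vendor could conceivably ship a padded file. Treat a hit as a lead to be followed by an Authenticode signature check and a hash lookup against the sample set, not as a verdict.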
Bibtex
@misc{2012BFR988,
  editor = {Contagio},
  author = {Mila},
  title = {DarkMegi rootkit - sample (distributed via Blackhole)},
  day = {18},
  month = apr,
  year = {2012},
  howpublished = {\url{http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html}},
}