DarkMegi rootkit - sample (distributed via Blackhole)

From Botnets.fr

Botnet: DarkMegi
Exploit kits: Blackhole
Date: 2012-04-18
Editor/Conference: Contagio
Link: http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html (archive copy available)
Author: Mila Parkour
Type: Blogpost

Abstract

This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just as described in the McAfee article "Darkmegi: This is Not the Rootkit You're Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover them all in a quick post.

Indeed, it drops the rootkit components in drivers with incredible padding to 25MB and generates a lot of traffic. Unfortunately, I have not yet had time to sort out the mess and purpose of all the files that this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share it; I will link to it.

Bibtex

 @misc{2012BFR988,
   editor = {Contagio},
   author = {Mila Parkour},
   title = {DarkMegi rootkit - sample (distributed via Blackhole)},
   day = {18},
   month = apr,
   year = {2012},
   howpublished = {\url{http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html}},
 }