DarkMegi rootkit - sample (distributed via Blackhole)

From Botnets.fr


Botnet: DarkMegi
Exploit kits: Blackhole
Date: 2012-04-18
Editor/Conference: Contagio
Link: http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html (archive copy available)
Author: Mila Parkour
Type: Blogpost


This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just like described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post.

Indeed, it drops the rootkit components in drivers with incredible padding to 25 MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and purpose of all the files that this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share; I will link to it.


 @misc{2012BFR988,
   editor = {Contagio},
   author = {Mila Parkour},
   title = {DarkMegi rootkit - sample (distributed via Blackhole)},
   day = {18},
   month = apr,
   year = {2012},
   howpublished = {\url{http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html}},
 }