DarkMegi rootkit - sample (distributed via Blackhole)

From Botnets.fr


Botnet: DarkMegi
Exploit kits: Blackhole
Date: 2012 / 2012-04-18
Editor/Conference: Contagio
Link: http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html (archive copy available)
Author: Mila Parkour
Type: Blogpost

Abstract

This is a "DarkMegie" rootkit sample, kindly donated by Hendrik Adrian. Just like described in the McAfee article "Darkmegi: This is Not the Rootkit You’re Looking For" by Craig Schmugar, it is anything but quiet and stealthy. In fact, it makes so many system changes that it is hard to cover it all in a quick post.

Indeed, it drops the rootkit components in drivers with the incredible padding to 25MB and generates a lot of traffic. Unfortunately, I did not have time yet to sort out the mess and purpose of all files that this malware creates, so I am just posting it here along with sandbox results for you to analyze. If you write a detailed analysis, please share; I will link to it.

Bibtex

@misc{Parkour2012BFR988,
  editor = {Contagio},
  author = {Mila Parkour},
  title = {DarkMegi rootkit - sample (distributed via Blackhole)},
  date = {18},
  month = Apr,
  year = {2012},
  howpublished = {\url{http://contagiodump.blogspot.fr/2012/04/this-is-darkmegie-rootkit-sample-kindly.html}},
}