Just a demo

Some of this work was clearly for demonstration purposes, and much of it was probably never deployed in the field. For instance, HBGary began $50,000 of work for General Dynamics on "Task C" in June 2009, creating a piece of malware that infiltrated Windows machines running Microsoft Outlook.

The target user would preview a specially crafted e-mail message in Outlook that took advantage of an Outlook preview pane vulnerability to execute a bit of code in the background. This code would install a kernel driver, one operating at the lowest and most trusted level of the operating system, that could send traffic over the computer's serial port. (The point of this exercise was never spelled out, though the use of serial ports rather than network ports suggests that cutting-edge desktop PCs were not the target.)

Once installed, the malware could execute external commands, such as sending specific files over the serial port, deleting files on the machine, or causing the infamous Windows "blue screen of death." In addition, the code should be able to pop open the computer's CD tray and blink the lights on its attached keyboards—another reminder that Task C was, at this stage, merely for a demo.

General Dynamics would presumably try to interest customers in the product, but it's not clear from the HBGary e-mails whether this was ever successful. Even with unique access to the innermost workings of a security firm, much remains opaque; the real conversations took place face-to-face or on secure phone lines, not through e-mail, so the glimpses we have here are fragmentary at best. The care taken to avoid sending sensitive information via unencrypted e-mail stands in stark contrast with the careless approach to security that enabled the hacks in the first place.

But that doesn't mean specific information is hard to come by—such as the fact that rootkits can be purchased for $60,000.

Step right up!

Other tools were in use and were sought out by government agencies. An internal HBGary e-mail from early 2010 asks, "What are the license costs for HBGary rk [rootkit] platform if they want to use it on guardian for afisr [Air Force Intelligence, Surveillance, and Reconnaissance]?"

The reply indicates that HBGary has several tools on offer. "Are you asking about the rootkit for XP (kernel driver that hides in plain sight and is a keylogger that exfiltrates data) or are you asking about 12 Monkeys? We've sold licenses of the 1st one for $60k. We haven't set a price on 12 Monkeys, but can."

The company had been developing rootkits for years. Indeed, it had even produced a private Microsoft Word document outlining its basic rootkit features, features which customers could have (confirming the e-mail quoted above) for $60,000.

That money bought you the rootkit source code, which was undetectable by most rootkit scanners or firewall products when it was tested against them in 2008. Only one product from Trend Micro noticed the rootkit installation, and even that alert was probably not enough to warn a user. As the HBGary rootkit document notes, "This was a low level alert. TrendMicro assaults the user with so many of these alerts in every day use, therefore most users will quickly learn to ignore or even turn off such alerts."

When installed on a target machine, the rootkit could record every keystroke that a user typed, linking it up to a Web browser history. This made it easy to see usernames, passwords, and other data being entered into websites; all of this information could be silently "exfiltrated" right through even the pickiest personal firewall.

But if a target watched its outgoing traffic and noted repeated contacts with, say, a US Air Force server, suspicions might be aroused. The rootkit could therefore connect instead to a "dead drop"—a totally anonymous server with no apparent connection to the agency using the rootkit—where the target's keyboard activity could be retrieved at a later time.

But by 2009, the existing generic HBGary rootkit package was a bit long in the tooth. Hoglund, the rootkit expert, apparently had much bigger plans for a next-gen product called "12 monkeys."