
Malware that even an anti-virus provider can't deal with

While you can't disinfect the drive you can see the infection--the drive itself can't do any evil, it has to infect a file. AV software can see that infected file.

Think there's malware in that drive that's dropping <x> into the filesystem?

Set up a virtual machine, encrypt the drive image. From within the virtual machine copy that drive image to the suspect drive. Now compare them.

Different (other than a few bytes that will change), you've got an evil drive. Same? I couldn't have done what you suspect.
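The write-then-compare check described in the post above, as an added example that is not part of the original thread. Instead of encrypting a stored image it regenerates every block from a keyed hash of the block index (a variant, not the poster's method), so the expected content is unpredictable to anything living on the drive and can be checked without holding the whole image in RAM; it reports differences per block so you can judge whether they are the few expected bytes or something injected. The temporary file stands in for the suspect device; pointed at a real block device the write destroys whatever is on it.

```python
import hashlib
import os

BLOCK = 4096  # compare granularity in bytes

def block_data(secret: bytes, index: int) -> bytes:
    """Deterministic but unpredictable content for block `index`.

    Derived from a keyed BLAKE2b over the block index, so the full image
    never has to be stored: it is regenerated for the read-back comparison.
    """
    out = bytearray()
    counter = 0
    while len(out) < BLOCK:
        msg = index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.blake2b(msg, key=secret, digest_size=64).digest()
        counter += 1
    return bytes(out[:BLOCK])

def write_image(path: str, secret: bytes, nblocks: int) -> None:
    """Write nblocks of generated content to `path` (a file or block device)."""
    with open(path, "wb") as f:
        for i in range(nblocks):
            f.write(block_data(secret, i))
        f.flush()
        os.fsync(f.fileno())

def verify_image(path: str, secret: bytes, nblocks: int) -> list:
    """Read `path` back and return [(block_index, differing_bytes), ...].

    An empty list means every block came back exactly as written.
    """
    diffs = []
    with open(path, "rb") as f:
        for i in range(nblocks):
            got = f.read(BLOCK).ljust(BLOCK, b"\0")  # short read counts as damage
            want = block_data(secret, i)
            if got != want:
                diffs.append((i, sum(a != b for a, b in zip(got, want))))
    return diffs

if __name__ == "__main__":
    # Constructed demo: a small temporary file plays the role of the drive.
    import tempfile
    secret = os.urandom(32)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        target = tmp.name
    write_image(target, secret, 64)
    print("differing blocks:", verify_image(target, secret, 64))  # prints []
    os.unlink(target)
```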

Somebody would have blown the whistle.
NSA exploits are not directed at people with your level of sophistication. They are directed at ordinary people and Islamic terrorists. People who can defeat the NSA are already working for them; are you working for the NSA?
 
If NSA can do it, so can Russia, or China, or Iran, or ...

Whether it was illegal or not, or if some number of terrorists were caught, this news is good enough reason to take security seriously and build measures against this type of attack. I'd be very interested to know how Kaspersky Lab actually figured it out, and whether the hard drive manufacturers were aware of it.
The thing I noticed is how unimaginative and dumb some of their methods were in this particular case.
They apparently thought there were 2 actual users who were worthy enough to be ignored.
They had spent a shitload of CPU running through a dictionary to find out that the word is "unegistered".
Then they continued with the second hash instead of trying "unegistered" in different languages; that's pretty dumb if you ask me.

Anyhow, nothing is new here. US admitted using it against Iran, and in this particular case targeted certain high value individuals only, not every single person in the world. I can't really trash NSA for that. On the other hand they knew that if they start infecting every hard drive then it would be discovered in a week or so.
Hard drive manufacturers were probably not aware of it.

Costin Raiu, Director, Global Research & Analysis Team for Kaspersky Labs, who has over 19 years of experience in anti-virus technologies and security research, and who helped uncover the scheme, says this:

Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.

...

Their incredible skills and high tech abilities, such as infecting hard drive firmware on a dozen different brands, are unique across all the actors we have seen and second to none. As we discover more and more advanced threat actors, we understand just how little we know. It also makes us reflect about how many other things remain hidden or unknown.

http://arstechnica.com/security/201...-nsa-hid-for-14-years-and-were-found-at-last/

barbos says some of their methods are unimaginative and dumb. Hmm, whose opinion do I trust in these matters?
 
The answer to all this is assume all drives that can be infected are, and flash them.
Unless the flashing part of the firmware was infected as well (to prevent you from killing it by flashing) :)

It would still reveal that the drive is infected. The point isn't necessarily to fix the problem; the point is to reveal the infection, recover the data to non-vulnerable media, and then scrap the evil drive if it can't be cleaned.

In the grand scheme of things, storage is cheap.
 
How ironic that the NSA is pushing us towards open source

While I agree open source is the way we should operate the vast majority of systems, certain things should not be 'open'. Certain software requires that the private key for certain transactions be part of the software, or at least local to the system.

Second, this problem isn't fixable by open source. Drive firmware can't be directly read or dumped without special hardware, and when it's dumped it's already in machine code. While that can be disassembled, you can do that to almost any code, even closed-source code.

Open source is not a quality of a compiled program, and at the end of the day, it's actually likely that open source will breed unwarranted trust in certain systems, because the source may say one thing, and the compiled distributed binaries may say something entirely different. If the differences are subtle enough, they'll be less likely to be detected because more people will trust the code.

In this case, having unknown source is a benefit because interested parties will trust it less. The only thing open source reveals are exploits, which are arguably also easier to find in the machine code.
 
While you can't disinfect the drive you can see the infection--the drive itself can't do any evil, it has to infect a file. AV software can see that infected file.

Think there's malware in that drive that's dropping <x> into the filesystem?

Set up a virtual machine, encrypt the drive image. From within the virtual machine copy that drive image to the suspect drive. Now compare them.

Different (other than a few bytes that will change), you've got an evil drive. Same? I couldn't have done what you suspect.

Somebody would have blown the whistle.
NSA exploits are not directed at people with your level of sophistication. They are directed at ordinary people and Islamic terrorists. People who can defeat the NSA are already working for them; are you working for the NSA?

Unless they had some way of ensuring the infected drives only went to the guys they wanted to spy on, one sooner or later would end up in the hands of someone with the skill to figure it out and who would catch it in a security sweep.


While it's certainly technically possible (and something I heard of a proof-of-concept of a while back), it's something they would have to use with great care to keep it from being exposed.
 
NSA exploits are not directed at people with your level of sophistication. They are directed at ordinary people and Islamic terrorists. People who can defeat the NSA are already working for them; are you working for the NSA?

Unless they had some way of ensuring the infected drives only went to the guys they wanted to spy on, one sooner or later would end up in the hands of someone with the skill to figure it out and who would catch it in a security sweep.
Yes, that's what the article appears to be saying. Selling infected drives at Best Buy to everybody would not have gone unnoticed for more than a couple of months.
 
Unless the flashing part of the firmware was infected as well (to prevent you from killing it by flashing) :)

It would still reveal that the drive is infected. The point isn't necessarily to fix the problem; the point is to reveal the infection, recover the data to non-vulnerable media, and then scrap the evil drive if it can't be cleaned.

In the grand scheme of things, storage is cheap.
What I meant is that precautionary flashing of the new drive may be pointless.
As for revealing, the HD malware could lie dormant for a few months before activating itself.
 
It would still reveal that the drive is infected. The point isn't necessarily to fix the problem; the point is to reveal the infection, recover the data to non-vulnerable media, and then scrap the evil drive if it can't be cleaned.

In the grand scheme of things, storage is cheap.
What I meant is that precautionary flashing of the new drive may be pointless.
As for revealing, the HD malware could lie dormant for a few months before activating itself.

No. Embedded systems by definition do something on the system. It's trivial to flash the drive with a firmware that does a task that proves it was flashed successfully. If no report, then the drive is evil. If report, flash with benign non-vulnerable firmware and disable future flashing.
 
Several requests for thread merge -- done. :)
 
What I meant is that precautionary flashing of the new drive may be pointless.
As for revealing, the HD malware could lie dormant for a few months before activating itself.

No. Embedded systems by definition do something on the system. It's trivial to flash the drive with a firmware that does a task that proves it was flashed successfully. If no report, then the drive is evil. If report, flash with benign non-vulnerable firmware and disable future flashing.
It will flash and perform the task fine, but the virus would still be copied into the new version as well.
I doubt the NSA bugs were flash-proof, but it can be done.
 
It would still reveal that the drive is infected. The point isn't necessarily to fix the problem; the point is to reveal the infection, recover the data to non-vulnerable media, and then scrap the evil drive if it can't be cleaned.

In the grand scheme of things, storage is cheap.
What I meant is that precautionary flashing of the new drive may be pointless.
As for revealing, the HD malware could lie dormant for a few months before activating itself.

And how do you propose it lie dormant for a few months? The closest thing it has to the ability to tell time is the time-used information in the SMART status--it has no perception of time turned off and no means of obtaining the actual time.
 
No. Embedded systems by definition do something on the system. It's trivial to flash the drive with a firmware that does a task that proves it was flashed successfully. If no report, then the drive is evil. If report, flash with benign non-vulnerable firmware and disable future flashing.
It will flash and perform the task fine, but the virus would still be copied into the new version as well.
I doubt the NSA bugs were flash-proof, but it can be done.
No, it wouldn't. Viruses aren't magic; there needs to be somewhere for a virus to be copied to, and drive firmware doesn't execute on the main CPU. It can proffer itself if requested by the boot loader, but if the drive isn't loaded by the boot loader, it's SOL. All it takes in flashing the firmware is putting a firmware that has a Goldberg machine of code on it. No NSA virus can possibly analyze code and replicate an action whose intent is unknown and unknowable without stepping on the mass of code that it's trying to inject into. Once the firmware is flashed, you just nuke the contents of the drive. The beauty of all this is that it can be accomplished entirely from other media, or even a portable image like a bootable CD. There's literally nothing the drive can do to keep itself from getting douched out, save blocking firmware flashes, and that isn't an option.
 
What I meant is that precautionary flashing of the new drive may be pointless.
As for revealing, the HD malware could lie dormant for a few months before activating itself.

And how do you propose it lie dormant for a few months? The closest thing it has to the ability to tell time is the time-used information in the SMART status--it has no perception of time turned off and no means of obtaining the actual time.
Actually it does have such perception; the OS tells it the time.
But it does not really need that; it can simply wait for 2 months of ON time or 100 Power_Cycle_Counts :) Then infect your OS and then switch off completely by flashing itself an original and legitimate firmware. That way nobody will find a trace, unless of course you were specifically waiting for the virus to act up.
 
It will flash and perform the task fine, but the virus would still be copied into the new version as well.
I doubt the NSA bugs were flash-proof, but it can be done.
No, it wouldn't. Viruses aren't magic; there needs to be somewhere for a virus to be copied to, and drive firmware doesn't execute on the main CPU. It can proffer itself if requested by the boot loader, but if the drive isn't loaded by the boot loader, it's SOL. All it takes in flashing the firmware is putting a firmware that has a Goldberg machine of code on it. No NSA virus can possibly analyze code and replicate an action whose intent is unknown and unknowable without stepping on the mass of code that it's trying to inject into. Once the firmware is flashed, you just nuke the contents of the drive. The beauty of all this is that it can be accomplished entirely from other media, or even a portable image like a bootable CD. There's literally nothing the drive can do to keep itself from getting douched out, save blocking firmware flashes, and that isn't an option.
I would not bet on it.
Flashing is done by the previous firmware itself. And there is not much need for a virus to analyze anything.
New firmware is usually pretty much the same as the old one.
 
No, it wouldn't. Viruses aren't magic; there needs to be somewhere for a virus to be copied to, and drive firmware doesn't execute on the main CPU. It can proffer itself if requested by the boot loader, but if the drive isn't loaded by the boot loader, it's SOL. All it takes in flashing the firmware is putting a firmware that has a Goldberg machine of code on it. No NSA virus can possibly analyze code and replicate an action whose intent is unknown and unknowable without stepping on the mass of code that it's trying to inject into. Once the firmware is flashed, you just nuke the contents of the drive. The beauty of all this is that it can be accomplished entirely from other media, or even a portable image like a bootable CD. There's literally nothing the drive can do to keep itself from getting douched out, save blocking firmware flashes, and that isn't an option.
I would not bet on it.
Flashing is done by the previous firmware itself. And there is not much need for a virus to analyze anything.
New firmware is usually pretty much the same as the old one.

Have you not been reading my posts?

Step one: write a firmware containing a series of function calls that evaluates to 'twitch the drive arm every few thousand revolutions, and change revolution speeds up and down'. Most of it could be written with randomly interspersed no-op instructions just to bloat it to fully eat the firmware, plus a similarly large and circuitous call structure for the flash code. Flash the drive with it using a portable image (to prevent contamination of the OS by being launched from its containing drive). If the drive reports as expected, it can't not have been flashed entirely and successfully. Then flash it to a known good image with no additional flash capabilities.

Part of the utility of putting a virus like this into the firmware is so you can make the drive do stuff it isn't supposed to. If you put your own firmware on the drive... You can make it do things it isn't supposed to. And if it doesn't do the right arbitrary thing, it's evil.

Your lack of imagination in solving a problem does not mean such solutions do not exist.
 
Jarhyn, I am not following your nonsense, sorry.
I suspect that you have no clue what you are talking about.

Hard drives have an actual CPU inside which runs firmware code.
Firmware code is in a flash chip which is much bigger than the code it contains. You can hide a lot there.
 