    M A L B E R G
    by bascule
    - - - - -


    I hate Tom. Really I do. I mean, he's a "nice" guy and all, but really he's just a douche and I want nothing to do with him. Or I wouldn't, except his clients have deep pockets. They'd never hire me directly, but they love Tom, his goody goody demeanor, and they especially love his certificates saying he's ethical, and sworn by oath to do no harm. Normally I'd say f*ck that sh*t, but Tom is willing to hire me under the table whenever he gets stuck... so much for his certificate and solemn oath. And this time was serious... from the phone call I had with him I'm pretty sure this is the most desperate he's ever been, which was painfully obvious despite his pathetic attempts to cover it up.

    Being the typical douche he was, Tom had arranged to meet me in a family-friendly chain restaurant. At least they had booze, and Tom was buying. As I entered the restaurant, I saw him waving me down frantically. Jackass. Yes I see you, now stop it already. Seriously? I walked over to Tom's booth and sat down. He was looking unwell. His skin had the pallor of marble, his veins more a dark gray than blue. And yet he wrenched out a smile, looked at me, and did a pathetic job of pretending everything was all right.

    The waitress showed up and I ordered a beer and a shot. "You're buying, right?" I said, trying to take the edge off. Tom twitched and twisted out a very creepy smile, nodding to the waitress. Tom's demeanor changed instantly after the waitress left... he bent over and looked as if he wanted to whisper a secret.

    "Listen," Tom said, summoning his inner sales guy, "I've got something very interesting for you to look at. It's the most powerful malware I've ever seen. As far as I can tell it infects everything... drives, CPUs, microcontrollers, flash memory, you name it. In fact we can't even analyze it because it infects our systems too fast once we connect it to practically anything."

    "That's because you suck balls," I said to Tom. I mean really I just hated the guy. The insult didn't even seem to register with him though. He was still sweating just like before, with his teeth gnashing in the middle of his creepy ass crooked fake smile.

    I guess he has nothing to say then. I decide to shift from insult to inquiry. "Who's your client?" I ask.
    Tom rocks back and forth, still flashing the ridiculous grin. "C'mon, you know I'm not going to be able to tell you that."

    "You know I'm going to find out anyway," I replied.

    "Do you think you're up to this or not?" Tom asked.

    "I'm sure I can do a hell of a lot better than you," I replied.

    "So you want the job then?" Tom said, his grin drooping into a look of anxiety.

    "Well Tom, let me put it this way. I hate you, and I'm here, so what does that tell you?"

    A knock at the door of my lab. Wait 30 seconds. Go outside. Check the mailbox. A padded manila envelope.

    Inside was an SSD... a drive that contained the malware which was driving Tom insane. Step one when receiving a drive from a mystery source was to make a copy. I began wondering if this drive was capable of infecting my drive cloner, then dismissed the idea. Tom hadn't really given me a good idea about what types of systems the drive was capable of infecting... just sounded like he was prattling off nonsense and didn't really have any clue.

    I grab a cable and plug the infected drive into my Lightpeak cloner. Nothing happens. So far so good, I guess? I check the drive capacity... 1 petabyte. I rummage through my drive collection, finding a 1 petabyte drive I can sacrifice. I attach the recipient drive to the cloner and push the clone button.

    F*ck. Well there it goes. The display on my cloner is dead. Yet the activity lights on my SSDs continue to blink. Weird. I sit staring curiously at the blinking activity lights, wondering what the hell is going on. Then they stop. Whatever it was doing, it's done now, I guess. And what the crap... "i told u i was hardcore" on the display. Really?

    I pop the casing off the SSD, examine the printed circuit board and look for appropriate solder points. The drive controller seems like a likely attack point, and that's exactly what I need to monitor and hopefully get control of. I grab my soldering supplies, sit down, and get to work, scraping traces and soldering on wires. I hook the wires to my debugging board and begin stepping the drive through its boot sequence. And it isn't doing anything out of the ordinary. What the hell?

    With the drive still hooked up to my debugging board, I attach it to a Lightpeak passthrough box that allows me to monitor the traffic from the drive. I hook it up to a honeypot motherboard... I have a bunch of them sitting around for analyzing particularly virulent malware like this. I boot the honeypot system...

    Nothing. I don't get it. When I started my cloner the drive went nuts. Now it's attached to a honeypot board and it won't do anything. A few ideas circulate through my head, but the underlying one is that this drive can somehow sense I am snooping on its traffic. I decide to test that, unhooking the Lightpeak passthrough and hooking the drive directly into the honeypot.

    The activity light on the drive goes nuts and I begin to intercept large amounts of data through my debugging board. I see all of the commands the controller is issuing but unfortunately I didn't solder directly onto the signal line and can't see the actual data moving between the drive and the honeypot. I mean, that's what I wanted to use the Lightpeak passthrough for.

    What the crap? The display on my laptop just went dead. I really hope this doesn't mean what I think it means. Did this malware seriously manage to infect my laptop through the debugging board and my solder points on its printed circuit board? And there's the confirmation... "i told u i was hardcore." Was this malware written by some crazy 13 year old kid?

    I power down everything. F*ck this thing. It's got to be the drive controller that's infected. I go nuts with my soldering iron, painstakingly unsoldering the surface mount chip beneath a magnifying glass. I solder leads in place of the drive controller connections, hooking them up to a breadboard and in turn an FPGA.

    A half hour later I've downloaded a pristine image of the drive controller and burned it onto my FPGA. I boot it with a fresh firmware image, and it begins communicating with the drive. So far so good. I attempt to dump the contents...

    It works. F*ck yea.


    Wow. Tom's drinking. Yes ladies and gentlemen, our little teetotaler has decided to forego the light beer and appears to be sipping on some scotch... and vodka. Scotchka? Wow. Like really... does he not realize the vibe of desperation he's sending out here? Apparently not. I sit down in the booth in front of him.

    He looks up from his drink into my eyes. There's a look of total desperation on his face. Bloodshot eyes open wide... painfully wide. Droopy, purple bruised bags under his eyes. And throughout it all that creepy smile that I can't get out of my head. I wait for him to say "I used to be an alcoholic, you know?" But his grin shifts, and for a brief moment he looks genuinely happy.

    "You got it, right?" he asks with a near giggle.

    "Oh," I begin, for dramatic effect, "I got it all right." I toss the bag of money he gave me onto the table in plain sight, and the SSD, which I politely enclosed in an anti-static bag.
    Tom's jaw drops briefly before he frantically snatches the money and SSD off the table, then begins frantically examining the SSD inside the anti-static bag.

    "You... you broke it!" he exclaims.

    "Yeah, sorry about that," I say, "here's the money for the drive." I open my wallet and begin tossing cash on the table. "And here's an extra thousand for your trouble." I grab a big wad of cash and add it to the small pile which has already accumulated.

    Tom doesn't know what to do with the rest of the money. He's just in a total state of shock. Wow, I'm really f*cking this guy. I'm almost sorry for him. Maybe he should've told me where he got this drive first.

    "Sorry if it's not in the same shape it was when you got it to me," I say. "The data's still there, you just need to hook it up to a working drive controller. But hey, I got rid of the malware for you, and I'm not even charging you."

    Tom bunches his fingers into a fist, raises his hand, and pounds it on the table. It's one of the more bizarre gestures I've ever seen a human make. And for the first time in pretty much ever I see him when he isn't smiling. He looks as if he's practically snarling at me.

    "I'll kill you," he growls. "Seriously. I'll kill you."

    "No you won't," I reply. But I'm worried. I'm genuinely worried Tom might try to kill me. At least, I was worried until Tom's eyes welled up with tears.

    I stand up as I watch Tom bury his face in his arms, crying atop the pile of money I scattered on the table. How pathetic.


    I'm a fan of obfuscation, but whoever created this malware has taken the concept to the next level. Analyzing the machine instructions this malware uses shows a high propensity for hard-to-understand, infrequently used legacy opcodes. In other words, whoever created it intentionally obfuscated it to make it as hard to understand as possible.

    I'd like to think I'm fairly good at reversing malware but this seriously had me confused. Fortunately there's plenty of other data I pulled off this drive to mine... and my job has been made especially easy by something, apparently the malware, decrypting many of the files on the drive.

    Right away I learn it's from the NSA. That certainly explains why Tom was freaking the f*ck out about it. None of the documents I find are particularly sensitive... mostly boring administrivia. There are also other encrypted volumes on the drive, ones the malware or whatever decrypted the other documents either didn't bother with or couldn't get through. A cursory examination of them shows I can't really do anything with them either.

    I keep looking and don't find much else... pretty much all I can find is that the drive originated at the NSA, which means that the malware either originated at the NSA, or someone attacked the NSA with it.

    I notice the drive has a complete OS install on it and appears bootable. F*ck it, I think, I'll just boot it and see what happens. I set up a new VM, load the drive image, and boot it. Shortly thereafter my display goes black... then displays "i told u i was hardcore." Goddamn it! Maybe this would've been a good time to use a separate physical computer rather than a VM. What the hell was I thinking? I pull out my phone to call a friend. My phone's display is black and it won't wake up... oh wait, it says "i told u i was hardcore". F*ck, it got my phone too.

    I pull the plug on my desktop. I can't tell what's been infected at this point. I do have some laptops that are off. I grab one of them, an ancient one without built in WiFi, or for that matter, any sort of RF components whatsoever. Sometimes old technology comes in useful.

    For sh*ts and grins I hook it up to the serial port on my ancient router. Hey, look at that, a good old command line interface. I pull up some stats on the traffic and something on my network is going nuts. I attempt a traffic dump, and the network traffic goes dead. What. the. hell?

    Garbage appears on my serial console. I stare at the laptop confused for a moment as a random bilge of characters is displayed on the screen amidst a cacophony of beeps. The entire screen freezes with some sections of the text on the screen blinking, then, "i told u i was hardcore".


    My phone is infected. My computers are infected. I've left them all behind. I'm kind of confused as to how to operate...

    So here I am, at a friend's house, randomly knocking on the door in the middle of the night. Fortunately he's awake, and invites me in. Fred is a nice guy... one of the kind who never gets laid, and has probably never even made out with a girl in his life. He's all kinds of wicked smart though, and fun to hang out with. He's also probably the only person I know that can help me with some malware this absurd.

    "You want something to drink?" he asks, rummaging around his kitchen.

    "Whiskey," I say tiredly.

    "Scotch okay?" he asks, pulling out a rocks glass.

    "I don't f*cking care at this point," I say. "Give me booze."

    He returns from the kitchen with a glass of booze as requested. I grab it and take a small sip. It's delicious.

    "So what destroyed your phone exactly?" he asks, picking up on a few remarks I made earlier about my mysterious presence in the middle of the night.

    "Oh, just about the craziest malware I've ever seen..." I say.

    I proceed to tell him the story, about the drive I got from Tom, about the malware destroying everything it touches, about how it's eerily aware of when I'm trying to snoop its traffic, like when I was trying to read the data off the Lightpeak passthrough, or dump the traffic directly off the router.

    "It's a heisenbug!" he exclaims.

    "What the hell is that?" I ask.

    "Well, Heisenberg was one of the physicists involved in early quantum mechanics," he begins. "He created the uncertainty principle, which states..."

    "Yeah I know who Heisenberg is," I interrupt. "So you're just trying to give a stupid name to malware that behaves differently when its communications are being snooped."

    "Sure," he says. "It needs a name... heisenware... heisenvirus... malberg..."

    "No really," I say, "it doesn't need a name. And you really need to get laid."

    Fred ignores my remark completely and continues his line of inquiry. Yeah, this guy ain't never getting laid.

    "So," he asks, "how do you think the drive sensed that it was being snooped over Lightpeak?"

    "Well," I say, "I had it plugged into my passthrough box. It acts as a Lightpeak host, and has another interface that acts like a Lightpeak device. I have total control over all the traffic passing between the interfaces and can manipulate it however I want."

    "But that's overkill for just a simple traffic dump. You're not trying to manipulate the traffic. You're just trying to read it."

    "I'd like to be able to manipulate the traffic if possible," I say, "but I'd be content with just a simple dump."

    "So I've got an idea," he says, "how about we try to snoop just the fiber link? I think your whole passthrough box is too obtrusive, and that's how the malware detected it was being snooped."

    "That's a good idea," I say, "except I don't have anything to generically snoop a fiber optic link."

    "I do!" exclaims Fred.


    We reach my house again with the fiber optic analyzer and some pristine laptops in tow. Tom is slouched over on my doorstep, a bottle of vodka in one hand, a gun in the other. He attempts to half-assedly brandish the firearm for a split second. I dash over and disarm him. He lets it go. It was there for show. He never intended to use it anyway. I tuck it into my belt.

    He looks up at me. The grin is back. Except this time it means he truly hates me. Despises me. I guess I was a little rough on him.

    "You f*cked up dude," he says flashing his teeth wildly. "You f*cked up bad. Real bad."

    "And you're piss drunk," I say. He tries to stand up, pointing at me the entire time.

    "Was it not implied," he began, drunkenly stumbling around, "was it not implied that it might be bad for this ridiculous ass malware to get onto the f*cking Internet? Cuz guess what... it wasn't on the Internet before you. Oops, did I fail to mention that? Well dude, you f*ccccked up."

    Humiliation sets in. The drunk is right. Why the hell did I boot a VM of that malware which proceeded to instantly take over my entire computer? I just didn't think about it, I guess.

    "This is some serious sh*t, man." he says, grabbing my shirt. "We're talking about malware so bad it can completely destroy modern human society."

    The lights go out.
    "Haters, gonna hate"