NSA BIOS bug: anyone know how to find it?

  • #1

    First: If this is the wrong forum, very sorry. Figured Technical Talk would be about right.

    Second: I have not done enough research on how to do this, but this may be my best option to get pointed in the right direction before I spend hours chasing a wild goose.

    Just read about the NSA "preloading" retail laptops, etc. with their BIOS "bug", e.g. the whole Dell thing. While I know that MBR infections are a bit rare and BIOS infections are like winning the infected lottery, this NSA "bug" disturbs me on so many levels. So, does anyone in the community know (or know of a member who researches this) someone who may know how to identify this on the machine? I'm afraid these "BIOS scanners" out there probably don't have the capability, nor the definition update, to even remotely find the bug. I'm not so much concerned (yet) as to how to get rid of it, but only to find and identify it.

    So, if anyone can share any advice, correct me in any misconceptions, or get me on the right path, I would greatly appreciate it.

    PS. This post got duplicated. Don't know how it did, but sorry. Please /dev/null it and call me a giant F*cktard.

    SOG
    Last edited by ShadesofGray; January 1, 2014, 13:54.

  • #2
    Re: NSA BIOS bug: anyone know how to find it?

    While I can't speak about the NSA claims specifically (heh, you know, I'd get fired from my super sekret .gov job), I will tell you that most "BIOS" sort of packages are handled simply by means of forcing their way into your OS after it has been installed, etc. For example, a popular utility for schools and companies to use is Computrace... this relies on there being a Windows installation present, and it simply adds itself as an executable, etc.

    So, if and when any NSA executable is identified, it would be rather trivial to kill the process, then nuke the exe (then replace it with a blank file that prevents re-install).
    "I'll admit I had an OiNK account and frequented it quite often… What made OiNK a great place was that it was like the world's greatest record store… iTunes kind of feels like Sam Goody to me. I don't feel cool when I go there. I'm tired of seeing John Mayer's face pop up. I feel like I'm being hustled when I visit there, and I don't think their product is that great. DRM, low bit rate, etc... OiNK it existed because it filled a void of what people want."
    - Trent Reznor



    • #3
      Re: NSA BIOS bug: anyone know how to find it?

      Thanks Deviant. Computrace I've heard quite a lot of for their lojacking. I've been ransacking Google for more info on the whole story. Seems to have been found in Dell servers with RAID BIOS configs. So, with the media reporting that the NSA "preloaded" laptops with "hardware/spyware" (guess they're not sure which), it could be anywhere: NICs, MBRs on HDDs with the OS preloaded. My best guess would still be a BIOS modification (since the Dell server issue was from BIOS) like a rootkit/bootkit, but cleverly hidden and nearly undetectable.

      I'm looking at a VMware BIOS extractor to play around with, like Resource Hacker. This is all according to info on EXFiLTRATED using Resource Hacker and IDA Pro to modify the BIOS. Still, if it extracts the BIOS image, the .exe is an unknown and surely the NSA would bury it deep. Also, if the NSA is doing this, I would think it would use a port, and I nmap myself all the time. But that doesn't mean much. Wireshark should show some sort of anomaly if it was, but I don't sit there and follow every stream.

      I might try extracting the BIOS copy to see what it comes up with. Just have way too many machines and not enough time to modify each one.

      Edit: Just saw this: http://arstechnica.com/information-t...eillance-magic



      Sorry, my "train of thought" is a wreck when written.
      Last edited by ShadesofGray; January 1, 2014, 19:49.
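As an added example (my code, not ShadesofGray's and not from any tool named in the thread), here is one concrete way to act on the "extract the BIOS image" idea: dump the SPI flash and compare it block by block against a known-good image of the same board and BIOS revision. It assumes you already have a trusted baseline image (e.g. unpacked from the vendor's update package) and that the dump was taken with flashrom, whose `-p internal -r` options are real; on many boards the flash descriptor locks part of the chip against software reads, and a software read from a suspect host is itself only as trustworthy as that host, so an external programmer clipped to the chip is the stronger option. The comparison uses only POSIX tools and runs here on constructed data; the only thing to verify by hand is what kind of region the differing blocks fall in.

```shell
#!/bin/sh
# Added example, not part of the original thread. Compare a dumped BIOS/firmware
# image against a known-good baseline and report which flash blocks differ.
# Assumptions: baseline.bin is the vendor image for this exact board and BIOS
# revision, and dump.bin came from something like
#     flashrom -p internal -r dump.bin      (as root; flashrom and -p/-r exist)
set -e

# Print the 0-based indexes of BLOCKSIZE-byte blocks that differ between
# BASELINE and DUMP, one per line. Returns 2 if the images are not the same
# size: a size mismatch means you are not comparing like with like (different
# chip, different BIOS version, or a read that was cut short by a locked region).
diff_blocks() {
    baseline=$1; dump=$2; blocksize=${3:-4096}
    base_size=$(wc -c < "$baseline" | tr -d ' ')
    dump_size=$(wc -c < "$dump" | tr -d ' ')
    if [ "$base_size" -ne "$dump_size" ]; then
        echo "size mismatch: baseline=$base_size dump=$dump_size" >&2
        return 2
    fi
    # cmp -l prints one line per differing byte: "<1-based offset> <octal> <octal>"
    # and exits 1 when the files differ, which is the case we want, so mask the
    # exit status and let awk bucket offsets into blocks.
    { cmp -l "$baseline" "$dump" || true; } \
        | awk -v bs="$blocksize" '{ print int(($1 - 1) / bs) }' \
        | sort -un
}

# One-screen summary: SHA-256 of both images and the number of differing blocks.
# A clean dump reports 0 differing blocks. A small cluster of differing blocks
# in the NVRAM/variable-store region is normal for UEFI firmware (settings and
# boot entries live in flash); differences in code regions are what you chase.
summarize() {
    baseline=$1; dump=$2; blocksize=${3:-4096}
    n=$(diff_blocks "$baseline" "$dump" "$blocksize" | wc -l | tr -d ' ')
    printf 'baseline sha256=%s\n' "$(sha256sum < "$baseline" | cut -d' ' -f1)"
    printf 'dump     sha256=%s\n' "$(sha256sum < "$dump" | cut -d' ' -f1)"
    printf 'differing %s-byte blocks: %s\n' "$blocksize" "$n"
}

# Constructed test data (not a real firmware image): a 16 KiB all-zero
# "baseline" and a copy with 256 bytes overwritten inside block 1 and one
# byte flipped in block 3, imitating a patched module and a flipped flag.
make_constructed_images() {
    dir=$1
    head -c 16384 /dev/zero > "$dir/baseline.bin"
    cp "$dir/baseline.bin" "$dir/dump.bin"
    printf '%256s' '' | tr ' ' 'A' \
        | dd of="$dir/dump.bin" bs=1 seek=4608 conv=notrunc 2>/dev/null
    printf '\377' | dd of="$dir/dump.bin" bs=1 seek=13000 conv=notrunc 2>/dev/null
}

# Stand-alone demo on the constructed images: ./firmdiff.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_constructed_images "$tmp"
    summarize "$tmp/baseline.bin" "$tmp/dump.bin"
    echo "differing block indexes:"
    diff_blocks "$tmp/baseline.bin" "$tmp/dump.bin"
    rm -rf "$tmp"
fi
```

The same `diff_blocks` works on any byte image, so a `dd if=/dev/sda bs=512 count=1` copy of the MBR against a baseline copy gives the boot-sector check with a 512-byte block size. The block index tells you where to look; mapping it to a firmware region (descriptor, ME, NVRAM, code volumes) still has to be done against the layout of your particular image.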



      • #4
        Re: NSA BIOS bug: anyone know how to find it?

        Originally posted by ShadesofGray (post #3 above)

        Are you asking about "BadBIOS" or about this http://www.spiegel.de/international/...-a-940969.html

        If about "BadBIOS", most people are on the side of "evidence is probably valid, but conclusions are probably not." Keyword search with Google, or news.google.com for "BadBIOS", or the hashtag on Twitter. I'm in a minority of those that have spoken on this: I accept the possibility of the things claimed (technically), accept that a complex combination of all of them is unlikely, but am open to hard evidence and testing of these claims by many more people in parallel.

        As for Der Spiegel, if you can't read German, consider using: http://translate.google.com
        You can paste the Der Spiegel URL into the form and ask to translate, and get a link to a page through google that will attempt to translate it to English.
        Also, related: http://www.spiegel.de/netzwelt/netzp...-a-941153.html and http://www.youtube.com/watch?v=vILAlhwUgIU
        Last edited by TheCotMan; January 2, 2014, 01:44.



        • #5
          Re: NSA BIOS bug: anyone know how to find it?

          Thanks CotMan. I'm starting to rethink the BadBIOS, especially since the recent RSA acoustic cryptanalysis. Makes me wonder.

          I'm going off this report: http://www.youtube.com/watch?v=PeHUDfe5oIU and the correlation with those finding NSA BIOS bugs in Dell/HP servers (sucks 'cause I have 2 ProLiants). I suppose it's the Der Spiegel TAO report, and the Dec 31st Snowden release.
          I see tweets of more findings on servers (i.e. daveaitel's and DT's tweets), but the "preloaded laptops" and the Dell server issue may have some similarity, and I'm thinking BIOS. It could be two separate issues and I'm confusing the two. The Ars Technica article mentions mobo taps, so there is no telling.
          Preloading laptops/desktops prior to retail sale, it would make sense to me that they would have done the same by adding a bug in the BIOS. But could it be similar to those found in the Dell servers? This is what I'm trying to find. It could be the HDDs, but BIOS bugging would make more sense to me.

          Missed Hamburg for the 30c3 this year, but hopefully I can get some answers at Shmoo. Thankfully I spent two years as a German exchange student in HS, so I do well with German. Almost got killed by the Turkish mafia there, but long story :-)

          Had to work today. Two crackheads (in the literal sense) bought some laptop I rebuilt. Claimed it came with the malware when they bought it. Was funny when I rattled off the IE history, dates, and the passwords and login data they set up :-) Priceless reaction.

          Sorry, my "train of thought" is a wreck when written.



          • #6
            Re: NSA BIOS bug: anyone know how to find it?

            It also looked like they were going after the remote management port on the Dell systems. That makes sense because of who would be targeted.

            DEF CON is so small we don't use the management port, and on some Supermicro servers you can set a jumper to disable it entirely.

            While I haven't tested this next bit (I don't have the time right now), if your BIOS supports it you could try to "Enable boot sector virus protection". I've got that option on some Supermicro systems but not others, as well as on some Tyan motherboards but not others. Anyway, the deal is you turn it off to install operating systems, and turn it on afterwards when you don't want any more modifications to the boot sector.

            From what I can gather that would help on some of the attacks, but I don't think it would on the hard drive BIOS reflash ones; that has nothing to do with the boot sector but instead with the reserved portions, and the only way to wipe them out is with the "Enhanced Secure Erase" ATA command, assuming it hasn't been tampered with.
            PGP Key: https://defcon.org/html/links/dtangent.html
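As an added example (mine, not DT's), here is the check a practitioner wants before trying the "Enhanced Secure Erase" DT mentions: the ATA security feature set has to be present, the drive must not be frozen by the BIOS or OS, and no user password may already be set, or the ENHANCED SECURITY ERASE UNIT command will simply be refused. The script classifies a drive from `hdparm -I` output and prints the command sequence; hdparm's `-I`, `--security-set-pass` and `--security-erase-enhanced` options are real, the sample outputs are constructed (tabs replaced by spaces) and `/dev/sdX` is a placeholder. One caveat follows directly from DT's last sentence: the erase is carried out by the drive's own firmware, so if that firmware is the thing you suspect, the command proves nothing about the reserved areas.

```shell
#!/bin/sh
# Added example, not part of the original thread. Classify a drive's ATA
# security state from `hdparm -I` output before attempting an enhanced secure
# erase. Sample outputs below are constructed; /dev/sdX is a placeholder.
set -e

# Usage: hdparm -I /dev/sdX | ata_security_state
# Prints exactly one of:
#   unsupported  no ATA security feature set (common behind USB bridges)
#   frozen       BIOS/OS froze security; suspend/resume or hot-plug, then retry
#   enabled      a user password is already set; you need it (or the master) to erase
#   no-enhanced  only the normal SECURITY ERASE UNIT is offered
#   erase-ready  enhanced erase is available right now
ata_security_state() {
    # Keep only the indented lines that follow the "Security:" heading; the
    # next non-indented line (e.g. "Checksum: correct") ends the section.
    sec=$(awk '/^Security:/ { f = 1; next } f && /^[^[:space:]]/ { f = 0 } f')
    # hdparm prints "not<tab>frozen" for the negative case, so anchoring the
    # keyword right after leading whitespace distinguishes frozen from not frozen.
    if ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*supported[[:space:]]*$'; then
        echo unsupported
    elif printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*frozen'; then
        echo frozen
    elif printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*enabled'; then
        echo enabled
    elif ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*supported: enhanced erase'; then
        echo no-enhanced
    else
        echo erase-ready
    fi
}

# Print (do not run) the hdparm sequence for an erase-ready drive. "NULL" is
# hdparm's spelling of an empty password; a successful erase clears it again.
erase_commands() {
    dev=$1
    printf 'hdparm --user-master u --security-set-pass NULL %s\n' "$dev"
    printf 'hdparm --user-master u --security-erase-enhanced NULL %s\n' "$dev"
}

# Constructed hdparm -I excerpts (whitespace normalized to spaces).
SAMPLE_READY=$(cat <<'EOF'
ATA device, with non-removable media
        Model Number:       CONSTRUCTED-SAMPLE-DRIVE
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
)
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" | sed 's/^        not     frozen$/        frozen/')
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_READY" | sed 's/^        not     enabled$/        enabled/')
SAMPLE_NO_SEC=$(cat <<'EOF'
ATA device, with non-removable media
        Model Number:       CONSTRUCTED-USB-BRIDGE
Checksum: correct
EOF
)

# Stand-alone demo: ./ata-erase-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_READY" "$SAMPLE_FROZEN" "$SAMPLE_ENABLED" "$SAMPLE_NO_SEC"; do
        printf '%s\n' "$s" | ata_security_state
    done
    erase_commands /dev/sdX
fi
```

On a live box, run `hdparm -I /dev/sdX | ata_security_state` first; a "frozen" result is the usual outcome on a desktop, because most BIOSes issue SECURITY FREEZE LOCK at boot, and a suspend/resume cycle is the standard way past it.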
