On 24/12/15 3:21 AM, Andrew McGlashan via luv-main wrote:
On 24/12/2015 1:26 AM, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
... the drives are IDE...
Some /possibly/ useful links?
http://www.coreboot.org/
http://www.openfirmware.info/Welcome_to_OpenBIOS
ta for the thought - worth checking for checksum tools
On 24/12/15 8:38 AM, Glenn McIntosh via luv-main wrote:
On 24/12/15 01:26, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
Booting a DVD live-image of ubuntu, invocations of
firefox are intercepted and come up as "JON recovery system"
or some such. The attack vector may have been the old XP
system on the harddrive, but equally it may have been one
of the ubuntu images.
You might need to provide more details about the network context (home
network, work network?) It is also a possibility that the router
firmware is having issues (for example, there is a JON recovery system
associated with D-Link routers), and it might not be malware.
Saw those references. For my case, dismissed as bogus camouflage
because firefox from XP boot still pretends to behave normally.
The only router in this segment of the LAN is a pc running openbsd.
Between the client (HD=XP/DVD=Ubuntu) and telstra are an ether hub,
the unix router which pretends to behave normally, another ether hub,
and a little ASDL router which is being used solely as an ASDL-modem
for the unix router.
There is no D-Link device in that chain.
If something upstream of the PC is differentially rerouting HTTP
by operating system, then this security breach is more complex
than previously described and more specifically targeted at my
local environment. I have not dismissed this. I am working on
the simpler explanation first.
On 24/12/15 11:52 AM, Trent W. Buck via luv-main wrote:
Douglas Ray via luv-main
<[email protected]> writes:
We have a PC with firmware malware on - at least - both DVDs.
Er, are you saying the microcontroller on the DVD drive's circuit board
is infected? (As opposed to the infected component being on the
without pretending to know whether the firmware is on eeprom
within the microcontroller, or external to it - yes.
motherboard, or on a DVD *disc*, or...)
How did you determine this?
Circumstantial, and I haven't eliminated motherboard firmware, however:
1. different results for DVD-booted firefox vs harddisk
2. the drive sounds different. It has a low-frequency shudder which
wasn't there before.
3. I have the same firefox-interception symptom from different DVDs
with different OSs, which previously pretended to work flawlessly.
"jon recovery system" appears to originate from the httpd in D-Link
firmware for router appliances. If you remove all NICs from the
"infected PC", do the symptoms go away?
Good thought. Will get back to you.
On 24/12/15 12:08 PM, Russell Coker wrote:
Why would someone go to the immense effort of creating malware that
can either intercept filesystem access to give a different version of
the application files or modify the OS kernel to change the
application in memory and then do something obvious like give a bogus
web site? Are you sure your dlink router isn't broken?
My solution to secure web shopping was to recommend my non-technical
family boot from DVD and go directly to the site they want to deal with.
Disabling firefox from DVD breaks precisely that usage.
I suspect that intercepting a single app may be the most you could hope
to squeeze into firmware storage and still have a functioning system.
(I wouldn't be surprised if the firmware component is just the intercept,
which then passes off to something on the hard disk.)
Interestingly, this happened about a week after we started electronic
banking with a secure-id style key generator for two-factor authentication.
I am so glad we opted for the security token!
On 24/12/15 1:02 PM, Tony White via luv-main wrote:
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf
Yes, interesting.
Thanks to all. Am seeing if the manufacturer will come up with any
useful diagnostics.
Douglas Ray
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
