What A Spy Agency badBIOS Attack Looks Like (and Wikileaks/Harrison, lock porn, volts, spying, MafiaLeaks)

Robert Clayton Dean (I mean, Dragos Ruiu) has an excellent interview up at ThreatPost.

It’s so good I’m gonna put the URL right here so you can get it downloading while you read the summary: https://threatpost.com/dragos-ruiu-on-the-badbios-saga/102823

(My more detailed notes (typos and all!) are at the bottom, for those with no time to listen.)

In a nutshell, this is such a textbook nation-state intelligence agency attack that, if it turns out to be a hoax, it would all but finger Dragos as having himself “turned.” Or defected. Or something.

Want to know what it feels like to fight big boys? The kind armed with a Texas-sized multistage rootkit, a New York in-your-face attitude, and a Chicago mobster’s love of eradicating the evidence?

Well, here’s your chance to live vicariously!

Pay close attention when he explains WHY they didn’t panic and wipe their traces and leave as soon as he found them. They were afraid he’d get the malware code and do a forensic analysis… so the intruder remained on his system to ensure a) even his forensic machines were infected and b) every time he tried to extract a sample it turned mysteriously harmless.

This may go a long, long way to explaining why other researchers have found the files he posted have mysteriously turned out to be clean, assuming, of course, Dragos himself wasn’t being deceived by “make this file look suspicious” tactics like JMA et al. have suggested for the counter-spy playbook.

Most telling is that the first time “they” started pulling back was when Dragos started tweeting about the ultrasound thing. Hit a nerve, did he?

Also — potentially — fascinating is the ancillary activity other researchers have observed. Specifically, mysterious deletions that, while they may have been Dragos himself, could also have gotten a particularly PRISMtastic intruder overly twitchy. (I myself remember wondering why the one tweet got deleted.) Was this Dragos afraid someone would take his replies as further evidence of “paranoia”? Or should we be cueing the X-Files theme and donning sunglasses to protect ourselves from the APT equivalent of the Neuralyzer? (Relevant comments quoted just above my notes.)

Of course, there’s a badBIOS parody Twitter account now. https://twitter.com/veryBadBIOS

Wikileaks/Harrison: Well, one of my guesses about Harrison was wrong. She may not have liked the one German journalist, but she evidently has nothing against Germans in general. She arrived in Germany on Saturday afternoon from Russia (did her own visa there expire?) and plans to hang out in Berlin indefinitely.

(Apparently Berlin has more spies than any other city in Europe… is this Wikileaks’ effort to restore some balance?)

All this also raises the question: who’s playing witness to prove Snowden isn’t secretly passing secrets to the FSB, or meeting them in their underground lair to plot out the next move in a grand campaign to break Europe away from the US? http://wikileaks.org/Statement-by-Sarah-Harrison-on.html

Lock porn: perhaps the sexiest lock pick in existence right now. Droool. https://twitter.com/Safetechnician/status/398075261679583232/photo/1 https://twitter.com/Safetechnician/status/398075857270763520

Experiments with voltage gradients in a partially conductive medium, YouTube dumbass style. https://www.youtube.com/watch?v=dcrY59nGxBg

The solution to mass surveillance is more surveillance? Some similar ideas have been appearing in the German media as well. “In case of attack — create a police state!” http://www.zdnet.com/eu-justice-chief-europe-should-have-its-own-spy-agency-to-counter-nsa-snooping-7000022818/

MafiaLeaks starts up in Italy. https://www.mafialeaks.org

https://plus.google.com/103470457057356043365/posts/bop8ufrMp7s
Dragos, why did you delete your replies? I have e-mail notifications from 4 replies on this thread at 5:28, 5:43, 5:44, 5:46 UTC which are no longer present.

“Well isn’t that fun. They used to be quite different code there between the 64k and the 300k sections, and now they are the same in that upload. Wonder if I have any copies elsewhere…. :-)”

“There were actually two differing 300k sections, which are also not there anymore.”

“Anyone care to explain how that happened?”

“As I mentioned, extracting and posting forensic evidence from these attackers is often tricky, it has a habit of disappearing.” Pierre Bourdon, yesterday at 12:56

A tweet saying “That’s interesting, my variant disk section upload has been cleaned up and the different code sections aren’t there anymore. #badbios ” was also deleted.

weren’t too destructive
just looking around
but very aggressive

openbsd boxes in single user mode changing files while they’re not supposed to be on the network

can’t figure out how they get in
can’t figure out how to get rid of them
so try some guerrilla warfare
let’s try disabling components
see how their trojan reacts when we start blocking bits
don’t know the original objective
might have become more about forensic data about their stuff they were getting into all the boxes
weren’t seeming to get much out of it
started disabling components
c&c channel

started deleting what they stored on disk
couple times managed to trigger reinstalls by them
trouble getting data out of the box
but had eyes and ears and brains

alarming stuff
over the summer
identified more and more
started blocking things
removing wlan cards, bluetooth, etc
editing registry keys

putting rootkit where they can’t install files
saw registry keys where they’re accessing
see how they like that
required operator intervention
started seeing more intelligent responses
seeing registry keys being changed

we know we’re owned
they know we know
this is very aggressive
cat and mouse games

got really weirded out
ibm thinkpad
removed everything including gps card
stripped this down
ibms actually one of the better ones
got down to the microphone and speaker and cpu

radio is really far fetched
so was a bit of relief when remote control stopped as soon as microphone and speakers registry keys changing 1-2 times a second
stopped as soon as we pulled speakers/audio

a lot of time we think audio capture just to hear what we’re seeing but heard this high pitched tone

so thought well record the audio
most people filter that out as noise
colleague looked at it and found lots of odd spectral artefacts at 35khz bit rate matched the packets on the procmon
about the same bit rate

so then we said hmm
looks like we have confirmation
started getting opinions on twitter
spun into left field
tinfoil hat magnet as well

not like that was the first thing I’d tried
more the second last thing we tried

what do you, at this point, we can get into attribution later, what do you think the goal of these guys was
look like the audio channel was off radar shell link
might have been sending powershell commands
a little like telnet
execute binaries on system

their packet was big
haven’t been able to isolate it
watch them reinstall and download a bunch of times
not a one or two packet exploit
a fairly substantial rootkit and development effort

how much has malware evolved

whole thing seems to be modular
goes out over the network and downloads chunks
all encrypted
as we started poking around with process monitor
saw them add countermeasures on their systems
seem to lose control of registry entries

not usually the case in this incident

have seen this thing evolve a little bit

as to the specifics
blowing conjecture out my butt like everybody else at this point

have you figured out how they’re getting on to these boxes?

smoking gun came
started building isolated systems
$350 cheap media pcs
not a big deal if they get compromised
run those standalone

don’t even share usb devices because what we found a month ago thought something USB related

one point doing forensics on IBM
trying to extract firmware information onto memory key
pulled it out, seemed to have been bricked
plugged into a clean system, wouldn’t even show up on console, looked electrically dead

plugged it into an infected system that was on the network
poof, up come our files, all our stuff on the memory key, minus the forensic files, which was interesting but this key seemed to work just fine
so left in there a little bit
pulled it out
reinserted into one of the forensic systems

in about a minute or two the system just rebooted spontaneously after plugging this thing in whoaaa that’s not good
after booting up, started seeing the telltale signs of an infection, refused to boot CDs

this resurrected lazarus key just took out one of our forensics systems only by plugging it in

one of the other effects we noticed
they owned our gateway, so they could do whatever they want to our dns there was some blocking going on
one of the blocked sites was flashboot.ru
which has flash reprogramming software

turns out there’s only about 10 different chipsets in all flash devices on the planet, all are pretty much reprogrammable
you can download your own firmware and do what you want pretty much unauthenticated

this is the point where we’re at conjecture
have some smoking gun keys

conjecture is these guys are very clever, reprogrammed the firmware controller, attack the bios, whatever

in terms of trying to figure out who these guys are
we’re pretty much focused on technical stuff
can drive yourself crazy
down that road is paranoid schizophrenia
our goal is to clean up these computers and get back to business and save the geopolitics stuff for the people that are talking about that to someone else

breakthrough parts
gotta thank rob graham and folks at errata
first reaction many people had was “ultrasound, that’s impossible!” even though we’ve had papers from MIT in 2003

errata guys were freakin amazing
worked out proof of concept, spectral sensitivity
power of crowdsourcing

one gentleman was always testing if ultrasound could bounce off hallway into another room and succeeded

other question
how do you go about your daily business knowing you have intruders on your network i don’t know
you can ask how they felt in soviet russia or east germany when the stasi was monitoring feels a little creepy, twitch look over your shoulder
are they looking
you do the usual, pgp encrypt, try to do all that

glaring flaw in all our security models
once your client’s owned, that’s it
there’s not much you can do
had to come up with strategies knowing we didn’t have much way of keeping stuff from these guys set up forensics systems completely isolated
even run off batteries incase of weird powerline voltage stuff

when we want do so something important
do it off the internet, old style

everyone assumes you have a network connection
even burning a cd becomes a task that takes hours of your time it’s not fun

trying to do anything these days without the internet is really difficult

so this is your company’s network, that you’re talking about here yeah, my coworkers, my roommate
one the same thing
typical small company

funny thing is when we started talking about USB ultrasound thing first time we saw them back off
they pulled out of a bunch of boxes as soon as we started sniffing down that road that’s a positive thing

got a date with a beagle usb analyzer in tokyo
after this incident they’re gonna sell a truckload of them
gonna take a look at what’s going in and out

travis goodspeed’s looks like another good one of those
use python scripts to look what’s going back and forth
could be a useful kit for every corporate security department on the market beagle’s a little more expensive, like $7000
one of the attendees on the conference has one

some other folks come forward with prototype analyzers
been very useful for finding other folks with bits of cool tech

pacsec coming up next week
on my way to the airport

even though everyone seems to be jumping up and down getting excited about this still gotta get our ducks in a row
right now still have our magnifying glasses out before we can make a presentation
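The spectral-artefact observation in the notes above (a high-pitched tone most people would filter out as noise, with a bit rate that matched the procmon packets) and the Errata Security proof of concept are easiest to follow with a working model of such a channel. What follows is an added example written for this post; it is not code from Dragos Ruiu, Errata Security or the badBIOS samples, and every parameter in it is an assumption: a 48 kHz sample rate, binary FSK on 18 kHz and 20 kHz tones, 100 symbols per second, a 17 kHz floor for the detector, and a constructed payload and cover tone. It modulates bytes into an audio-band covert channel, recovers them with a Goertzel tone detector that ignores the audible cover signal, and flags frames whose energy sits above the floor, which is the kind of check that turns "odd noise" into evidence.

```python
"""Ultrasonic FSK covert channel and a detector for it.

Added example for this post; not code from Dragos Ruiu, Errata Security or
the badBIOS samples. Every parameter is an assumption chosen so the demo runs
with the standard library only: 48 kHz sample rate, FSK tones at 18 kHz and
20 kHz (inaudible to most adults, but inside what a laptop speaker and
microphone pass), 100 symbols per second, and a 17 kHz detector floor.
"""
import math

SAMPLE_RATE = 48_000              # assumed: ordinary sound-card rate
F_ZERO, F_ONE = 18_000, 20_000    # assumed tone pair: bit 0 / bit 1
BAUD = 100                        # assumed symbol rate
N = SAMPLE_RATE // BAUD           # 480 samples per symbol (one DFT frame)
ULTRASONIC_FLOOR = 17_000         # detector: energy at/above this is suspect


def bytes_to_bits(data: bytes) -> list[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits: list[int]) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def modulate(data: bytes, amplitude: float = 0.3) -> list[float]:
    """Binary FSK with continuous phase: one N-sample tone burst per bit."""
    samples, phase = [], 0.0
    for bit in bytes_to_bits(data):
        step = 2 * math.pi * (F_ONE if bit else F_ZERO) / SAMPLE_RATE
        for _ in range(N):
            samples.append(amplitude * math.sin(phase))
            phase += step
    return samples


def goertzel_power(frame: list[float], freq: float) -> float:
    """|X[k]|^2 for the DFT bin nearest `freq`, without a full DFT."""
    n = len(frame)
    k = round(freq * n / SAMPLE_RATE)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in frame:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2


def demodulate(samples: list[float]) -> bytes:
    """Decide each symbol by comparing energy in the two tone bins."""
    bits = []
    for start in range(0, len(samples) - N + 1, N):
        frame = samples[start:start + N]
        bits.append(int(goertzel_power(frame, F_ONE) > goertzel_power(frame, F_ZERO)))
    return bits_to_bytes(bits)


def ultrasonic_fraction(frame: list[float]) -> float:
    """Share of the frame's energy at or above ULTRASONIC_FLOOR.

    Parseval: sum(x^2) == (1/n) * sum(|X[k]|^2) over all n bins, and a real
    signal's spectrum is symmetric, so doubling the positive-frequency bins
    in the band gives the band's share of the total energy.
    """
    n = len(frame)
    total = sum(x * x for x in frame)
    if total == 0.0:
        return 0.0
    bin_hz = SAMPLE_RATE / n
    band = 0.0
    for k in range(math.ceil(ULTRASONIC_FLOOR / bin_hz), n // 2):
        band += goertzel_power(frame, k * bin_hz)
    return min(1.0, 2 * band / (n * total))


def scan_for_ultrasonic(samples: list[float], threshold: float = 0.1) -> list[int]:
    """Indices of N-sample frames whose ultrasonic energy share exceeds threshold."""
    return [i for i, start in enumerate(range(0, len(samples) - N + 1, N))
            if ultrasonic_fraction(samples[start:start + N]) > threshold]


def audible_tone(num_samples: int, freq: float = 1_000.0, amplitude: float = 0.5) -> list[float]:
    """Constructed cover audio: a plain audible tone mixed over the channel."""
    return [amplitude * math.sin(2 * math.pi * freq * i / SAMPLE_RATE) for i in range(num_samples)]


def mix(a: list[float], b: list[float]) -> list[float]:
    return [x + y for x, y in zip(a, b)]


if __name__ == "__main__":
    payload = b"whoami\n"                       # constructed sample command
    channel = modulate(payload)
    recording = mix(channel, audible_tone(len(channel)))
    print("recovered:", demodulate(recording))   # b'whoami\n'
    print("frames flagged:", scan_for_ultrasonic(recording))
```

Two caveats for anyone pointing this at a real recording. The 35 kHz figure in the notes is above what a 48 kHz capture can represent (Nyquist is 24 kHz); to look there, capture at 96 kHz and raise SAMPLE_RATE and the tone constants, and the Goertzel bins follow automatically. And the 0.1 threshold is only sensible because the constructed cover signal has no content above 17 kHz; on real audio, take the detector's output on a known-clean baseline first and set the threshold above that, otherwise cheap microphones' own high-frequency hiss will trip it.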
