
malware infected firmware?


MonDie


I just read this WIRED article about how malware implanted in the firmware of computer components would be especially persistent.

 

http://www.wired.com/2015/02/nsa-firmware-hacking/

The document (.pdf) is essentially a wish list of future spy capabilities the NSA hoped to develop for its so-called Persistence Division, a division that has an attack team within it that focuses on establishing and maintaining persistence on compromised machines by subverting their firmware, BIOS, BUS or drivers.

How commonly does malware infect the firmware of computer components or networking devices? How would one go about identifying or eliminating such malware?


I just read this WIRED article about how malware implanted in the firmware of computer components would be especially persistent.

 

http://www.wired.com/2015/02/nsa-firmware-hacking/

 

How commonly does malware infect the firmware of computer components or networking devices? How would one go about identifying or eliminating such malware?

Reinstall the firmware. Better, if a computer contains mission-critical information, don't network it; manually load screened information onto it. Even if you transfer malware, it can't 'talk' back to Command and Control if it's not networked.


"How commonly" is hard to tell because antivirus software doesn't scan firmware and few users are aware of such malware. At least one modem software, common to several models, is known as a practical target since R. Snowden revealed it.

 

The BIOS can be infected too. It's reasonable to make copies of sound firmware versions in advance.


"How commonly" is hard to tell because antivirus software doesn't scan firmware and few users are aware of such malware. At least one modem software, common to several models, is known as a practical target since R. Snowden revealed it.

 

How difficult would it be for a common hacker to implement the same malware?

Would the reset button remove it?


 

How difficult would it be for a common hacker to implement the same malware?

Would the reset button remove it?

No. You have to reflash the affected hardware with new, clean firmware. The firmware-software resides in the device and is what 'talks' to the operating system; it is physically independent in operation.

Edited by StringJunky

Up until just a few years ago you needed to actually set a jumper on the board to enable 'flashing' of the ROM.

Today, a soft switch is usually set in flash memory to enable writing.

More convenient, but also more vulnerable.


I'm searching for how to reflash the modem, but with no luck yet. I'll have to check whether it's vulnerable.

 

Can I reflash the hard drive and BIOS even if I never made an image prior? How about buses? And what's this about persistent driver malware?


I'm searching for how to reflash the modem, but with no luck yet. I'll have to check whether it's vulnerable.

 

Can I reflash the hard drive and BIOS even if I never made an image prior? How about buses? And what's this about persistent driver malware?

What is the nature of your anxiety?


What is the nature of your anxiety?

 

I strongly suspect that our desktop computer or its network has been infected with persistent malware, and I want to be sure it's removed from my laptops before I use my alternative connection.

Perhaps the boot partition is infected, but doesn't even that get rewritten during a Linux reinstall? Maybe I should just zero the drives from an Ubuntu Live boot next time.

sudo dd if=/dev/zero of=/dev/sdX bs=4M   # replace sdX with the target disk; a glob such as sd* does not work here

I think I've heard of BIOS rootkits.

The BIOS is part of the motherboard, not the hard drive.


 

I strongly suspect that our desktop computer or its network has been infected with persistent malware, and I want to be sure it's removed from my laptops before I use my alternative connection.

Perhaps the boot partition is infected, but doesn't even that get rewritten during a Linux reinstall? Maybe I should just zero the drives from an Ubuntu Live boot next time.

sudo dd if=/dev/zero of=/dev/sdX bs=4M   # replace sdX with the target disk; a glob such as sd* does not work here

I think I've heard of BIOS rootkits.

The BIOS is part of the motherboard, not the hard drive.

Have you installed software from outside the official Ubuntu-endorsed repositories?

Edited by StringJunky

Have you installed software from outside the official Ubuntu-endorsed repositories?

 

Another user may have long ago, but I've reinstalled multiple times since then, even disabling the Wi-Fi. If our network remained infected, however, a man-in-the-middle could replace an official download with a corrupted one. That's why we use checksums. The last time I tried to install the HP printer software, it suddenly warned that the checksum failed, then asked me to log in as root. But I could even be using a corrupted .iso image for the installation, a day-zero attack.

 

Although doubtful, maybe we're just getting infected repeatedly with the same malware. Teaching parents to browse safely is like teaching a dog to purr.

Edited by MonDie

Thank you for the suggestion, but the topic is persistent malware that infects firmware. I want to know whether there's malware in use that could infect the firmware of networking devices or computer components.

Apparently the NSA can infect hard drive firmware, but even if I were worried about government monitoring, it would be an exercise in futility. The government can get anyone to turn over information at their request. Even HushMail will comply! Plus, I would think that a trained government professional would be keen to hide their presence! :D


Thank you for the suggestion, but the topic is persistent malware that infects firmware. I want to know whether there's malware in use that could infect the firmware of networking devices or computer components.

Apparently the NSA can infect hard drive firmware, but even if I were worried about government monitoring, it would be an exercise in futility. The government can get anyone to turn over information at their request. Even HushMail will comply! Plus, I would think that a trained government professional would be keen to hide their presence! :D

Read this Kaspersky article, then extrapolate that across all devices, and you'll see widespread firmware-malware infection can't be done in an epidemic manner. Really, just a proof-of-concept idea by a few researchers. Add Linux into the mix and I'd say the risk is minuscule. All I'd focus on is the boot partition and OS partitions. Nuke the drive with zeros and reinstall the OS.

Edited by StringJunky

Excellent article with respect to the topic at hand. Apparently hard drive firmware is not a realistic concern for most of us.

 

Apparently "Erase Disk" does erase and overwrite the boot partition. Anyway, the Dell BIOS appears to be very outdated, but my hard reset using the RTCRST jumper (Dell's CMOS jumper) didn't seem to work, as I still have the v A09 BIOS, whereas I saw "A04" written on the mainboard.

 

However, a BIOS infection might take particular skill. I'm starting to think that repeated infection is a good alternative hypothesis to persistent malware. I found this interesting.

http://jeremiahgrossman.blogspot.mx/2008/04/intranet-hack-targeting-at-2wire-dsl.html

"This type of intranet CSRF hack is super easy to pull off since you only need to place specially-crafted URLs inside of an HTML image tag and post it to any public website. MySpace, WebMail, blogs, message boards, etc. [...]"

The same person could infect us repeatedly through email or such. I have long suspected that this was personal, and I have my suspects.


How about BadUSB? It actually fits my symptoms startlingly well... I'm afraid. :P

 

http://www.wired.com/2014/07/usb-security/

 

Their central finding is that USB firmware, which exists in varying forms in all USB devices, can be reprogrammed to hide attack code.

[...] Unless the IT guy has the reverse engineering skills to find and analyze that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

 


[...] Nohl and Lell describe a grab bag of evil tricks it can play. [...] replace software being installed with a corrupted or backdoored version [...] impersonate a USB keyboard [...] silently hijack internet traffic [...] man-in-the-middle, secretly spying on communications [...]

 


Any time a USB stick is plugged into a computer, its firmware could be reprogrammed by malware on that PC, with no easy way for the USB device’s owner to detect it. And likewise, any USB device could silently infect a user’s computer. “It goes both ways,”

And unlike hard drive firmware.

The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer.

And this new malware has been on the loose for more than half of a year!

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

 

Apparently a patch was immediately released, but it only works for 3.0 USB devices, and it's only preemptive, preventing anything from writing to the firmware. I wonder what other patches have been released since then.

http://www.wired.com/2014/10/unpatchable-usb-malware-now-patchsort/

 

Fortunately, as far as I can tell, unless it infects some form of non-volatile RAM for persistence, a harddrive erase followed by USB abstinence should be sufficient.

Edited by MonDie
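What the "code-signing" countermeasure in the quoted article amounts to, shown as an added example rather than anything from the thread or from the Wired article: the device holds only the manufacturer's public key (ideally in read-only storage) and refuses any firmware image whose signature does not verify against it, so an image altered after signing is rejected. The key pair, image contents and file names are constructed here, and the signing and verification are simulated with OpenSSL on ordinary files; a real controller would run the equivalent check in its bootloader.

```shell
#!/bin/sh
# Added example (not from the thread): signed firmware updates simulated with
# OpenSSL. Keys, images and file names are constructed for the demo only.

work=$(mktemp -d)

# Manufacturer side (constructed): create a signing key pair and sign the image.
# Only vendor.pub would ever leave the vendor; it is what the device stores.
openssl genrsa -out "$work/vendor.key" 2048 2>/dev/null
openssl rsa -in "$work/vendor.key" -pubout -out "$work/vendor.pub" 2>/dev/null
printf 'constructed USB controller firmware v2\n' > "$work/fw-v2.bin"
openssl dgst -sha256 -sign "$work/vendor.key" -out "$work/fw-v2.sig" "$work/fw-v2.bin"

# Device side: accept_update IMAGE SIG PUBKEY
# Returns 0 (and would proceed to flash) only when SIG is a valid signature of
# IMAGE under PUBKEY; anything else is refused before a single byte is written.
accept_update() {
    image=$1
    sig=$2
    pub=$3
    if openssl dgst -sha256 -verify "$pub" -signature "$sig" "$image" >/dev/null 2>&1; then
        echo "signature valid: accepting $(basename "$image")"
        return 0
    fi
    echo "signature INVALID: refusing $(basename "$image")" >&2
    return 1
}

# An image modified after signing (the kind of change unsigned controllers
# accept silently) no longer verifies against the vendor's signature.
cp "$work/fw-v2.bin" "$work/fw-v2-modified.bin"
printf 'one extra byte changes everything\n' >> "$work/fw-v2-modified.bin"

# A signature made with some other key is refused as well, even on the
# unmodified image: the device trusts only the key it was shipped with.
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
openssl dgst -sha256 -sign "$work/other.key" -out "$work/fw-v2.other.sig" "$work/fw-v2.bin"

accept_update "$work/fw-v2.bin" "$work/fw-v2.sig" "$work/vendor.pub"
accept_update "$work/fw-v2-modified.bin" "$work/fw-v2.sig" "$work/vendor.pub" || true
accept_update "$work/fw-v2.bin" "$work/fw-v2.other.sig" "$work/vendor.pub" || true
```

The check is only as strong as the protection of the public key on the device: if the key itself lives in rewritable flash next to the firmware, an attacker who can rewrite one can rewrite the other, which is why the thread's later suggestion of a separate read-only component is the right instinct.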

Apparently there's a conflict in that, while the right code will prevent firmware hacks, some people enjoy hacking it just to make custom changes. In fact, Huang and xobs found the software to hack their SD cards very easily. https://youtu.be/r3GDPwIuRKI?t=18m24s

 

One source suggested a switch, like the write-protection switches on some flash drives, but to protect the firmware. Then your threat needs to have physical access, but somebody could easily hand you a corrupted device without you knowing. Perhaps manufacturers will implement a separate, read-only chip to hash the microcontroller's firmware and warn of alterations. Whatever. I'm sure much smarter people are working on it.

Edited by MonDie

Is it always this way, or is this a sudden surge of vulnerabilities?

 

Apparently most BIOS firmware is currently vulnerable regardless of whether you download the regular, manufacturer-signed BIOS updates.
http://www.wired.com/2015/03/researchers-uncover-way-hack-bios-undermine-secure-operating-systems/

they were able to uncover vulnerabilities in 80 percent of the PCs they examined, including

An attacker could compromise the BIOS in two ways—through remote exploitation by delivering the attack code via a phishing email or some other method, or through physical interdiction of a system.

Their malware, dubbed LightEater, uses the incursion vulnerabilities to break into and hijack the system management mode [...] to do certain functions with high-level system privileges that exceed even administrative and root-level privileges, Kovah notes.
Edited by MonDie

You asked specifically about networking devices. I used to work in the web hosting industry, and on most of the commercial Cisco networking devices you can't even flash the firmware unless you hook up a laptop to the console port. If it was flashed somehow through, like, a console plug that's left plugged in, then it wouldn't go unnoticed, since the switch or router would have an outage and basically throw a bunch of alerts that would be investigated.

 

As far as a home router, it's unlikely they would know what kind of router you have. If they had that information, well, anyone that breaks into your house already has you hacked way more easily than a pure internet approach. Consumer routers are so many and so diverse. They only last like a year before having to be replaced. Almost all are closed-source, so creating a working firmware would require reverse engineering the factory firmware. There are routers that have this done already, like DD-WRT and OpenWRT. It's possible they could get the source code for that and modify it to, say, create a backdoor into your network. However, they would need access to your intranet before they could flash your router, and if they had that access they could create a backdoor without all that trouble. Most routers have UPnP on, and if not, they could probably log into your router using the default login and just open up a port for themselves.

 

I think it's an unrealistic fear, unless you're Iran. Keep your firmware up-to-date and check your md5sum.


Do you let people connect to the same VLAN with their mobile devices?

Edited by 3blake7
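The two checks that come up repeatedly in this thread, verifying a download against the vendor's published checksum ("that's why we use checksums", "check your md5sum") and keeping a hash of a known-good firmware image to compare a later dump against ("make copies of sound firmware versions in advance", the read-only chip that hashes the firmware and warns of changes), as one added example that is not code from the thread. It uses SHA-256 rather than MD5, since MD5 collisions are practical today, and the file names, contents and checksum list are constructed for the demo; reading a real device's firmware into a file is vendor-specific and not shown.

```shell
#!/bin/sh
# Added example (not from the thread): checksum verification of a download and
# baseline comparison of a firmware dump. All files below are constructed.

# verify_checksum FILE SUMS_FILE
# Returns 0 when FILE's SHA-256 matches the entry for its name in SUMS_FILE
# ("<hex>  <name>", the sha256sum -c format; "*name" marks binary mode), else 1.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Look the entry up by file name, so a list with extra or reordered lines
    # cannot make some other file's hash pass for this one.
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# record_baseline IMAGE BASELINE_FILE
# Store the hash of a firmware dump taken while the device was believed clean.
record_baseline() {
    sha256sum "$1" | awk '{ print $1 }' > "$2"
}

# check_baseline IMAGE BASELINE_FILE
# Returns 0 if a fresh dump still matches the recorded hash, 1 if the firmware
# has changed since the baseline was taken (the "warn of alterations" case).
check_baseline() {
    [ "$(sha256sum "$1" | awk '{ print $1 }')" = "$(cat "$2")" ]
}

# --- demo with constructed files ---
tmp=$(mktemp -d)
mkdir "$tmp/vendor" "$tmp/download"
printf 'constructed router firmware v1.0\n' > "$tmp/vendor/router-fw-1.0.bin"
# The vendor's checksum list, as it would be published next to the image.
(cd "$tmp/vendor" && sha256sum router-fw-1.0.bin > SHA256SUMS)
# The same file name as it might arrive after alteration in transit.
printf 'constructed router firmware v1.0 + extra\n' > "$tmp/download/router-fw-1.0.bin"

verify_checksum "$tmp/vendor/router-fw-1.0.bin" "$tmp/vendor/SHA256SUMS"
verify_checksum "$tmp/download/router-fw-1.0.bin" "$tmp/vendor/SHA256SUMS" || echo "download rejected"

record_baseline "$tmp/vendor/router-fw-1.0.bin" "$tmp/baseline.sha256"
check_baseline "$tmp/download/router-fw-1.0.bin" "$tmp/baseline.sha256" || echo "firmware differs from baseline"
```

A checksum list only helps if it was fetched over a path the attacker does not control, or is itself signed; a man-in-the-middle who can swap the image can usually swap an unsigned SHA256SUMS served from the same place. The baseline hash has a different limit: it detects that the firmware changed, not whether the original dump was clean, so it should be recorded from a fresh, vendor-verified image.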
