
On 24/12/15 3:21 AM, Andrew McGlashan via luv-main wrote:
On 24/12/2015 1:26 AM, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
... the drives are IDE...
Some /possibly/ useful links?
ta for the thought - worth checking for checksum tools

On 24/12/15 8:38 AM, Glenn McIntosh via luv-main wrote:
On 24/12/15 01:26, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
Booting a DVD live-image of Ubuntu, invocations of Firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the hard drive, but equally it may have been one of the Ubuntu images.

You might need to provide more details about the network context (home network, work network?). It is also a possibility that the router firmware is having issues (for example, there is a JON recovery system associated with D-Link routers), and it might not be malware.

Saw those references. For my case, dismissed as bogus camouflage because Firefox from the XP boot still pretends to behave normally. The only router in this segment of the LAN is a PC running OpenBSD. Between the client (HD=XP/DVD=Ubuntu) and Telstra are an ether hub, the Unix router which pretends to behave normally, another ether hub, and a little ADSL router which is being used solely as an ADSL modem for the Unix router. There is no D-Link device in that chain. If something upstream of the PC is differentially rerouting HTTP by operating system, then this security breach is more complex than previously described and more specifically targeted at my local environment. I have not dismissed this. I am working on the simpler explanation first.

On 24/12/15 11:52 AM, Trent W. Buck via luv-main wrote:
Douglas Ray via luv-main <luv-main@luv.asn.au> writes:
We have a PC with firmware malware on - at least - both DVDs.

Er, are you saying the microcontroller on the DVD drive's circuit board is infected? (As opposed to the infected component being on the motherboard, or on a DVD *disc*, or...)

Without pretending to know whether the firmware is on EEPROM within the microcontroller, or external to it - yes.
How did you determine this?
Circumstantial, and I haven't eliminated motherboard firmware, however:
1. different results for DVD-booted Firefox vs hard disk
2. the drive sounds different. It has a low-frequency shudder which wasn't there before.
3. I have the same Firefox-interception symptom from different DVDs with different OSs, which previously pretended to work flawlessly.
"jon recovery system" appears to originate from the httpd in D-Link firmware for router appliances. If you remove all NICs from the "infected PC", do the symptoms go away?

Good thought. Will get back to you.
On 24/12/15 12:08 PM, Russell Coker wrote:
Why would someone go to the immense effort of creating malware that can either intercept filesystem access to give a different version of the application files or modify the OS kernel to change the application in memory, and then do something obvious like give a bogus web site? Are you sure your D-Link router isn't broken?
My solution to secure web shopping was to recommend my non-technical family boot from DVD and go directly to the site they want to deal with. Disabling Firefox from DVD breaks precisely that usage. I suspect that intercepting a single app may be the most you could hope to squeeze into firmware storage and still have a functioning system. (I wouldn't be surprised if the firmware component is just the intercept, which then passes off to something on the hard disk.) Interestingly, this happened about a week after we started electronic banking with a SecurID-style key generator for two-factor authentication. I am so glad we opted for the security token!

On 24/12/15 1:02 PM, Tony White via luv-main wrote:
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pd...
Yes, interesting. Thanks to all. Am seeing if the manufacturer will come up with any useful diagnostics. Douglas Ray
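Added example, not part of the thread above: Andrew's "checksum tools" remark and Douglas's point that the same symptom appears from several different DVDs both come down to one check, namely whether the bytes on each burned disc still match the ISO they were burned from, and whether that ISO matches the distributor's published SHA-256. The script below (the author's own illustration, written for this page; the paths, the SHA256SUMS digest and the demo media are all hypothetical or constructed) does both. The one non-obvious detail is that a burned disc is padded past the end of the image, so hashing the whole of /dev/sr0 never matches; the script hashes only the first N bytes, where N is the ISO size. Run it from a machine and drive you trust: a compromised drive controller could in principle present clean data when the disc is read and substitute content only at boot, so a match obtained through the suspect drive rules out tampered disc contents, not tampered drive firmware.

```shell
#!/bin/sh
# Added example (not from the thread): verify a burned live DVD against the
# ISO it was burned from, and the ISO against the distributor's published
# SHA-256. Assumes a Linux/BSD host with sha256sum(1) or shasum(1), head(1)
# with -c, and mktemp(1). All paths and digests below are hypothetical.
set -eu

# Print the SHA-256 hex digest of stdin.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# Check the ISO file against the digest published in the distributor's
# SHA256SUMS file (pass the hex digest as $2). Returns 0 on match, 1 otherwise.
verify_iso_published() {
    iso=$1
    expected=$2
    actual=$(sha256_of < "$iso")
    [ "$actual" = "$expected" ]
}

# Compare the first N bytes of the disc (N = size of the ISO) with the ISO.
# Burned media is padded past the end of the image, so hashing the whole
# device (e.g. /dev/sr0) never matches; trimming to the ISO length is the
# usual fix. Prints MATCH/MISMATCH and returns 0/1 accordingly.
verify_disc_against_iso() {
    disc=$1
    iso=$2
    iso_size=$(wc -c < "$iso" | tr -d ' ')
    iso_sum=$(sha256_of < "$iso")
    disc_sum=$(head -c "$iso_size" "$disc" | sha256_of)
    if [ "$iso_sum" = "$disc_sum" ]; then
        echo "MATCH    $disc matches $iso ($iso_size bytes, sha256 $iso_sum)"
        return 0
    fi
    echo "MISMATCH $disc differs from $iso"
    echo "  iso : $iso_sum"
    echo "  disc: $disc_sum"
    return 1
}

# Constructed demo, no drive needed: a fake 4 KiB "ISO", a "good disc" that is
# the same bytes plus 2 KiB of zero padding (what a burn looks like), and a
# "bad disc" with byte 101 altered. Prints the temp dir path; caller removes it.
build_demo_media() {
    tmp=$(mktemp -d)
    yes 'live-image-payload' | head -c 4096 > "$tmp/live.iso"
    { cat "$tmp/live.iso"; head -c 2048 /dev/zero; } > "$tmp/good_disc"
    { head -c 100 "$tmp/live.iso"; printf 'X'; tail -c +102 "$tmp/live.iso"
      head -c 2048 /dev/zero; } > "$tmp/bad_disc"
    echo "$tmp"
}

demo() {
    tmp=$(build_demo_media)
    verify_disc_against_iso "$tmp/good_disc" "$tmp/live.iso"
    verify_disc_against_iso "$tmp/bad_disc" "$tmp/live.iso" || true
    rm -rf "$tmp"
}

# Usage: ./verify_disc.sh /dev/sr0 ubuntu.iso   (real media)
#        ./verify_disc.sh                       (constructed demo)
if [ $# -eq 2 ]; then
    verify_disc_against_iso "$1" "$2"
else
    demo
fi
```

With two arguments the script checks a real disc against a real ISO; with none it builds the constructed media in a temp directory, reports MATCH for the padded copy and MISMATCH for the one with the altered byte, and cleans up. For the published-digest check, copy the hex string for your image out of the distributor's SHA256SUMS file and pass it to verify_iso_published; confirming that file's GPG signature first is the usual practice and is outside what this script does.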