
We have a PC with firmware malware on - at least - both DVDs. I don't know if it's worth recovering the system, but I definitely want to find diagnostics for identifying infections and vectors on the rest of the LAN.

Booting a DVD live-image of ubuntu, invocations of firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the harddrive, but equally it may have been one of the ubuntu images.

It is a Medion PC, article number 10002328, and there are firmware updates at the manufacturer. I'm unsure how to securely install, given that the DVDs are compromised, and I have no way to verify the cardreader or motherboard BIOS or harddrive. (I could map/update the bootsector of the harddrive, but I haven't checked what may be available to work with the firmware.)

Would putting the infected DVD drives on another system, sans media, risk infecting the new system? Conversely, let's say I swap in a new DVD drive and boot a putatively clean DVD - if the BIOS is corrupted do I risk just re-infecting the new DVD drive?

Merry Christmas to all
Douglas Ray

On 24/12/2015 1:26 AM, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
Ugh, sorry, not sure I've got answers that might be useful for you. So.... we have *trustworthy* computing at work once again. The infection could be at the BIOS level of the PC, it could be that somehow the DVD drive's firmware has been infected -- how would you really know? DVD drives are very, very cheap these days. It could be bad USB playing games; if that is the case, then perhaps USB sticks and drives also have problems (potentially). Are the DVD drives connected via USB or SATA? It would have to be an old system if XP might be part of the problem and even older if you are using IDE drives (optical or other).
I don't know if it's worth recovering the system, but I definitely want to find diagnostics for identifying infections and vectors on the rest of the LAN.
The trouble may be that at some time in the future, it will be very hard to get motherboards that are free and open enough to rely upon. What about the possibility of installing a different motherboard firmware? Perhaps core-boot? I don't know. If the equipment is too old, then doing anything much will likely be a waste and replacing with newer (if not brand new) gear might be the best way to go.

Some /possibly/ useful links?
http://www.coreboot.org/
http://www.openfirmware.info/Welcome_to_OpenBIOS
http://www.rtcmagazine.com/articles/view/103517 [Open Source Firmware - Coreboot for x86 Architecture Boards]

Cheers
A.

On 24/12/15 3:21 AM, Andrew McGlashan via luv-main wrote:
On 24/12/2015 1:26 AM, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
... the drives are IDE...
Some /possibly/ useful links?
ta for the thought - worth checking for checksum tools

On 24/12/15 8:38 AM, Glenn McIntosh via luv-main wrote:
On 24/12/15 01:26, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
Booting a DVD live-image of ubuntu, invocations of firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the harddrive, but equally it may have been one of the ubuntu images. You might need to provide more details about the network context (home network, work network?) It is also a possibility that the router firmware is having issues (for example, there is a JON recovery system associated with D-Link routers), and it might not be malware.
Saw those references. For my case, dismissed as bogus camouflage because firefox from XP boot still pretends to behave normally.

The only router in this segment of the LAN is a pc running openbsd. Between the client (HD=XP/DVD=Ubuntu) and telstra are an ether hub, the unix router which pretends to behave normally, another ether hub, and a little ADSL router which is being used solely as an ADSL-modem for the unix router. There is no D-Link device in that chain.

If something upstream of the PC is differentially rerouting HTTP by operating system, then this security breach is more complex than previously described and more specifically targeted at my local environment. I have not dismissed this. I am working on the simpler explanation first.

On 24/12/15 11:52 AM, Trent W. Buck via luv-main wrote:
Douglas Ray via luv-main <luv-main@luv.asn.au> writes:
We have a PC with firmware malware on - at least - both DVDs.
Er, are you saying the microcontroller on the DVD drive's circuit board is infected? (As opposed to the infected component being on the motherboard, or on a DVD *disc*, or...)
Without pretending to know whether the firmware is on EEPROM within the microcontroller, or external to it - yes.
How did you determine this?
Circumstantial, and I haven't eliminated motherboard firmware, however:
1. different results for DVD-booted firefox vs harddisk
2. the drive sounds different. It has a low-frequency shudder which wasn't there before.
3. I have the same firefox-interception symptom from different DVDs with different OSs, which previously pretended to work flawlessly.
"jon recovery system" appears to originate from the httpd in D-Link firmware for router appliances. If you remove all NICs from the "infected PC", do the symptoms go away?
Good thought. Will get back to you.
On 24/12/15 12:08 PM, Russell Coker wrote:
Why would someone go to the immense effort of creating malware that can either intercept filesystem access to give a different version of the application files or modify the OS kernel to change the application in memory and then do something obvious like give a bogus web site? Are you sure your dlink router isn't broken?
My solution to secure web shopping was to recommend my non-technical family boot from DVD and go directly to the site they want to deal with. Disabling firefox from DVD breaks precisely that usage.

I suspect that intercepting a single app may be the most you could hope to squeeze into firmware storage and still have a functioning system. (I wouldn't be surprised if the firmware component is just the intercept, which then passes off to something on the hard disk.)

Interestingly, this happened about a week after we started electronic banking with a secure-id style key generator for two-factor authentication. I am so glad we opted for the security token!

On 24/12/15 1:02 PM, Tony White via luv-main wrote:
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pd...
Yes, interesting.

Thanks to all. Am seeing if the manufacturer will come up with any useful diagnostics.
Douglas Ray
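Following up the "worth checking for checksum tools" remark above: an added example, not code from the thread or from any distributor, of checking a live DVD against the SHA-256 the distribution publishes. It assumes a Linux host with GNU coreutils (`dd`, `od`, `head`, `sha256sum`) and reads exactly the volume size recorded in the disc's own ISO 9660 Primary Volume Descriptor, because optical drives often return trailing padding sectors that make a hash of the raw device differ from the published one even when the disc is fine.

```shell
#!/bin/sh
# Added example: verify an optical disc (or image file) against a published SHA-256.
# Hashing the whole device usually fails because drives pad the end of the ISO,
# so read only the bytes the volume descriptor says belong to the volume.

# iso_size_bytes DEVICE -> prints the ISO 9660 volume size in bytes.
# The Primary Volume Descriptor lives at byte 32768 (logical sector 16).
# Volume space size is a both-endian 32-bit field at PVD offset 80 and the
# logical block size a both-endian 16-bit field at offset 128; the little-endian
# halves are read byte by byte with od so host endianness does not matter.
iso_size_bytes() {
  img="$1"
  set -- $(dd if="$img" bs=1 skip=$((32768 + 80)) count=4 2>/dev/null | od -An -tu1)
  [ $# -eq 4 ] || return 1
  blocks=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
  set -- $(dd if="$img" bs=1 skip=$((32768 + 128)) count=2 2>/dev/null | od -An -tu1)
  [ $# -eq 2 ] || return 1
  bsize=$(( $1 + ($2 << 8) ))
  [ "$blocks" -gt 0 ] && [ "$bsize" -gt 0 ] || return 1
  echo $(( blocks * bsize ))
}

# verify_media DEVICE EXPECTED_SHA256 -> exit status 0 only when the volume's
# hash equals the published value (the distributor's SHA256SUMS entry).
verify_media() {
  dev="$1"; expected="$2"
  nbytes=$(iso_size_bytes "$dev") || return 1
  actual=$(head -c "$nbytes" "$dev" | sha256sum | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# Usage on a real disc (placeholder hash; take the value from the vendor's signed
# checksum file, fetched on a machine you trust, not from the suspect PC):
#   verify_media /dev/sr0 <published-sha256> && echo "disc matches"
```

A mismatch tells you the disc does not match the published image, not where the tampering or damage happened; a match only vouches for the data on the disc, not for the drive's firmware or the BIOS that loads it.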

Douglas Ray via luv-main <luv-main@luv.asn.au> writes:
My solution to secure web shopping was to recommend my non-technical family boot from DVD and go directly to the site they want to deal with.
Disabling firefox from DVD breaks precisely that usage.
You might like https://en.wikipedia.org/wiki/TAILS I haven't used it myself, but I hear mostly good things about it. (My employer used to have a similar for-money product, but we axed it around 2004 because it was too hard to market.)

I'm declaring this (unsatisfactorily) resolved. It was a malfunctioning router, not a D-Link, but a NetComm NF2 which spontaneously de-programmed itself.

NetComm were unable to confirm whether the "jon recovery system" webpage was a known feature in their router. It's not in the manual. I guess NetComm outsourced the hardware or firmware to the same group that made the D-Link.

I had no luck re-flashing it. It does a little spurt of http, no tftp, and stalls. If the "jon recovery system" were an autofallback after f/w checksum failure, and the flash had a permanent failure, that could give this behaviour.

thanks again for the previous responses.
Douglas Ray

On 24/12/15 01:26, Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
Booting a DVD live-image of ubuntu, invocations of firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the harddrive, but equally it may have been one of the ubuntu images.
You might need to provide more details about the network context (home network, work network?) It is also a possibility that the router firmware is having issues (for example, there is a JON recovery system associated with D-Link routers), and it might not be malware.

Glenn
--
sks-keyservers.net 0x6d656d65

Douglas Ray via luv-main <luv-main@luv.asn.au> writes:
We have a PC with firmware malware on - at least - both DVDs.
Er, are you saying the microcontroller on the DVD drive's circuit board is infected? (As opposed to the infected component being on the motherboard, or on a DVD *disc*, or...) How did you determine this?
Booting a DVD live-image of ubuntu, invocations of firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the harddrive, but equally it may have been one of the ubuntu images.
As another poster suggested, "jon recovery system" appears to originate from the httpd in D-Link firmware for router appliances. If you remove all NICs from the "infected PC", do the symptoms go away?

On Thu, 24 Dec 2015 01:26:53 AM Douglas Ray via luv-main wrote:
We have a PC with firmware malware on - at least - both DVDs.
Do you have a reference for DVD firmware malware?
I don't know if it's worth recovering the system, but I definitely want to find diagnostics for identifying infections and vectors on the rest of the LAN.
Booting a DVD live-image of ubuntu, invocations of firefox are intercepted and come up as "JON recovery system" or some such. The attack vector may have been the old XP system on the harddrive, but equally it may have been one of the ubuntu images.
A google search on "JON recovery system" gives results about corrupted routers from D-Link. Apparently if your firmware is corrupted in such a router it will give you a "JON recovery system" web page to allow you to fix things.

Why would someone go to the immense effort of creating malware that can either intercept filesystem access to give a different version of the application files or modify the OS kernel to change the application in memory and then do something obvious like give a bogus web site?

Are you sure your dlink router isn't broken?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

Hi all,

This may be a little off topic but it might be illuminating if you have not seen it before.
https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pd...

best wishes
Tony White