
NSA's BIOS Backdoor a.k.a. God Mode Malware - notastartup
http://resources.infosecinstitute.com/nsa-bios-backdoor-god-mode-malware-deitybounce/?Print=Yes
======
xSwag
Why is this website not banned yet? They're very well known plagiarists.

[http://attrition.org/errata/charlatan/infosec_institute/](http://attrition.org/errata/charlatan/infosec_institute/)

~~~
jacquesm
It appears this article is a confirmation of that.

[https://sites.google.com/site/pinczakko/nsa-bios-backdoor-a-...](https://sites.google.com/site/pinczakko/nsa-bios-backdoor-a-k-a-god-mode-malware---part-1)

It took a while to find the original, it's a PDF rather than a web page and it
was plagiarized within days of being published, google picked up on the
plagiarized copy before it ever saw the original by the looks of it.

~~~
pascal_cuoq
I am not sure how you get from the PDF to the confirmation. The first page of
the PDF says it is from “Infosec Institute” and “Darmawan Salihun”. If you
want to show plagiarism, should you not be linking to a version that has the
same contents but with different authors?

------
greenyoda
It's interesting that this malware only targets certain models of Dell
PowerEdge servers with particular RAID controllers. Since the average
terrorist isn't likely to be using one of these, it would seem that the
purpose of this malware is for spying on businesses or government agencies.

~~~
thrownaway2424
Are you well-acquainted with the census of popular server hardware among
terrorist organizations? If so, please elaborate. If not, tell us what could
possibly lead you to write such a comment.

~~~
coolj
I get the impression that most violent terrorist groups are rather low-tech
and are not using _any_ server hardware. If you're aware of terrorists
routinely operating DCs or co-locating servers, feel free to correct my
understanding.

~~~
cLeEOGPw
I wouldn't be surprised if ISIS would use more advanced and up to date server
hardware than most corporations.

------
userbinator
Here's another reason why using a free BIOS like Coreboot is a great idea - if
malware attempts to reflash it with an infected copy of presumably the
original proprietary BIOS, it will be very, _very_ obvious.

Another "tamper detection" idea, if you're OK with using proprietary BIOS
and/or Coreboot isn't supported, is to add a small piece of code to the
existing BIOS that simply hashes the ROM contents and prints out a human-
readable string to the boot screen based on that. If it goes missing or
changes, then you can suspect something happened. Of course, the trick is to
_not_ have everyone doing this with the same code, or backdoors will just
detect and spoof it. I modded the BIOS of an old machine I have to do this, it
prints out "Customised by {my handle}".

~~~
pdkl95
This is an interesting idea, but don't expect humans to notice some random
string (i.e. fingerprint, checksum) changing. Instead, use something like
OpenSSH's "randomart"[1]. It can be made such that any small change makes a
totally different blob pattern (BIG bonus points for using COLOR!).

Possibly, this could even be chained into the background of the main OS load
sequence, such that you see something like a Perlin-style colorful noise
pattern during the longest part of the boot sequence. This could even hash
other parts of the loader besides the BIOS, too.

The idea being that you (probably) won't notice if

    801EF9B138222F39EB2907634BC7FD47F9151919

changes to

    40AE7CE2796FB14526ABB92B67BC0F1423B85B96

Almost everybody would notice if the boot sequence wallpaper that you've seen
for months/years

[http://cs263.markaoyama.com/img/p5_abs_perlin_5_gens.PNG](http://cs263.markaoyama.com/img/p5_abs_perlin_5_gens.PNG)

changes into

[http://cs263.markaoyama.com/img/p5_perlin_5_gen.PNG](http://cs263.markaoyama.com/img/p5_perlin_5_gen.PNG)

(images taken from a very brief GIS of random Perlin noise articles)

There are many alternatives. The key here is to engage the human visual
system. Proof of why this works: the popularity of font-lock-mode.

[1] [http://superuser.com/questions/22535/what-is-randomart-produ...](http://superuser.com/questions/22535/what-is-randomart-produced-by-ssh-keygen)

~~~
halfcat
TBH, I don't think this would be very effective at all. I manage hundreds of
servers for businesses, and if I ever see a Dell splash screen it's purely by
accident. With basically everyone using virtualization, it's a long time
between reboots for physical servers to begin with. And when I do need to
reboot the physical server, I'm usually sitting at home in my underwear, not
looking at the console. We can manage most of the BIOS-level settings through
Dell-provided tools, so even when we change BIOS settings, we don't go into
the BIOS.

In my IT experience, anything requiring manual human checking basically
doesn't get done after the first handful of iterations. If it needs to be
reliable, it needs to be automated. My best guess is, you can install a
package from Dell to enable BIOS info to be pulled via WMI (Dell OMCI I
think). You can set all of your BIOS asset tags to some unique value (per
machine) and if it changes, your monitoring software will see it and alert
you. I'm not sure how easy this would be to spoof though. It might be trivial.

Fortunately, most of the models they mention have been out of warranty for
some years now, and most businesses choose to upgrade to a supported model.
For businesses who chose not to upgrade to supported models, it's usually a
reflection of the immature management in charge of the business, meaning they
make poor decisions in many areas, so a BIOS hack is way down the list of
potential problems for them.

~~~
pdkl95
> In my IT experience, anything requiring manual human checking basically
> doesn't get done

I fully agree - that's why I like this idea; it doesn't rely on humans actively
doing something, and instead engages the subconscious. Because our brain is
constantly making predictions about everything we perceive, we tend to notice
(without trying) if something subtly violates those predictions. We see this
effect when people describe how they felt something was "off" or "wrong"
before some big event. They probably _did_ see something important, but not
enough to recognize it or parse it consciously.

Engaging the warning system of our fight-or-flight reflexes - which is very
effective at processing _visual_ sense input - is probably one of the more
practical ways of getting past this "humans won't bother" category.

Also, a visual-hash isn't really trying to be perfect anyway. It's just a
trick that would be very easy to implement. It won't get anywhere _close_ to
catching all attacks. It would probably catch more than our current strategy
of doing nothing. When you start from 0, any improvement helps. The only
reason _not_ to do this kind of scheme would be if it raised the costs, but I
doubt that would be a problem given how much headroom we have in modern
hardware.

------
DiThi
If the page author reads this: I find the delayed sidebar animation very
annoying. Also so distracting I'd say the "Want to learn more?" boxes are less
effective this way.

~~~
kbaker
Haha, same here, I nuked it with a display:none to #sidebar because it was so
annoying and I wanted to finish the article.

------
anonbanker
So, I was making the correct determination when requiring that all server and
desktop hardware purchased by my companies originate from BRICS nations.
Avoiding dell/cisco/juniper/hp for networking equipment, and opting for Custom
RK3188 and AllWinner A23-based routers/switches and desktop thin clients
running (Debian/Angstrom) linux are gonna throw more than one wrench in any
surveillance plans.

I wonder how many exploits the Five Eyes have for Tahoe-LAFS running on LVM
disks. I'm betting on very few.

~~~
lobotryas
Isn't this changing the devil you know for one you don't? Instead of
potentially having NSA spy on your org, you have potential of China and Russia
doing the spying?

Or is there solid evidence that these countries aren't engaging in the same
stuff as the NSA?

~~~
oafitupa
Engineers have to work with what they have.

Do you disagree that he made the right decision?

Is there solid evidence that these countries are engaging in the same stuff as
the NSA?

~~~
lobotryas
Yes, I disagree. If there's an almost guaranteed chance that my org will be
spied on, I would rather have the US do the spying. Unlike a BRICS country, at
least the US has the occasional Snowden to shed light on things. The resulting
scandal may do little to change the status quo, but it'll lead to a discussion
and maybe a civil suit my company can win.

I have never heard of a similar public leaker from Russia or China (I imagine
those people just quickly get disappeared).

As for BRICS country spying, we have some very solid evidence that China is
engaging in cyber espionage of both US military and corporate targets.

~~~
smm2000
If you are working on a US-based consumer web site, spying by the NSA could be
much more harmful than spying by China or Russia for the vast majority of
users. The NSA is known to provide leads to police, who then reconstruct
evidence to exclude any links to the NSA and still arrest/harass the person.
There are people who are not national security risks in US jails because of
the NSA (mostly drug busts). BRICS countries have zero interest in whether you
smoke dope in your free time and won't rat you out to local police.

PS. I am not arguing that they should not be in jail. Just that NSA used semi-
legal (waterboarding!=torture kind) methods to obtain initial leads.

~~~
ohashi
What if dissidents are using your service because it's outside their country
of origin and they get disappeared because of it?

~~~
smm2000
As I said, it's better to be located outside of the country where the majority
of your users are. If your service targets the American market, you can
minimize risk to the majority of your users by locating the service outside of
the US. Dissidents disappearing is mostly a red herring - people disappear in
the US too (Guantanamo).

------
PhantomGremlin
In "the good old days" before the race to the bottom that value-engineered
every penny of cost out of a product, motherboards and expansion cards had
onboard hardware jumpers or switches that protected the ROM from modification.
It was impossible to update the BIOS without opening the case and physically
moving the jumper.

But that jumper cost money, and perhaps more importantly confused half the
sysadmins and users out there. So the jumper is gone. Any program that knows
the magic output sequence can overwrite the firmware. We're relying on
security through obscurity to save us.

And if I'm Dell, I'm thinking: Hey, what about HP? What about IBM? Why single
me out? Most if not all of these computers are vulnerable to similar attacks.

------
skrzyp
Nothing surprising, just take a look at Intel iAMT ;)

~~~
Spooky23
Forget about AMT, it's a major pain to enable even if you need to. The
Computrace "Laptop LoJack" application is trivial to activate and has been
embedded in most major OEM BIOSes for years.

[http://www.absolute.com/en/partners/bios-compatibility.aspx](http://www.absolute.com/en/partners/bios-compatibility.aspx)

It's capable of phoning home, deleting or replacing files on the operating
system and wiping out the system. It can persist across reinstallations of
supported operating systems. When combined with AMT features it can
permanently brick the device as well.

~~~
userbinator
Reading this sentence from the article reminded me of Computrace:

 _because even a rudimentary NTFS driver would require at least several tens
of kilobytes of space when compressed_

The Computrace option ROM is a little over 20KB (compressed), yet it contains
much of the functionality of the NSA backdoor described in the article -
including write-support drivers for FAT/FAT32/NTFS.

[http://securelist.com/analysis/publications/58278/absolute-c...](http://securelist.com/analysis/publications/58278/absolute-computrace-revisited/)

So the reason for using the RAID controller's option ROM may be for stealth
instead of size restrictions, and it also means that, if the NSA can tell
Absolute what to do, they already have a BIOS-level backdoor into nearly
everyone's machines.

------
jokoon
I could never work in computer security

