
Major torrent sites are offline thanks to mysterious cyber attacks - Mz
http://bgr.com/2016/12/27/extratorrent-down-pirate-bay-proxy-ddos-attack/
======
tr1ck5t3r
There's some malware circulating which, from what I have seen, is loaded by
the BIOS at boot up. SanDisk memsticks seem to work well with this code; it
then proceeds to rewrite the make and model number of some Western Digital
hard disks, but not all, and I have not got it to work with Samsung, Fujitsu,
Toshiba or IBM branded HDs. All the branded and unbranded CD/DVD/Blu-ray
devices also work with this code, again writing the make and model of the
device. Thing is, you can only see this by pausing the BIOS of old PCs made in
the early 00s; the new BIOSes with SATA are too quick displaying this info,
it's like a sub-second flash on the screen.

It also appears to load some of its code into cache controllers on various
block devices where possible, which then gets loaded by some Linux distros
during boot up by SquashFS-looking inodes and metadata cache entries. For
Windows systems you have the Microsoft System Reserved partition, which
stripes your hard disk, hiding the malware that distributes malware. The
Windows MSR also reports itself as being 128MB in size when it's actually a lot
bigger than that, but various OSes hide this; early BIOSes which let you
run it at the command line (so count out your branded PCs like HP & Dell) will
show you the partition is a lot larger than it really is.

Once compromised you can say bye bye to your system. I only found this by
inserting an infected SanDisk memstick in an old PC made in 2004 which uses
ribbon cables (EIDE) and pausing the BIOS during boot up, which you can't do on
most new systems that use SATA.

I also have an infected file purporting to be a PDF file which also infects
the machine. Your clue that your system is infected is when you start seeing
Input/Output errors when using things like dd to blank block devices, and then
finding that dd fails or there is still data on the block device is another
clue. It also seems to alter firewall rules, letting itself out as well, and
the code seems to be embedded in the Linux core so you can't see this using a
Linux hex editor; you'll need an older DOS hex editor, as the Linux hex editors
will pretend you have reached the end of the file. Tested with Ubuntu 12.04,
14.04 and 16.04, Parted Magic & Kali, to name just a few. When using the Pixel
desktop from the Raspberry Pi Foundation, infected hardware stops the taskbar
from appearing, which is another clue. Another clue to suggest you may have an
infected system is that your CD/DVD may start flashing the drive lights on your
computer case at boot up more or longer than normal before your BIOS screen
appears. This only appears to be on PCs made from components; Dell & HP don't
react, but so far old Dell BIOSes in computers made in the early 00s have
destroyed themselves, but then the computers & software made in the early 00s
were more secure than today's offering.

I also can't help but wonder if the 2007 Dirty Cow exploit has created the
opportunity to introduce code that works with this firmware/malware. It's
something I've spent about 6 years on so far, as I kept finding my systems were
getting hacked but couldn't see how.

Funnily enough, all the brands I can buy at my nearest major high street
retailer seem to be the ones that work best with this malware. Is there a
modern-day equivalent of the Phoebus cartel in operation today? Time will
tell.

~~~
Grangar
Wow, what? Do you have a link to more info?

~~~
jungletek
Or, like, any sort of evidence to back up your claims?

------
glasz
One data center I work with was under attack yesterday (CET). They said it's
been malicious IPsec packets directed at their routers and they had to update their
firmwares. Not sure which vendor, I _think_ they're using Juniper.

