#BadBios, aka #BadlyDoneDamageControl

Sunday, 27 October, Year 5 d.Tr. | Author: Mircea Popescu

00011011 kabelmast.wordpress.com/badbios-and-lotsa-paranoia-plus-fireworks
00101011 You know, I think that's a disinformation job.

00011011 Probably. Though I confess the basic idea is plausible - because I've tried it personally.
00101011 "Any" ?

00011011 The basic idea, of a usb stick that violates the standard to a productive end. Most of them have reprogrammable micros, too. There are about five major chipset makers.
00101011 Strangely enough, Dragos is a rare Romanian name.

00011011 Any idea where the fellow came from? I mean, more specifically than country.
00101011 No, which is why the suspicion. He's too organised in his language to come out of nowhere, yet apparently he has. "Unsafely ejecting memory sticks from infected systems bricks them for clean ones," << this for instance is easy to test.

00011011 Funnily, if his discovery were genuine, I could solve his mystery. I've got a x86-64 ICE right here on my desk. Basically a stock CPU with a logic analyzer probe.
00101011 That's the other disadvantage of the out of nowhere guy. If genuine, he has very difficult access to "infrastructure" so to speak.

00011011 http://paste.lisp.org/display/139662 every wild claim possible. Including the old Holy Grail of radio exfiltration using stock hardware.
00101011 Right. Listen, basically this has the shoddy hands of twenty-something us counter-ops all over it.

00011011 Also notice he's recommending the idiot winblows bios dumper 'copernicus', a freeware (closed source) tool that is being heavily advertised.
00101011 That's exactly it. The bone structure, as conceptual osature of the whole thing, could never bear the load of the proposed muscles, and moreover certain features are clearly borrowed from frogs. This can't be a beast, it has to be a boogaboo.

00011011 Amusingly, any one of the items on the list is quite plausible, but it reads like a cryptozoological catalogue.
00101011 Yeah. You have to be young to believe in this kitchen sink approach to fiction writing. I guess by today nobody expects the old school approach of having humanities experts give input on supposed technical writing. Which is a case of "specialisation" being implemented as complete reduction to barbarism.

00011011 Plus nobody seems to suggest solving the mystery conclusively with a logic probe.
00101011 It IS possible they don't know it exists. "Know" in the sense of easy familiarity.

00011011 Where are the, well, engineers?
00101011 The engineers weren't motivated enough to participate in this project, and besides they're ideologically dubious.

00011011 Still trying to find where he says he got the sample.
00101011 The only valuable nugget I detach is that the US is really afraid of sticks for some reason. Notwithstanding the historical use to great success (Osama etc) I fail to see why. Perhaps because they really imagine Schneier's cloud approach to life could be promoted instead.

00011011 More prosaic explanation: it's a shill for mitre (vendor pushing 'copernicus'). Might be high time for a thorough reversing job of the latter. Every dragos post seems to bring up copernicus, without fail.
00101011 Perhaps. Do you see a problem with my publishing of this convo ?
00011011 Publish away. I regard anything transmitted as plaintext as public anyway.

At least, that's how we feel about it.

Category: Trilterviuri
Comments feed : RSS 2.0. Leave your own comment below, or send a trackback.

4 Responses

  1. Say what?

  2. As you know I have been following this on my blog and have been careful to prefix my suspicions on its authenticity on each posting I have made. The SDR claim is very hard to believe. BIOS persistent malware isn't new - I don't want to repeat what I have said a few times both on my blog and on Schneier's but the first good example of such a thing was actually the commercial tracking software Computrace that ensured its persistence with a small BIOS module. The module had crude NTFS support and checked for computrace on the machine. If it wasn't already there it would rename a windows service that is executed on boot to another name (rpcnet.exe > rpcnetp.exe) and then inject its code into rpcnet.exe. The code is a simple shim that loads itself and then executes the real rpcnet.

    So there's no doubt this stuff can be done. Given how prolific they are targeting Phoenix would be the best bet. It is easy enough to dump the existing bios to a file (so you don't need to know what it is) add your module with the same tools that you would use to add a boot logo or say etherboot to the ROM and then flash it. But the level of complexity this Dragos is on about seems ridiculous.

    The Russians are good, but not that good.

    I would love to be proven wrong though as it would be very cool.

  3. Mircea Popescu`s avatar
    Mircea Popescu 
    Wednesday, 30 October 2013

    Just about.

  1. [...] Mircea over at Trilema seems to believe that this is all bunk. At this point it is difficult to conclusive say but as they [...]

Add your cents! »
    If this is your first comment, it will wait to be approved. This usually takes a few hours. Subsequent comments are not delayed.