It is incredible: even the most generous estimation of the NSA's capabilities before the Snowden disclosures now looks conservative. This is the stuff conspiracy theories are made of.
UR = UNITEDRAKE ("Regin", basically?). And that'd probably be rmgree5@nsa.gov: that's the format their addresses are in.
AlyssaRowan|11 years ago
This does seem to be, broadly speaking, NSA's top-dollar brand-new 0-day-laden (at the time) malware, that they use to launch their less shiny stuff, which is more awkward and a massive overfunded modular boondoggle. This does not seem to be as freely shared around with the "Five Eyes".
By the way, there are innocent machines in the US infected with this thing, at this very moment. Anyone care to explain that?
The hard-drive component should be completely detectable, if you don't boot from it, based on the (small, sadly incomplete) fragment of (Cortex-M0?) stuff I've seen. Power-cycle it, send an ATA reset, read the MBR and following sectors. Look out for the NIC "option rom" persistence module, too - you may be well-advised to do it from something really exotic that doesn't run x86, just in case! (Independent hackers are running (µ)Linux on hard disks now, so it's not surprising a huge agency able to spend billions of dollars of tax money funding contractors on tiny pieces of this project got something of a head start!) Not sure of a good way to detect it in software, but it's not perfect, so it probably can be redpilled somehow.
Watch for "CD-ROM"s that unexpectedly have ATIPs, I guess?
Detecting an infected hard drive in software would be the usual malware arms race: you find some characteristic of it, they improve the firmware.
wongarsu|11 years ago
But if we start to systematically check for it, it should be easy to discover via hardware debugging. Find the JTAG interface on the hard disk controller (or whatever debugging interface the specific processor uses), dump the firmware and compare it to firmware dumps from other hard drives of the same model. I don't see how they could fool that process (given that you have a clean machine to read out the firmware).
Of course to be thorough you would have to check pretty much the firmware of every component of the computer.
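A host-side checker for the two comparisons proposed above: the raw-sector read after a reset from a machine that did not boot off the drive, and the debug-port firmware dump diffed against a dump from a known-clean drive of the same model. This is an added example, not code anyone posted in the thread. It assumes the firmware dump has already been pulled over JTAG into a file; only `read_sectors()` touches hardware, and the MBR and firmware bytes below are constructed by hand so the script runs offline.

```python
import hashlib
import os
import struct

SECTOR = 512


def read_sectors(path, lba, count):
    """Raw read of `count` sectors at `lba` from a block device or image file.
    Run it from a clean machine that did not boot from `path`, as suggested
    in the thread, so the host OS has not already been fed by the drive."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.pread(fd, count * SECTOR, lba * SECTOR)
    finally:
        os.close(fd)


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, disk signature, the four
    partition entries and the 0x55AA boot-signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        start, size = struct.unpack_from("<II", sector, off + 8)
        parts.append({"status": sector[off], "type": sector[off + 4],
                      "lba": start, "sectors": size})
    return {
        "boot_code": sector[:440],
        "disk_sig": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
        "signature_ok": sector[510:512] == b"\x55\xaa",
    }


def diff_ranges(ref, sample):
    """List (offset, length) runs where two byte strings differ; a length
    mismatch is reported as one trailing run covering the extra bytes."""
    ranges, start = [], None
    n = min(len(ref), len(sample))
    for i in range(n):
        if ref[i] != sample[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, n - start))
    if len(ref) != len(sample):
        ranges.append((n, abs(len(ref) - len(sample))))
    return ranges


def check_mbr(ref_sector, sample_sector):
    """Compare the boot code and partition table of a drive's MBR with a
    reference sector (e.g. a dd copy of sector 0 taken right after install)."""
    ref, smp = parse_mbr(ref_sector), parse_mbr(sample_sector)
    findings = []
    if not smp["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    for off, ln in diff_ranges(ref["boot_code"], smp["boot_code"]):
        findings.append("boot code differs at 0x%03x (%d bytes)" % (off, ln))
    if ref["partitions"] != smp["partitions"]:
        findings.append("partition table differs")
    return findings


def check_firmware(ref_dump, sample_dump):
    """Compare a debug-port firmware dump with a dump from a known-clean drive
    of the same model and firmware revision; identical hashes short-circuit."""
    if hashlib.sha256(ref_dump).digest() == hashlib.sha256(sample_dump).digest():
        return []
    return diff_ranges(ref_dump, sample_dump)


# --- constructed sample inputs (not captured from real hardware) -------------
CLEAN_MBR = bytearray(SECTOR)
CLEAN_MBR[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"       # placeholder boot-code bytes
struct.pack_into("<I", CLEAN_MBR, 440, 0xDEADBEEF)           # disk signature
struct.pack_into("<BBBBBBBBII", CLEAN_MBR, 446,              # one bootable type-0x83 partition
                 0x80, 0, 0, 0, 0x83, 0, 0, 0, 2048, 1_000_000)
CLEAN_MBR[510:512] = b"\x55\xaa"
CLEAN_MBR = bytes(CLEAN_MBR)

PATCHED_MBR = bytearray(CLEAN_MBR)                           # same table, patched boot code
PATCHED_MBR[0x20:0x28] = b"\xe8\x10\x01\xeb\xfe\x90\x90\x90"
PATCHED_MBR = bytes(PATCHED_MBR)

CLEAN_FW = bytes(range(256)) * 16                            # 4 KiB stand-in for a dump
TAMPERED_FW = CLEAN_FW[:0x800] + b"\xff" * 16 + CLEAN_FW[0x810:]

if __name__ == "__main__":
    print("MBR:", check_mbr(CLEAN_MBR, PATCHED_MBR) or "clean")
    print("firmware:", check_firmware(CLEAN_FW, TAMPERED_FW) or "clean")
```

The reference for `check_firmware()` has to come from a drive of the same model and firmware revision, dumped the same way, or every legitimate per-unit region (serial numbers, adaptive calibration data) will show up as a diff; in practice you diff several clean units against each other first to learn which ranges vary anyway. As wongarsu notes, the same comparison has to be repeated for every other firmware-bearing component, including the NIC option ROM.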
kw71|11 years ago
The malware might remain quiescent unless the examination techniques mimic a computer that is booting.
I might prefer to use an analyzer to monitor the disk channel of a machine that is booting and running.
Building a SATA probe/analyzer is within hobbyist knowledge and skill levels now. If you have money you can simply buy it from LeCroy and many others, or rent it by the month/week.
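To go with the suggestion of watching the SATA link while the machine boots, an added example (not from the thread, and not tied to any particular analyzer) that post-processes a capture once it has been exported as raw FIS frames. It decodes Register H2D FISes per the SATA frame layout, flags DOWNLOAD MICROCODE and vendor-specific opcodes, and, more to the point of the quiescent-until-boot worry, reports any LBA whose contents come back different on a later read. The capture below is constructed by hand; `build_h2d()` and `build_data()` exist only to build it.

```python
import hashlib

FIS_REG_H2D = 0x27           # Register FIS, host to device: carries ATA commands
FIS_DATA = 0x46              # Data FIS: payload, either direction
ATA_DOWNLOAD_MICROCODE = 0x92
# Non-queued reads whose LBA and count live in the Register FIS. NCQ (0x60)
# carries the count in Features and returns data out of order; not modelled.
READ_COMMANDS = {0x20, 0x24, 0x25, 0xC8}   # READ SECTORS(EXT), READ DMA (EXT)


def parse_h2d(fis):
    """Decode a 20-byte Register H2D FIS: command, 48-bit LBA, 16-bit count."""
    if len(fis) != 20 or fis[0] != FIS_REG_H2D:
        raise ValueError("not a Register H2D FIS")
    lba = 0
    for i, shift in zip((4, 5, 6, 8, 9, 10), range(0, 48, 8)):
        lba |= fis[i] << shift
    return {"command": fis[2], "lba": lba,
            "count": fis[12] | fis[13] << 8,
            "is_command": bool(fis[1] & 0x80)}   # C bit: command vs. control update


def build_h2d(command, lba=0, count=1):
    """Encoder used only to construct the sample capture below."""
    fis = bytearray(20)
    fis[0], fis[1], fis[2], fis[7] = FIS_REG_H2D, 0x80, command, 0x40  # C bit; LBA mode
    for i, shift in zip((4, 5, 6, 8, 9, 10), range(0, 48, 8)):
        fis[i] = (lba >> shift) & 0xFF
    fis[12], fis[13] = count & 0xFF, (count >> 8) & 0xFF
    return bytes(fis)


def build_data(payload):
    """Data FIS: type byte, PM port byte, two reserved bytes, then the payload."""
    return bytes([FIS_DATA, 0, 0, 0]) + payload


def audit_capture(frames):
    """frames: [(direction, fis_bytes), ...] with direction 'h2d' or 'd2h', in
    bus order. Data FISes following a read command are attributed to that
    command's LBAs; the first contents seen for each LBA are remembered and
    every later read of the same LBA is checked against them."""
    findings, seen, pending = [], {}, None
    for direction, fis in frames:
        if direction == "h2d" and fis[0] == FIS_REG_H2D:
            cmd = parse_h2d(fis)
            if not cmd["is_command"]:
                continue
            if cmd["command"] == ATA_DOWNLOAD_MICROCODE:
                findings.append("DOWNLOAD MICROCODE (0x92) issued on the bus")
            elif 0x80 <= cmd["command"] <= 0x8F:      # vendor-specific opcode range
                findings.append("vendor-specific command 0x%02x" % cmd["command"])
            pending = cmd if cmd["command"] in READ_COMMANDS else None
        elif direction == "d2h" and fis[0] == FIS_DATA and pending is not None:
            payload = fis[4:]
            for i in range(0, len(payload), 512):
                digest = hashlib.sha256(payload[i:i + 512]).hexdigest()
                lba = pending["lba"]
                if seen.setdefault(lba, digest) != digest:
                    findings.append("LBA %d returned different contents than an earlier read" % lba)
                pending["lba"] += 1
                pending["count"] -= 1
            if pending["count"] <= 0:                 # whole read delivered
                pending = None
    return findings


# --- constructed capture: BIOS reads the MBR, the OS reads it again later ----
BOOT_SECTOR = b"\x33\xc0" + b"\x00" * 508 + b"\x55\xaa"
SWAPPED_SECTOR = b"\xeb\x3c" + b"\x00" * 508 + b"\x55\xaa"   # same LBA, different bytes
SAMPLE_CAPTURE = [
    ("h2d", build_h2d(0x25, lba=0, count=1)),       # READ DMA EXT, LBA 0, at boot
    ("d2h", build_data(BOOT_SECTOR)),
    ("h2d", build_h2d(0x25, lba=2048, count=1)),    # first partition
    ("d2h", build_data(b"\x11" * 512)),
    ("h2d", build_h2d(0x25, lba=0, count=1)),       # LBA 0 read again after boot
    ("d2h", build_data(SWAPPED_SECTOR)),
    ("h2d", build_h2d(ATA_DOWNLOAD_MICROCODE)),     # firmware update on the wire
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)
```

A real capture also carries WRITE commands, and a sector legitimately rewritten by the OS will of course read back differently, so a production version has to update `seen` on writes to avoid false positives; DMA Setup and PIO Setup FISes, and NCQ reordering, are likewise left out here. The vendor-specific range check is a heuristic: some drives use those opcodes for ordinary diagnostics, so treat it as something to look at, not proof.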
Had a family member that worked for SPEA (test equipment manufacturer). Said different government organizations would bring in boards with massively parallel sets of chips and input/output on them, like nothing they ever saw in any other field. They were expressly forbidden to take pictures of them.
pixl97|11 years ago
Between that and the massive data centers they are building I'm guessing they have rather impressive capabilities.
This particular set of exploits has little to do with collecting information. This seems to be directly related to command and control operations, including over systems that aren't connected to the internet.
relaunched|11 years ago
There is a pretty scary set of discovered exploits.
final|11 years ago
Nobody is innocent. The government has enemies both internal and external.