|
Generally booting up BartPE with McAfee some recent definitions will cure most viruses or spyware but I haven't had to do this recently for anyone. This sounds insane. 
|
#
¿
Dec 16, 2008 01:27
|
|
|
|
| # ¿ May 20, 2024 23:53 |
|
|
Install Windows posted:The key thing is that this is pretty much impossible to spread on a wide basis, due to the fact you have to know very specific hardware attributes in order for it to function on a wide range of target computers. Hell, the sound thing for one simply won't work in places where there's sufficient environmental noise, or sufficiently poor quality speakers. Audio networking is actually a surprisingly robust technique that has significant commercial applications/implementations. I'm sure it's not perfect, but it's pretty good. http://www.engadget.com/2012/06/13/yamaha-and-fuji-tv-make-infosound-apps/ https://sonicnotify.com/ http://lisnr.com/ You can of course trade off bandwidth for reliability if necessary. Operating in low-SNR environments is a firmly established problem. This virus isn't uploading HD video, it's probably dial up speeds at best. Like Yamaha Infosound: 80 bits per second, with a range of 33 feet. It's more than enough to get nuclear_program_timetable.xls to the right people. It is indeed a very technically impressive exploit if this guy's right. The virus is apparently integrated at basically all levels from probably the firmware level to the UEFI BIOS all the way up to the operating system, across a variety of hardware, across a variety of operating systems, across any available communications channels (IP, bluetooth, audio networking) including some very unusual modes. I can't look at that and not think "state sponsored". I mean think about the act of reconstituting itself after a BIOS flash. There has to be some bare metal firmware exploit to get the audio packets (he speculates the peripheral controller), which probably then find another active infection and get a copy of the BIOS virus, which then probably reloads an OS hack. That's pretty analogous to the OS bootstrapping procedure right there. And there's probably many similar solutions, like the high-level program maintaining a database of exploits to help bootstrap the BIOS/bare metal across various communications channels (hence the "acts like it's connected to the internet" bit). Paul MaudDib fucked around with this message at 16:26 on Nov 1, 2013 |
|
#
¿
Nov 1, 2013 15:40
|
|
|
There's a slightly less hyperbolic explanation here, with a few slightly different takes on Dragos' analysis and thoughts on the practicality. I kind of disagree on his analysis that the relatively known nature of the exploits themselves means it's not a state-sponsored virus. It's not the exploits themselves that are terribly new, it's the fact that they're all tied up in an extremely persistent top-to-bottom rootkit that can target incredibly broad swaths of hardware/software and is obviously espionage-oriented given that it's designed to jump airgaps and stuff. I mean sure people build botnets all the time, but you generally don't write an OpenBSD virus to do it. At a minimum it's probably an industrial espionage tool. And yeah, it would be somewhat trickier since you'd be working at the bare-metal level. You can't exactly just pop open Audacity inside the audio chipset, but signal processing is the whole reason we have audio chips in the first place. The BIOS isn't the only point of vulnerability here, you could also attack the peripherals themselves, or perhaps the southbridge. Paul MaudDib fucked around with this message at 21:20 on Nov 1, 2013 |
|
#
¿
Nov 1, 2013 20:49
|
|
|
I hope whoever wrote it put a killswitch on it, so on some arbitrary day it melts away into the ether 
|
|
#
¿
Nov 1, 2013 23:21
|
|
|
Khablam posted:Not only is what is described physically impossible, but WHY it is impossible is explained diligently in the actual article, such that people "in on it" can snicker to themselves at their cleverness. i.e. it's a pretty basic troll. quote:So it turns out that annoying high frequency whine in my soundsystem isn't crappy electrical noise that has been plaguing my wiring for years. It is actually high frequency ultrasonic transmissions that malware has been using to communicate to airgapped computers... one "ghost" located at least. And now we know how the "hypervisor" functions, its probably stored in the realtek firmware, and thats one of the ways it survives reinstalls and BIOS reflashing. Off to find tools to dump the RealTek audio chips, and to try to find clean firmware to compare it to. Haven't ruled out video firmware yet, either. I suppose there's multiple ways you could take that. A, dude's faking it (how would audio frequency transmissions cause a signal in a stereo?), B, he actually has had a schizophrenic break, C, he's right or it's in some other local chip. He does claim to have released some files that differed on a clean install. Although it could be something like a different driver set. quote:
Paul MaudDib fucked around with this message at 01:34 on Nov 2, 2013 |
|
#
¿
Nov 2, 2013 01:19
|
|
|
I dunno, you could probably do a low-level bootstrapper that communicates via sound. It obviously couldn't be the initial infection vector but it's plausible that it could be used to reload the virus after you try to remove it. Yeah, it sounds stupid when you call it "whalesong" but one of the most common ways to dump firmware from hardware that doesn't really want you to dump it is to blink an LED, and then you turn it to binary with a phototransistor. This is basically just that in reverse with a sound chipset and some softmodem code, which I'm sure there's plenty of floating around from the dialup era. And from the initial experiments people are doing, the "cheap hardware is not capable of ultrasound" argument kinda falls apart. A 20khz low pass filter doesn't mean it instantly provides infinity dB suppression at 20.0001khz. Here's a cheap netbook playing a 20khz tone to a nearby MacBook Air with music playing in the background.  That's just a carrier, but you can very probably find some way to modulate that slowly at a minimum. He found a ceiling of about 24khz with the setup, so there's something like 4-6khz of bandwidth there, which is quite a bit. The narrower you pack your signal, the slower the datarate gets, but you also get more bang for your wattage. 1khz is considered a very wide bandwidth signal on HF radio, for example PSK31 operates in 31.25 hz bandwidth and 25 watts can propagate globally. A whole SSB voice channel is only 2.5khz. You don't need megabits per second in every situation, and it's actually a detriment to the range and reliability of transmission. It seems like a weird "gotcha" for a security researcher to burn his reputation on. Individually the elements are plausible. ACPI rootkits exist, there are several hypervisor rootkits, and firmware viruses exist. I'm sure people have done stranger things than writing a virus for an audio chipset or a southbridge controller or something, and sure, if a security researcher of 15 years claims that he has a hypervisor rootkit that uses those as a stealth re-loader I'll entertain the thought. It's really only the tight integration and the big toolbox you'd need to successfully target a meaningful amount of hardware/software that seems implausible here, and you could fix that by throwing money at it. "AHA! That software could exist but it would be really expensive and have to be really well written!" isn't much of a gotcha. Of course one would think that in three years of working on this virus he would have some samples that he could release. Or at least some recordings of the audio stream. And the "so that hum in my speaker system is actually a supervirus" isn't confidence inspiring either. Paul MaudDib fucked around with this message at 20:01 on Nov 2, 2013 |
|
#
¿
Nov 2, 2013 16:45
|
|
|
I don't know what "the original article" is here. Is it the ArsTechnica one? Because he didn't (openly) write that. And I don't see anything that's truly impossible in there. I don't see anything impossible in his Google+ feed either, which is the only thing I've read direct from him. So a longtime security expert describes a plausible-sounding virus, possibly with some contradictory details (that no one has specifically named), but not enough information to really verify any of it, and we're supposed to be fools for not just instantly rejecting it out of hand? If that's really his game, that's incredibly unprofessional and proves nothing more than the fact that experts can abuse their authority. Can you imagine the CDC pulling a stunt like that? "We told everyone that we found SuperAIDS that spreads by toilet seats and you trusted us, heh, plebs  "Frankly if anything the opposite is true. Like people claiming that a 20khz low pass filter in a speaker would cause full suppression at 20khz, even in the face of easy tests you can do yourself (just tried it, sitting on my lap my laptop's lovely mic can pick up my lovely desk speakers at 20khz no problem). Sure, be skeptical, I'm not throwing out every computer in the house either. He certainly should provide some evidence of this if it exists - a recording of the audio transmission, some samples of the virus, etc. At the same time it's not impossible that someone could put their mind and some serious funding and intel into it and make something like that. Probably a state actor or organized crime or something. There's certainly an angle on how bad media reporting is. Like, it obviously can't infect your computer with sound alone, and so on. Paul MaudDib fucked around with this message at 21:48 on Nov 2, 2013 |
|
#
¿
Nov 2, 2013 20:11
|
|
|
Big demands from a person who apparently didn't even bother playing a tone generator website though his speakers before pontificating about how cheap hardware obviously couldn't send or receive a frequency marginally above their nominal spec. Computer viruses aren't audiophiles. No, I really doubt a researcher with 15 years in the field is going to burn up his career to make a semantic point about how if you can "jump an airgap" that means there was never an airgap to begin with. As I've said repeatedly, the proof is in the pudding. The concept doesn't seem impossible, if you ignore the cross-platform claim (difficult) and the sound modem it would be just another vicious trojan, but there's no reason to believe it exists except "he says it does". If it exists, it would be super easy to release some recordings of it communicating. Although then people would probably just fishmech out over whether he just forged a recording or something. He'd really need to post some demonstrably malicious binary to have solid proof. People have offered to buy a contaminated system to have them analyzed more thoroughly and he hasn't done that. Another approach would be producing the USB controller firmware dumps on something that would be truly different and binary incompatible with x86, maybe an ARM or 68k or PPC. Or really substantial proof of any kind. There's just not enough information to either dismiss it as a troll or accept it as real. Or the dude could legitimately be going nuts, this "virus" has been afflicting his systems more and more over the past three years yet no one else has ever seen it in the wild, people went through a BIOS dump and couldn't find anything, his writing is pretty erratic, etc. Onset of schizophrenia, anyone? If he's making legitimately impossible claims, that would explain it equally well. Paul MaudDib fucked around with this message at 02:50 on Nov 3, 2013 |
|
#
¿
Nov 2, 2013 23:48
|
|
|
Apparently GCHQ is using MITM attacks at GRX mobile exchanges and internet exchanges. Here, they used MITM attacks on LinkedIn and Slashdot to drop malware onto the computers of engineers for the GRX router system. From there, they can perform other attacks, like monitoring users or using a MITM to drop malware onto smartphones. This apparently includes the capability of remote microphone activation. And their end goal is to be able to deploy malware ("implants") when they only know the MSISDN. http://www.spiegel.de/international/world/ghcq-targets-engineers-with-fake-linkedin-pages-a-932821.html Pretty impressive stuff, people swore up and down that most of that stuff was impossible earlier this year. Paul MaudDib fucked around with this message at 22:20 on Nov 12, 2013 |
|
#
¿
Nov 12, 2013 17:19
|
|
|
Ur Getting Fatter posted:Would using encrypted voice-communications apps help, or are they literally picking up everything your microphone records (ie: before the app itself can even get a chance to encrypt it)? It totally depends on the particular attack vector. Sure, they can pick up anything you send in an unencrypted over-the-air conversation, they don't even need to compromise your phone to do that. If they get a process running in the background, or push a phony update for something that runs in the background, they could turn on your microphone and hear everything around you before it hits encryption. Or they could force an update that breaks the encryption or reduces the entropy or something like that. On the other hand they don't even necessarily need to be doing this from user-facing OS. Like the firmware viruses we were discussing above, there is firmware in the other chips in your phone, like the radio stack/baseband chip (which runs a full-on RTOS). These are standardized (who wants to write their own radio stack?) and like most code it's done on the cheap. There's no security in there, it's just assumed that anyone who can run their own tower is legitimate and wouldn't try to attack you (an absolutely preposterous idea in a world of open source base software). quote:The insecurity of baseband software is not by error; it's by design. The standards that govern how these baseband processors and radios work were designed in the '80s, ending up with a complicated codebase written in the '90s - complete with a '90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave. There's actually at least one more OS running inside the SIM card by the way. (see pp10-13 for a summary) Paul MaudDib fucked around with this message at 22:52 on Nov 14, 2013 |
|
#
¿
Nov 14, 2013 22:47
|
|
|
jre posted:You missed the bit where the 'fake' certificate has to be issued by a trusted certificate authority otherwise it will raise an error. It's trivial to do if its a corp network because you already have your CA cert in all the browsers on work pcs and can do whatever you want. SSL/TLS is pretty thoroughly broken at this point. SSL 2 and 3 are toast, many sites allow use of the weaker modes/ciphers that are outright broken or creaking dangerously and many sites aren't using sufficiently long certificates for the ones that aren't. Other slides show that the NSA considers "decrypting all VPN starts from Country X so I can identify users" to be a reasonable request within the capabilities of their systems. So it's either broken or the NSA's Key Provisioning Service has enough keys that they can decrypt the majority of traffic. It's certainly possible that they could order the CA to issue them a certificate, or even hand over the signing certificate. Or they could have straight up stolen the CA or Slashdot's certificates, they have a hacking team called the Key Recovery Service that specializes in that. Paul MaudDib fucked around with this message at 23:34 on Nov 14, 2013 |
|
#
¿
Nov 14, 2013 22:58
|
|
|
Khablam posted:e3: Like with the just-click-through issue of non-CA certs, another attack vector is to simply not bother re-encrypting the data. You do the basic MITM attack, but the version of the site served to the user isn't using SSL. Most times people just won't notice, and there's no alert for it. A couple of years back someone did this over a Tor exit node, and he collected countless logins from people not noticing the non-SSL page. One assumes as a sample of users, 'people who use Tor' would be more likely than your average user to know to check. Yeah, this attack has been at "script kiddie" level difficulty for quite a while now. http://www.thoughtcrime.org/software/sslstrip/
|
|
#
¿
Nov 16, 2013 03:50
|
|
|
The White Dragon posted:He'd had the computer for about a year by that point, so y'know, unless you're VERY selective about what you let through with NoScript, you'll probably pick up one or two sketch-rear end things that hide themselves in AppData or wherever in the space of fifty, sixty something weeks. I grabbed Malwarebytes (thanks antivirus thread, and thanks for that link!) and ran a full scan. After two hours, it had detected--I poo poo you not--nearly 11,000 different threats. I was like, "How the gently caress did you pick up all this?" Once you have one thing, it's fairly common for it to load other poo poo, even if the user isn't an idiot who downloads all the free cursors he can. Preventing applications from running out of your User folder is one of the things CryptoPrevent and other policy-based anti-Cryptolocker tools does, so that's another good reason to install it ASAP. Paul MaudDib fucked around with this message at 15:21 on Apr 16, 2014 |
|
#
¿
Apr 16, 2014 15:13
|
|
|
I'm running Kaspersky Pure 3.0 with all but a few of the modules turned on, it's consuming 71 MB of memory and 1% CPU (Phenom II X4 830). The "security suite" control panel is pretty awful to work in, and the performance in full deep scan mode with max heuristics isn't great, but with a low false negative score who cares?
|
|
#
¿
Apr 19, 2014 05:19
|
|
|
Drunk Badger posted:Outside of what's on the OP, what's the recommendation for preventative measures for people who don't follow normal security practices? A few members of my family always end up with some malware each time I'm at their place, and I'm looking for best practices on how to lock down their Windows 7 boxes. Don't run as admin. Run NoScript + AdBlock Plus in a modern internet browser that has automatic updates. Run forced Java updates + whatever. Run MalwareBytes Premium + a decent AV client (either some form of ESET or Kasperskpy)
|
|
#
¿
Sep 8, 2014 08:03
|
|
|
Ynglaur posted:What do knowledgable goons consider to be good AV software for individuals? I know my company prefers McAfee because it's easier to manage centrally, but central administration is not a big concern for a small family. Either some flavor of kaspersky or Eset/Nod32 antivirus, plus Malwarebytes anti-malware.
|
|
#
¿
Sep 8, 2014 09:25
|
|
|
Zogo posted:I'm wondering when the XP OS will finally go out of vogue. The amount of businesses still relying on it is very impressive. It's mostly "going out of vogue" already in places where that's possible. Smart users and admins have moved to one of the newer OS's that still have active updates and stuff. According to W3schools, XP is down to 6.5% market share, versus 54.2% for Win7 and 18.1% for Win8. Now in terms of when you'll stop encountering lone installations in the wild - pretty much never. You will be finding it on Grandma's ancient desktop, industrial installations, and powering unique/unsupported software/hardware for decades to come. As an example, drum scanners usually come as a package with an archaic 68k/PPC Mac that has the drivers and software installed. It's just not economical to support a decades-old piece of hardware - nobody's going to pay thousands of dollars for an updated driver, even assuming that the manufacturer hasn't gone out of business in the meantime. Even something as simple as "getting a working SCSI card" is a challenge nowadays, after some digging I finally managed to find one Adaptec card that has Vista-compatible 64-bit drivers. Microsoft actually decided to remove the drivers for this card in Win7, but you can still install the Vista drivers manually. There's a few companies who service niche stuff like this if you really have the bucks - for example there's a company who makes an LGA1155 motherboard with ISA slots on it, price on request. Paul MaudDib fucked around with this message at 23:32 on Sep 9, 2014 |
|
#
¿
Sep 8, 2014 22:42
|
|
|
Zogo posted:Yea, a popup shows up for each browser download. The typical user will find NoScript/Sandboxie a hassle and/or the multiple layers confusing so I usually don't recommend those to everyone. Then you need to charge a fee for every time you come clean viruses off their computer or something. My girlfriend is not really a technical person, but she eventually got the hang of NoScript. Make them go to a new website that uses scripts, make them push the buttons and armchair quarterback them on what looks like a scripts server or CDN and what looks like ads, and they will figure out the thought process pretty fast. It would be super awesome if there were some sort of community-ratings system for this task. Like a plugin that looks at the NoScript settings everyone is using for horsecockstube.com and sees which domains the collective hivemind is enabling. Then you can aggregate it on a web-wide level and see that no one actually needs googlemetrics.com for any site to work properly, and so on. Paul MaudDib fucked around with this message at 01:08 on Sep 12, 2014 |
|
#
¿
Sep 12, 2014 01:05
|
|
|
Gothmog1065 posted:Does anyone know if there is a way to remove Avast externally? Their rescue disk only does scans, and I'm pretty sure that is what is stopping this computer from booting. Flattening is the next option, but was wondering if there was something before that (And I really don't want to pull this goddamn harddrive out.) Have you tried a safe mode boot? What makes you sure that Avast is keeping it from booting?
|
|
#
¿
Sep 20, 2014 00:25
|
|
|
Siochain posted:Eset or Kaspersky are the only decent antiviruses. Yup, if you're going to pay money it should be one of these two. And if you watch Newegg/etc and are willing to float a rebate, you can often pick them up for almost nothing. I got a 3-seat 1-year license on Kaspersky Pure for either $0 or $5 (after $50 rebate), and I got a 1-seat ESET license for free after a $10 or $15 rebate or something along those lines.
|
|
#
¿
Oct 9, 2014 20:40
|
|
|
omeg posted:I wonder if there were any public audits of fab security and how easy it is to plant something there. Probably not too hard for some random Chinese fab making HDD or network card controllers. We had some Intel engineer on here who insisted it was drum-tight but refused to elaborate at all. The thing is there's now stuff like dopant-level trojans that can be trivially modified at the fab, and cannot be visually differentiated from the un-modified designs. It doesn't matter if you require triple-encrypted file signoffs and handcuff the suitcase to a courier and express it across the Pacific if the night before you can just slip some guy living in the dorms at the fab $50k to replace the file and forget that you were ever there.
|
|
#
¿
Oct 8, 2015 04:15
|
|
|
|
| # ¿ May 20, 2024 23:53 |
|
|
shyduck posted:
Yeah, you have malware. I don't know this malware in particular, but the best advice is to boot from a completely separate source since the virus scanner can't efficaciously scan the OS or its own files. I think Kaspersky has a boot scanner - if regular/rootkit/full scans in Malwarebytes or Kaspersky aren't turning it up that's your next measure, scan before the poo poo gets loaded. Second, I know Kaspersky does have a Rescue Disk that can be booted from CD or USB. You should also try to get a Malwarebytes scan going from a USB boot too. For that type of stuff, way back when I used to use BartPE to build rescue discs myself with McAfee and Malwarebytes on them. Nowadays, I think perhaps you can do that stuff with the "Rufus" USB tool? It's a good tool that does unetbootin type stuff, I know there's a "build live-boot" option on there but I've never tried it. Probably a good question for this thread: what's your "deep-scan" procedure nowadays for stuff you can't afford to just wipe and re-image? Yes, dumb situation to be in, etc. Some stuff will gently caress you incredibly thoroughly and the only way to get clean is nuclear wipe the whole thing. It's always the safest option. Microsoft licenses Windows 10 based on the motherboard serial or some poo poo like that, and if you burn a disk and clean-wipe they will let you reactivate on that hardware no problem. In the past, restoring to factory original wasn't as good unless you had a factory-restore CD - some stuff will install itself to the factory recovery partition. Windows 10, though, I'd give the "wipe everything and restore to a clean build" a shot. Paul MaudDib fucked around with this message at 03:51 on Oct 22, 2015 |
|
#
¿
Oct 22, 2015 03:45
|
|
