Detecting and eliminating hypervisor style BIOS hacks

[Progman]

Does anyone know how to detect and eliminate hypervisor style BIOS hacks which seems to be illegally being done by some shady criminals tied to private corporations and government agencies as well as microchips which are implantable and has been documented the NSA has done previously.  Certainly there should be some flaw in this, and disabling hypervisor settings in the BCD or BIOS settings or even removing power and resetting the part of BIOS memory by doing an action along the lines of holding the power button for 15 seconds can have an effect.  It would be nice to see some real solid information about this topic beyond hoping for more leaks about it in the media.

[Extreme Coders]

Hypervisor style BIOS hacks are difficult to detect,  and more so if the manufacturer of such devices has a tie up with such agencies (In reality there is).

 

In such cases the rootkit can be implemented very deep in hardware without even the processor's knowledge.Tweaking settings in BCD or BIOS will have no effect. 

The only option is to trash that hardware.

[simple]

1st, read this on why the info you mentioned was bullsh!t - http://www.rootwyrm.com/2013/11/the-badbios-analysis-is-wrong/

 

2nd, Depending on the board, you'd find how the rom was flashed then use a hardware debugger to rip and reverse the flashed image. It's not that hard. It'd be impossible to hide it.

 

3rd, "air gapped" SDR being distro'd w/laptops would destroy profits for hardware manufacturers. profits the only concern. "air gapping" requires close physical proximity. Naturally, they give little to no details on this too..

 

But I did my own research and have found it's really a group of Chinese ninja hackers. They hide all the l33t r00tkit sources on the paper inside the fortune cookies, then trade it to the Iranians for top secret flying carpet technology. Its serious. Trash that hardware.

 

edit - its possible but overhyped, not pracical, only poc. ALL "bios malware" is detectable and removeable via standard methods, and no more dangerous than any other millions of offline attacks. dont trash your computer.

Edited August 22, 2014 by simple

[Progman]

If in fact it was in the BIOS, then it would likely protect itself so that it would corrupt the new flashed image by lurking in the memory areas of the BIOS that are not flashed.

I believe they can desolder a chip on the motherboard, solder in a very small chip and then put the original chip back on top of it. In this case without a laboratory and deep knowledge of the board, one would never find the hypervisor chip. One way to block it would be to jam whatever wireless signals were being used to control it. Often I suspect they use the built-in wi-fi itself as the communication mechanism.

The only way to detect it is arbitrarily slow performance, and excessive "random" glitches but one can become certain of it over time.

In fact they have advanced collections of scripts for various hardware manufacturers. A web-cam can be partial freeze-framed where part of the image appears frozen and fixed while a certain rectangle of the image say where a clock appears continues to be seen properly. Nasty stuff.

[simple]

all the ones like blue pill, badbios, hypervisor are easily detectable w/cheap gear, even from the os. Reflash bios, problem solved.

 

"unflashable" bios is possible. again easily detected w/minimal cheap gear. considering acer (probably many more i dont know) replaces boards w/ "unflashable bios" for free, i dont think its in their interest to do that.. 

 

everything u say is easily/publically detectable. show examples of all this from the wild, this is only theory. without examples, specs, etc i will never believe any claim u make.

[kao]

Yes, bring out the tin foil hats!    Attackers always go for the easiest and most practical approach. BIOS-level attacks are extremely hard to do and there are plenty of easier ways to achieve same results, especially if target is using Windows machine w/o trusted boot and w/o full disk encryption.

 

If you're one of the extremely-high-value-targets that would warrant use of such an attack - what are you doing on this forum?

[Progman]

The world is quite corrupt now and most intellectual resources are controlled and owned by the rich.  Certainly the NSA has all the details of every computer, phone, camcorder or anything they want to hack for any target.  It is not a matter of difficulty but money.  If the rich controlling the criminals that be in the big agencies want to send them after you, then it would happen.  Electronics are not safe unless they are physically safe-guarded which is expensive.  Guaranteed security in the world now is nearly impossible except for the richest of the rich as its just a cat and mouse intelligence war consuming endless resources.

 

I suppose if one were an extremely-high-value-target, the question becomes what can be done to expose and destroy as much of the nonsense as possible?  Throw the hardware away is not really a good strategy.

 

It always raises the question of secret decompilers and reverse engineering tools that are kept protected in secret clearance or secret corporate circles.  It is hard to imagine that with such sophisticated compilers, that primitive decompilers have not been attempted by the big resources out there.

[Nemo]

Plenty of conspiracy theories out there, you shouldn't buy into them without proof .. a lot of it all is he says she says.. 

[Progman]

"How the NSA Plans to Infect 'Millions' of Computers with Malware".  I think leaked documents have brought the conspiracy to light well enough.  A simple google search will unearth plenty of press-leaked documents which was enough to blow the lid on the program.

 

It does not effect all people here yet.  But in 10 years do you think you will have a computer that does not have surveillance and attack vectors easily at the hands of the big powers?  People slept 30 years already and things have gotten bad.  Just look at the lack of progress in RE where nothing has happened for 5 years which reflects the state of the whole world.  Less conspiracy theory, most places you can just look at the behavior of people in public places for an hour before you realize the world has turned into a sick and even laughing joke of scoundrels.

 

It is one of the cases where the conspiracy involves far fewer rich elitist people than you think but the number controlled by it is far more than you would believe or imagine.  But if proof must come in the form of leaked documents then I suppose looking out the window is not going to be enough to enlighten one.

[Teddy Rogers]

If you have nothing to hide you have nothing to fear. Go Team Australia!

 

Seriously though... no one forces you to carry a mobile phone, use the internet or any other technology. You have the choice to be connected or not, the world still turns without it. I know from personal experience as it happens to me every time I drive out of town...

 

Ted.

[Progman]

Actually this has nothing to do with having nothing to hide.  The surveillance part is a minor part of it.

 

It is the attack part which they will use to do all sorts of harassing behavior.  Perhaps they want to force you to change jobs or derail a reverse engineering project.

 

That is easy, just create lots of magnetic bad clusters on the drive using certain rewriting patterns inverse to those that repair them, or scramble the page file all over the disk, or disable cameras to make break-ins possible or random crashes of software or just general slowness or what have you.

 

If you are ready to trust criminals with your technology equipment, then remember nobody wants to use surveillance someone who has nothing to hide.  But they will inevitably rationalize a right for perverted entertainment through harassing and sabotaging and any method available.  If you want to trust criminals who can rationalize outright physical torture with limitless power in the technology world then certainly they will do psychological torture here too.

 

Already examples in the media have surfaced showing how they created viruses to attack other countries.

 

The old nothing to hide line is tired and overdone.  There is not a person in any intelligence agencies interested in watching someone.  They are interested in getting rich quick with their surveillance powers which involves crime and corruption.  That is human nature when you become perversely involved with surveillance of peoples private and personal secrets.

[simple]

Stop believing the media/movies. Edwin Snowdons just trying to bang hot Rusky babes, I doubt he cares about this. Besides, mailmen have been reading the public's mail for a century so its nothing new.

 

Good news - there's nothing "they" can do that you can't. Even the poorest can hack. You should focus your energy on making your own hacks instead of worrying about other peoples. Check out boards like BBB, rasberry PI, etc to make some cheap DIY computers that will be free of any hardware/surveillance mods.

 

edit - look into bbb, imx233 as they have open pcb files and can be reprinted. u can also open your laptop and start examining your mobo. try this

Edited August 23, 2014 by simple

[xSRTsect]

yes guys and I have also heard that we are also the result of breeding between aliens and humans beings, do you think that aliens might also be trying to acquire our personal information?

[Progman]

I think the custom built machine would do the job...though it distracts from the focus on software.

Anyway if your physical environment is not secure, then your computer or any electronic devices are just a joke of a toy. And rest assured no computer nerds have the money or resources to safeguard a physical environment. Best to stay off the radar .

People posing with tricks and technology have somehow been labeled as aliens. That has truly been going on for more than a century. There exists knowledge about those of the unseen but they are not aliens and it would be a mistake to give them significance.

[ByteLawd]

There's certain BIOSes which might be close to impossible to compromise, even with a helper chip. An example might be a DELL BIOS. If you've noticed, that whenever you want to flash a dell laptop even one that's 10 years old your new flash has to pass a signature requirement which the laptop or desktop is already expecting. That means that each BIOS image has to be signed using a master key known only to DELL. With these clone motherboard brands such as ASUS, Gigabyte. Foxcon, Supermicro and ECS you can just take an existing BIOS image, edit it and reupload and the motherboard will take it without any complaints. Now try doing this to a DELL BIOS and you'll get a checksum error. The DELL motherboard knows what to expect and rejects any custom alterations. I'm not sure exactly how it works but my guess is that perhaps a checksum is taken of a certain range of bytes and that checksum along with a secret master key is used to generate a signature string added to the tail end of the binary.

 

What this means is that if your clone PC gets rooted then depending on the sophistication of the attacker, your BIOS could be pwned. if you have a clone mobo friendly to "open source" BIOS flashes. In the recent pass they used to make motherboards which had a write protect jumper next to a removable flash chip which does obviosly provide some protection. Today however there is no write protect chip on most if not all of these clones and the bios chip itself is not removable either so that you may want to check it's contents independently on a ROM reader or another PC. BIOS security at least on clones seems to have been headed downwards. Lack of ignorance among fans of clone motherboards might have fixed it. And according to this book https://tuts4you.com/download.php?view.3296. which was written way back in 2006 BIOS hacking is easy peasy which means all rooters above the script kiddy level would have made their custom mods for every clone box they root?

 

I run a clone PC but after realizing this I'm no longer such a big fan.

[Conquest]

The world is quite corrupt now and most intellectual resources are controlled and owned by the rich.  Certainly the NSA has all the details of every computer, phone, camcorder or anything they want to hack for any target. 

true if you are linked with the internet . If you are going to bomb somewhere i will suggest you to set up a copper mesh to prevent magnetic flux from going in or out, disconnect your system from internet, compiler your own operating system preferably from linux kernel and you are done. No one can possibly with current public technology will be able to intercept your computer data. The biggest mistake those terrorist monkeys do is to get social and email the plans to their mates in Afghanistan . i personally believe nsa currently has enough power to decrypt even  2k~4k rsa encryptions  .

When you are planning for something secret (doesnt matter good or bad) you will need to keep it hidden and detached from the outer world till you are done with it . 

They cant hack what doesnt "exists" .

On the hyper visor thing , you can have it 2 way lets assume , 1. the bios has it implemented 2. another separate chip to control the bios

1. In case of 1st thing , all you need is IDA and will to dissect the code. If its not x86, there has to be some disassembler for that language, use it. I have only done bios related activities long ago when i was newbie and vista was new, some Chinese guy disassembled award bios using ida, and i got curious enough and followed his path . its not a hidden maze down there. its the fastest executing code one can make , so easy to dissect. 

2 . get a hammer and break your board and sue the motherboard manufacturer . You will be rich.

since it seems you are doing something big - 1 more possibility is probably they can intercept data flow using some private on going project which intercepts the magnetic/electric data from from your pc(?) . Only way to prevent that is to set up an electric/magnetic shield. read some high school physics book on that matter. 

 

Goodluck mate. Lets hope you arent going to blow us up for some purpose which doesnt concern the common, innocent public .

Edited October 23, 2014 by Conquest