Thursday, August 15, 2019

Uh... why does firmware need to send EHLO?

So, anyway, a little while ago, we stumbled across a program in firmware that seems to be sending an EHLO. The program in question also seems to have a UID and PW in plaintext.

It also _seems_ to have the capability of starting a TLS connection.

Now, I’m not saying the vendor is doing anything wrong, but it is just a bit of a surprise to find.

Also, it is not yet clear if communications are hidden from the OS, but they could easily be.

The program in question is about 27k of compiled C, so it takes some time to study. Analysis continues.

Oh, but this caused us to look for other examples of EHLO in firmware, and, lo and behold, we found another vendor who seems to have that capability. This particular program is over 600k, so it will take a little while to analyze properly.

Again, I’m not suggesting that they are doing anything malicious. It’s just a surprise, and it makes one wonder what else might be found. There do seem to be other firmware programs that are capable of starting TLS. Oh, and it also makes us wonder if it is exploitable.
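A practical way to go looking for more of these, as an added example that is not the author's tool and not code from any vendor's firmware: scan an image for the SMTP verbs an outbound mail client would have to carry and, where an AUTH exchange looks hard-coded, try to decode the base64 credentials stored beside it. The sample image, the address in the decoded credentials and the offsets are all constructed for the demo.

```python
"""Scan a firmware image for SMTP client indicators.

Added example, not the author's tool.  It looks for the SMTP verbs only an
outbound mail client carries (EHLO, STARTTLS, AUTH LOGIN/PLAIN, MAIL FROM)
and, when a hard-coded AUTH exchange is found, decodes the base64 credentials
that typically sit next to it.  SAMPLE_FIRMWARE is constructed for the demo;
it is not a real vendor image.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Verbs that only a *sending* SMTP client emits; a server would carry "250"
# style replies instead.
SMTP_VERBS = [b"EHLO", b"HELO", b"STARTTLS", b"AUTH LOGIN", b"AUTH PLAIN",
              b"MAIL FROM:", b"RCPT TO:"]

# A run of base64 alphabet characters, optionally padded.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")


@dataclass
class Hit:
    offset: int
    verb: bytes
    encoding: str      # "ascii" or "utf-16le" (UEFI code often keeps UCS-2 strings)


def find_verbs(blob: bytes) -> list[Hit]:
    """Locate every SMTP verb in the blob, in both ASCII and UTF-16LE form."""
    hits = []
    for verb in SMTP_VERBS:
        needles = (("ascii", verb), ("utf-16le", verb.decode().encode("utf-16le")))
        for encoding, needle in needles:
            start = 0
            while (pos := blob.find(needle, start)) != -1:
                hits.append(Hit(pos, verb, encoding))
                start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def _printable(data: bytes) -> bool:
    """True for non-empty data made only of printable ASCII and NUL separators."""
    return bool(data) and all(0x20 <= b < 0x7F or b == 0 for b in data)


def decode_credentials(blob: bytes, hits: list[Hit], window: int = 256) -> list[tuple[str, str, str]]:
    """For each AUTH LOGIN / AUTH PLAIN hit, decode base64 runs in the bytes that follow.

    AUTH LOGIN sends user and password as two separate base64 strings;
    AUTH PLAIN sends one string, base64("\\0user\\0password").
    Returns (mechanism, user, password) tuples.
    """
    creds = []
    for hit in hits:
        if hit.verb not in (b"AUTH LOGIN", b"AUTH PLAIN") or hit.encoding != "ascii":
            continue
        begin = hit.offset + len(hit.verb)
        decoded = []
        for match in B64_RUN.finditer(blob[begin:begin + window]):
            run = match.group()
            if len(run) % 4:
                continue
            try:
                plain = base64.b64decode(run, validate=True)
            except ValueError:
                continue
            if _printable(plain):          # random code bytes rarely decode to text
                decoded.append(plain)
        if hit.verb == b"AUTH PLAIN":
            for plain in decoded:
                parts = plain.split(b"\0")
                if len(parts) == 3:        # authzid \0 authcid \0 password
                    creds.append(("PLAIN", parts[1].decode(), parts[2].decode()))
        else:
            strings = [p for p in decoded if b"\0" not in p]
            if len(strings) >= 2:
                creds.append(("LOGIN", strings[0].decode(), strings[1].decode()))
    return creds


def scan(blob: bytes) -> dict:
    """Summarise what an SMTP-capable module in this blob appears able to do."""
    hits = find_verbs(blob)
    verbs = sorted({h.verb.decode() for h in hits})
    return {
        "verbs": verbs,
        "starttls": "STARTTLS" in verbs,
        "credentials": decode_credentials(blob, hits),
        "offsets": [(h.offset, h.verb.decode(), h.encoding) for h in hits],
    }


# Constructed sample: erased flash, a firmware-volume header fragment and an
# SMTP client's string table with both AUTH mechanisms hard-coded.  Not real.
SAMPLE_FIRMWARE = (
    b"\xff" * 64 + b"_FVH" + b"\x00" * 28
    + b"EHLO %s\r\n\x00" + b"STARTTLS\r\n\x00"
    + b"AUTH PLAIN " + base64.b64encode(b"\x00svc\x00hunter2") + b"\r\n\x00"
    + b"AUTH LOGIN\r\n\x00"
    + base64.b64encode(b"reports@vendor.example") + b"\r\n\x00"
    + base64.b64encode(b"Summer2019!") + b"\r\n\x00"
    + b"MAIL FROM:<%s>\r\n\x00RCPT TO:<%s>\r\n\x00" + b"\xff" * 64
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_FIRMWARE
    for key, value in scan(data).items():
        print(f"{key}: {value}")
```

Point it at a dump (`python smtp_indicators.py firmware.bin`) and treat each hit as a place to start disassembling rather than as proof: the string table says the module can speak SMTP, and only the code around the AUTH and STARTTLS strings says whether it actually does, and whether it does so over TLS. Modules stored compressed inside firmware volumes need expanding first (UEFITool or uefi-firmware-parser will do it) before their strings are visible to a scan like this.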

Watch this space.

Wednesday, July 31, 2019

Uh ... secure boot might be trying to tell you something.

So, anyway, today this popped up on my Google Alerts...

Apparently, some people see a message that says "Secure boot violation. The system found unauthorized changes on the firmware, operating system or UEFI drivers." and the article suggests that the answer is to (1) turn off Secure Boot, and (2) use a system restore point.

The article explains how to do those steps. The upside is that turning off Secure Boot will stop you seeing the message; the downside is that it does so by turning off the very signature check that produced the message, and Secure Boot might be trying to tell you something. ;-)

The danger here is that malware is increasingly targeting firmware.

And, I might be wrong, but I don't think that using a system restore point will restore firmware.

If you do see such a message, you are better off seeking very professional help.

Just sayin'

Wednesday, July 3, 2019

Ok, that's kind of creepy, FaceBook

So, anyway, for some reason, pictures on FaceBook are not rendering today. In the overall scheme of things, this is neither here nor there, and I'm sure it will soon be corrected.

But...

In place of pictures, I see things like this "image may contain three people, including xxxxxxxxx"

It seems highly unlikely that a human sat there, and added all these "may contain" messages, so therefore, some AI did.

That probably means that all pictures uploaded to FaceBook have had similar AI estimations applied to them.

On one hand, it's innocent, but on the other hand (the suspicious, cynical hand), one wonders how this might play out long term, especially in places like China.

Sigh. Privacy Revolution again, folks.

Thursday, June 6, 2019

Firmware dumper

Hi all,

We've made our Win10x64 firmware dumper available for download here, if anyone wants to give it a try. It's much easier than turning off Secure Boot and booting from a thumb drive. It's probably not perfect, but it seems pretty good. If you get a firmware dump, you are also welcome to upload it to us at the same URL for analysis.

Saturday, January 26, 2019

Privacy revolution again

So, anyway, I won’t mention Sandra’s name, but a friend of mine, who used to be a security geek but is now a goat farmer, pinged me with a scary story yesterday.

She got a robo call from PayPal, advertising something, which might be a bit annoying, but that’s not scary.

As one generally does with an unrecognized number, she let it go to voicemail, and the message asked her to call back on a different number. Nothing entirely amazing there.

But here’s the scary bit. The spoofed number pretended to be from a really small town in PA that she had only ever been to once before... and that was _earlier that day_.

Amazing coincidence, right?

Problem is, those of us in the security biz don’t tend to like coincidences, so the alternative is that something was tracking her.

She checked her settings for PayPal, but they showed that it only tracked her while she was using the app, and as far as she knew, she was not using the app.

So now we are left to wonder ... is something else selling its tracking data?

At this point, we simply don’t know, but there are certainly lots of apps (it is an iPhone) that are capable of tracking you all the time.

It’s either an amazing coincidence, or the Privacy Revolution in action.

Wednesday, November 28, 2018

ASUS UEFI rootkit

Hi folks,

In late October, I noticed this article

The nub of the article is that the ASUS Z390 motherboard was able to access the Internet, without any Windows 10 network drivers, and to install extra software.

This is remarkably similar behavior to the Lenovo rootkit, from 2015.

Now, let me stress that in neither case do I think there was malicious intent. Both were clearly designed to let the vendor install updates as needed. The problem is that, just as with the Lenovo rootkit, nobody would have known it was there if it hadn't tipped its hand by doing something obvious, and the obvious question now is, "What _else_ is out there?"

We have now found five variants of the ASUS UEFI updater/rootkit software, none of which seem to be detected by anyone. Oh, and seven variants of the (hopefully extinct) Lenovo rootkit from 2015.
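The post does not name the mechanism, so this is my assumption rather than something the article states, but the standard way for firmware to get Windows to run vendor code with no driver or network stack of its own, and the way the 2015 Lenovo Service Engine did it, is the ACPI Windows Platform Binary Table (WPBT): the firmware publishes a table pointing at a PE image in memory, and Windows copies that image to System32\wpbbin.exe and executes it during boot. The following added example (mine, not the author's and not either vendor's code) parses such a table so you can see what your own machine would be asked to run; the sample table, its OEM strings, address and command line are constructed.

```python
"""Parse an ACPI Windows Platform Binary Table (WPBT).

Added example, not the author's code.  WPBT lets firmware hand Windows a PE
image to run at boot; Windows copies it to %SystemRoot%\\System32\\wpbbin.exe
and executes it.  Layout, little-endian, per Microsoft's WPBT specification:

  0   ACPI description header (36 bytes, signature "WPBT", checksum at byte 9)
  36  uint32  handoff memory size      (size of the PE image in bytes)
  40  uint64  handoff memory location  (physical address of the image)
  48  uint8   content layout           (1 = single PE image)
  49  uint8   content type             (1 = native user-mode application)
  50  uint16  argument length in bytes
  52  UTF-16LE command-line arguments

SAMPLE_TABLE is constructed for the demo; nothing in it comes from a vendor.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")   # 36-byte ACPI description header
WPBT_BODY = struct.Struct("<IQBBH")            # 16 bytes of WPBT-specific fields


@dataclass
class Wpbt:
    oem_id: str
    oem_table_id: str
    image_addr: int
    image_size: int
    layout: int
    content_type: int
    arguments: str
    checksum_ok: bool


def parse_wpbt(table: bytes) -> Wpbt:
    """Decode a WPBT, rejecting buffers that are not one or whose fields run off the end."""
    if len(table) < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("buffer too short to be a WPBT")
    sig, length, _rev, _csum, oem_id, oem_table_id, *_ = ACPI_HEADER.unpack_from(table, 0)
    if sig != b"WPBT":
        raise ValueError(f"not a WPBT table (signature {sig!r})")
    if length > len(table) or length < ACPI_HEADER.size + WPBT_BODY.size:
        raise ValueError("declared table length is inconsistent with the buffer")
    size, addr, layout, ctype, arglen = WPBT_BODY.unpack_from(table, ACPI_HEADER.size)
    args_off = ACPI_HEADER.size + WPBT_BODY.size
    if args_off + arglen > length:
        raise ValueError("argument string runs past the end of the table")
    args = table[args_off:args_off + arglen].decode("utf-16le", "replace").rstrip("\0")
    return Wpbt(
        oem_id=oem_id.decode("ascii", "replace").strip(),
        oem_table_id=oem_table_id.decode("ascii", "replace").strip(),
        image_addr=addr,
        image_size=size,
        layout=layout,
        content_type=ctype,
        arguments=args,
        # Every ACPI table sums to zero (mod 256) over its declared length.
        checksum_ok=sum(table[:length]) % 256 == 0,
    )


def build_wpbt(oem_id: bytes, oem_table_id: bytes, image_addr: int, image_size: int, args: str) -> bytes:
    """Assemble a WPBT with a correct checksum.  Used here only to create demo input."""
    arg_bytes = (args + "\0").encode("utf-16le")
    length = ACPI_HEADER.size + WPBT_BODY.size + len(arg_bytes)
    header = ACPI_HEADER.pack(b"WPBT", length, 1, 0, oem_id.ljust(6), oem_table_id.ljust(8),
                              1, b"DEMO", 1)
    body = WPBT_BODY.pack(image_size, image_addr, 1, 1, len(arg_bytes))
    raw = bytearray(header + body + arg_bytes)
    raw[9] = (-sum(raw)) & 0xFF          # checksum byte: make the whole table sum to 0
    return bytes(raw)


# Constructed sample (hypothetical OEM strings, address and command line).
SAMPLE_TABLE = build_wpbt(b"DEMO", b"DEMOBRD", 0x7F3A0000, 0x2A000, "/install /silent")


def describe(table: bytes) -> str:
    """One-line summary of what a machine's WPBT would have Windows run."""
    w = parse_wpbt(table)
    flag = "" if w.checksum_ok else " (BAD CHECKSUM)"
    return (f"{w.oem_id}/{w.oem_table_id}: {w.image_size:#x} bytes at {w.image_addr:#x}, "
            f"layout={w.layout} type={w.content_type}, args={w.arguments!r}{flag}")


if __name__ == "__main__":
    import sys
    # Linux exports the live table at /sys/firmware/acpi/tables/WPBT (root needed);
    # with no argument the constructed sample is parsed instead.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TABLE
    print(describe(data))
```

On a Linux live system, `sudo python wpbt.py /sys/firmware/acpi/tables/WPBT` shows whether the board publishes a table at all and what command line the payload gets; on Windows, the quicker tell is whether `%SystemRoot%\System32\wpbbin.exe` exists, since that file only appears when a WPBT was honoured at boot. Once you know the image's address and size, the next step is to dump that region (or the corresponding module from a firmware dump) and hash it, which is how the variants mentioned above get told apart.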

Analysis continues.

Stay tuned.

P.S. If anyone wants to help, I blogged about how to dump firmware here.

Thursday, September 27, 2018

Stuff just got real

So, anyway, ESET just announced that they have found the first UEFI rootkit seen in the wild. You can read about it here … , but the short version is that they found a modified version of Computrace/LoJack being used to attack a computer.

This is serious, and here are the main bits to know…

(1) Computrace/LoJack is a legitimate application that is factory installed into the firmware of a great many laptops, from almost every vendor. The idea is that if your laptop gets stolen, you can find it and/or wipe it remotely. This is obviously good, and useful.

Close followers of my blogs and posts will know that I have pointed out that the Kaspersky guys, in 2014, showed how it could be compromised, and that it was therefore a potential problem, even though it is a legit app. This is not a slight against the excellent LoJack. All software has a weak underbelly, if you probe hard enough.

This is now proof that I was right.

(2) The perps are probably a Russian hacking group (military, KGB, FSB, or something similar), known by a bunch of names, but I call them Fancy Bear, for no particular reason other than that it was the first name I knew them by, and it's a neat name. These are the same guys who (probably) broke into a factory in Taiwan in Feb 2018 and modified firmware in a bunch of computers headed for the German government. If you are a suspicious soul, like me, you probably think this is not their only rodeo.

(3) The perps used a legitimate and scarily powerful tool called RWEverything. This is new to me, but the nub of the matter is that it ships a legitimately signed kernel driver that gives ordinary software raw access to the hardware, including the SPI flash chip the firmware lives in, so it can read the firmware and, if the platform has not locked the flash against writes, rewrite it. This is obviously powerful, and cool, as long as it is used for good.

(4) So far, we have not found an exact match for the samples in their report in our collection, but we have _many_ variants of LoJack. They may all be innocent, or … maybe not. We are still looking and thinking.

(5) We still have six variants of the Lenovo rootkit that no one detects (well, one product detects one variant, but that’s approaching zero from a stats perspective… one out of 360). This may, and probably does, mean they are extinct, or ... maybe not…

(6) Interestingly, the Lenovo rootkit and the modified LoJacks operate in _remarkably_ similar ways. This might be pure coincidence… or … maybe something else.

Bottom line is that we have many variants of Computrace/LoJack that need to be examined, and many Lenovo rootkit variants that need the same.

And we have other things that look suspicious.

It would be really helpful to get more firmware samples. It's geeky, but some how-to instructions can be found here
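As an added example of the kind of triage that backlog calls for (my code, not the author's tooling, and nothing taken from ESET's report), here is a carver that pulls every PE image out of a raw firmware dump, records its UEFI subsystem and hashes it, so that a pile of dumps can be reduced to the modules whose hashes are not already known good. The two drivers in the sample dump are synthetic and are built inside the block itself.

```python
"""Carve PE images out of a raw firmware dump and fingerprint them.

Added example, not the author's tooling.  Visits every "MZ" header, validates
the PE signature and section table, works out how far the image extends, and
records the UEFI subsystem plus a SHA-256 per module so variants can be
compared across dumps and against a known-good list.  SAMPLE_DUMP is built
from two synthetic PE32+ drivers below and contains no vendor code.
"""
from __future__ import annotations

import hashlib
import struct
from dataclasses import dataclass

# IMAGE_SUBSYSTEM_* values that mark a module as UEFI code.
SUBSYSTEMS = {10: "EFI application", 11: "EFI boot service driver",
              12: "EFI runtime driver", 13: "EFI ROM"}


@dataclass
class Module:
    offset: int
    size: int
    machine: int
    subsystem: int
    sections: list[str]
    sha256: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_pe(blob: bytes, mz: int) -> Module | None:
    """Return the PE image starting at blob[mz], or None if it is not well formed."""
    if blob[mz:mz + 2] != b"MZ" or mz + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, mz + 0x3C)[0]
    pe = mz + e_lfanew
    if e_lfanew > 0x400 or blob[pe:pe + 4] != b"PE\0\0" or pe + 24 > len(blob):
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt, sec_tbl = pe + 24, pe + 24 + opt_size
    if nsec == 0 or nsec > 96 or opt_size < 70 or sec_tbl + nsec * 40 > len(blob):
        return None
    if struct.unpack_from("<H", blob, opt)[0] not in (0x10B, 0x20B):   # PE32 / PE32+
        return None
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    end, names = sec_tbl - mz + nsec * 40, []          # extent so far, image-relative
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, sec_tbl + i * 40)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end = max(end, raw_ptr + raw_size)            # image ends with its last raw section
    if mz + end > len(blob):                          # truncated image: not carvable
        return None
    return Module(mz, end, machine, subsystem, names, sha256_hex(blob[mz:mz + end]))


def carve_all(blob: bytes) -> list[Module]:
    """Find every embedded PE, stepping over each carved image's body."""
    modules, pos = [], 0
    while (pos := blob.find(b"MZ", pos)) != -1:
        module = carve_pe(blob, pos)
        if module:
            modules.append(module)
        pos += module.size if module else 1
    return modules


def triage(modules: list[Module], known_good: set[str]) -> list[Module]:
    """UEFI modules whose hash is not already known good: the ones worth examining."""
    return [m for m in modules if m.subsystem in SUBSYSTEMS and m.sha256 not in known_good]


def build_driver(code: bytes, subsystem: int = 11) -> bytes:
    """Assemble a minimal PE32+ image with one .text section (constructed test input)."""
    opt_size, align = 240, 0x200                          # headers fit in one 512-byte page
    raw_size = -(-len(code) // align) * align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew: PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ magic
    struct.pack_into("<I", opt, 16, align)                # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, align, align)        # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, align + raw_size, align)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, subsystem)            # IMAGE_SUBSYSTEM_EFI_*
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), align, raw_size, align,
                      0, 0, 0, 0, 0x60000020)
    return (dos + coff + bytes(opt) + sec).ljust(align, b"\0") + code.ljust(raw_size, b"\0")


DRIVER_A = build_driver(b"\x48\x31\xc0\xc3" + b"DemoDxe 1.0\0")
DRIVER_B = build_driver(b"\x48\x31\xc0\xc3" + b"DemoDxe 1.1\0", subsystem=12)

# Constructed dump: erased flash, a firmware-volume header fragment, two drivers
# and a stray "MZ" with nothing behind it (which must be rejected).
SAMPLE_DUMP = (b"\xff" * 0x100 + b"_FVH" + b"\x00" * 0x3C + DRIVER_A
               + b"\xff" * 0x80 + b"MZ" + b"\x00" * 0x3E + DRIVER_B + b"\xff" * 0x40)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for m in carve_all(data):
        kind = SUBSYSTEMS.get(m.subsystem, f"subsystem {m.subsystem}")
        print(f"{m.offset:#010x} {m.size:#8x} {kind:24} {m.sections} {m.sha256[:16]}")
```

Run it over each dump, feed `triage()` the hashes of modules you have already cleared (the same board's vendor-published update image is the obvious source), and what comes back is the list of modules that still need a human. A hash that differs between two dumps of the same board and BIOS version is exactly the kind of variant the post is talking about; the carver cannot say whether the difference is benign, only that it is there.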

All this, combined with what we have found about certificates being expired, or marked "Do not trust" or "Do not ship", which you can read about here, suggests to me that we are on dangerous, shaky, and new ground.

Stay tuned.