minimum viable toolset for low level malware forensics [was: BadBIOS forensics]

coderman coderman at gmail.com
Sun Jul 20 00:07:47 PDT 2014


On Wed, Jul 16, 2014 at 4:19 AM, Bluelotus <bluelotus at openmailbox.org> wrote:
> ...
> I wrote threads on my limited ability to perform forensics


for those technical, the minimum viable toolset for identifying low
level subversive programming is:

- a solid base (clean hw, clean installs, clean environment) in a
separate location with RF shielding. (a closed metal barn out in the
country, for example. if you're a geek you love the thought of a
faraday closet ;)

- instrumented runtime (e.g. volatility memory forensics, system
performance profiling, all to append only storage) on any systems you
are using as suspect to attack.

- obstructed runtime (see thread on "how to hack your systems before
someone else") - this is optional; a modified system that appears to
be vulnerable / stock condition will exhibit undefined behavior under
attempted enabling, sometimes. otherwise it may be difficult to
identify a successful infection.

- direct flash memory pinout rig (specs for all chips including flash
memory associated with BIOS, integrated management controllers,
network devices, I/O ports, keyboard, trackpad or mouse, HD/DVD/CD
drives, graphics memory, wifi, 4g, and bluetooth wireless adapters
will be needed). you're programming an FPGA to perform reads directly
from the flash chips. converting flash memory into high level block
storage is the next black art upward.

- wide band high performance software defined radio. you will be
building custom GNU radio blocks and running many from third party
repositories or research projects. you are using a two stage process,
where wide sweeps and auto ranging are applied to sample swaths of
signal of interest to storage. then parallel processing on other
hardware or later time (off-use-hours) extracting known / useful data
and anomalies for further analysis.

- in-line network archival, shaping, and cut-out for link to internet
/ local network. this works best as a zero visibility transparent
ethernet bridge with ARP spoofing and ether mangling at each end. that
does not speak IP at all. the shaping is used to squelch suspect or
unexpected peak traffic (both a signalling system for malicious
activity and a means to constrain the reach once compromised)


as per the kit above,

you are instrumenting a system to observe its runtime behavior on an
external audit system. this is because the advanced attacks inject
into processes and ring0, persisting only what is needed / chosen
(enabling hooks). you need to capture the active payloads that are
delivered on-demand in host memory space.

you are observing the network and RF space for anomalies and
discrepancies. for example, a wifi radio disabled yet still emitting
into 2.4GHz/5.xGHz spectrum. network captures also provide evidence
to correlate with malicious memory, for example identifying a payload
delivered over the network, with keys from volatility used to decrypt
the encrypted communications containing the payload identified in
memory.

you are (sometimes destructively) sampling all flash memory as parts
of advanced payloads persist outside of the OS and storage level
interface visibility. (stealth at bus/bios level). discrepancies in
blocks that should not have changed, executable code segments where
not expected, strange carvings of wear leveling around "protected"
offsets. all of these are indicators for further scrutiny and
instruction level reversing (if corresponding to microcontroller
programming instructions for manipulating streams read or written to
and from device, for example :)

last but not least, you are not getting attached to any hardware,
because at any moment you may find it all suspect and have to replace
all laptops, desktops, routers, printers, mobile devices, storage
media, media servers, smart televisions, and god forbid you installed
one of those intelligent thermostats. [ laugh for sanity, then go back
and read the list, and then understand that the far end of the nation
state malware asymptote is full of freaky exotics. i also hope you
never hit that level of "all systems go" *grin* ]


best regards,
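
Added example, not part of the original post: one way to triage the flash-sampling step described above, by comparing a known-clean baseline dump of a chip against a later dump and flagging blocks that changed where they should not have. The 4 KiB block size, the static-region map and the sample images are assumptions constructed for illustration; real values come from the chip datasheet and your own baseline.

```python
import hashlib

BLOCK = 4096  # assumed erase-block size; take the real value from the chip datasheet

def diff_dumps(baseline, current, static_regions, block=BLOCK):
    """Compare two raw flash dumps block by block.

    static_regions: list of (start, end) byte ranges expected never to change.
    Returns (offset, kind, sha256_of_current_block) tuples for changed blocks.
    """
    findings = []
    if len(baseline) != len(current):
        # A dump of a different size is itself a discrepancy worth recording.
        findings.append((min(len(baseline), len(current)), "size-mismatch", None))
    for off in range(0, min(len(baseline), len(current)), block):
        old, new = baseline[off:off + block], current[off:off + block]
        if old == new:
            continue
        if any(off < end and start < off + block for start, end in static_regions):
            kind = "static-region-changed"   # block that should not have changed
        elif old.count(0xFF) == len(old):
            kind = "erased-block-populated"  # data where only erased flash was expected
        else:
            kind = "changed"                 # mutable area; review against expected writes
        findings.append((off, kind, hashlib.sha256(new).hexdigest()))
    return findings

# Constructed sample: two static code blocks, one settings block, one erased block.
STATIC_REGIONS = [(0, 2 * BLOCK)]

def sample_dumps():
    base = bytearray(b"\x90" * (2 * BLOCK) + b"\x00" * BLOCK + b"\xff" * BLOCK)
    cur = bytearray(base)
    cur[BLOCK + 16] = 0xCC                               # change inside static region
    cur[2 * BLOCK] = 0x01                                # change in settings block
    cur[3 * BLOCK:3 * BLOCK + 4] = b"\xde\xad\xbe\xef"   # data in erased block
    return bytes(base), bytes(cur)

if __name__ == "__main__":
    base, cur = sample_dumps()
    for off, kind, digest in diff_dumps(base, cur, STATIC_REGIONS):
        print(f"0x{off:08x} {kind} {digest}")
```

Flagged offsets are candidates for the further scrutiny and instruction level reversing mentioned in the post; the per-block hashes are suitable for writing to append-only storage alongside the dumps.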


