coderman at protonmail.com
Tue Jan 8 17:23:49 PST 2019
some things to note about the samples:
- the L1 image uses BIOS recovery to trigger actual exploit payload on unaddressable storage; that is to say it does not store the loader / malware directly on SPI flash memory. NSA has been adept at avoiding trivial detection via this route for a long time...
- the L2 image is a configuration permanent denial of service. this is designed to disrupt target activities, rather than perform any traditional exploitation or exfiltration. with an impossible boot configuration, the system appears "dead".
these techniques are the opposite of the Sednit approach where the malware resides as an UEFI module with malicious code stored on SPI flash memory. this makes it easy to detect (if you happen to catch it! :) as per the talk linked originally https://media.ccc.de/v/35c3-9561-first_sednit_uefi_rootkit_unveiled
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 1321 bytes
Desc: not available
More information about the cypherpunks