Delivery-Date: Sat, 21 Nov 2015 07:10:21 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
In-Reply-To: <20151120210105.Horde.YWWb5RcfXQQPOxUlAGDtLw1@127.0.0.1>
References: <564EB197.7020207@columbia.edu>
 <20151120210105.Horde.YWWb5RcfXQQPOxUlAGDtLw1@127.0.0.1>
Date: Sat, 21 Nov 2015 04:10:05 -0800
Message-ID: <CAJVRA1Q7ysd4c2wvicXy9ZH3tQvFzR_robA-LkUOFOs3TkwcJQ@mail.gmail.com>
From: coderman <coderman@gmail.com>
To: "William H. Depperman" <whd2@columbia.edu>, tor-talk@lists.torproject.org
Subject: Re: [tor-talk] How does one remove the NSA Virus off the BIOS Chip
 as described by Snowden in the ANT Program
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 11/20/15, Virilha <tor@cheiraminhavirilha.com> wrote:
>
> I believe you need immediate help, to capture evidence and/or reverse
> engineer malware.

it will be persistent but latent.
  e.g. after a time period of "unable to successfully implant in OS"
    it will quit trying. or maybe not! unknown unknowns, etc.
or maybe not! large variance between paid proprietary LE only exploit kit
 and truly exceptional nation state intelligence and exploitation techniques.
you should use the BIOS adventures below to find out.
 [the TAO-related Snowden leak details are informative]

mobile implants are observed "geofenced" by tower or stingray. by
activity of other apps. by network traffic. by time of day, ... this
is a long list :)

your router(s) are trash, now. (maybe you can directly flash, like
BIOS adventures below?)



> If the first case (capture evidence), I advise you to join an IRC
> channel on server irc.oftc.net channel #debian -

capture is a good first step, and if not in this instance perhaps the next.
capture is always useful! (via an independent, non-networked device)



> If the second (reverse engineer the malware), I advise you to join an
> IRC channel on server irc.freenode.net on channel ##asm and/or channel
> ##re - me or others can help you with x86/64 stuff (assembly).

you can open up and search for the BIOS flash chip. if you're lucky it
will be a 3.3V SPI flash chip in 4 or 8 MByte (they often measure in
bits, too, don't ask me why).

you can use a rPi to do it, even!
  http://www.win-raid.com/t58f16-Guide-Recover-from-failed-BIOS-flash-using-Raspberry-PI.html
http://satxhackers.org/wp/hack-content/uploads/2013/04/rPI_flashrom.pdf
http://www.winbond-usa.com/resource-files/w25q64fv_revl1_100713.pdf

that last is an SPI chip in my pair of ASUS B43J laptops - it is nice
to have a pair, saving the good one, in case something like this
happens. the stealthy stuff will betray power consumption and forensic
flash image digest values (sha256 of specific flash regions)

remember to adjust configuration parameters for SPI support if using the rPi.

i highly recommend the Shikra as well, however, it requires postal CUSTOMS. :)
 http://int3.cc/products/the-shikra

this is just the start, of course, but enough to give tells...



best regards,
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
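An added illustration of the "forensic flash image digest values" idea from the message above; this is not code from the original post nor from flashrom or any of the linked guides. It assumes two raw SPI dumps already exist (the flashrom invocation in the comment is the standard linux_spi programmer syntax for a Raspberry Pi; the device path and file names are assumptions), splits each dump into fixed-size regions, and reports every region whose sha256 differs, including regions missing from a shorter or truncated read. The sample images are constructed inline so the script runs without hardware.

```python
"""Region-wise sha256 comparison of two SPI flash dumps (added example).

Typical dump on a Raspberry Pi with flashrom (assumed device path):
    flashrom -p linux_spi:dev=/dev/spidev0.0,spispeed=1000 -r dump1.bin
Read twice and require identical reads before trusting a dump; then
compare the suspect dump against a known-good image from the spare laptop.
"""
import hashlib
import sys
from typing import Dict, List, Tuple

REGION_SIZE = 64 * 1024  # 64 KiB regions; use the chip's erase-block size if known


def region_digests(image: bytes, region_size: int = REGION_SIZE) -> Dict[int, str]:
    """Map region start offset -> sha256 hex digest of that region."""
    if region_size <= 0:
        raise ValueError("region_size must be positive")
    return {
        off: hashlib.sha256(image[off:off + region_size]).hexdigest()
        for off in range(0, len(image), region_size)
    }


def reads_consistent(read_a: bytes, read_b: bytes) -> bool:
    """Two reads of the same chip must match byte for byte; if not, suspect
    wiring, SPI clock speed or a flaky programmer before suspecting malware."""
    return read_a == read_b


def diff_regions(golden: bytes, suspect: bytes,
                 region_size: int = REGION_SIZE) -> List[Tuple[int, str, str]]:
    """Return (offset, golden_digest, suspect_digest) for each differing region.

    A region present in only one image (different chip density or a truncated
    read) is reported with an empty digest on the side that lacks it, since a
    size mismatch is itself a finding worth explaining."""
    g = region_digests(golden, region_size)
    s = region_digests(suspect, region_size)
    findings = []
    for off in sorted(set(g) | set(s)):
        gd, sd = g.get(off, ""), s.get(off, "")
        if gd != sd:
            findings.append((off, gd, sd))
    return findings


def report(findings: List[Tuple[int, str, str]]) -> str:
    """Human-readable summary; an empty findings list means the images match."""
    if not findings:
        return "no differing regions"
    lines = [f"{len(findings)} differing region(s):"]
    for off, gd, sd in findings:
        lines.append(f"  0x{off:06x}  golden={gd[:16] or '<absent>':<16}  "
                     f"suspect={sd[:16] or '<absent>'}")
    return "\n".join(lines)


# Constructed sample images (64 KiB each); real dumps would be read from disk.
GOLDEN = bytes(range(256)) * 256
_patched = bytearray(GOLDEN)
_patched[0x5000:0x5010] = b"\x90" * 16   # constructed: 16 altered bytes in region 0x4000
SUSPECT = bytes(_patched)


def load(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        golden, suspect = load(sys.argv[1]), load(sys.argv[2])
    else:
        golden, suspect = GOLDEN, SUSPECT   # fall back to the constructed sample
    print(report(diff_regions(golden, suspect, 16 * 1024)))
```

Run it with two dump files as arguments, or with none to see the constructed sample flag the single patched region. Keeping the per-region digests of the clean dump as a text file lets later re-checks be done without shipping the full image around.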

