[tor-talk] How does one remove the NSA Virus off the BIOS Chip as described by Snowden in the ANT Program

coderman coderman at gmail.com
Sat Nov 21 12:10:05 UTC 2015


On 11/20/15, Virilha <tor at cheiraminhavirilha.com> wrote:
>
> I believe you need immediate help, to capture evidence and/or reverse
> engineer malware.

it will be persistent but latent.
  e.g. after a time period of "unable to successfully implant in OS"
    it will quit trying. or maybe not! unknown unknowns, etc.
or maybe not! large variance between paid proprietary LE only exploit kit
 and truly exceptional nation state intelligence and exploitation techniques.
you should use the BIOS adventures below to find out.
 [the TAO-related Snowden leak details are informative]

mobile implants are observed "geofenced" by tower or stringray. by
activity of other apps. by network traffic. by time of day, ... this
is a long list :)

your router(s) are trash, now. (maybe you can directly flash, like
BIOS adventures below?)



> If the first case (capture evidence), advise you to join an IRC
> channel on server irc.oftc.net channel #debian -

capture is good first step, and if not in this instance perhaps the next.
capture is always useful! (via independent and not networked device)



> If the second (reverse engineer the malware), I advise you to join an
> IRC channel on server irc.freenode.net on channel ##asm and/or channel
> ##re - me or others can help you with x86/64 stuff (assembly).

you can open up and search for BIOS flash chip. if you're lucky it
will be a 3.3V SPI flash chip in 4 or 8MByte (they often measure in
bits, too, don't ask me why).

you can use a rPi to do it, even!
  http://www.win-raid.com/t58f16-Guide-Recover-from-failed-BIOS-flash-using-Raspberry-PI.html
http://satxhackers.org/wp/hack-content/uploads/2013/04/rPI_flashrom.pdf
http://www.winbond-usa.com/resource-files/w25q64fv_revl1_100713.pdf

that last is an SPI chip in my pair of ASUS B43J laptops - it is nice
to have a pair, saving the good one, in case something like this
happens. the stealthy stuff will betray power consumption and forensic
flash image digest values (sha256 of specific flash regions)

remember to adjust configuration parameters for SPI support if using the rPi.

i highly recommend the Shikra as well, however, it requires postal CUSTOMS. :)
 http://int3.cc/products/the-shikra

this is just the start, of course, but enough to give tells...



best regards,


More information about the tor-talk mailing list