
Precision Espionage MiniFlame Malware Tied To Flame

samzenpus posted about 2 years ago | from the smart-malware dept.


Gunkerty Jeb writes "Initially thought to be merely a module of the now-infamous Flame malware, MiniFlame, or SPE is, in reality, a secondary surveillance tool deployed against specially identified targets following an initial Flame or Gauss compromise. MiniFlame/SPE was one of three previously unseen pieces of malware discovered during a forensic analysis of Flame's command and control servers. Researchers at Kaspersky Lab and CERT-Bund/BSI determined that the program, which has compromised somewhere between 10 and 20 machines, can stand alone as an independent piece of malware or run as a plug-in for both Flame and Gauss."


34 comments


First flame (0)

Anonymous Coward | about 2 years ago | (#41658695)

First flame!

Cross your fingers (5, Funny)

Sparticus789 (2625955) | about 2 years ago | (#41658779)

I sure hope that an actual person wrote this MiniFlame. Otherwise the virus has become self-aware and is now reproducing autonomously.

lol (0)

Anonymous Coward | about 2 years ago | (#41658965)

It really does sound like the antivirus folks are just so far out of their league...

They were always a step behind... But now it sounds more like a mile.

I'm NEVER WORRIED about these things... (-1)

Anonymous Coward | about 2 years ago | (#41658979)

Why? Simple - the very SECOND their C&C Servers (or other online parts) are known, I block them the heck out (either by IP addresses in my firewall rules tables via a powershell script, albeit when that's available OR the only information, OR by host-domain names in my custom hosts file).

"Easy as apple pie" too, "automagically", every 12 hours!

How? This:

IF you don't want to be tracked, & to get your speed/bandwidth back you paid for (as well as electricity, CPU cycles, RAM, & other forms of I/O as well), better "layered-security"/"defense-in-depth", reliability (vs. DNS poisoning redirection OR being "downed"), & even anonymity (to an extent vs. DNS request logs) + being able to "blow by" what you may feel are unjust blocks (in DNSBL's) & more...

---

APK Hosts File Engine 5.0++ 32-bit & 64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

---

Custom hosts files gain me the following benefits (A short summary of where custom hosts files can be extremely useful):

---

1.) Blocking out malware/malscripted sites

2.) Blocking out Known sites-servers/hosts-domains that are known to serve up malware

3.) Blocking out Bogus DNS servers malware makers use

4.) Blocking out Botnet C&C servers

5.) Blocking out Bogus adbanners that are full of malicious script content

6.) Getting you back speed/bandwidth you paid for by blocking out adbanners + hardcoding in your favorite sites (faster than remote DNS server resolution)

7.) Added reliability (vs. downed or misdirect/poisoned DNS servers).

8.) Added "anonymity" (to an extent, vs. DNS request logs)

9.) The ability to bypass DNSBL's (DNS block lists you may not agree with).

10.) Blocking out TRACKERS

11.) More screen "real estate" (since no more adbanners appear onscreen eating up CPU, Memory, & other forms of I/O too - bonus!)

12.) Truly UNIVERSAL PROTECTION (since any OS, even on smartphones, usually has a BSD derived IP stack).

13.) Faster & MORE EFFICIENT operation vs. browser plugins (which "layer on" ontop of Ring 3/RPL 3/usermode browsers - whereas the hosts file operates @ the Ring 0/RPL 0/Kernelmode of operation (far faster) as a filter for the IP stack itself...)

14.) Custom hosts files work on ANY & ALL webbound apps (browser plugins do not).

15.) Custom hosts files offer a better, faster, more efficient way, & safer way to surf the web & are COMPLETELY controlled by the end-user of them.

---

* There you go... & above all else IF you choose to try it for the enumerated list of benefits I extolled above?

Enjoy the program!

(However, more importantly, the results in better speed/bandwidth, privacy, reliability, "layered-security"/"defense-in-depth", & even anonymity to an extent (vs. DNS request logs & blowing past DNSBL's) + more, that custom hosts files can yield...)

---

Of course, THIS is NOT going to "go well" with 3 types of people out there online, profiting by advertising & nefarious exploits + more @ YOUR expense as the consumer:

A.) Malware makers & the like (botnet masters, etc./et al)

B.) ADVERTISERS - the TRULY offended ones, as it is their "lifeblood" in psychological attack galore, tracking, & more, etc.!

C.) Possibly webmasters (who profit by ad banners, but fail to realize that those SAME adbanners suck away the users' bandwidth/speed, electricity, CPU cycles, RAM, & other forms of I/O they PAY FOR, plus, adbanners DO get infested with malicious code, & if anyone wants many "examples thereof" from the past near-decade now? Ask!)

---

APK

P.S.=> Lastly - It does a BETTER JOB than AdBlock &/or Ghostery (both of those are OWNED BY ADVERTISERS & are crippled in the former by default, + track you via the latter)

AND

It also circumvents Apache's b.s. as well as anything in ANY browser that attempts to defeat blocks (or other webbound programs):

---

Adblock Plus To Offer 'Acceptable Ads' Option:

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option

---

and

---

Evidon, which makes Ghostery, is an advertising company. They were originally named Better Advertising, Inc., but changed their name for obvious PR reasons.

Despite the name change, let's be clear on one thing: their goal still is building better advertising, not protecting consumer privacy.

Evidon bought Ghostery, an independent privacy tool that had a good reputation.

They took a tool that was originally for watching the trackers online, something people saw as a legitimate privacy tool, and users were understandably concerned. The company said they were just using Ghostery for research.

Turns out they had relationships with a bunch of ad companies and were compiling data from which sites you visited when you were using Ghostery, what trackers were on those sites, what ads they were, etc., and building a database to monetize.

When confronted about it, they made their tracking opt-in and called it GhostRank, which is how it exists today.

They took an open-source type tool, bought it, turned it from something that's actually protecting people from the ad industry, to something where the users are actually providing data to the advertisers to make it easier to track them.

This is a fundamental conflict of interest.

To sum up: Ghostery makes its money from selling supposedly de-identified user data about sites visited and ads encountered to marketers and advertisers. You get less privacy, they get more money.

That's an inverse relationship.

Better Advertising/Evidon continually plays up the story that people should just download Ghostery to help them hide from advertisers. Their motivation to promote it, however, isn't for better privacy; it's because they hope that you'll opt in to GhostRank and send you a bunch of information.

They named their company Better Advertising for a reason: their incentive is better advertising, not better privacy

---

Advertisers never intended to honor "DNT" (Do Not Track):

http://yro.slashdot.org/story/12/09/23/1334258/advertisers-never-intended-to-honor-dnt

---

AND, neither do others:

http://yro.slashdot.org/story/12/09/30/1435231/think-tanks-website-rejects-browser-do-not-track-requests

---

The webserver program folks even "jumped on the bandwagon" in Apache, as far as "DNT":

http://apache.slashdot.org/story/12/09/08/0053235/apache-patch-to-override-ie-10s-do-not-track-setting

---

Talk about "crooked" & telling 1/2 truths (as well as making software that was ONCE quite useful & effective, NOT QUITE AS USEFUL & EFFECTIVE by default anymore!)

... apk
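The post above describes pulling known bad hostnames from several feeds every 12 hours and merging them into a custom hosts file. The script below is an added example of that merge step, written for this page; it is not the APK Hosts File Engine or any other program the post links to, and the two source feeds it reads are constructed sample data, not real feeds. It normalises case, drops duplicates across feeds, rejects malformed names and refuses to sinkhole `localhost` (a malformed or hostile feed entry that remaps `localhost` breaks the machine), then checks that the rendered file actually resolves a blocked name to the sinkhole address. The hostname validation and the 0.0.0.0 sinkhole choice are this example's own assumptions, not something the post specifies. Note that a hosts file only catches C&C reached by name; servers contacted by IP literal still need the firewall rules the post mentions separately.

```python
"""Merge several blocklist feeds into hosts-file lines and verify the result.

Added example for this thread, not the program described in the post.
SOURCE_FEEDS is constructed sample data standing in for the post's 12 sources.
"""
import re

# Constructed feeds mixing the formats such lists commonly use: bare names,
# "<address> <name>" hosts lines, comments, blank lines, and junk to reject.
SOURCE_FEEDS = {
    "feed-a": """# constructed sample feed
127.0.0.1 cnc.example-bad.test
0.0.0.0 tracker.example-bad.test
ads.example-bad.test
""",
    "feed-b": """0.0.0.0   cnc.example-bad.test   # duplicate across feeds
bad..name.test
not a hostname!
localhost
TRACKER.Example-Bad.TEST
""",
}

# Assumed validation rule: 1-253 chars, dotted labels of 1-63 chars,
# labels may not start or end with "-", at least one dot.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)

# Names that must never be sinkholed by a feed entry.
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}


def extract_hostname(line):
    """Return the lower-cased hostname on a feed line, or None if it has none."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = line.split()
    # hosts-file form "<address> <name>" versus bare "<name>"
    if len(parts) >= 2 and re.fullmatch(r"[0-9.:]+", parts[0]):
        return parts[1].lower()
    return parts[0].lower()


def is_valid_hostname(name):
    return bool(HOSTNAME_RE.match(name)) and name not in PROTECTED


def merge_feeds(feeds):
    """Merge feeds into a sorted, deduplicated list of valid names; report rejects."""
    accepted, rejected = set(), []
    for feed_name, text in feeds.items():
        for line in text.splitlines():
            name = extract_hostname(line)
            if name is None:
                continue
            if is_valid_hostname(name):
                accepted.add(name)
            else:
                rejected.append((feed_name, name))
    return sorted(accepted), rejected


def render_hosts(names, sink="0.0.0.0"):
    """Render hosts-file lines. 0.0.0.0 is chosen over 127.0.0.1 so blocked
    connections fail immediately instead of reaching a local listener."""
    return "\n".join(f"{sink} {n}" for n in names) + "\n"


def parse_hosts(text):
    """Parse hosts-file text into {name: address}; first mapping wins, as the
    resolver's hosts lookup does."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for n in names:
            table.setdefault(n.lower(), addr)
    return table


def is_sinkholed(hosts_text, name):
    """True if the rendered file maps the name to a sinkhole address."""
    return parse_hosts(hosts_text).get(name.lower()) in {"0.0.0.0", "127.0.0.1"}


if __name__ == "__main__":
    names, rejects = merge_feeds(SOURCE_FEEDS)
    print(render_hosts(names))
    print("rejected:", rejects)
```

Running it prints three sinkhole lines and reports the three rejected entries from `feed-b` (the doubled-dot name, the non-hostname text, and the protected `localhost`). Scheduling it is left to cron or Task Scheduler; the file it writes is a drop-in for the system hosts file only after it has been reviewed, since anything a feed gets into that file is trusted by every program on the machine.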

When the "best you've got" = bogus downmods? (-1)

Anonymous Coward | about 2 years ago | (#41659277)

You haven't accomplished a damn thing, trolls (see subject-line, YOU FAIL, badly)...

* As-per-my-usual? I challenge ANYONE to disprove the points I stated in my post you bogusly downmodded...

(Knowing FULL WELL that whoever downmodded my post won't be able to MEET THAT CHALLENGE... lol!)

APK

P.S.=> Thus, well... you just KNOW I've just GOTTA SAY IT, as-is-per-my-inimitable style:

This? THIS was just "too, Too, TOO EASY - just '2ez'" - since whoever "computing technically" speaking can't justify their downmod of my post I just replied to on valid grounds by disproving my points...

Face it - YOU know it, I know it, & anyone else reading with 1/2 a brain, knows it also...

... apk

Re:When the "best you've got" = bogus downmods? (0)

Anonymous Coward | about 2 years ago | (#41659737)

Oh and of course, I like to suck cock.

apk

Impersonation of myself? (0)

Anonymous Coward | about 2 years ago | (#41659975)

Plus an illogical off-topic weak failing ad hominem attack on myself, rather than disproving my points here -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979 is "the best you've got", little ac troll?

* Please... make me laugh some more!

(Like I said: Not a SINGLE ONE OF YOU CAN DISPROVE MY POINTS in the link above, & you ALWAYS RUN from this challenge put to you also -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41659277 )

APK

P.S.=> Face facts, troll - YOU FAIL, miserably... and you know it! ... apk

Re:When the "best you've got" = bogus downmods? (0)

Anonymous Coward | about 2 years ago | (#41660567)

...anyone else reading with 1/2 a brain

Those with full brains likely didn't make it past the first few lines...

"Run, Forrest: RUN!" (0)

Anonymous Coward | about 2 years ago | (#41660885)

Fully dyslexia or ADHD addled brains, like yours? Disprove my points here instead troll -> http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979 because your off-topic illogical ad hominem attacks only show anyone reading that you are indeed, lol, "pulling a forrest gump" (& running)...

* You FAIL, troll... & you're apparently out of modpoints to bogusly + unjustifiably downmod my post (instead of disproving its points).

APK

P.S.=> Of course, IF you could manage to disprove my points in that link above, then I couldn't SAY you are failing, but alas? LMAO, you are - badly! ... apk

Re:"Run, Forrest: RUN!" (0)

Anonymous Coward | about 2 years ago | (#41661503)

The funniest part is that my "full brain" comment is the only comment I've made in this thread and, to my knowledge, anything you've ever posted. I also have no recollection of ever modding anything you've ever written. Fortunately, I feel no need to prove or disprove anything you've said. I don't even care about the content of your post (which stems primarily from the way it's written). I just enjoyed poking the bear because it's so funny. Childish certainly, but still funny.

Re:"Run, Forrest: RUN!" (0)

Anonymous Coward | about 2 years ago | (#41661555)

Thanks for proving apk's point for him Forrest.

Re:"Run, Forrest: RUN!" (0)

Anonymous Coward | about 2 years ago | (#41665667)

There was a point in there? Was it hidden under his hat or something?

Re:"Run, Forrest: RUN!" (0)

Anonymous Coward | about 2 years ago | (#41666987)

You're avoiding disproving apk's points on hosts files when you were challenged to do so here http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979

Re:I'm NEVER WORRIED about these things... (0, Informative)

Anonymous Coward | about 2 years ago | (#41659663)

It'd be a whole lot easier to use an OS that isn't so susceptible to malware.

Re:I'm NEVER WORRIED about these things... (1)

Anonymous Coward | about 2 years ago | (#41660255)

They all are to one degree or another, & most implement the same general concepts for security too. Most used = most attacked. From the perspective of the malware maker/botnet master etc., this makes TOTAL sense (and it's why Microsoft Windows is the most attacked as far as Operating Systems go).

Re:I'm NEVER WORRIED about these things... (1)

camperdave (969942) | about 2 years ago | (#41661969)

It'd be a whole lot easier to use an OS that isn't so susceptible to malware.

That's why I use hand written Action! code on an Atari 800XL, and I never, ever, ever go online.

Re:I'm NEVER WORRIED about these things... (0)

Anonymous Coward | about 2 years ago | (#41660943)

Instead of trolls doing unjustifiable downmods, why can't they disprove the points posted here instead http://yro.slashdot.org/comments.pl?sid=3186429&cid=41658979 ?

Re:I'm NEVER WORRIED about these things... (0)

Anonymous Coward | about 2 years ago | (#41661177)

Why? Simple - the very SECOND their C&C Servers (or other online parts) are known, I block them the heck out

What if they become known while you're spamming /., eh?
Might not add it that very second, hmmmm?

Re:I'm NEVER WORRIED about these things... (0)

Anonymous Coward | about 2 years ago | (#41661311)

Open Sores people post about their wares here, such as adblock and it's not as good, so why can't he?

I'm pretty well covered... apk (0)

Anonymous Coward | about 2 years ago | (#41661527)

The program runs itself every 12 hours "automagically" IF I wish & gets its data for custom hosts files from 12 reputable & reliable sites for that. I'll get it then without lifting a finger!

* However/OR, I can just do a "manual run" right then too...

(I also get a LOT of botnet C&C Server information from articles during my evenings as well, & sometimes, my sources don't even get them THAT fast, so I do manual runs in the evenings after dinner usually!)

APK

P.S.=> So far, since 1997 when I started doing custom hosts files? I have myself covered vs. LITERALLY 1,848,485++ known bad sites/servers/hosts-domains that serve up malicious content/exploits/malware etc.-et al!

Now, that's pretty good considering it's a solution in custom hosts files that's TIGHTLY INTEGRATED into the OS since it's really only using a part of the IP stack, as a filter for it!

(The IP stack's written in C + assembly afaik, fastest there is, AND, it runs in Ring 0/RPL 0/kernelmode too, not usermode/Ring 3/RPL 3 AND layering ontop of browsers ONLY (not external to browser email programs like Outlook/Outlook Express or Eudora for example)... SLOW!)

Solutions like AdBlock, by way of comparison AGAIN in terms of "SLOW"?

AdBlock's also written in SLOWER interpreted languages like javascript, python, & perl too - not as fast, OR efficient as the IP stack yet again which again, was written in FAR FASTER C & Assembly language... period!

All that, is where custom hosts files rock (and more), vs. "solutions" that are OWNED BY ADVERTISERS (& intentionally weakened by default in AdBlock + Ghostery in tracking)...

... apk

Re:I'm pretty well covered... apk (0)

Anonymous Coward | about 2 years ago | (#41662877)

That very second

every 12 hours

Your logic is especially bad today.

Covered vs. nearly 2 million bogus servers (0)

Anonymous Coward | about 2 years ago | (#41663627)

Is it? I run it manually when & IF needed (by simply visiting the sites as they update, sometimes every 20 minutes or so, other times once a day, sometimes once a week or once a month), & then I scour articles on security too, mainly for botnet C&C servers that aren't mentioned/listed/noted in my normal 12 sources...

* Pretty simple - but, @ the VERY LEAST, I am covered "automagically" every 12 hours for them all...

APK

P.S.=> I can certainly say 1 thing - I know that my being covered vs. nearly 2 million (& growing) KNOWN bad sites/servers/hosts-domains that are bogus DNS servers, botnet C&C servers, fastflux hosts, or just plain malware or malscripted housing sites... and, VERY CURRENTLY found as so here, & inserted into my custom hosts file!

(For security, it's a great extra-layer of protection, but the speed gains are even MORE astounding & noticeable!)

QUESTION: Are you? I am SURE I am...

... apk

Get used to it (4, Insightful)

crazyjj (2598719) | about 2 years ago | (#41659031)

The era of governments using malware as part of their standard military/security/intelligence arsenal has arrived.

Re:Get used to it (0)

Anonymous Coward | about 2 years ago | (#41659275)

The era of governments using malware as part of their standard military/security/intelligence arsenal has arrived.

That era has been here since ~1960, but civilian researchers have now caught up to the fact.

Re:Get used to it (1)

flyingfsck (986395) | about 2 years ago | (#41659383)

No, it arrived a long, long time ago. Ordinary folk only started to take notice now though.

Re:Get used to it (1)

SpzToid (869795) | about 2 years ago | (#41660245)

If nothing else, open-source code and watching how that movie director Robert Rodriguez successfully preaches low-budget artistic control vs. bigger-budget studio-control has taught me how raw talent, motivation, and perseverance can still succeed against 'the odds'. Oh, and fear helps a lot!

This knowledge I try to use for good given the gifts my life has given to me. Still, others will inherently do otherwise to the best of their abilities.

After all, it isn't what you have that matters, but what you do with what you have.

Re:Get used to it (0)

Anonymous Coward | about 2 years ago | (#41663239)

After all, it isn't what you have that matters, but what you do with what you have.

No, it just means that you haven't made it and should have worked harder.

Re:Get used to it (1)

SethJohnson (112166) | about 2 years ago | (#41663557)

"....and watching how that movie director Robert Rodriguez successfully preaches low-budget artistic control vs. bigger-budget studio-control has taught me how raw talent, motivation, and perseverance can still succeed against 'the odds'."

That dude hasn't made a worthwhile movie since Sin City. He uses low budgets as an excuse for making crappy movies. There was no reason Predators had to suck with that budget. It was all him. He's infatuated by Hollywood's adoration of him. Crammed so many celebrities into Machete, he bloated out the story to fit them all in. Should have turned the camera off when Booth was killed. That was the end of the story that mattered. Same with his career.

Here's a wonderful music video Robert Rodriguez shot that may-or-may-not be self-aware that it's the story of Rodriguez banging a Hollywood Starlet (Rose McGowan) and then stressing over whether or not his kids from his divorce will accept the younger woman [vimeo.com] . Bob Schneider plays the Robert Rodriguez role while Kat Demming fills in for Rose McGowan. His kid plays himself in the video. I can't tell if he's tipping his hat to Nena with the release of the red balloons at the end or is just outright ripping the ending off.

Seth

Is there more out there? (0)

Anonymous Coward | about 2 years ago | (#41659691)

Is there likely to be a lot more of this type of thing out there that just hasn't been discovered? I was thinking...damn, it's gotta be embarrassing for those secretive TLAs for their activities to be made so public, but then, what is the likelihood that those secretive TLAs have a lot more stuff out there that simply hasn't been made public?

Re:Is there more out there? (2)

A Friendly Troll (1017492) | about 2 years ago | (#41661631)

Is there likely to be a lot more of this type of thing out there that just hasn't been discovered?

Yes.

There are four known communication protocols (OldProtocol, OldProtocolIE, SignupProtocol, RedProtocol) and four classes of malware (SP, SPE, IP, FL).

This is SPE. FL was Flame. SP is unknown (though presumed early SPE), IP is also unknown.

IP uses SignupProtocol. It is presumed that RedProtocol is not yet implemented, although I'd lean towards "not yet discovered".

This is really, really precisely targeted stuff. Stuxnet went out - supposedly the Israelis modified it and a bug/feature let it spread - but the others were pretty much precisely guided towards the victims. Nobody has any idea what's out there and which operating systems these things are targeting. Given that the creators of this entire malware family have also utilized a completely new hash collision algorithm and managed to do things nobody ever did before, I wouldn't be surprised if there were plenty more malware unknowns where this came from.

Fascinating stuff. Evil stuff, but incredibly fascinating. To this date, nobody figured out how malware operators gained access to some Linux servers used for C&C, nor why their first action after logging in was to upgrade OpenSSH.

Re:Is there more out there? (0)

Anonymous Coward | about 2 years ago | (#41662943)

To this date, nobody figured out how malware operators gained access to some Linux servers used for C&C, nor why their first action after logging in was to upgrade OpenSSH.

Oh, let me take a stab at it. The authors behind this are, of course, the NSA. As we all know, the NSA has placed backdoors in the OBSD TCP stack, so it stands to reason they've placed backdoors in OpenSSH as well. There are two reasons they could have upgraded:

1) To cover their tracks and remove the backdoor, which has been removed from the latest version of OpenSSH either intentionally or accidentally.
2) To make people THINK that (1) was the reason, because the backdoor is still there!

\end{sarcasm}

Blowback from this is going to hurt (1)

RoTNCoRE (744518) | about 2 years ago | (#41661331)

Malware like this is unique in warfare in that the payload can be recovered intact, reverse engineered, and deployed for other motives quite easily, and (from my admittedly limited understanding) requires only off-the-shelf technological overhead. I've read several articles here recently about critical infrastructure related SCADA equipment needing per-site patches due to backdoors and poor default security settings. Presuming the proliferators of this malware based espionage are intelligent and can predict the following chain of events, they must have deemed this to be an acceptable risk, or even want it to happen...

I wonder what the legal liabilities for the originating state(s) are when a modified version impacts their own citizens and infrastructure? It worries me that nations are running headlong into this type of undeclared war. Bioweapons are limited in their usefulness in warfare for this very reason - their propensity to harm non-combatants on both sides. With our dependence on IT and networks in all areas including the provisions of the necessities of life, when this escalates, it won't be pretty.

Windows Only ... (0)

Anonymous Coward | about 2 years ago | (#41662845)

Nothing to see here ...

Nobody Seems To Notice and Nobody Seems To Care (0)

Anonymous Coward | about 2 years ago | (#41665283)

Nobody Seems To Notice and Nobody Seems To Care - Government & Stealth Malware

In Response To Slashdot Article: Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms

How many rootkits does the US[2] use officially or unofficially?

How much of the free but proprietary software in the US spies on you?

Which software would that be?

Visit any of the top freeware sites in the US, count the number of thousands or millions of downloads of free but proprietary software, much of it works, again on a proprietary Operating System, with files stored or in transit.

How many free but proprietary programs have you downloaded and scanned entire hard drives, flash drives, and other media? Do you realize you are giving these types of proprietary programs complete access to all of your computer's files on the basis of faith alone?

If you are an atheist, the comparison is that you believe in code you cannot see to detect and contain malware on the basis of faith! So you do believe in something invisible to you, don't you?

I'm now going to touch on a subject most anti-malware, commercial or free, developers will DELETE on most of their forums or mailing lists:

APT malware infecting and remaining in BIOS, on PCI and AGP devices, in firmware, your router (many routers are forced to place backdoors in their firmware for their government), your NIC, and many other devices.

Where are the commercial or free anti-malware organizations' and individuals' products which hash and compare in the cloud and scan for malware for these vectors? If you post on mailing lists or forums of most anti-malware organizations about this threat, one of the following actions will apply: your post will be deleted and/or moved to a hard to find or 'deleted/junk posts' forum section, someone or a team of individuals will mock you in various forms 'tin foil hat', 'conspiracy nut', and my favorite, 'where is the proof of these infections?' One only needs to search Google for these threats and they will open your malware world view to a much larger arena of malware on devices not scanned/supported by the scanners from these freeware sites. This point assumed you're using the proprietary Microsoft Windows OS. Now, let's move on to Linux.

The rootkit scanners for Linux are few and poor. If you're lucky, you'll know how to use chkrootkit (but you can use strings and other tools for analysis) and show the strings of binaries on your installation, but the results are dependent on your capability of deciphering the output and performing further analysis with various tools or in an environment such as Remnux Linux. None of these free scanners scan the earlier mentioned areas of your PC, either! Nor do they detect many of the hundreds of trojans and rootkits easily available on popular websites and the dark/deep web.

Compromised defenders of Linux will look down their nose at you (unless they are into reverse engineering malware/bad binaries, Google for this and Linux and begin a valuable education!) and respond with a similar tone, if they don't call you a noob or point to verifying/downloading packages in a signed repo/original/secure source or checking hashes, they will jump to conspiracy type labels, ignore you, lock and/or shuffle the thread, or otherwise lead you astray from learning how to examine bad binaries. The world of Linux is funny in this way, and I've been a part of it for many years. The majority of Linux users, like the Windows users, will go out of their way to lead you and say anything other than pointing you to information readily available on detailed binary file analysis.

Don't let them get you down, the information is plenty and out there, some from some well known publishers of Linux/Unix books. Search, learn, and share the information on detecting and picking through bad binaries. But this still will not touch the void of the APT malware described above which will survive any wipe of r/w media. I'm convinced, on both *nix and Windows, these pieces of APT malware are government in origin. Maybe not from the US, but most of the 'curious' malware I've come across in poisoned binaries, were written by someone with a good knowledge in English, some, I found, functioned similar to the now well known Flame malware. From my experience, either many forum/mailing list mods and malware developers/defenders are 'on the take', compromised themselves, and/or working for a government entity.

Search enough, and you'll arrive at some lone individuals who cry out their system is compromised and nothing in their attempts can shake it of some 'strange infection'. These posts receive the same behavior as I said above, but often they are lone posts which receive no answer at all, AT ALL! While other posts are quickly and kindly replied to and the 'strange infection' posts are left to age and end up in a lost pile of old threads.

If you're persistent, the usual challenge is to, "prove it or STFU" and if the thread is not attacked or locked/shuffled and you're lucky to reference some actual data, they will usually attack or ridicule you and further drive the discussion away from actual proof of APT infections.

The market is ripe for an ambitious company or individual to begin demanding companies and organizations who release firmware and design hardware to release signed and hashed packages and pour this information into the cloud, so everyone's BIOS is checked, all firmware on routers, NICs, and other devices are checked, and malware identified and knowledge reported and shared openly.

But even this will do nothing to stop backdoored firmware (often on commercial routers and other networked devices of real importance for government use - which again opens the possibility of hackers discovering these backdoors) people continue to use instead of refusing to buy hardware with proprietary firmware/software.

Many people will say, "the only safe computer is the one disconnected from any network, wireless, wired, LAN, internet, intranet" but I have seen and you can search yourself for and read about satellite, RF, temperature, TEMPEST (is it illegal in your part of the world to SHIELD your system against some of these APT attacks, especially TEMPEST? And no, it's not simply a CRT issue), power line and many other attacks which can and do strike computers which have no active network connection, some which have never had any network connection. Some individuals have complained they receive APT attacks throughout their disconnected systems and they are ridiculed and labeled as a nutter. The information exists, some people have gone so far as to scream from the rooftops online about it, but they are nutters who must have some serious problems and this technology with our systems could not be possible.

I believe most modern computer hardware is more powerful than many of us imagine, and a lot of these systems swept from above via satellite and other attacks. Some exploits take advantage of packet radio and some of your proprietary hardware. Some exploits piggyback and unless you really know what you're doing, and even then... you won't notice it.

Back to the Windows users, a lot of them will dismiss any strange activity to, "that's just Windows!" and ignore it or format again and again only to see the same APT infected activity continue. Using older versions of sysinternals, I've observed very bizarre behavior on a few non networked systems, a mysterious chat program running which doesn't exist on the system, all communication methods monitored (bluetooth, your hard/software modems, and more), disk mirroring software running[1], scans running on different but specific file types, command line versions of popular Windows freeware installed on the system rather than the use of the graphical component, and more.

[1] In one anonymous post on pastebin, claiming to be from an intel org, it blasted the group Anonymous, with a bunch of threats and information, including that their systems are all mirrored in some remote location anyway.

[2] Or other government, US used in this case due to the article source and speculation vs. China. This is not to defend China, which is one messed up hell hole on several levels and we all need to push for human rights and freedom for China's people. For other, freer countries, however, the concentration camps exist but you wouldn't notice them, they originate from media, mostly your TV, and you don't even know it. As George Carlin railed about "Our Owners", "nobody seems to notice and nobody seems to care".

[3] http://www.stallman.org/ [stallman.org]

Try this yourself on a wide variety of internet forums and mailing lists, push for malware scanners to scan more than files, but firmware/BIOS. See what happens, I can guarantee it won't be pleasant, especially with APT cases.

So scan away, or blissfully ignore it, but we need more people like RMS[3] in the world. Such individuals tend to be eccentric but their words ring true and clear about electronics and freedom.

I believe we're mostly pwned, whether we would like to admit it or not, blind and pwned, yet fiercely holding to misinformation, often due to lack of self discovery and education, and "nobody seems to notice and nobody seems to care".
