44 comments

[ 3.6 ms ] story [ 102 ms ] thread
D*mmit. Guess I finally should break down and burn a linux bootdisk for banking.
Ahhh, but what system can you trust to burn the linux boot CD on?
Not to mention by the time you burned it it would be well out of date (security patches). If you're going to go that route you'd be better off buying a USB stick with a write-lock (Kanguru sells some).
The usual move is to argue but I have seen un-patched Windows servers rooted in under 30 min on the public Internet. I made several recommendations to modify their SOP...
Kanguru has some really nice thumb drives. I own two and would recommend them to anyone. Keep in mind, you can also store private keys on them.
> you can also store private keys on them

As regular files (e.g. `cp ~/.gnupg/secring.gpg /media/kanguru/`) or can you somehow import them such as with a smart card?

I carry multiple devices at the moment but it would be nice to consolidate.

Only as regular files, but with the write lock you can be sure that they don't get deleted.
Are you saying this software can inject malicious code into a disk image and/or falsify the integrity report if you look at the md5 checksum of said image?
No. But it is also hard to trust a frozen OS. How often should one refresh the ISO?
Even if your OS is out of date:

1 - Malware should be purged on shut down

2 - Only specific sites are accessed, e.g. banking domains, minimizing the risk of picking something up through e-mail or careless browsing.

3 - Obviously you shouldn't be running a server.

4 - You should still practice safe browsing, being aware of packet injection via public WiFi.

If you are being specifically targeted, that is another issue.

Also, you shouldn't even be using md5 anyways. It's essentially broken and has serious vulnerabilities. Use sha2 or sha3.
That's what I get for being specific. >.<

My point was that it's unlikely that you're dealing with malware so sophisticated that it can successfully corrupt any given OS disk image and/or fake-out a checksum verification on same -- and if it can, you're probably screwed anyway.

> That's what I get for being specific.

That's one little thing about HN -- most people are so literal, completely missing the point.

I'm sure that it's not (yet) possible to do that, although that would be a huge breakthrough. Imagine malware that could detect what (OS) is on the ISO image and inject itself into the files inside the ISO stealthily... all at run-time when you click the "burn this ISO to this CD" button.

Yeah, we'd just be screwed at that point.

Yeah but if you go this far, how could you ever trust the bank's security?
A Linux boot CD would be secure but I think it's awkward to have to reboot your computer all the time. I use Linux but I have stopped using my computer for anything like banking. Instead, I use my bank's app on my iPhone or iPad neither of which are jailbroken.
Just hope you never open the wrong PDF... Or hope that the app is using SSL correct.... Or, nah, forget it. too much hope goes on in using a closed source from a company that does not disclose nothing. thank you.
Or break down and invest in a VMWare license, and run everything (_everything_) in a virtual machine.
I tried to find an article about an attack against virtualization that used some CPU trickery to spy on everything the host computer was doing. (Including other virtual machines on the same host.) Sadly I couldn't.

So here are all the tabs I opened during my search instead.

http://www.kb.cert.org/vuls/id/649219

https://www.scmagazineus.com/Altor-Networks-Altor-VF/Review/...

https://www.juniper.net/us/en/products-services/software/sec...

http://news.cnet.com/8301-13846_3-10395695-62.html?tag=mncol...

http://www.itworld.com/security/80289/securing-your-virtual-...

http://www.symantec.com/connect/blogs/infographic-what-small...

A quick look at these shows them to be wholly not what I'm looking for. (And wholly unfit for HN I might add, which is where I got them.)

If anyone out there has a link to the vulnerability I'm thinking of (it was on HN at one point), or useful information on securing virtual machines against breakout malware, that would be awesome.

This one?

http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-pr...

http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_...

Exploits are developed to break VMs, just like everything else, and are promptly patched once revealed. Apart from general intrusion detection tools, I think you would be hard pressed to find anything to guard against them.

Maybe run a VM inside another VM ;)

Make sure the media don't come with a little surprise. :-)
$40,000 dollars sounds cheap
Really? How many hours do you think it'd take to write something like this?
botnets make that much everyday
Assuming that, you'd think the author of this codebase would have done some sort of calculation on expected daily return from renting a botnet created via this software, and priced it accordingly. There is a calculation similar to what I described to determine what a successful poker bot is worth.

Otherwise it would make more sense to just run it themselves -- although that would of course expose them to [more] legal risk. Reminds me of bitcoin mining -- can you make more money selling ASIC miners or just mining BTC with the ones that you've built?

Probably stolen software that requires work to deploy.
It is absolutely not about the hours taken to write it, but the skill and knowledge required.

How many hours does it take a doctor to remove your appendix? Is that a relevant metric to judge or place a cost on?

You need to read up on how capitalism actually works. It doesn't matter if the thing was written in 30 seconds. The price comes from the perceived value of it.
$40,000 is ridiculously cheap when you realise how little effort can go in to building, say, a master-data management software, which licenses for many hundreds of thousands per year.

Or, consider the average salary of a programmer with enough operating systems knowledge to write this.

But then, supply and demand is a strange thing.

I don't understand how people comprehend this shit. Not only is it malicious, it's absolutely hideous.
Shitty coders with shitty morals write shitty software for shitty people
It might not read quite like the poetry, but this is definitely not shitty code.

Of course, I agree with you completely wrt their morality.

Some times I feel like the world I live in is from a science fiction novel.
I'm sure all the tropes exist today in some form or another (and they needn't be products of the new millenium, either - I've been seeing reportage from Naipaul's cramped Bombay well since the 70s, wrought out of an incredible amount of tiering and complete alienation between the tiers) but we consider them individual failures of society, and god knows if we'll ever suspend the ideals from our rhetoric in order to assemble the full enchilada.
Bootkit alone is probably worth $40k - https://github.com/hzeroo/Carberp/tree/master/source%20-%20a...

The code looks better than a lot of commercial kernel code of comparable complexity, and it is complex. From readme -

  --
Bootkit is a driver for loading other drivers at the OS boot time. Driver is loaded before the initialization of NT kernel (i.e. before the start of the PatchGuard) and it can patch arbitrary kernel code. The driver gets launched before every other drivers, including the boot-time ones, and it can monitor and control their loading. No digital signature is required.

Supported Windows versions - from XP to W8 inclusively.

Supported platforms - x86 and amd64.

Boot-loader works with all types of NTFS partitions.

The code is metamorphic, it consists of several blocks that are randomly rearranged with each build. The IPL (initial loader) code is encrypted and it is incrementally decrypted during the execution. Considered together, this means that each build of the bootkit is binary unique. The driver is also encrypted when stored on the disk and it is decrypted by IPL upon loading.

  --
All in all, this is quite a leak. Very few people can code something like this and it's a unique chance to peek at and learn from their work.
>code looks better than a lot of commercial kernel code

Sounds like we need another of Fabien Sanglard's source code reviews:) Normally I'd stay away from this sort of thing, but if it's a good as people say, I might have to check it out myself.

Does it go around W8 protected boot? From what I understand it cannot.

But how it goes around the signature requirement of drivers is very clever.

What is the legality of selling this as opposed to using it? I assume it's legal?