- 05-18-2014 #1
BadBIOS infected linux distros have multiple squashfs, busybox initrd
Last week, I commented. My comment was deleted. I resubmitted my comment. My comment included my testimony that my computers were infected from a tampered PartedMagic. I copied and pasted xii's comment on his computers being infected from tampered PartedMagic and Deft. Bartsimpson and Xii, thank you for sharing your findings.
My computers were already infected with BadBios before they became reinfected by my downloading, burning and booting to a live tampered PartedMagic CD and live UBCD CD in 2013. I discarded my tampered PartedMagic CD and UBCD CD. Thus, I cannot confirm bartsimpson's and xii's findings for those two distros.
My computers became infected with BadBIOS in November 2011. In November 2011, I downloaded, burned and booted to Privatix 11.04.11, a German Debian remix Tor distro.
Yesterday and today, I conducted forensics on Privatix to ascertain whether the tampering of Privatix used the same methods that bartsimpson described of PartedMagic and xii described of PartedMagic and DEFT. Privatix does. Even more so. Privatix has multiple squashfs, busyboxes and initrds.
This method of tampering of linux distros started at least as far back as November 2011 when I downloaded Privatix.
Possibly starting 2010, as my PCLinuxOS GNOME 2010.12 distro has fake audio and video plugins. Several days ago, I posted in the Security section a thread titled 'Fake browser plugins in live linux DVDs'. Privatix 11.04.11, PCLinuxOS FullMonty 2013.04 and PCLinuxOS GNOME 2010.12 have fake browser plugins. Almost all the fake plugins are audio and video plugins. I do not have the time to conduct forensics on the two PCLinuxOS distros. I am asking for volunteers.
Privatix > Places > computer > has two filesystems:
(1) 863 MB File: 863 MB Filesystem and
(2) File System
863 MB File: 863 MB Filesystem > right click to select properties:
Permissions: "The permissions of "863 MB File: 863 MB Filesystem" could not be determined."
I attempted to open the 863 MB file. Error message: "Unable to mount location. Internal error: No mount object for mounted volume."
File System > right click to select properties:
Type: folder (inode/directory)
Contents: 185,491 items totaling 13.7 GB (some contents unreadable)
Free space: 663.2 MB
Permissions: The permissions of "/" could not be determined.
13.7 GB size of file system is huge! I removed the internal hard drive, wifi card and speakers from my HP Compaq Presario V2000. My computer is offline. Obviously, my computer is connecting offline to a remote server. The server is not mine. I neither have a server nor RAID.
Each filesystem has its own var logs. The 863 MB file filesystem has its /var.log at /live/cow/var/log/live.log. The second File System has var logs at /var/log.
xii wrote: "Most of the detection methods for virtualization of this variety are timing related. This was visible to me in Windows by observing event logs like the following: 'Event ID: 1 The system time has changed to <date:time> from <date:time>'"
After booting to the Privatix live CD, the system time is always an hour behind.
xii wrote: "When booting from a liveCD, you can easily spot tainted files by looking at date modified timestamps. I don't understand why/how malicious code that is able to communicate to airgapped computers didn't even try to cover its tracks by forging timestamps, but in my case I can plainly see altered files by looking at any files that have a timestamp associated with a date after I burned the CD/DVD."
No files have their modified date as the date I burned the ISO in November 2011. Many files have a modified date of 2010. 2010 is both prior to the burning and prior to the release date of the distro which was April 11, 2011.
Numerous files have a modified date of the date I booted to the live DVD.
xii wrote: "The files that I found to be altered / poisoned after booting to either Parted Magic or Deft include:
A. filesystem.squashfs. . . B. initrd.img . . .there are timestamps on many files in the mounted locations as well as the squashfs file itself that indicate they were either modified at a date prior to burning (not the current date either), or at a date that occurred prior to the release date of the running distribution (impossible)."
Privatix has two squashfs and one filesystem.squashfs. The squashfs, located at /sys/module, has modified date of the day I boot live Privatix DVD.
While in the computer directory, I searched for 'squashfs':
Three squashfs files, One filesystem.squashfs size 823.1 MB, One squashfs_inode_cache, Two lenny_chroot_squash and two squashfs.ko
The three squashfs files
Contents: 1 item, with size 27.8 KB
Location: /lib/modules/2.6.32-5-686/, /media/disk/lib/modules/2 and /sys/module
Permissions: same as above
Size: 823.1 MB
Accessed: Mon 11 April 2011 10:57:13 PM UTC
Modified: Mon 11 April 2011 10:53:09 PM UTC
Permissions same except not executable
Last changed: Mon 11 April 2011 10:56:18 PM UTC
Contents: 27 items, totaling 108.0 KB
free space: unknown
Permissions: same as above
The two squashfs.ko are type: object code files. Size 27.8 KB.
permissions same as above except not executable
The second squashfs.ko location: /media/disk/lib/modules/2.6.32-5
permissions: same as first squashfs.ko.
Type: shell script
Size 652 bytes
location: /media/disk/usr/share/live/build/example/, /usr/share/live/build/examples/hooks
Accessed: Wed 02 Feb 2011 11:39:10 AM UTC
Modified: Wed 02 Feb 2011 11:39:10 AM UTC
Permissions: same as above but executable
Xii wrote: "Both of these distributions (PartedMagic and Deft) utilize Busybox, which redirects various commands to compressed / optimized ELF binaries, making it highly difficult to understand exactly what kind of tampering has been done without a working knowledge of low level reverse engineering (that I do not possess)."
Privatix uses Busybox. Places > Computer > search for 'busybox' results:
busybox folder, modified date 11 April 2011, location at /usr/share/doc, contains a changelog.Debian.gz file, modified date 15 Nov 2010, and a copyright file.
busybox executable, modified date 15 Nov 2010 location at /bin
busybox shell script, modified date 25 Aug 2010, location at /usr/share/initramfs-tools/hooks
busybox.1.gz located at /usr/share/man/man1
busybox.list located at /var/lib/dpkg/info
busybox.md5sums, modified date 15 Nov 2010, located at /var/lib/dpkg/info
Most linux distros do not use busybox.
xii wrote: "B. initrd.img In deft this file is named "initrd.img-3.5.0-30-generic" with a file size of approximately 22.2 MB. The system indicates this file is gzip compressed but trying to extract with Archive Manager fails generically."
I searched for 'initrd'. Privatix > Places > Computer > search 'initrd' results:
initrd.4.gz, link to initrd.img, initrd.img and initrd.img-2.6.32-5-686. Privatix has two imgs. Linux distros are supposed to have just one img.
I right clicked on link to initrd.img and selected properties:
link target: boot/initrd.img-2.6.32-5-686
location: /, volume: unknown, permissions: same as initrd.4.gz
I right clicked on initrd.img and selected properties:
size: 10.1 MB, location: /live/image/live, volume: unknown
Accessed and Modified: Mon 11 April 2011
Permissions: same as initrd.4.gz except for last changed: Mon 11 April 2011.
Archive manager displayed contents of initrd.img grayed out:
filesystem.packages, filesystem.squashfs, initrd.img, memtest and vmlinuz.
I right clicked on initrd.img-2.6.32-5-686 and selected properties:
Size: 10.1 MB, location: /boot, volume: unknown
Accessed and Modified: Mon 11 April 2011 10:35:29 PM UTC
Permissions same as initrd.4.gz.
Archive manager displayed grayed out files as I didn't have permission to extract initrd.img-2.6.32-5-686:
grub folder, config-2.6.32-5-686, initrd.img-2.6.32-5-686, System.map-2.6.32-5-686 and vmlinuz-2.6.32-5-686
I do not have the file permissions to extract the initrd.img. I do not have the file permissions to extract any of the gz files or to read most of the /var/logs.
I right clicked on initrd.4.gz and selected properties:
Size: 4.6 KB, Location: /usr/share/man/man4, volume: unknown
Accessed and modified: Tue 16 Nov 2010 08:50:0 PM UTC
Owner root: read and write
Group root: read-only
SELinux context: unknown
Last changed: unknown
I attempted to extract initrd.4.gz. Error message: "You don't have the right permissions to extract archives in the folder at /usr/share/man/man4."
Archive manager brought up the files in initrd.gz but they are grayed out so would not be legible in a screenshot. The files are all compressed files:
apm.4.gz, ati.4.gz, chips.4.gz, cirrus.4.gz, console_codes.4.gz, console_ioctl.4.gz, cpuid.4.gz, dsp56k.4.gz, epoll.4.gz, evdev.4.gz, exa.4.gz, fbdev.4.gz, fbdevhw.4.gz, fifo.4.gz, full.4.gz, futex.4.gz, hd.4.gz, i128.4.gz, i740.4.gz, initrd.4.gz, intro.4.gz, kmem.4.gz, lp.4.gz, mem.4.gz, mga.4.gz, mouse.4.gz, msr.4.gz, neomagic.4.gz, nouveau.4.gz, null.4.gz, nv.4.gz, openchrome.4.gz, port.4.gz, ptmx.4.gz, pts.4.gz, r128.4.gz, radeon.4.gz, ram.4.gz, random.4.gz, rendition.4.gz, rtc.4.gz, s3.4.gz, s3virge.4.gz, savage.4.gz, sd.4.gz, siliconmotion.4.gz, sis.4.gz, sisusb.4.gz, sk98lin.4.gz, st.4.gz, synaptics.4.gz, tdfx.4.gz, tseng.4.gz, tty.4.gz, tty_ioctl.4.gz, ttys.4.gz, ttyS.4.gz, urandom.4.gz, vcs.4.gz, vcsa.4.gz, vesa.4.gz, vmware.4.gz, voodoo.4.gz, wacom.4.gz, wavelan.4.gz and zero.4.gz.
Xii wrote: "I am very interested in hearing any explanation as to why encrypted PXE firmware is sitting inside of the initrd file on a LiveCD."
Archive manager could not extract the multiple initrd. I searched for PXE. Places > Computer > search 'PXE' results:
debian-live-pxe-server shell script location: /usr/share/live/build/hooks
debian-live-pxe-server plain text document location: /usr/share/live/build/lists
pxeboot.img location /usr/lib/grub/i386-pc
pxe.mod Amiga Soundtracker audio location: /usr/lib/grub/i386-pc
PXE server files should not be in a live Tor distro. Nor should PXE audio files. pxe.mod Amiga Soundtracker audio may be one method BadBIOS is streaming audio and data via PXE.
The /lib/modules/2.6.32-5-686/kernel/sound directory is extremely large. Contains sophisticated audio files, both German and Chinese. Research needs to be performed on the kernel sound directory and the fake audio browser plugins.
To discover if there were other img files besides pxe.img and several initrd.img files, I searched for 'img'.
Privatix > Places > computer > search for .img results:
boot.img unknown file type
cdboot.img unknown file type
initrd.img location: /live/image/live
kernel.img location: /usr/lib/grub/i386-pc
lnxboot.img location: /usr/lib/grub/i386-pc
pxeboot.img location /usr/lib/grub/i386-pc
Untampered linux distros do not have all of these img files.
Screenshots are at 'German Tor CD has PXE server streaming Amiga' in /r/onions subreddit of reddit.
I will ship my tampered Privatix 11.04.11 CD, PCLinuxOS FullMonty 2013.04 DVD purchased from OSDisc.com, PCLinuxOS GNOME 2010.12 CD, BadBIOS infected music DVDs and my BadBIOS infected HP Compaq Presario V2000 to anyone agreeing to conduct forensics and post their findings.
Last edited by BadBIOSVictim; 05-18-2014 at 09:07 PM.
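Post #1 above stops at Archive Manager refusing to open initrd.img. An initrd on a Debian-based live CD of that era is a gzip-compressed cpio archive in the "newc" format, and it can be listed without root and without any GUI tool. The following is an added example, not code from the thread or from Privatix: a minimal newc parser in Python that lists every member with mode, size and mtime, plus a helper that flags members whose timestamp is later than a chosen reference date (the "after I burned the CD" test xii describes). The archive it reads is constructed inline; the file names, dates and the one deliberately late-dated member are sample data, not findings about any real image.

```python
"""Added example: list the members of a Debian-style initrd.img (gzip-compressed
cpio 'newc' archive) and flag members dated after a reference epoch.
Not code from the original post. The archive below is constructed inline."""
import datetime
import gzip

NEWC_MAGIC = b"070701"
HEADER_LEN = 110  # 6-byte magic + 13 fields of 8 ASCII hex digits


def _pad4(b: bytes) -> bytes:
    """newc aligns header+name and file data to 4-byte boundaries."""
    return b + b"\0" * ((-len(b)) % 4)


def cpio_newc_entry(name: str, data: bytes, mode: int, mtime: int) -> bytes:
    """Build one newc member. Used here only to construct the sample archive."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin, rdevmaj, rdevmin, namesize, check
    fields = [0, mode, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(name_b), 0]
    hdr = NEWC_MAGIC + b"".join(f"{v:08x}".encode() for v in fields)
    return _pad4(hdr + name_b) + _pad4(data)


def list_initramfs(blob: bytes) -> list:
    """Parse a (possibly gzip-compressed) newc cpio archive into a list of dicts."""
    if blob[:2] == b"\x1f\x8b":          # gzip magic
        blob = gzip.decompress(blob)
    entries, off = [], 0
    while off + HEADER_LEN <= len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError(f"bad cpio magic at offset {off}")
        f = [int(blob[off + 6 + 8 * i: off + 14 + 8 * i], 16) for i in range(13)]
        mode, mtime, size, namesize = f[1], f[5], f[6], f[11]
        name_start = off + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()  # strip NUL
        data_start = name_start + namesize
        data_start += (-data_start) % 4
        if name == "TRAILER!!!":           # end-of-archive marker
            break
        entries.append({"name": name, "mode": mode, "size": size, "mtime": mtime,
                        "data": blob[data_start:data_start + size]})
        off = data_start + size
        off += (-off) % 4
    return entries


def newer_than(entries: list, epoch: int) -> list:
    """Names of members whose mtime is later than `epoch` (e.g. the burn date)."""
    return [e["name"] for e in entries if e["mtime"] > epoch]


def _utc(y: int, m: int, d: int) -> int:
    return int(datetime.datetime(y, m, d, tzinfo=datetime.timezone.utc).timestamp())


RELEASE = _utc(2011, 4, 11)   # distro release date quoted in the thread
BURN = _utc(2011, 11, 1)      # assumed burn date; sample value only

# Constructed sample initrd: three plausibly-dated members and one dated after BURN.
SAMPLE_INITRD = gzip.compress(
    cpio_newc_entry("init", b"#!/bin/sh\nexec /bin/busybox sh\n", 0o100755, RELEASE)
    + cpio_newc_entry("bin/busybox", b"\x7fELF" + b"\0" * 60, 0o100755, RELEASE - 86400)
    + cpio_newc_entry("lib/modules/2.6.32-5-686/kernel/fs/squashfs/squashfs.ko",
                      b"\x7fELF" + b"\0" * 28, 0o100644, RELEASE)
    + cpio_newc_entry("etc/sample-late-file.sh", b"echo sample\n", 0o100755, BURN + 3600)
    + cpio_newc_entry("TRAILER!!!", b"", 0, 0)
)

if __name__ == "__main__":
    members = list_initramfs(SAMPLE_INITRD)
    for e in members:
        ts = datetime.datetime.fromtimestamp(e["mtime"], datetime.timezone.utc)
        print(f"{e['mode']:06o} {e['size']:8d} {ts:%Y-%m-%d} {e['name']}")
    print("dated after burn:", newer_than(members, BURN))
```

On a real image the same listing is `zcat initrd.img | cpio -tv`, run against a copy of the file, and needs no special permissions; the permission errors reported above come from trying to extract into a read-only or root-owned directory, not from reading the archive. Note that a cpio mtime only records what the image builder wrote; a timestamp older than the release date is routine for packaged files and is not on its own evidence of modification.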
- 05-19-2014 #2
If you had not noticed, ALL announcements are moved to the Coffee Lounge. And for a damn good reason - because that is the place where they'll receive the most eyes. It's a logical step to us, but don't let our attempt to help publicise this issue stop you thinking there is some huge conspiracy at work here.
http://www.linuxforums.org/forum/cof...ouncement.html) and there is a deletion from that thread - bartsimpson originally hit a bug we suffered from occasionally and his post was inserted twice - one of those was removed. But there are no other deletions from that thread.
Despite your repeated posts on this subject, the BIOS compromise has been largely discredited by security specialists. The BIOS chip would have to be huge to contain all the binary information you're suggesting it's shipping. And I'm pretty sure I've booted from some of the things you claim are infected, and my TV set (which should, by now, have been compromised by sound-wave based attack) is still working fine.
Take a look at the comment by Steven_G on that thread for a level-headed analysis of this issue.
If you have real, hard evidence that an exploit has made it into the wild, then this really is not the place to be highlighting it. There -are- better places to report this stuff, but they're going to want you to prove what you've found. I hope you're ready for that.
Linux user #126863 - see http://linuxcounter.net/
- 05-19-2014 #3
Roxoff, thank you for explaining why Bartsimpson's thread was moved.
NSA created GENIE. GENIE is BadBIOS. 'Evidence of BadBIOS ultrasonic hacking' is in the r/badBIOS subreddit of reddit.
I posted this thread for feedback on multiple squashfs, busybox, initrd and preseed. Hopefully, members will comment on these.
Last edited by BadBIOSVictim; 05-19-2014 at 10:42 PM.
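Post #1 lists busybox.md5sums under /var/lib/dpkg/info and post #2 asks for proof. Those .md5sums files are what dpkg records for every file a package installs, and comparing them against the files actually present on the mounted live filesystem is the standard first check (it is what the `debsums` tool does). The following is an added example, not code from the thread or from any distribution: a Python verifier that parses a .md5sums file and reports each entry as ok, modified, missing or unreadable, the last case covering the "some contents unreadable" situation reported above. The directory tree and the .md5sums content it checks are constructed in a temporary directory; the file contents are sample bytes, not the real busybox package.

```python
"""Added example: compare files under a mounted root against the md5sums dpkg
recorded for a package (/var/lib/dpkg/info/<pkg>.md5sums), as debsums does.
Not code from the original post. The tree below is constructed in a tempdir."""
import hashlib
import os
import tempfile


def parse_md5sums(text: str) -> dict:
    """Parse '<32 hex md5>  <path relative to />' lines into {path: md5}."""
    recs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, rel = line.partition("  ")   # two spaces separate the fields
        recs[rel] = digest.strip().lower()
    return recs


def verify_tree(root: str, recs: dict) -> dict:
    """Return {path: 'ok' | 'modified' | 'missing' | 'unreadable'} per record."""
    results = {}
    for rel, expected in recs.items():
        path = os.path.join(root, rel)
        try:
            with open(path, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
        except FileNotFoundError:
            results[rel] = "missing"
            continue
        except PermissionError:
            # Seen as "some contents unreadable" in a file manager; report, don't skip.
            results[rel] = "unreadable"
            continue
        results[rel] = "ok" if actual == expected else "modified"
    return results


def demo() -> dict:
    """Constructed tree: busybox intact, the changelog altered, the copyright absent."""
    busybox = b"\x7fELF" + b"sample busybox bytes\0"          # sample, not a real binary
    changelog = b"busybox (sample) unstable; urgency=low\n"   # sample content
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "usr/share/doc/busybox"))
        with open(os.path.join(root, "bin/busybox"), "wb") as fh:
            fh.write(busybox)
        with open(os.path.join(root, "usr/share/doc/busybox/changelog.Debian.gz"), "wb") as fh:
            fh.write(changelog + b"extra bytes not in the recorded sum\n")
        # What dpkg would have recorded at install time (constructed here).
        md5sums = "\n".join([
            f"{hashlib.md5(busybox).hexdigest()}  bin/busybox",
            f"{hashlib.md5(changelog).hexdigest()}  usr/share/doc/busybox/changelog.Debian.gz",
            f"{hashlib.md5(b'copyright text').hexdigest()}  usr/share/doc/busybox/copyright",
        ])
        return verify_tree(root, parse_md5sums(md5sums))


if __name__ == "__main__":
    for rel, status in sorted(demo().items()):
        print(f"{status:10s} {rel}")
```

Against a real live CD the root argument is the mount point of filesystem.squashfs (mount the image read-only on a separate machine, then point `verify_tree` at it and feed it every `/var/lib/dpkg/info/*.md5sums` under that mount). Two caveats apply. The .md5sums files sit on the same medium as the binaries they describe, so anyone who rebuilt the image could have regenerated them; an independent comparison takes the expected sums from the package in the distribution's signed archive instead. And dpkg only records package-managed files, so the squashfs image, the initrd and the boot loader are not covered by this check at all; for those, the first thing to compare is the published checksum of the ISO itself against the one you downloaded.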
- 06-06-2014 #4
Yesterday, I booted to a live Fedora 20 CD which I purchased on Ebay.com.
Fedora 20 has squashfs and busybox:
05busybox folder located: /usr/lib/dracut/modules.d
Inside the folder was module-setup.sh type: program