  1. #1
    Just Joined!
    Join Date
    May 2014
    Posts
    57

    BadBIOS infected linux distros have multiple squashfs, busybox initrd


    A half a year ago, bartsimpson posted a thread warning PartedMagic in Ultimate Boot CD (UBCD) was tampered. linuxforums moved the thread to coffee-lounge without giving a reason. Title of thread is 'Linux malware warning ubcd public service anouncement'.

    Last week, I commented. My comment was deleted. I resubmitted my comment. My comment included my testimony that my computers were infected from a tampered PartedMagic. I copied and pasted xii's comment on his computers being infected from tampered PartedMagic and Deft. Bartsimpson and Xii, thank you for sharing your findings.

    My computers were already infected with BadBios before they became reinfected by my downloading, burning and booting to a live tampered PartedMagic CD and live UBCD CD in 2013. I discarded my tampered PartedMagic CD and UBCD CD. Thus, I cannot confirm bartsimpson's and xii's findings for those two distros.

    My computers became infected with BadBIOS in November 2011. In November 2011, I downloaded, burned and booted to Privatix 11.04.11, a German Debian remix Tor distro.

    Yesterday and today, I conducted forensics on Privatix to ascertain whether the tampering of Privatix used the same methods that bartsimpson described of PartedMagic and xii described of PartedMagic and DEFT. Privatix does. Even more so. Privatix has multiple squashfs, busyboxes and initrds.

    This method of tampering of linux distros started at least as far back as November 2011 when I downloaded Privatix.

    Possibly starting 2010 as my PCLinuxOS GNOME 2010.12 distro has fake audio and video plugins. Several days ago, I posted in the Security section a thread titled 'Fake browser plugins in live linux DVDs'. Privatix 11.04.11, PCLinuxOS FullMonty 2013.04 and PCLinuxOS GNOME 2010.12 have fake browser plugins. Almost all the fake plugins are audio and video plugins. I do not have the time to conduct forensics on the two PCLinuxOS distros. I am asking for volunteers.

    Privatix > Places > computer > has two filesystems:

    (1) 863 MB File: 863 MB Filesystem and
    (2) File System

    863 MB File: 863 MB Filesystem > right click to select properties:

    Type: unknown
    size: unknown
    location: computer:/
    Accessed: unknown
    modified: unknown
    Permissions: "The permissions of "863 MB File: 863 MB Filesystem" could not be determined."

    I attempted to open the 863 MB file. Error message: "Unable to mount location. Internal error: No mount object for mounted volume."

    File System > right click to select properties:

    Type: folder (inode/directory)
    Contents: 185,491 items totaling 13.7 GB (some contents unreadable)
    location: computer:/
    volume: unknown
    Free space: 663.2 MB
    Permissions: The permissions of "/" could not be determined.

    13.7 GB size of file system is huge! I removed the internal hard drive, wifi card and speakers from my HP Compaq Presario V2000. My computer is offline. Obviously, my computer is connecting offline to a remote server. The server is not mine. I neither have a server nor RAID.

    Each filesystem has its own var logs. The 863 MB file filesystem has its /var.log at /live/cow/var/log/live.log. The second File System has var logs at /var/log.

    xii wrote: "Most of the detection methods for virtualization of this variety are timing related. This was visible to me in Windows by observing event logs like the following: 'Event ID: 1 The system time has changed to <date:time> from <date:time>'

    After booting to Privatix live CD, the system time is always an hour behind.

    xii wrote: "When booting from a liveCD, you can easily spot tainted files by looking at date modified timestamps. I don't understand why/how malicious code that is able to communicate to airgapped computers didn't even try to cover its tracks by forging timestamps, but in my case I can plainly see altered files by looking at any files that have a timestamp associated with a date after I burned the CD/DVD."

    No files have their modified date as the date I burned the ISO in November 2011. Many files have a modified date of 2010. 2010 is both prior to the burning and prior to the release date of the distro which was April 11, 2011.

    Numerous files have a modified date of the date I booted to the live DVD.

    xii wrote: "The files that I found to be altered / poisoned after booting to either Parted Magic or Deft include:

    A. filesystem.squashfs. . . B. initrd.img . . .there are timestamps on many files in the mounted locations as well as the squashfs file itself that indicate they were either modified at a date prior to burning (not the current date either), or at a date that occurred prior to the release date of the running distribution (impossible)."

    Privatix has two squashfs and one filesystem.squashfs. The squashfs, located at /sys/module, has modified date of the day I boot live Privatix DVD.

    While in the computer directory, I searched for 'squashfs':

    Three squashfs files, One filesystem.squashfs size 823.1 MB, One squashfs_inode_cache, Two lenny_chroot_squash and two squashfs.ko

    The three squashfs files
    Type: folder
    Contents: 1 item, with size 27.8 KB
    Location: /lib/modules/2.6.32-5-686/, /media/disk/lib/modules/2 and /sys/module
    volume: unknown
    Permissions: same as above

    Name: filesystem.squashfs
    Type: unknown
    Size: 823.1 MB
    Location: /live/image/live
    Volume: unknown
    Accessed: Mon 11 April 2011 10:57:13 PM UTC
    Modified: Mon 11 April 2011 10:53:09 PM UTC
    Permissions same except not executable
    Last changed: Mon 11 April 2011 10:56:18 PM UTC

    squashfs_inode_cache
    Type: folder
    Contents: 27 items, totaling 108.0 KB
    Location: /sys/kernel/slab
    volume: unknown
    free space: unknown
    Permissions: same as above

    The two squashfs.ko are type: object code type files. size 27.8 kb.
    location: /lib/modules/2.6.32-5-683/kernel/
    volume: unknown
    permissions same as above except not executable

    The second squashfs.ko location: /media/disk/lib/modules/2.6.32-5
    volume: unknown
    permissions: same as first squashfs.ko.

    lenny_chroot_squashfs-modules.sh
    Type: shell script
    Size 652 bytes
    location: /media/disk/usr/share/live/build/example/, /usr/share/live/build/examples/hooks
    volume: unknown
    Accessed: Wed 02 Feb 2011 11:39:10 AM UTC
    Modified: Wed 02 Feb 2011 11:39:10 AM UTC
    Permissions: same as above but executable

    Xii wrote: "Both of these distributions (PartedMagic and Deft) utilize Busybox, which redirects various commands to compressed / optimized ELF binaries, making it highly difficult to understand exactly what kind of tampering has been done without a working knowledge of low level reverse engineering (that I do not possess)."

    Privatix uses Busybox. Places > Computer > search for 'busybox' results:

    busybox folder, modified date 11 April 2011, location at /usr/share/doc, contains a changelog.Debian.gz file,
    modified date 15 Nov 2010 and a copyright file.

    busybox executable, modified date 15 Nov 2010 location at /bin
    busybox shell script, modified date 25 Aug 2010, location at usr/share/initramfs-tools/hooks
    busybox.1.gz located at /usr/share/man/man1
    busybox.list located at /var/lib/dpkg/info
    busybox.md5sums, modified date 15 Nov 2010, located at /var/lib/dpkg/info

    Most linux distros do not use busybox.

    xii wrote: "B. initrd.img In deft this file is named "initrd.img-3.5.0-30-generic" with a file size of approximately 22.2 MB. The system indicates this file is gzip compressed but trying to extract with Archive Manager fails generically."

    I searched for 'initrd'. Privatix > Places > Computer > search 'initrd' results:

    initrd.4.gz, link to initrd.img, initrd.img and initrd.img-2.6.32-5-686. Privatix has two imgs. Linux distros are supposed to have just one img.

    I right clicked on link to initrd.img and selected properties:
    link target: boot/initrd.img-2.6.32-5-686
    location: /, volume: unknown, permissions: same as initrd.4.gz

    I right clicked on initrd.img and selected properties:
    size: 10.1 MB, location: /live/image/live, volume: unknown
    Accessed and Modified: Mon 11 April 2011
    Permissions: same as initrd.4.gz except for last changed: Mon 11 April 2011.

    Archive manager displayed contents of initrd.img grayed out:
    filesystem.packages, filesystem.squashfs, initrd.img, memtest and vmlinuz.

    I right clicked on initrd.img-2.6.32-5-686 and selected properties:
    Size: 10.1 MB, location: /boot, volume: unknown
    Accessed and Modified: Mon 11 April 2011 10:35:29 PM UTC
    Permissions same as initrd.4.gz.

    Archive manager displayed grayed out files as I didn't have permission to extract initrd.img-2.6.32-5-686:
    grub folder, config.2.6.32.5-686, initrd.img-2.6.32-5-686, system.map-2.6.32.5-686 and vmlinuz-2.6.32-5-686

    I do not have the file permissions to extract the ////initrd.img. I do not have the file permissions to extract any of the gz files or to read most of the /var/logs.

    I right clicked on initrd.4.gz and selected properties:

    Size: 4.6 KB, Location: /usr/share/man/man4, volume: unknown
    Accessed and modified: Tue 16 Nov 2010 08:50:0 PM UTC
    Permissions:
    Owner root: read and write
    Group root: read-only
    Others: read-only
    SELinux context: unknown
    Last changed: unknown

    I attempted to extract initrd.4.gz. Error message: "You don't have the right permissions to extract archives in the folder at/usr/share/man/man4."

    Archive manager brought up the files in initrd.gz but they are grayed out so would not be legible in a screenshot. The files are all compressed files:

    apm.4.gz, ati.4.gz, chips.4.gz, cirrus.4.gz, console_codes.4.gz, console_ioctl.4.gz, cpuid.4.gz, dsp56k.4.gz, epoll.4.gz, evdev.4.gz, exa.4.gz, fbdev.4.gz, fbdevhw.4.gz, fifo.4.gz, full.4.gz, futex.4.gz, hd.4.gz, il28.4.gz, i740.4.gz, initrd.4.gz, intro.4.gz, kmem.4.gz, lp.4.gz, mem4.gz, mga.4.gz, mouse.4.gz, msr.4.gz, neomagic.4.gz, nouveau.4.gz, null.4.gz, nv.4.gz, openchrome.4.gz, port.4.gz, ptmx.4.gz, pts.4.gz, 4128.4.gz, radeon.4.gz, ram.4.gz, random.4.gz, rendition.4.gz, rtc.4.gz, s3.4.gz, s3virge.4.gz, savage.4.gz, sd.4.gz, siliconmotion.4.gz, sis.4.gz, sisusb.4.gz, sk98lin.4.gz, st.4.gz, synaptics.4.gz, tdfx.4.gz, tseng.4.gz, tty.4.gz, tty_ioctl.4.gz, ttys.4.gz, ttyS.4.gz, urandom.4.gz, vcs.4.gz, vcsa.4.gz, vesa.4.gz, vmware.4.gz, voodoo.4.gz, wacom.4.gz, wavelan.4.gz and zero.4.gz.

    Xii wrote: "I am very interested in hearing any explanation as to why encrypted PXE firmware is sitting inside of the initrd file on a LiveCD.

    Archive manager could not extract the multiple initrd. I searched for PXE. Places > Computer > search 'PXE' results:

    debian-live-pxe-server shell script location: /usr/share/live/build/hooks
    debian-live-pxe-server plain text document location: /usr/share/live/build/lists
    pxeboot.img location /usr/lib/grub/i386-pc
    pxe.mod Amiga Soundtracker audio location: /usr/lib/grub/i386-pc

    PXE server files should not be in a live Tor distro. Nor should pxe audio files. pxe.mod Amiga Soundtracker audio may be one method BadBIOS is streaming audio and data via PXE.

    The /lib/modules/2.6.32-5-686/kernel/sound directory is extremely large. Contains sophisticated audio files, both German and Chinese. Research needs to be performed on the kernel sound directory and the fake audio browser plugins.

    To discover if there were other img files besides pxe.img and several initrd.img files, I searched for 'img'.

    Privatix > Places > computer > search for .img results:

    boot.img unknown file type
    cdboot.img unknown file type
    diskboot.img
    grldr.img
    initrd.img link
    initrd.img location: /live/image/live
    initrd.img- 2.6.32-5.686
    kernel.img location: /usr/lib/grub/i386-pc
    inxboot.img location: /usr/lib/grub/i386-pc
    pxeboot.img location /usr/lib/grub/i386-pc

    Untampered linux distros do not have all of these img files.

    Screenshots are at 'German Tor CD has PXE server streaming Amiga' in /r/onions subreddit of reddit.

    I will ship my tampered Privatix 11.04.11 CD, PCLinuxOS FullMonty 2013.04 DVD purchased from OSDisc.com, PCLinuxOS GNOME 2010.12 CD, BadBIOS infected music DVDs and my BadBIOS infected HP Compaq Presario V2000 to anyone agreeing to conduct forensics and post their findings.
    Last edited by BadBIOSVictim; 05-18-2014 at 09:07 PM.
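    The post above could not get Archive Manager to open initrd.img. As an added example (my own code, not anything posted by BadBIOSVictim, xii or bartsimpson, and not Privatix's or Debian Live's own tooling): a Debian initrd.img is a gzip-compressed cpio archive in the "newc" format, so it can be listed from an unprivileged account with a short parser. The same pass applies the timestamp check xii describes, with one caveat a practitioner would want: entries with mtimes older than the distro's release date are normal, because packaged files keep their build-time mtimes (the 2010 dates on the busybox files above are consistent with that); an mtime later than the date the read-only media was burned is the case that cannot happen legitimately and is worth chasing. The archive, the file names and the release and burn dates below are all constructed for the example.

```python
"""List a gzip-compressed newc cpio initrd and flag entries whose mtime
postdates the burn date of read-only media. Example code, not from the
thread; the sample image, names and dates are constructed."""
import gzip
from datetime import datetime, timezone

MAGIC = b"070701"      # newc ("SVR4 without CRC") magic used by Linux initrds
HEADER_LEN = 110       # 6-byte magic + 13 eight-character hex fields


def _pad4(n):
    """Bytes needed to round n up to a 4-byte boundary (newc alignment rule)."""
    return (4 - n % 4) % 4


def build_cpio(entries):
    """Build a newc cpio archive from (name, data, mtime) tuples.
    Only used here to construct the sample; real initrds come from boot media."""
    out = bytearray()
    for name, data, mtime in entries + [("TRAILER!!!", b"", 0)]:
        namez = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, filesize, devmaj, devmin,
        # rdevmaj, rdevmin, namesize, check
        fields = [1, 0o100644, 0, 0, 1, mtime, len(data), 0, 0, 0, 0, len(namez), 0]
        out += MAGIC + b"".join(b"%08x" % f for f in fields)
        out += namez + b"\0" * _pad4(HEADER_LEN + len(namez))
        out += data + b"\0" * _pad4(len(data))
    return bytes(out)


def parse_cpio(blob):
    """Return one dict (name, size, mtime, mode) per entry, stopping at the trailer."""
    entries = []
    pos = 0
    while pos + HEADER_LEN <= len(blob):
        hdr = blob[pos:pos + HEADER_LEN]
        if hdr[:6] != MAGIC:
            raise ValueError("not a newc cpio header at offset %d" % pos)
        f = [int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in range(13)]
        mode, mtime, size, namesize = f[1], f[5], f[6], f[11]
        name_start = pos + HEADER_LEN
        name = blob[name_start:name_start + namesize - 1].decode()  # drop NUL
        if name == "TRAILER!!!":
            break
        entries.append({"name": name, "size": size, "mtime": mtime, "mode": mode})
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        pos = data_start + size + _pad4(size)
    return entries


def list_initrd(image_bytes):
    """Decompress a gzip'd initrd image and list its cpio entries."""
    return parse_cpio(gzip.decompress(image_bytes))


def find_timestamp_anomalies(entries, burn_ts):
    """Names of entries modified after the media was burned: impossible on
    untouched read-only media, so each one deserves a closer look."""
    return [e["name"] for e in entries if e["mtime"] > burn_ts]


def ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


# Constructed sample: release and burn dates and a three-entry initrd.
RELEASE = ts(2011, 4, 11)
BURN = ts(2011, 11, 1)
SAMPLE_INITRD = gzip.compress(build_cpio([
    ("init", b"#!/bin/sh\nexec /sbin/init\n", ts(2011, 4, 11)),
    ("bin/busybox", b"\x7fELF...", ts(2010, 11, 15)),       # predates release: normal
    ("etc/fstab", b"proc /proc proc defaults\n", ts(2012, 1, 5)),  # after burn: suspicious
]))

if __name__ == "__main__":
    found = list_initrd(SAMPLE_INITRD)
    for e in found:
        when = datetime.fromtimestamp(e["mtime"], timezone.utc).strftime("%Y-%m-%d")
        print("%-14s %7d bytes  mtime %s" % (e["name"], e["size"], when))
    print("entries modified after burn date:", find_timestamp_anomalies(found, BURN))
```

    To use it on real media, read the image with open('/live/image/live/initrd.img', 'rb').read() in place of SAMPLE_INITRD; if gzip.decompress rejects the file, the image may be LZMA/xz-compressed or prefixed with an uncompressed microcode cpio, and the first bytes of the file tell you which.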

  2. #2
    Super Moderator Roxoff's Avatar
    Join Date
    Aug 2005
    Location
    Nottingham, England
    Posts
    3,934
    Quote Originally Posted by BadBIOSVictim View Post
    A half a year ago, bartsimpson posted a thread warning PartedMagic in Ultimate Boot CD (UBCD) was tampered. linuxforums moved the thread to coffee-lounge without giving a reason. Title of thread is 'Linux malware warning ubcd public service anouncement'.
    Quite frankly I resent your insinuation that in some way we have attempted to sweep this matter under the carpet. LinuxForums reserves the right to move -any- post for -any- reason on their own servers. Generally speaking we don't just move stuff around willy nilly, we actually want people to be able to find what they are looking for.

    If you had not noticed, ALL announcements are moved to the Coffee Lounge. And for a damn good reason - because that is the place where they'll receive the most eyes. It's a logical step to us, but don't let our attempt to help publicise this issue stop you thinking there is some huge conspiracy at work here.

    Quote Originally Posted by BadBIOSVictim View Post
    Last week, I commented. My comment was deleted. I resubmitted my comment. My comment included my testimony that my computers were infected from a tampered PartedMagic. I copied and pasted xii's comment on his computers being infected from tampered PartedMagic and Deft. Bartsimpson and Xii, thank you for sharing your findings.
    Despite your claim, I looked at the thread you say your post was deleted from (it's here: http://www.linuxforums.org/forum/cof...ouncement.html) and there is a deletion from that thread - bartsimpson originally hit a bug we suffered from occasionally and his post was inserted twice - one of those was removed. But there are no other deletions from that thread.

    Despite your repeated posts on this subject, the BIOS compromise has been largely discredited by security specialists. The BIOS chip would have to be huge to contain all the binary information you're suggesting it's shipping. And I'm pretty sure I've booted from some of the things you claim are infected, and my TV set (which should, by now, have been compromised by sound-wave based attack) is still working fine.

    Take a look at the comment by Steven_G on that thread for a level-headed analysis of this issue.

    If you have real, hard evidence that an exploit has made it into the wild, then this really is not the place to be highlighting it. There -are- better places to report this stuff, but they're going to want you to prove what you've found. I hope you're ready for that.
    Linux user #126863 - see http://linuxcounter.net/

  3. #3
    Just Joined!
    Join Date
    May 2014
    Posts
    57
    Roxoff, thank you for explaining why Bartsimpson's thread was moved.

    NSA created GENIE. GENIE is BadBIOS. 'Evidence of BadBIOS ultrasonic hacking' is in r/badBIOS subreddit of reddit.

    I posted this thread for feedback on multiple squashfs, busybox, initrd and preseed. Hopefully, members will comment on these.
    Last edited by BadBIOSVictim; 05-19-2014 at 10:42 PM.

  4. #4
    Just Joined!
    Join Date
    May 2014
    Posts
    57
    Yesterday, I booted to a live Fedora 20 CD which I purchased on Ebay.com.

    Fedora 20 has squashfs and busybox:

    05busybox folder located: /usr/lib/Dracut/modules.d
    Inside the folder was module-setup.sh type: program
