by AlyssaRowan 4146 days ago
UR = UNITEDRAKE ("Regin", basically?). And that'd probably be rmgree5@nsa.gov: that's the format their addresses are in.

This does seem to be, broadly speaking, NSA's top-dollar brand-new 0-day-laden (at the time) malware, that they use to launch their less shiny stuff, which is more awkward and a massive overfunded modular boondoggle. This does not seem to be as freely shared around with the "Five Eyes".

By the way, there are innocent machines in the US infected with this thing, at this very moment. Anyone care to explain that?

The hard-drive component should be completely detectable, if you don't boot from it, based on the (small, sadly incomplete) fragment of (Cortex-M0?) stuff I've seen. Power-cycle it, send an ATA reset, read the MBR and following sectors. Look out for the NIC "option rom" persistence module, too - you may be well-advised to do it from something really exotic that doesn't run x86, just in case! (Independent hackers are running (µ)Linux on hard disks now, so it's not surprising a huge agency able to spend billions of dollars of tax money funding contractors on tiny pieces of this project got something of a head start!) Not sure of a good way to detect it in software, but it's not perfect, so it probably can be redpilled somehow.

Watch for "CD-ROM"s that unexpectedly have ATIPs, I guess?
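An added example for the "option rom" point in the comment above; it is editor-supplied illustration, not code from any participant in this thread. It walks a dumped expansion-ROM region the way the PCI Firmware Specification lays it out (0x55AA signature, pointer at offset 0x18 to the "PCIR" data structure carrying vendor/device IDs, image length and the last-image flag), verifies the legacy 8-bit checksum, and compares each image's SHA-256 against a baseline of hashes taken from a known-good dump. The vendor/device IDs, payloads and the baseline are constructed fixtures, not values from a real NIC.

```python
import hashlib
import struct
from typing import Dict, List, Set

PCIR_LEN = 0x18  # size of the PCI Data Structure ("PCIR") in the PCI Firmware Spec


def build_rom_image(vendor: int, device: int, last: bool,
                    payload: bytes = b"", code_type: int = 0) -> bytes:
    """Construct a minimal, checksum-valid 512-byte legacy (x86) option ROM image.
    Test fixture for the parser below; not a real NIC ROM."""
    img = bytearray(512)
    img[0:2] = b"\x55\xaa"                         # ROM signature
    img[2] = 1                                      # image size in 512-byte units
    pcir_off = 0x40
    struct.pack_into("<H", img, 0x18, pcir_off)    # pointer to the PCI Data Structure
    pcir = bytearray(PCIR_LEN)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 0x04, vendor, device)
    struct.pack_into("<H", pcir, 0x0A, PCIR_LEN)   # PCIR structure length
    struct.pack_into("<H", pcir, 0x10, 1)          # image length in 512-byte units
    pcir[0x14] = code_type                          # 0 = x86 PC-AT, 3 = EFI
    pcir[0x15] = 0x80 if last else 0x00             # bit 7: last image in the ROM
    img[pcir_off:pcir_off + PCIR_LEN] = pcir
    img[0x60:0x60 + len(payload)] = payload         # stand-in for the init/boot code
    img[511] = (-sum(img[:511])) & 0xFF             # legacy images must sum to 0 mod 256
    return bytes(img)


def parse_option_roms(blob: bytes) -> List[Dict]:
    """Describe each PCI option ROM image found in a dumped expansion-ROM region."""
    images: List[Dict] = []
    offset = 0
    while offset + 0x1A <= len(blob) and blob[offset:offset + 2] == b"\x55\xaa":
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]
        if pcir + PCIR_LEN > len(blob) or blob[pcir:pcir + 4] != b"PCIR":
            break  # no valid PCI Data Structure: stop rather than guess
        vendor, device = struct.unpack_from("<HH", blob, pcir + 0x04)
        size = struct.unpack_from("<H", blob, pcir + 0x10)[0] * 512
        code_type = blob[pcir + 0x14]
        last = bool(blob[pcir + 0x15] & 0x80)
        if size == 0:
            break
        image = blob[offset:offset + size]
        images.append({
            "offset": offset,
            "vendor_id": vendor,
            "device_id": device,
            "code_type": code_type,
            "size": size,
            "checksum_ok": sum(image) % 256 == 0,  # meaningful for legacy x86 images
            "sha256": hashlib.sha256(image).hexdigest(),
        })
        if last:
            break
        offset += size
    return images


def audit_rom_region(blob: bytes, baseline: Set[str]) -> List[Dict]:
    """Flag images whose hash is not in the known-good baseline or whose checksum is wrong."""
    findings = []
    for im in parse_option_roms(blob):
        issues = []
        if im["code_type"] == 0 and not im["checksum_ok"]:
            issues.append("bad checksum")
        if im["sha256"] not in baseline:
            issues.append("not in baseline")
        findings.append({"offset": im["offset"], "vendor_id": im["vendor_id"],
                         "device_id": im["device_id"], "issues": issues})
    return findings


# Constructed fixtures: placeholder vendor/device IDs, not a real device.
CLEAN_ROM = build_rom_image(0x1234, 0x5678, last=True, payload=b"CONSTRUCTED PXE STUB")
BASELINE = {hashlib.sha256(CLEAN_ROM).hexdigest()}   # hashes from a trusted dump

_first = build_rom_image(0x1234, 0x5678, last=False, payload=b"CONSTRUCTED PXE STUB")
_second = bytearray(build_rom_image(0x1234, 0x5678, last=True, payload=b"EXTRA IMAGE"))
_second[0x60] ^= 0xFF   # corrupt one payload byte so the checksum no longer balances
TAMPERED_ROM = _first + bytes(_second)   # two images where the baseline had one

if __name__ == "__main__":
    for label, region in (("clean", CLEAN_ROM), ("tampered", TAMPERED_ROM)):
        for f in audit_rom_region(region, BASELINE):
            print(label, hex(f["offset"]), hex(f["vendor_id"]), hex(f["device_id"]),
                  f["issues"] or "ok")
```

A hash mismatch only tells you the image is not the one you baselined; it is the baseline dump, taken from a machine you have reason to trust, that carries the weight, which is the same caveat the thread raises later about reference hard drives.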


Detecting an infected hard drive in software would be the usual malware arms race: you find some characteristic of it, they improve the firmware.

But if we start to systematically check for it, it should be easy to discover via hardware debugging. Find the JTAG interface on the hard disk controller (or whatever debugging interface the specific processor uses), dump the firmware and compare it to firmware dumps from other hard drives of the same model. I don't see how they could fool that process (given that you have a clean machine to read out the firmware).

Of course to be thorough you would have to check pretty much the firmware of every component of the computer.
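An added example for the "dump the firmware and compare it to firmware dumps from other hard drives of the same model" procedure in the comment above; this is editor-supplied code, not anything posted in the thread. It builds a byte-wise majority consensus across several dumps, reports the byte ranges in which each dump diverges from that consensus, and marks offsets where the vote is too close to call, which is the practical form of the "your reference drives may be compromised too" objection raised in the replies. The dumps are constructed filler with two patched regions, not real firmware.

```python
from collections import Counter
from typing import Dict, List, Sequence, Tuple


def consensus_image(dumps: Sequence[bytes], min_agreement: float = 0.75) -> Tuple[bytes, List[int]]:
    """Majority-vote image across dumps of the same model/revision.
    Offsets where the winning byte has less than `min_agreement` support are
    returned as ambiguous: no dump can be called the reference there."""
    if not dumps or any(len(d) != len(dumps[0]) for d in dumps):
        raise ValueError("need at least one dump, all of the same length")
    n = len(dumps)
    consensus = bytearray(len(dumps[0]))
    ambiguous: List[int] = []
    for i in range(len(consensus)):
        value, votes = Counter(d[i] for d in dumps).most_common(1)[0]
        consensus[i] = value
        if votes / n < min_agreement:
            ambiguous.append(i)
    return bytes(consensus), ambiguous


def diff_ranges(image: bytes, reference: bytes) -> List[Tuple[int, int]]:
    """[start, end) byte ranges where `image` differs from `reference`, adjacent bytes merged."""
    ranges: List[Tuple[int, int]] = []
    start = None
    for i, (a, b) in enumerate(zip(image, reference)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(image)))
    return ranges


def audit_dumps(dumps: Dict[str, bytes], min_agreement: float = 0.75):
    """Per-dump divergence from the consensus, plus the offsets the vote could not settle."""
    consensus, ambiguous = consensus_image(list(dumps.values()), min_agreement)
    return {name: diff_ranges(d, consensus) for name, d in dumps.items()}, ambiguous


def constructed_dump(size: int = 4096) -> bytes:
    # Deterministic filler standing in for a real controller/media firmware dump.
    return bytes((i * 7 + 3) & 0xFF for i in range(size))


# Constructed fixtures: three identical dumps and one with two patched regions.
BASE_DUMP = constructed_dump()
_patched = bytearray(BASE_DUMP)
_patched[0x800:0x820] = b"\xEB\xFE" * 16       # 32-byte patched region (constructed)
_patched[0xF00:0xF04] = b"\xDE\xAD\xBE\xEF"    # 4-byte patched region (constructed)
PATCHED_DUMP = bytes(_patched)

CONSTRUCTED_DUMPS = {
    "drive_A": BASE_DUMP,
    "drive_B": BASE_DUMP,
    "drive_C": BASE_DUMP,
    "drive_D": PATCHED_DUMP,
}

if __name__ == "__main__":
    ranges, ambiguous = audit_dumps(CONSTRUCTED_DUMPS)
    for name, r in ranges.items():
        print(name, ["0x%X-0x%X" % (s, e) for s, e in r] or "matches consensus")
    print("ambiguous offsets:", len(ambiguous))
```

With three clean dumps and one patched one, only drive_D is reported; with two clean and two patched, every patched offset comes back as ambiguous instead, because a 2-to-2 vote cannot say which pair is the original. The dumps must be from the same firmware revision (normally read from the IDENTIFY DEVICE data) or the diff is meaningless.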

> dump the firmware and compare it to firmware dumps from other hard drives of the same model

And then ponder the unstated assumption that said other hard drives may or may not have been exploited already. Dealing with a state level actor is hard, in the "trusting trust" sense.

Well, update your threat model appropriately. What are the realities if they've somehow hit every single hard disk in the US? What is the likelihood this level of subterfuge can be maintained? How many people are involved?

Just because you can imagine it doesn't suddenly make it practical, and it certainly doesn't mean they're going to burn that capability outing some guy's porn habits either.

> What are the realities if they've somehow hit every single hard disk in the US?

Who knows. The problem is you're not so concerned with "every single" hard drive in the US, but you may well be concerned with the other one you wish to use as a benchmark.

When you're dealing with things like hardware being compromised on the way from the plant to the store, or (as mentioned) a burned CD being compromised in the mail, and other things that really only governments can do, it changes the whole nature of the threat model.

You don't have to actively infect every HDD in the US through the front door.

- Target the build machine used by the dev team to make the firmware

- Target the manufacturing plant and alter it before loading

- etc

Next step is hiding malware using silicon backdoors (fake boundary chain), or seeding infected firmware at the source (manufacturer).

> if you don't boot from it

The malware might remain quiescent unless the examination techniques mimic a computer that is booting.

I might prefer to use an analyzer to monitor the disk channel of a machine that is booting and running.

Building an SATA probe/analyzer is within hobbyist knowledge and skill levels now. If you have money you can simply buy it from LeCroy and many others, or rent it by the month/week.

There's a specific reason I said to send an ATA reset first! IRATEMONK (for it is that) isn't that smart. Doesn't need to be.

If you want to test more thoroughly, or actually dump the object for analysis, as wongarsu says below, the JTAG port or the serial port is the way to go. That's how they get it in there.

Usually a booting PC will issue several identify commands and try a SMART health check, and if there is a RAID option ROM then specific series of READ will be issued. If it would really disclose itself with simple RESET, READ interrogation then I must be a better malware author than those players. I don't think I am, and I feel that if it would give itself away without ensuring that the OS is really booting, this is a big flaw. If it were my project, it would be a showstopper. I'm a noob in the sense that I have never considered malware before, so probably the developers (who are smarter than me) thought about it long before I did.

This flaw would also make it much simpler to write a script for MHDD that would reveal the infection on the infected target itself after booting from a floppy.

I think a JTAG probe is not especially useful to analyze a hard disk. The flash on the board is usually only a bootstrap and "physical driver" of sorts. The rest of the firmware is stored on the media - you can see that many disks do not even know what they are if you disconnect the heads and try to identify.

I think JTAG is not commonly in the toolbox of the data recovery guys who dump firmware modules and trade them. DR sometimes involves replacing corrupted firmware that is on the disk, or reprogramming a controller board to match one that's failed. They have bought software and serial port cables, and this seems to handle it for them, so I concluded that there must be a way to dump all of the firmware - on chips and disks - with ATA commands or the serial port, and we know from field-service tools that there is usually a way to update it all with only ATA commands.

>> By the way, there are innocent machines in the US infected with this thing, at this very moment.

Nobody is innocent. The government has enemies both internal and external.