> If I think a computer has been infected, is there anything else I should
> wipe/re-install other than
>
> 1. Hard Drive / Operating System
>
> 2. BIOS
>
> Is there anything else that a hacker could possibly infect that needs to
> be wiped/re-installed?

Lol, don't get me started...

- Any PCI card (esp Network/Video/Sound) that has any kind of flashable
firmware

- Similarly, probably any PCMCIA cards

- Any USB peripheral, especially flash drives; sadly, I don't think
there's any way to verify your HD firmware hasn't been tampered with
(write only, typically), and flash drives vary so much, it's not
particularly practical to check/clean them.  Some flash drive vendors have
repair tools that can redo the BIOS (handy when the drive appears to get
pooched), but it's fairly rare to find, I think.

- SMB/DMI Bios Tables (as shown by dmidecode) - Related to the BIOS, and I
think cleansed when you reflash your BIOS.  Even so, it's good to maybe
pop your motherboard battery or short out any BIOS-reset jumper to make
sure you're starting with clean settings.

- Basically, anything that can carry state needs to be looked at (although
your RTC probably doesn't have an attack vector :) )

- I've heard that rogue printers can even keep copies of what you print. 
I'm not sure if this can happen from an infection, or if it needs to be a
factory/interdiction implant.  Doubtful if such a thing could be cleansed.

I feel like I'm missing something else, but I might be thinking of more
hardware-based attacks (fake chokes on video cables that broadcast, etc.).

On-board peripherals (sound, network, video) typically have their firmware
as chunks in the main motherboard BIOS, I believe, so re-flashing a fresh
BIOS takes care of those.

A major oddity and frustration is that so many motherboard manufacturers
only provide their BIOSes via FTP/HTTP (and don't provide hashes!), just
begging to be MITM'd with dodgy firmware during download.  So be careful
with any downloads.

It's a good idea to run the BIOS (and any firmware you download) through
virustotal.com, which supposedly supports BIOSes now.  You will typically
see that it's already been checked in the past by someone else, and is
clean.

Similarly, if you have to boot DOS to run a firmware flash utility, be
careful.  I've used FreeDOS successfully in the past, but the motherboards
I use thankfully support the Linux utility "flashrom" which seems to be
able to successfully burn (and read) the BIOS on a lot of motherboards and
other devices.

(Of course, you always run the risk of bricking your system, but I think
it's generally pretty safe, and won't go ahead if it isn't capable on your
system.)

I occasionally use FlashROM (installable with apt under Tails, and I use
it while offline) to read and compare my BIOS against the original fresh
burn.  (I'll see the DMI tables at the beginning change as I make any BIOS
changes, but so far, no mods to the code.  :) )

I'd like to see FlashROM available in dom0 for the ability to do this
under Tails.  But I guess that would be a super-dangerous utility to have
floating around dom0, so rebooting to Tails now and then to check my BIOS
is an acceptable inconvenience.

Oh, and before you do reflash your BIOS, boot into Tails (or Debian,
Red Hat, whatever), install FlashROM, and do a "flashrom -r" to read the
existing BIOS for posterity.  Run the resulting file through VirusTotal.
It's interesting to compare with another "flashrom -r" after re-flashing
the new BIOS.

It'd be good to catch any corrupt BIOS before you overwrite it, to know if
you've been compromised that way, and to share the particular hack with
the security community.

Related:
http://www.businessinsider.com/nsa-says-foiled-china-cyber-plot-2013-12

(Hey, thanks for looking out for us, NSA!)

Note that any contents of a .ROM file you download to burn won't
necessarily compare exactly to the results of a "flashrom -r".  But if you
"flashrom -r oldbios.rom", burn a fresh BIOS, and do another "flashrom -r
newbios.rom", you should have a good base for comparison.  I do a "hexdump
-C" on each .rom file, and then diff them to see what's different.

If you end up upgrading your ROM in the process, obviously there will be a
number of differences.  The more interesting thing is if VirusTotal shows
anything, or if, down the road, you notice changes in subsequent "flashrom
-r"'s.  If anything other than the SMB/DMI tables at the beginning change,
you need to assume you've been compromised (again).

(flashrom needs a "--programmer internal" option, which I left out for
clarity above.)

Obviously, any hard drive's boot sector should be examined as well.  If
you're worried about compromise, you're going to scrub your disks anyway.

I usually do a regular "dd if=/dev/sda of=latest.img bs=512 count=2048",
and compare against a saved baseline image that I grabbed after a fresh
install.  Any changes to the MBR or Grub stage 2 will be noticed with a
comparison against the original.  Any re-partitioning or reinstallation of
grub will obviously change things.

Booting/installing Tails/Debian/Fedora/Qubes from a verified, read-only
DVD is another good idea.  (It's unfortunate Qubes requires a dual-layer
DVD.)  Apparently many BIOS/firmware viruses will prevent booting from
DVD, to keep themselves in the loop.  So if your DVD booting starts to
fail, it could be a warning sign.

Hopefully others can fill in anything I might have missed.

Cheers

JJ

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/e80dbe6f2ce97efe8bc3e75be08cacf4.webmail%40localhost.
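The baseline-and-compare routine JJ describes (a "flashrom -r" before and after, a "dd" of the first sectors, then a diff) as an added shell helper that is not part of the original message or of the Qubes project. It assumes GNU coreutils (`cmp -l`, `sha256sum`, `dd status=none`) and that flashrom's internal programmer works on the board; the image paths and the end offset of the SMBIOS/DMI region you expect to change are placeholders you supply.

```shell
#!/bin/sh
# Hypothetical helper (not from the original thread). Wraps the flashrom / dd
# baseline steps and compares two dumps byte-for-byte, printing the offset
# ranges that differ so an expected change (the SMBIOS/DMI tables near the
# start of the image) can be told apart from modified firmware code.

# Dump the current BIOS image and record its SHA-256 (needs root).
dump_bios() {
    flashrom --programmer internal -r "$1" && sha256sum "$1" > "$1.sha256"
}

# Dump the MBR plus the following sectors (where GRUB's core image lives).
# $1 is the disk device, $2 the output file.
dump_boot_sectors() {
    dd if="$1" of="$2" bs=512 count=2048 status=none && sha256sum "$2" > "$2.sha256"
}

# Print the 0-based byte ranges where image $1 and image $2 differ, one
# "0xSTART-0xEND" per line. cmp -l emits "offset old new" for each differing
# byte with a 1-based offset; awk collapses consecutive offsets into ranges.
rom_diff_ranges() {
    cmp -l "$1" "$2" 2>/dev/null | awk '
        { off = $1 - 1
          if (NR == 1) { start = off; prev = off; next }
          if (off != prev + 1) { printf "0x%x-0x%x\n", start, prev; start = off }
          prev = off }
        END { if (NR > 0) printf "0x%x-0x%x\n", start, prev }'
}

# Succeed (exit 0) only when both images have the same size and every
# differing byte lies below offset $3 (decimal), i.e. inside the region you
# expect to change. A size mismatch or any difference at or beyond $3 is a
# reason to treat the machine as compromised until it is explained.
only_within() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] || return 1
    cmp -l "$1" "$2" 2>/dev/null |
        awk -v lim="$3" 'BEGIN { bad = 0 } ($1 - 1) >= lim { bad = 1 } END { exit bad }'
}
```

Typical use: `dump_bios oldbios.rom` before flashing, `dump_bios newbios.rom` afterwards, then `rom_diff_ranges oldbios.rom newbios.rom` to see what moved and `only_within oldbios.rom newbios.rom <dmi_end_offset>` as a pass/fail check on later dumps.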