Worst Case Scenario - Hardware trashing malware

  • 04-02-2005 11:40pm
    #1
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭


    Been thinking about risk analysis, like should we plan for an asteroid collision on the basis that the probability is zero but the consequences are extinction.

    Anyway - I know someone who was convinced that a virus came from a printer and the problem did not go away until the printer firmware chip was changed (coincidence ?) and have heard stories like that from the first Iraq-US war where they signaled peripherals to release viruses (via signals on the electricity supply if you believe the most paranoid)


    Nowadays many devices have flashable firmware and ethernet interfaces. If a virus or trojan got loaded it could put a PC's NIC into promiscuous mode and sniff out MACs and work out the brand of device. Then using default passwords or sniffing out SNMP packets to the device or whatever it could probably connect and then SFTP a generic image across or telnet in to change the password and IP address. It sounds a little far fetched but convergence means that interfaces are becoming fewer; also on the PCs themselves there aren't that many types of Flash BIOS chips and telling the motherboard to flash a 5V chip at 12V is kinda fatal. If the trojan was a little larger it could also overwrite the start of the local HDD and set up a little PXE server which could send out wake up packets or just flood junk to random ports (to get windows machines to reboot) and guess what... Hard drives, WiFi cards, video cards, backup devices can all be made inoperable by a bit of random flashing, not to mention changing the MAC on NICs

    All in all it is not practical or easy to trash a network, but it could be done because almost all devices can be deprogrammed by software. At its worst you would be in a position "yes we have backups, but nothing to restore to" - it would be nasty to happen over a holiday

    The question is how would this be prevented or mitigated ?

    Could sending a spike down the mains reset devices - as a nasty way of resetting passwords. To receive data across the mains all you need is a link (resistor and zener ?) from before the smoothing capacitors to a pin on a chip - only a voltage spike will get through the zener and the chip can figure out the rest. (ok it wouldn't be that easy but it can be done and the component cost is nearly zero) - If the military have had backdoors put in software and hardware then there is the possibility of someone else abusing it.

    Can you imagine the chaos that could be caused by, for example, a hypothetical "cisco worm" which infected routers themselves. Or if PC based, once it passed through a router it telnetted back into it to close off routes from where it came, stopping management and data from upstream, gradually cutting the internet into little cul-de-sacs with no email or websites where the isolated admins could get info on what was happening.

    Just wondering if anyone has any thoughts on this highly improbable doomsday scenario.


Comments

  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    Anyway - I know someone who was convinced that a virus came from a printer and the problem did not go away until the printer firmware chip was changed (coincidence ?) and have heard stories like that from the first Iraq-US war where they signaled peripherals to release viruses (via signals on the electricity supply if you believe the most paranoid)

    There is a story in one of those Comp Sec books (I can dig it out if needs be) about a hacker who used to store all his/her tools on printers in networks, connect to the printer, then download her tools once inside.

    Most modern day printers have a minimum 32 MB while big net printers can obviously have a lot more; that is a lot of untapped space. Also, how many admins check the printer's memory?

    Also on your highly improbable doomsday scenario, I think that's just what it would be: if it got inside your network, your net would be screwed.

    Once it was released on the internet, if I was lucky enough to hear about it before it got in, I would pull the company internet cable and search for a solution using a stand alone. I think it should be treated as any other new worm, virus, whatever released on the internet: analyse your exposure factor and develop a solution. In this hypothetical situation, if you couldn't get a signature for your IDS or block this on your firewall, pulling the plug on the net would be the best solution, depending on your company of course. A lot of the time, the financial cost of rebuilding your entire network would FAR outweigh the cost of losing email and browsing for a couple of hours, or days even, with this worm. But then again if you are a company that relies entirely on the internet to make your money, think of it this way: if everyone else's network is down, they aren't going to be shopping.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,563 Mod ✭✭✭✭Capt'n Midnight


    Yeah a LOT of devices have TFTP servers and can load/store files: printers, routers, etc. The doomsday scenario is that the nasty would travel faster than the news, so it would not be a case of blocking it when you hear about it. As I keep pointing out, Slammer took between 10 and 15 minutes to infect 90% of vulnerable servers worldwide! All I'm doing is extrapolating from what has happened. A long time ago there were Bulgarian viruses that overdrove monitors and tried to destroy hard drives by seeking over the edge etc., so it's not as if a hardware killing virus is a new concept. Viruses that close the door after they climb in to a system are not new either; it's common practice for zombies.

    The four key ingredients of a meltdown exist: viruses that can propagate web wide before any human has recognised them, viruses that hide/lock themselves away to prevent some remote management intervention, viruses that cause physical damage, and a high degree of monoculture, e.g. windows / cisco / web management / TFTP / Flash routines.
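
    The "travels faster than the news" argument above can be put in numbers with the standard logistic (random-constant-spread) model of a uniformly random-scanning worm. This is an added illustration, not code from the thread; the host count, per-host scan rate and response delay used are constructed assumptions, not Slammer measurements.

```python
"""
Logistic model of a random-scanning worm: da/dt = K * a * (1 - a), where a is
the infected fraction of vulnerable hosts and K = scans_per_sec * vulnerable
/ address_space. Lets a defender compare the spread curve against the time
a human-driven response (signature, firewall rule, pulled cable) would take.
All parameter values in this file are constructed assumptions.
"""
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a uniform random scanner can choose from


def spread_rate(vulnerable: int, scans_per_sec: float,
                address_space: int = ADDRESS_SPACE) -> float:
    """Growth constant K per second: each infected host probes scans_per_sec
    random addresses, of which a fraction vulnerable/address_space are targets."""
    return scans_per_sec * vulnerable / address_space


def infected_fraction(t: float, k: float, initial_fraction: float) -> float:
    """Closed-form solution of the logistic equation with a(0) = initial_fraction."""
    e = math.exp(k * t)
    return initial_fraction * e / (1 - initial_fraction + initial_fraction * e)


def time_to_fraction(target: float, k: float, initial_fraction: float) -> float:
    """Seconds until the infected fraction reaches `target` (inverse of the logistic)."""
    odds_now = initial_fraction / (1 - initial_fraction)
    odds_target = target / (1 - target)
    return math.log(odds_target / odds_now) / k


def simulate(vulnerable: int, scans_per_sec: float, seconds: float, dt: float = 1.0):
    """Discrete-step version of the same model, starting from one infected host.
    Returns a list of (t, infected_hosts) that can be checked against the closed form."""
    infected, t, timeline = 1.0, 0.0, []
    while t <= seconds:
        timeline.append((t, infected))
        new = infected * scans_per_sec * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new * dt)
        t += dt
    return timeline


def fraction_at_response(vulnerable: int, scans_per_sec: float,
                         response_delay_sec: float) -> float:
    """Share of vulnerable hosts already infected when a response lands after
    response_delay_sec; if this is near 1.0, blocking on the news is too late."""
    k = spread_rate(vulnerable, scans_per_sec)
    return infected_fraction(response_delay_sec, k, 1.0 / vulnerable)
```

    With 75,000 vulnerable hosts and 4,000 scans per second per host (assumed values), the model reaches 90% in a little over three minutes, so a 15-minute human response arrives after saturation.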


  • Registered Users, Registered Users 2 Posts: 3,093 ✭✭✭Static M.e.


    As I keep pointing out Slammer took between 10 and 15 minutes to infect 90% of vulnerable servers worldwide !
    :eek: didn't know this ! ....guess that is kinda fast ! ;)

    You are right of course in that the four key ingredients of a melt down exist.

    But to your original question.
    The question is how would this be prevented or mitigated ?

    In your doomsday virus example (the theory), I don't think it can be prevented first of all. Even if you have decent security and even full time security personnel, you are always on the reactive: patching after vulnerabilities have been released, looking through the logs after someone has attacked you, and maybe, if you are lucky and have someone watching an IDS, you are filtering after the event. Always reactive, and the majority of businesses in Ireland wouldn't even have a dedicated security admin; from what I have seen it is all outsourced to Sec companies and consultants, who harden the servers at set up and then leave more or less.

    But I'm digressing. How could you even mitigate the damage? Again, if this worm was released it would be the equivalent of a 0day exploit worm, where even the Anti virus, Microsofts and Cisco's of the world had no prior knowledge and certainly no patch for; then again networks would be in trouble.
    I don't think you can mitigate against this either. All you can really do is make sure you have all the basics in place, keep everything up to date and hold on :) maybe BIOS passwords will save us

    I think the question should really be what ramifications do you see if someone were to release a worm like this ?

    A favourite quote of mine
    "If you spend more on coffee than on IT security, then you will be hacked," Clarke said during his keynote address. "What's more, you deserve to be hacked."
    --Richard Clarke, The United States' top adviser on cybersecurity, after he had cited statistics that indicate that less than 0.0025 percent of corporate revenue on average is spent on information-technology security


  • Closed Accounts Posts: 345 ✭✭tck


    As I keep pointing out Slammer took between 10 and 15 minutes to infect 90% of vulnerable servers worldwide !

    not that high (the 90% of vulnerable servers), but it was a hell of a lot of machines, even ATM networks got hit (that was interesting to find out)

    And it would have been more if not for a little bug in the code: when generating new random IP networks in which to scan it just shuffled the bits of the IP address already in memory to create a new one. So two octets were always the same before sending out the packets.

    This person knew the net very well (UDP travels so much quicker than TCP), and at 376 bytes small, it was lethal.

