I will ship Toshiba Portege R200 and R205 laptops to anyone volunteering to conduct forensics on identifying and removing an implant. I took photos of two motherboards. How do I identify the PCI implant?
The last three Toshiba laptops I purchased were interdicted to implant a hardware FM radio transceiver/radio beacon and infect them with BadBIOS, thereby precluding me from air-gapping them. I paid a handyman to drill out the screws and washers that the hackers glued.
I suspect BULLDOZER implant based on its description below and the /var/logs which I can email.
"One such implant is BULLDOZER -- a PCI express implant that hangs around on your bus, providing a backdoor to the NSA. Bulldozer talks to the motherboard using a program called IRONCHEF, which allows full monitoring and even control of the target machine. There's even a handy-dandy I2C implant (a rarely used motherboard port) that can chat with the motherboard bios as well, via its own onboard IRONCHEF implementation."
http://www.dailytech.com/Tax+and+Spy+How+the+NSA+Can+Hack+Any+American+Stores+Data+15+Years/article34010.htm
I think the crackers followed instructions at http://resources.infosecinstitute.com/nsa-bios-backdoor-aka-god-mode-malware-part-2-bulldozer/
"partially hidden behind transparent bridge" is in logs of my past four laptops.
DMESG in root terminal on 7/7/2014 using Toshiba Portege R205. Booted to installed PLinuxOS GNOME 2010.12.
pci 0000:00:1e.0: PCI bridge to [bus 02-04] (subtractive decode)
pci 0000:00:1e.0: bridge window [mem 0xcfd00000-0xcfdfffff]
pcibus 0000:05: [bus 05-08] partially hidden behind transparent bridge 0000:02 [bus 02-04]
pci_bus 0000:00: on NUMA node 0
ACPI: PCI Interrupt Routing Table [_SB.PCI0.PRT]
ACPI: PCI Interrupt Routing Table [_SB.PCI0.PCIB.PRT]
ACPI: PCI Interrupt Routing Table [_SB.PCI0.PEX1._PRT]
network outputs are at:
http://www.linuxforums.org/forum/security/202035-air-gapped-computer-proxying.html
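One defensible way to answer "how do I identify an unexpected PCI device" is to capture `lspci -nn` on a known-good machine and diff later captures against it by slot and vendor:device id. The following is an added example, not code from the original post; the baseline lines and the extra device on bus 05 (the bus range the dmesg above reports behind the transparent bridge) are constructed sample data, not real R205 output.

```python
import re
from typing import Dict, List, Tuple

# One `lspci -nn` line looks like (constructed sample):
# 02:00.0 Network controller [0280]: Intel Corporation PRO/Wireless 2200BG [8086:4220] (rev 05)
LSPCI_RE = re.compile(
    r"^(?P<slot>[0-9a-f]{2}:[0-9a-f]{2}\.[0-7])\s+"
    r"(?P<cls>.+?)\s\[(?P<clsid>[0-9a-f]{4})\]:\s+"
    r"(?P<name>.+?)\s\[(?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\]"
)

Inventory = Dict[str, Tuple[str, str, str]]  # slot -> (class id, vendor:device, name)

def parse_lspci(text: str) -> Inventory:
    """Parse `lspci -nn` output into a slot-keyed inventory; unparsable lines are skipped."""
    inv: Inventory = {}
    for line in text.splitlines():
        m = LSPCI_RE.match(line.strip())
        if m:
            inv[m["slot"]] = (m["clsid"], f"{m['vid']}:{m['did']}", m["name"])
    return inv

def diff_inventory(baseline: Inventory, current: Inventory) -> Dict[str, List[str]]:
    """Slots that appeared, disappeared, or changed vendor:device id since the baseline."""
    return {
        "added":   sorted(s for s in current if s not in baseline),
        "removed": sorted(s for s in baseline if s not in current),
        "changed": sorted(s for s in current if s in baseline
                          and current[s][1] != baseline[s][1]),
    }

# Constructed baseline: a known-good capture, not output from the poster's laptops.
BASELINE = """\
00:00.0 Host bridge [0600]: Intel Corporation Mobile 915GM/PM/GMS/910GML Express Processor to DRAM Controller [8086:2590] (rev 03)
00:1e.0 PCI bridge [0604]: Intel Corporation 82801 Mobile PCI Bridge [8086:2448] (rev d3)
02:00.0 Network controller [0280]: Intel Corporation PRO/Wireless 2200BG [8086:4220] (rev 05)
"""

# Constructed "current" capture: the same devices plus one unrecognised device on bus 05,
# with a placeholder vendor:device id (1234:abcd) that belongs to no real hardware.
CURRENT = BASELINE + "05:00.0 Unassigned class [ff00]: Device [1234:abcd]\n"

def find_unexpected_devices(baseline_text: str = BASELINE, current_text: str = CURRENT):
    """Return the diff report; anything under 'added' or 'changed' warrants physical inspection."""
    return diff_inventory(parse_lspci(baseline_text), parse_lspci(current_text))

if __name__ == "__main__":
    for kind, slots in find_unexpected_devices().items():
        print(kind, slots)
```

A slot that is present in `lspci` but absent from the photographed board, or whose vendor:device id is not in the vendor's documentation for that model, is the place to start a physical inspection.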