[HN Gopher] Nazar: Analyzing malware that was uncovered in leake...
       ___________________________________________________________________
        
       Nazar: Analyzing malware that was uncovered in leaked NSA files
        
       Author : Megabeets
       Score  : 72 points
       Date   : 2020-05-05 20:08 UTC (2 hours ago)
        
 (HTM) web link (research.checkpoint.com)
 (TXT) w3m dump (research.checkpoint.com)
        
       | hyperman1 wrote:
       | So if I want the USA out of my system, all I have to do is create
       | some dummy exes, dlls and regkeys on my system?
        
         | Zenst wrote:
         | I wonder what kind of system you can create without having any
         | specific country dependency at all.
         | 
         | Certainly the breakdown in influence for say your standard PC
         | will be hard to avoid any USA input, no matter the OS due to
         | code submissions/contributions and then that's presuming honest
         | location actors. Let alone binary blobs for drivers.
         | 
         | So hardware and OS, you will be pushed to avoid any USA
         | influence.
         | 
         | After all USB, Intel did that, clearly USA influence, as are
         | many standards, so I dare say that unless you build your own
         | CPU and everything, you will be having some USA influence upon
         | your system, one way or another. Let alone many other
         | countries.
         | 
         | Heck even all those 6502/Z80 systems - USA companies invented
         | those, so not even the humble Sinclair ZX81 would still have
         | USA in there.
         | 
         | Though I'm sure that Russia and China do have computers without
         | any USA in them. But then, you start to see how that works.
         | 
         | Gets down to trust, which for some can be a choice of
         | sandwiches they don't like but they need to eat. Most like the
         | sandwiches, some like all three flavours and some make their
         | own flavours, but using ingredients from all three. Some will
         | bake their own bread and use the standard ingredients. Very few
| will make their own flour, bread, ingredients all by themselves.
| Coz they still use an oven and knife made by somebody else.
| See, the efforts to exclude any potential influence are so deep
| that to completely remove them all is beyond the scope of many.
         | So gets down to a balance, a trade off of trust.
        
         | yellow_lead wrote:
         | Seems like it. In other viruses (and I'm sure the NSA does this
         | too), your system might actually be scanned for other known
         | viruses and removed. In the NSA's case, these could be enemy
         | threat actors.
        
           | freedomben wrote:
           | It used to be standard operating practice as an attacker to
           | close the holes through which you yourself gained access to
           | prevent others from taking your prize.
           | 
           | Ironically the most secure and cheapest thing a company could
           | do was get compromised by a competent attacker who only
           | wanted to launder small amounts of data or CPU cycles through
           | your network, and in exchange keeps your servers all patched
           | and up to date for you to keep out other attackers.
        
         | [deleted]
        
         | ecmascript wrote:
         | Kinda hard to get them out of your system if you run Windows
         | which is made by a company located in the USA and that sends
         | data constantly to their servers, some of which are based in
         | the states.
        
         | shrimp_emoji wrote:
         | W-what if you use Linux? :B
        
           | [deleted]
        
         | dsl wrote:
         | No. Depending on the signature you trigger one of two things
         | will likely happen:
         | 
| If it is an allied partner's tool, they will reach out to the
         | other intelligence agency and deconflict. The other agency will
         | confirm access and share with the US.
         | 
         | If it is a foreign toolkit (Iranian in this example), they have
         | likely reverse engineered the tools and will piggy-back on them
         | to access your system. Another option is 4th party collection
         | where they use access to Iranian networks to siphon off the
         | data the Iranians have collected on you.
         | 
| If either of these turns out to be bogus, it will be treated as
         | a false positive and they will reinfect your machine ignoring
         | the warning.
        
       | itin wrote:
       | The cultural significance of the name is pretty ironic:
       | https://en.wikipedia.org/wiki/Nazar_(amulet)
        
         | dsl wrote:
         | Researchers usually pick a name when they have started looking
         | at a collection of samples, and don't really have knowledge of
         | what is going on or who the threat actor is yet.
         | 
         | The authors call it khDr, a guardian angel type from the Quran
         | that shares secret knowledge.
        
       ___________________________________________________________________
       (page generated 2020-05-05 23:00 UTC)