Nazar: Analyzing malware that was uncovered in leaked NSA files
Author : Megabeets
Score  : 72 points
Date   : 2020-05-05 20:08 UTC (2 hours ago)
___________________________________________________________________

| hyperman1 wrote:
| So if I want the USA out of my system, all I have to do is create
| some dummy exes, dlls and regkeys on my system?
|
| Zenst wrote:
| I wonder what kind of system you can create without having any
| specific country dependency at all.
|
| Certainly the breakdown in influence for say your standard PC
| will be hard to avoid any USA input, no matter the OS, due to
| code submissions/contributions, and then that's presuming honest
| location actors. Let alone binary blobs for drivers.
|
| So hardware and OS, you will be pushed to avoid any USA
| influence.
|
| After all, USB, Intel did that, clearly USA influence, as are
| many standards, so I dare say that unless you build your own
| CPU and everything, you will be having some USA influence upon
| your system, one way or another. Let alone many other
| countries.
|
| Heck, even all those 6502/Z80 systems - USA companies invented
| those, so not even the humble Sinclair ZX81 would still have
| USA in there.
|
| Though I'm sure that Russia and China do have computers without
| any USA in them. But then, you start to see how that works.
|
| Gets down to trust, which for some can be a choice of
| sandwiches they don't like but they need to eat. Most like the
| sandwiches, some like all three flavours and some make their
| own flavours, but using ingredients from all three. Some will
| bake their own bread and use the standard ingredients. Very few
| will make their own flour, bread, ingredients all by themselves.
| Coz they still use an oven and knife made by somebody else.
|
| See, the efforts to exclude any potential influence are so deep
| that to completely remove them all is beyond the scope of many.
| So gets down to a balance, a trade-off of trust.
|
| yellow_lead wrote:
| Seems like it. In other viruses (and I'm sure the NSA does this
| too), your system might actually be scanned for other known
| viruses and removed. In the NSA's case, these could be enemy
| threat actors.
|
| freedomben wrote:
| It used to be standard operating practice as an attacker to
| close the holes through which you yourself gained access to
| prevent others from taking your prize.
|
| Ironically, the most secure and cheapest thing a company could
| do was get compromised by a competent attacker who only
| wanted to launder small amounts of data or CPU cycles through
| your network, and in exchange keeps your servers all patched
| and up to date for you to keep out other attackers.
|
| [deleted]
|
| ecmascript wrote:
| Kinda hard to get them out of your system if you run Windows,
| which is made by a company located in the USA and that sends
| data constantly to their servers, some of which are based in
| the states.
|
| shrimp_emoji wrote:
| W-what if you use Linux? :B
|
| [deleted]
|
| dsl wrote:
| No. Depending on the signature you trigger, one of two things
| will likely happen:
|
| If it is an allied partner's tool, they will reach out to the
| other intelligence agency and deconflict. The other agency will
| confirm access and share with the US.
|
| If it is a foreign toolkit (Iranian in this example), they have
| likely reverse engineered the tools and will piggy-back on them
| to access your system. Another option is 4th party collection,
| where they use access to Iranian networks to siphon off the
| data the Iranians have collected on you.
|
| If either of these turns out to be bogus, it will be treated as
| a false positive and they will reinfect your machine, ignoring
| the warning.
|
| itin wrote:
| The cultural significance of the name is pretty ironic:
| https://en.wikipedia.org/wiki/Nazar_(amulet)
|
| dsl wrote:
| Researchers usually pick a name when they have started looking
| at a collection of samples, and don't really have knowledge of
| what is going on or who the threat actor is yet.
|
| The authors call it khDr, a guardian angel type from the Quran
| that shares secret knowledge.
___________________________________________________________________
(page generated 2020-05-05 23:00 UTC)