Lessons learned: with a dynamic and reactive opponent with development resources and ops staff, a focus on static IOCs is an ancient philosophy stuck in the last decade. An attentive opponent will fix them before you can deploy detection.
To put it another way: if BadBIOS were real and affected hardware I own, and I had strong belief that I was compromised by such a piece of software (or even a hardware implant), I am confident I would be able to gather hard, irrefutable evidence of such within a few days.
The fact that Dragos has not done so, and has not provided any evidence that would qualify as a smoking gun, hypothetically *could* be a sign of an unimaginably, incomprehensibly advanced series of implants and an active attacker... but Occam's razor says he's just seeing things.
At the end of the day, you turn the thing off, dump the Flash memory, and either the malware is there or it isn't. Yes, it can get more complicated than that... but the basic premise holds.