Hard Drive Firmware Implant IRATEMONK
Here is yet another one of the NSA’s firmware implants which can be used to replace your current hard drive’s firmware. This allows the NSA to gain complete control of your hard drive and through the use of other exploits they would be able to gain complete access to your system.
What It Is
IRATEMONK is a firmware implant that replaces your current hard drive’s firmware and is used as a backdoor into your system. IRATEMONK gains execution through Master Boot Record (MBR) substitution. IRATEMONK supports the following hard drive vendors: Western Digital, Seagate, Maxtor, and Samsung. IRATEMONK does not support systems that use hardware RAID; it is not clear if this method works with software RAID, but my guess would be that it does. IRATEMONK supports the following file systems: FAT, NTFS, EXT3, and UFS (I am sure that by today they support more). To upload the hard drive firmware onto a target machine the NSA uses UNITEDRAKE or STRAITBAZZARE in conjunction with SLICKERVICAR. This is used to implant IRATEMONK and its payload or the implant installer. Once IRATEMONK has been implanted onto a target machine, its frequency of execution (dropping the payload) is configurable, and execution occurs when the system is powered on. This process is very similar to a BIOS exploit for Dell PowerEdge servers called DEITYBOUNCE, which I discussed in my article: Dell PowerEdge Servers BIOS Exploit DEITYBOUNCE.
What We Can Do
The obvious things you could do are to use a hard drive vendor which this type of attack does not affect, or to use hardware RAID, which would eliminate the possibility of an attack like this; however, these options are not very economical or logical for the everyday user. A more logical and economical solution which (I believe) would work is to encrypt your entire hard drive. This can be done with on-the-fly encryption (OTFE) software that can encrypt your entire hard drive. Examples of software that can do this are TrueCrypt, BitLocker, and dm-crypt. Even though encrypting your entire hard drive will still leave the hard drive’s firmware exposed, it will add an extra layer of security which the attacker will have to get through before they can gain access to your files or OS. This theory should work as long as the attacker does not steal your encryption keys out of your RAM.
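Since the article states that IRATEMONK gains execution by substituting the MBR, one defensive check that complements the encryption advice above is a baseline-and-compare of the MBR's boot code and partition table. The code below is an added example written for this page, not code from the article or from the NSA documentation it references; it assumes the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, the 0x55AA signature at offset 510) and uses constructed sample sectors. The caveat a practitioner should keep in mind: the implant lives in the drive's firmware, and the firmware decides what a read request returns, so a baseline taken and compared from a trusted boot medium is a stronger check than one run from the possibly compromised host.

```python
"""Baseline-and-compare check for the Master Boot Record (MBR).

Added example, not from the original article or the documents it cites.
Assumes the classic 512-byte MBR layout; all sample sectors are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_LEN = 16
PARTITION_COUNT = 4
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (LBA fields are little-endian)."""
    status = entry[0]            # 0x80 marks the active (bootable) partition
    ptype = entry[4]             # partition type byte, 0x00 means unused slot
    lba_start, sector_count = struct.unpack_from("<II", entry, 8)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sector_count": sector_count,
    }


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and split the sector into boot code and partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(PARTITION_COUNT):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        entry = parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN])
        if entry["type"] != 0:
            partitions.append(entry)
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(current: bytes, baseline: bytes) -> list:
    """Return findings describing how the current MBR differs from the known-good baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed (possible MBR substitution)")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: given boot code, one bootable NTFS-type partition, valid signature."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80, CHS fields zeroed, type 0x07, LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed sectors: a benign stub recorded as the baseline, and a copy whose
# first bytes differ, standing in for a substituted boot sector.
BASELINE_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0" + b"\x90" * 442)
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 444)


if __name__ == "__main__":
    print("baseline vs baseline:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered vs baseline:", compare_mbr(TAMPERED_MBR, BASELINE_MBR))
```

On a real system the baseline is the first 512 bytes of the disk read while the machine is known good (for example `open("/dev/sda", "rb").read(512)` as root, an assumed device path) and stored off the host; later reads are passed to `compare_mbr` against that stored copy. Hashing only the 446-byte boot code region keeps the check stable across normal partition table edits, which are reported separately.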
Thank you for taking the time to read this article! As always keep the faith!
The NSA’s original documentation on IRATEMONK