
hidden partitions


T
Oct 18, 2019, 8:47:00 PM
Hi All,

Has ransomware gotten smart enough to rad hidden drive
partitions now?

Many thanks,
-T

T
Oct 18, 2019, 8:47:21 PM
On 10/18/19 5:46 PM, T wrote:
>  rad hidden
read



Shadow
Oct 19, 2019, 6:25:28 AM
On Fri, 18 Oct 2019 17:46:58 -0700, T <T...@invalid.invalid> wrote:

>Hi All,
>
>Has ransomware gotten smart enough to rad hidden drive
>partitions now?

The NSA has been infecting firmware and hidden partitions
(some malware even makes its own hidden partition) for over a decade
now.
So, yes.
Kaspersky has an "agreement" not to detect said malware, so
most of the other bootable AVs probably do too.
And a bootable AV would be the only way to detect it.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012

Apd
Oct 19, 2019, 7:22:29 AM
"T" wrote:
> Hi All,

There's an echo in here!

> Has ransomware gotten smart enough to read hidden drive
> partitions now?

Probably not because it isn't the place to find user documents. I've
seen nothing about it in IT security news. I presume you're talking
Windows. For malware to use hidden partitions it would have to mount
the file system (if there is one) to access files in the normal way.
This requires somewhat low-level operations which are unlikely to be
worth the trouble.
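As an added illustration of what "hidden" means at the partition-table level (example code written for this edit, not posted by anyone in the thread): a small Python parser for a constructed MBR sector that lists the entries, marks the partition type IDs Windows treats as hidden, and reports unallocated gaps large enough to hold a file system that the table does not list. The sample sector and disk size are constructed; the type IDs are the standard MBR values.

```python
import struct

# Standard MBR partition type IDs that mark a partition as hidden.
HIDDEN_TYPES = {0x11: "hidden FAT12", 0x14: "hidden FAT16 <32M", 0x16: "hidden FAT16",
                0x17: "hidden NTFS/HPFS", 0x1B: "hidden FAT32", 0x1C: "hidden FAT32 LBA",
                0x1E: "hidden FAT16 LBA", 0x27: "hidden NTFS (Windows RE)"}

def _entry(boot, ptype, start, count):
    # 16-byte MBR entry: boot flag, CHS start (unused here), type, CHS end, LBA start, sectors
    return struct.pack("<B3sB3sII", boot, b"\x00\x00\x00", ptype, b"\x00\x00\x00", start, count)

def build_sample_mbr():
    # Constructed sample: one bootable NTFS partition, one hidden-type NTFS partition
    # placed well past the end of the first, leaving an unallocated gap between them.
    table = _entry(0x80, 0x07, 2048, 200000) + _entry(0x00, 0x17, 300000, 50000) + b"\x00" * 32
    return b"\x00" * 446 + table + b"\x55\xAA"

def parse_mbr(sector):
    """Return the non-empty MBR partition entries as dicts, flagging hidden types."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR sector")
    parts = []
    for i in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "boot": boot == 0x80, "type": ptype, "start": start,
                      "count": count, "hidden_type": ptype in HIDDEN_TYPES})
    return parts

def find_gaps(parts, disk_sectors, min_gap=2048):
    """Unallocated LBA ranges (inclusive) at least min_gap sectors long; a file system
    that no table entry points at can only live in one of these."""
    gaps = []
    cursor = 1  # LBA 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] - cursor >= min_gap:
            gaps.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["start"] + p["count"])
    if disk_sectors - cursor >= min_gap:
        gaps.append((cursor, disk_sectors - 1))
    return gaps

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p, HIDDEN_TYPES.get(p["type"], "visible"))
    print("unallocated gaps:", find_gaps(parts, 400000))
```

On a real disk the same checks run over sector 0 read with a raw device handle, and a gap that the OS reports as free but that holds a file-system boot sector is the thing to investigate.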


Shadow
Oct 19, 2019, 6:24:47 PM
https://www.wired.com/2015/02/nsa-firmware-hacking/
(firmware)


https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
(firmware)


https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
(hidden partition)

If it is loaded into memory before the OS loads, it has access
to everything (network and files). Even any Linux/Apple partitions or
cloud storage you might have. It's a sophisticated rootkit.

The payload can be anything. Just plain political spying to
stealing banking/administrative passwords or even ransom.

Weird, the original Kaspersky report has been removed from
archive.org. I get a "Bummer, that page cannot be found"

T
Oct 19, 2019, 8:51:34 PM
If you are the same Shadow as the Communist that writes over
on the home group, nothing you say can be trusted.

T
Oct 19, 2019, 8:51:44 PM
On 10/19/19 3:24 AM, Shadow wrote:
> On Fri, 18 Oct 2019 17:46:58 -0700, T <T...@invalid.invalid> wrote:
>
>> Hi All,
>>
>> Has ransomware gotten smart enough to rad hidden drive
>> partitions now?
>
> The NSA has been infecting firmware and hidden partitions
> (some malware even makes its own hidden partition) for over a decade
> now.
> So, yes.
> Kaspersky has an "agreement" not to detect said malware, so
> most of the other bootable AVs probably do too.
> And a bootable AV would be the only way to detect it.
> []'s
>

Apd
Oct 19, 2019, 10:20:42 PM
It's unclear if there's a hidden partition in that last link. It could
be an infected UEFI bios, or something else entirely.

> If it is loaded into memory before the OS loads, it has access
> to everything (network and files). Even any Linux/Apple partitions or
> cloud storage you might have. It's a sophisticated rootkit.
>
> The payload can be anything. Just plain political spying to
> stealing banking/administrative passwords or even ransom.

Yes, I know about advanced rootkits and state-sponsored malware. It is
way more than ransomware needs to do its job. The spook stuff is well
targeted, usually by 0-day exploits on USB sticks which the targets
are encouraged to plug in their air-gapped systems. It's something
that needs to stay hidden, not "all ur files are belong to us!"
screamed out from an uncloseable pop-up window. Not saying it's
impossible, just unlikely in this scenario as users don't put their
stuff in hidden partitions. It's beyond the capabilities of the
average malware author and not worth the effort anyway.

> Weird, the original Kaspersky report has been removed from
> archive.org. I get a "Bummer, that page cannot be found"

Oo-er!


Shadow
Oct 21, 2019, 6:39:37 AM
Probably another Shadow, I also hate any dictatorships (right
or left wing).
I suppose that invalidates all the links to articles I posted.
They are from a right-wing dictatorship where the government SPIES on
its citizens. And deletes records. Just like in 1984.

Shadow
Oct 21, 2019, 6:56:40 AM
On Sun, 20 Oct 2019 03:19:55 +0100, "Apd" <n...@all.invalid> wrote:

>"Shadow" wrote:
>> https://www.wired.com/2015/02/nsa-firmware-hacking/
>> (firmware)
>>
>> https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
>> (firmware)
>>
>> https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
>> (hidden partition)
>
>It's unclear if there's a hidden partition in that last link. It could
>be an infected UEFI bios, or something else entirely.

UEFIs (most) are bigger than an XP install. Could something
hide in that? (rhetorical).
Malware in hidden partitions is "old" tech.
>
>> If it is loaded into memory before the OS loads, it has access
>> to everything (network and files). Even any Linux/Apple partitions or
>> cloud storage you might have. It's a sophisticated rootkit.
>>
>> The payload can be anything. Just plain political spying to
>> stealing banking/administrative passwords or even ransom.
>
>Yes, I know about advanced rootkits and state-sponsored malware. It is
>way more than ransomware needs to do its job. The spook stuff is well
>targeted, usually by 0-day exploits on USB sticks which the targets
>are encouraged to plug in their air-gapped systems. It's something
>that needs to stay hidden, not "all ur files are belong to us!"
>screamed out from an uncloseable pop-up window. Not saying it's
>impossible, just unlikely in this scenario as users don't put their
>stuff in hidden partitions. It's beyond the capabilities of the
>average malware author and not worth the effort anyway.

I wasn't talking about HOW the infection took place. That's
the "sophisticated" part.
The average user does not use air-gapped systems. He just
clicks on unknown files he receives in his email with names like "I
know what you did on Saturday night" (no extension visible, but with a
nice PDF or WMP icon).

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

That one has been in the wild for at least 5 years.
[]'s
>
>> Weird, the original Kaspersky report has been removed from
>> archive.org. I get a "Bummer, that page cannot be found"
>
>Oo-er!
>

T
Oct 21, 2019, 7:43:08 AM
Good to know that you are not the Comrade Doctor that
spews Communist propaganda and gives Communists
aid and comfort.
Apd
Oct 21, 2019, 7:38:28 PM
"Shadow" wrote:
> On Sun, 20 Oct 2019 03:19:55 +0100, "Apd" wrote:
>>Yes, I know about advanced rootkits and state-sponsored malware. It is
>>way more than ransomware needs to do its job. The spook stuff is well
>>targeted, usually by 0-day exploits on USB sticks which the targets
>>are encouraged to plug in their air-gapped systems. It's something
>>that needs to stay hidden, not "all ur files are belong to us!"
>>screamed out from an uncloseable pop-up window. Not saying it's
>>impossible, just unlikely in this scenario as users don't put their
>>stuff in hidden partitions. It's beyond the capabilities of the
>>average malware author and not worth the effort anyway.
>
> I wasn't talking about HOW the infection took place. That's
> the "sophisticated" part.

The question was about ransomware reading hidden partitions. I'm
saying it's unlikely for that variant of malware to do so by being
sophisticated and/or installing a rootkit for the reasons given.

> The average user does not use air-gapped systems. He just
> clicks on unknown files he receives in his email with names like "I
> know what you did on Saturday night" (no extension visible, but with a
> nice PDF or WMP icon).

All true.
