Hi, an interesting detail in advance:
It does not boot from USB stick. Too dumb for that. From DVD it boots only via BIOS or EFI BIOS emulation, not via generic EFI.

I wrote:
> > ... google ... Kim Schmitz ... rofl ... i am not that curious.

Andrew McGlashan wrote:
> Actually he doesn't run mega.nz any longer and he has said that he
> wouldn't trust the site now due to current ownership

Now is this what his public relations adviser told him to say?

Sandboxing as good as possible ... iceweaseling with Javascript:
  https://mega.nz/#!QwY1EZKJ!GW1gLzXaOUo8sNGF-zddRLwgsfamZy7C5u0CARjaUs0
Now it wants me to download a plugin.
My gut feeling is that I am shortly before winning a Darwin Award.

New approach:

  $ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/debian-live-8.3.0-amd64-xfce-desktop.iso
  $ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS.sign
  $ wget http://cdimage.debian.org/debian-cd/current-live/amd64/iso-hybrid/SHA512SUMS
  $ gpg --verify SHA512SUMS.sign SHA512SUMS
  gpg: Signature made Thu 28 Jan 2016 02:07:19 AM CET using RSA key ID 6294BE9B
  gpg: Good signature from "Debian CD signing key <debian...@lists.debian.org>"
  gpg: WARNING: This key is not certified with a trusted signature!
  gpg:          There is no indication that the signature belongs to the owner.

Well, my own key is not any better. To me this step is a ritual that is applauded by people who are better informed than me. I consider it more a social courtesy than a personal security feature.
  $ x=$(grep debian-live-8.3.0-amd64-xfce-desktop.iso'$' SHA512SUMS)
  $ echo "$x"
  1cead0dfde971e0c70145f6c908cea067ee7ee067f5ca481f076db78d99a99088be76737af4e2c9569540208d6e841f758a568ca12db077fa327e323b5da3a04  debian-live-8.3.0-amd64-xfce-desktop.iso
  $ y=$(sha512sum debian-live-8.3.0-amd64-xfce-desktop.iso)
  $ echo $y
  1cead0dfde971e0c70145f6c908cea067ee7ee067f5ca481f076db78d99a99088be76737af4e2c9569540208d6e841f758a568ca12db077fa327e323b5da3a04 debian-live-8.3.0-amd64-xfce-desktop.iso
  $ test "$x" = "$y" && echo All is well
  All is well

To the test machine ... iceweasel warns me duly that I am about to shoot my foot ... now the plugin is at work. I just don't see any file emerging in ~/Downloads. That's really scary. Like an Android phone. A large file emerges in ~/Desktop. (I am wearing my garlic necklace now, spraying holy water, and looking up witch signs in the Malleus Maleficarum.)

Ok. It's downloaded and md5sum says 7d590864618866c225ede058f1ba61f0.
Copying it on a DVD, not as image but as data file inside an ISO. So it cannot hop onto innocent machines just by being put into the DVD drive.

Back on workstation ...
They used genisoimage:

  $ xorriso -indev ...long.name...iso -pvd_info
  ...
  Volume Id    : Linux Mint 17.3 Rosa 64-bit
  Volume Set Id:
  Publisher Id :
  Preparer Id  :
  App Id       : GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR (C) 1993 E.YOUNGDALE (C) 1997-2006 J.PEARSON/J.SCHILLING (C) 2006-2007 CDRKIT TEAM
  System Id    : LINUX
  CopyrightFile:
  Abstract File:
  Biblio File  :
  Creation Time: 2016021909371600
  Cr. Time Zone: -05:00
  Modif. Time  : 2016021909371600
  Mo. Time Zone: -05:00
  Expir. Time  : 0000000000000000
  Eff. Time    : 2016021909371600
  Ef. Time Zone: -05:00

The sequence of SUSP fields indicates that it was indeed made by a mkisofs clone.
Now for the original:

  $ wget http://...mirror.../linuxmint-17.3-cinnamon-64bit.iso
  $ md5sum linuxmint-17.3-cinnamon-64bit.iso
  e71a2aad8b58605e906dbea444dc4983

This matches the MD5 on http://www.linuxmint.com/edition.php?id=204

  $ xorriso -indev linuxmint-17.3-cinnamon-64bit.iso -pvd_info
  ...
  Volume Id    : Linux Mint 17.3 Cinnamon 64-bit
  Volume Set Id:
  Publisher Id : LINUX MINT
  Preparer Id  : LIVE-BUILD 3.0_A57-1
  App Id       :
  System Id    :
  CopyrightFile:
  Abstract File:
  Biblio File  :
  Creation Time: 2015112815084800
  Modif. Time  : 2015112815084800
  Expir. Time  : 0000000000000000
  Eff. Time    : 0000000000000000

Ouch. They do not even have the same Volume Id (/dev/disk/by-label name).
The original was quite surely written by libisofs, probably under control of xorriso. (Debian keeps my XORRISO branding in Preparer Id.)

Now for boot equipment:

  $ xorriso -hfsplus on -indev ...iso -report_el_torito plain -report_system_area plain
  ...
  Drive current: -indev 'compromised-linuxmint-17.3-cinnamon-64bit-7D590864618866C225EDE058F1BA61F0.iso'
  ...
  El Torito catalog  : 160  1
  El Torito cat path : /isolinux/boot.cat
  El Torito images   :   N  Pltf  B   Emul  Ld_seg  Hdpt  Ldsiz         LBA
  El Torito boot img :   1  BIOS  y   none  0x0000  0x00      4         161
  El Torito img path :   1  /isolinux/isolinux.bin
  El Torito img opts :   1  boot-info-table isohybrid-suitable
  ...
  xorriso : NOTE : No System Area was loaded

That's not even an isohybrid. No EFI equipment present either. (The criminal must have read the most outdated recipes for bootable ISOs.)

  $ xorriso -hfsplus on -indev linuxmint-17.3-cinnamon-64bit.iso -report_el_torito plain -report_system_area plain
  ...
  El Torito catalog  : 155  1
  El Torito cat path : /isolinux/boot.cat
  El Torito images   :   N  Pltf  B   Emul  Ld_seg  Hdpt  Ldsiz         LBA
  El Torito boot img :   1  BIOS  y   none  0x0000  0x00      4       17931
  El Torito boot img :   2  UEFI  y   none  0x0000  0x00   4544      769067
  El Torito img path :   1  /isolinux/isolinux.bin
  El Torito img opts :   1  boot-info-table isohybrid-suitable
  El Torito img path :   2  /boot/grub/efi.img
  System area options: 0x00000102
  System area summary: MBR isohybrid cyl-align-on GPT APM
  ISO image size/512 : 3088640
  Partition offset   : 0
  MBR heads per cyl  : 95
  MBR secs per head  : 32
  MBR partition table:   N Status  Type        Start       Blocks
  MBR partition      :   1   0x80  0x00            0      3088640
  MBR partition      :   2   0x00  0xef      3076268         4544
  MBR partition path :   2  /boot/grub/efi.img
  GPT                :   N  Info
  GPT disk GUID      :      fd922d606736564a9037adde0476578c
  GPT entry array    :      12  208  overlapping
  GPT lba range      :      64  3088586  3088639
  GPT partition name :   1  490053004f00480079006200720069006400
  GPT partname local :   1  ISOHybrid
  GPT partition GUID :   1  fd922d606736564a9035adde0476578c
  GPT type GUID      :   1  a2a0d0ebe5b9334487c068b6b72699c7
  GPT partition flags:   1  0x1000000000000001
  GPT start and size :   1  0  3088584
  GPT partition name :   2  490053004f004800790062007200690064003100
  GPT partname local :   2  ISOHybrid1
  GPT partition GUID :   2  fd922d606736564a9034adde0476578c
  GPT type GUID      :   2  a2a0d0ebe5b9334487c068b6b72699c7
  GPT partition flags:   2  0x1000000000000001
  GPT start and size :   2  3076268  4544
  GPT partition path :   2  /boot/grub/efi.img
  APM                :   N  Info
  APM block size     :      2048
  APM gap fillers    :      0
  APM partition name :   1  EFI
  APM partition type :   1  Apple_HFS
  APM start and size :   1  769067  1136
  APM partition path :   1  /boot/grub/efi.img

Yeah. That's how we learned it from Matthew Garrett. (With some leanification in this case. Fedora Live CD has a HFS+ filesystem image as third El Torito and as additional partition entry in the three partition maps.)
From the viewpoint of my ivory tower I can confirm: this attacker had no real clue about how to mimic a contemporary installation ISO.

The fact that on the other hand the burglary was repeatedly successful gives me two theories:

- A script kiddy found a powerful intrusion program.
- An expert disguises as a dumbnut. (For the fun of hearing the noise?)

Have a nice day :)

Thomas
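An added example, not part of Thomas's message: a small Python reader for the ISO 9660 Primary Volume Descriptor fields that xorriso -pvd_info prints (Volume Id, Publisher Id, Preparer Id, App Id, creation time and time zone), plus a field-by-field comparison of two images, which is the check that exposed the Rosa/genisoimage mismatch above. The field offsets follow ECMA-119; the two images are constructed in memory and only mimic the metadata shown in the post, they are not the real Mint ISOs.

```python
import struct

PVD_OFFSET = 16 * 2048  # ISO 9660 keeps the Primary Volume Descriptor in sector 16
# (offset, length) inside the PVD of the text fields xorriso -pvd_info prints (ECMA-119)
TEXT_FIELDS = {'system_id': (8, 32), 'volume_id': (40, 32), 'volume_set_id': (190, 128),
               'publisher_id': (318, 128), 'preparer_id': (446, 128), 'app_id': (574, 128),
               'creation_time': (813, 16)}

def _tz(pvd, off):
    """Byte 17 of a PVD timestamp: signed count of 15-minute offsets from GMT."""
    q = struct.unpack('b', pvd[off + 16:off + 17])[0]
    return '%s%02d:%02d' % ('-' if q < 0 else '+', abs(q) // 4, (abs(q) % 4) * 15)

def parse_pvd(image):
    """Return the descriptive PVD fields of an ISO image held in memory as bytes."""
    pvd = image[PVD_OFFSET:PVD_OFFSET + 2048]
    if len(pvd) < 2048 or pvd[0] != 1 or pvd[1:6] != b'CD001':
        raise ValueError('no ISO 9660 primary volume descriptor in sector 16')
    info = {k: pvd[o:o + n].decode('ascii', 'replace').rstrip(' \x00') for k, (o, n) in TEXT_FIELDS.items()}
    info['creation_tz'] = _tz(pvd, 813)
    info['volume_blocks'] = struct.unpack('<I', pvd[80:84])[0]  # little-endian half of the both-byte field
    return info

def compare_pvd(image_a, image_b):
    """Names of PVD fields that differ, e.g. between the vendor ISO and a suspect copy."""
    a, b = parse_pvd(image_a), parse_pvd(image_b)
    return sorted(k for k in a if a[k] != b[k])

def build_sample_iso(volume_id, publisher, preparer, app_id, ctime, tz_quarters):
    """Constructed sample image (not a real Mint ISO): zeroed system area plus one PVD."""
    def pad(s, n):
        return s.encode('ascii')[:n].ljust(n)
    pvd = bytearray(2048)
    pvd[0], pvd[1:6], pvd[6] = 1, b'CD001', 1
    pvd[8:40] = pad('LINUX', 32)
    pvd[40:72] = pad(volume_id, 32)
    pvd[80:84], pvd[84:88] = struct.pack('<I', 3088640), struct.pack('>I', 3088640)
    pvd[190:318] = pad('', 128)
    pvd[318:446] = pad(publisher, 128)
    pvd[446:574] = pad(preparer, 128)
    pvd[574:702] = pad(app_id, 128)
    pvd[813:829], pvd[829] = pad(ctime, 16), tz_quarters & 0xff
    return bytes(PVD_OFFSET) + bytes(pvd)

if __name__ == '__main__':
    vendor = build_sample_iso('Linux Mint 17.3 Cinnamon 64-bit', 'LINUX MINT', 'LIVE-BUILD 3.0_A57-1', '', '2015112815084800', 0)
    suspect = build_sample_iso('Linux Mint 17.3 Rosa 64-bit', '', '', 'GENISOIMAGE ISO 9660/HFS FILESYSTEM CREATOR', '2016021909371600', -20)
    for field in compare_pvd(vendor, suspect):
        print('%-14s %r  vs  %r' % (field, parse_pvd(vendor)[field], parse_pvd(suspect)[field]))
```

To run it against a real file, read the first 18 sectors (`open(path, 'rb').read(PVD_OFFSET + 2048)`) and pass the bytes to parse_pvd.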