Hackers rob US and global banks of millions in one of the largest heists ever | The Verge



Firmware Vulnerability Injection

>working draft in progress<

Objective: Document the research behind the reason one site was blocked in one CPU.

To begin, it was noted that the site http://www.aspireresourcesinc.com/ returned with the details:

This webpage is not available

Google Chrome could not load the webpage because http://www.aspireresourcesinc.com took too long to respond. The website may be down, or you may be experiencing issues with your Internet connection.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using.
Allow Chrome to access the network in your firewall or antivirus settings.
If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.
If you use a proxy server…
Check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don’t believe you should be using a proxy server: Go to the Chrome menu > Settings > Show advanced settings… > Change proxy settings… > LAN Settings and deselect “Use a proxy server for your LAN”.
The internet connection was good, Chrome had access through the firewall, and a proxy server was not in use.
No other site was being timed out or blocked. Other CPUs within the network could access the site. The suspect box was moved to a different router to test for a router hack; the site could not be accessed from the new router by the suspect CPU.
Nor could the site be accessed using its IP address. Cookies were cleared, the CPU was scrubbed using CC, and the hosts file was checked.
A TRACERT was performed. It showed the site being dropped at:

IP address:

Address type: IPv4
ISP: Data Research Associates
Organization: Data Research Associates, Inc.
Timezone: America/Denver (UTC-7)
Local time: 07:15:26
Country: United States
State / Region: Utah
City: Lehi
Coordinates: 40.3916, -111.851
By chance we experienced a region-wide power outage and stopped work to conserve power. When we returned, the suspect site was timing out at the address in the following whois report:

Whois Report

This is the full research report for the IP address (report run on February 8, 2015 at 3:01 PM CET).

Peer 1 Network (USA) Inc.
75 Broad Street
2nd Floor
New York, NY 10004

Administrative Contact
Peer 1 Network AUP Enforcement
Telephone: 16044842588

Technical Contact
PEER 1 Network Inc
Telephone: 16044842588


Server Details

Server Location: New York, NY in United States
Host: Peer 1 Network (USA)

A call was placed to tech support concerning the anomaly being experienced by the suspect site. We explained the series of events in detail. We were told that “some clients can do anything with their servers and we have no control or ability to help.” I restated that in the question, “So a dedicated server?” He did not confirm and he did not deny. We concluded our conversation with mutual understanding.
We took the research for peer review.
We posed such questions as:
How can one site be blocked from one CPU, excluding cookies, malware, and the like?
It was during this research that an install request came from the Intel Manageability Engine Firmware Recovery Agent.
The question was raised: was that program part of a RAT? Though questioned, this theory was explored.
Research for “Intel manageability engine firmware recovery agent hack” provided some information on coming across one site, which has numerous red flags suggesting this program was in use at one time as a little-known hack or a cowing and intimidation hack.

Research for “Intel manageability engine firmware recovery agent uses” provided these snippets (in no particular order):

Why the firmware recovery agent is needed in the first place, I don’t know. That is, if we can trust the use of “firmware” in the name, to mean it only deals with IME firmware. The IME Firmware Recovery Agent software is installed by the IME software installation program.

You may not know that Intel still provides the IME software to motherboard manufacturers,


Forum thread: “Intel manageability engine firmware recovery agent?”

#1 ROG Enthusiast (Victoria, Australia; joined Mar 2012):

    I’ve had a program appear in my notifications asking to be installed called the intel manageability engine firmware recovery agent.

    Has anyone had this happen on their G75? And should I install it? I did google it, but being a technophobe had no idea if it was needed or not. I am assuming it checks for updated drivers or such for anything intel on the laptop? I really have no clue. Just not sure if I need to install it or not.

#2 (joined Apr 2012):

    This is useless for us…. it is for IT people who want to manage a computer from a remote location.

    I never install it, or if it was installed automatically I remove it from the Control Panel “Programs & Features”.

#3 ROG Enthusiast (Victoria, Australia; joined Mar 2012):

    I uninstalled Intel Manageability Engine Firmware Recovery Agent and no agent log file appeared! At least not yet! But I have a feeling that this was the program creating it. And I remember that I got an error during its update. So in a way it all makes sense now. Hope this is the real deal as I got really tired trying to figure out this agent log issue….


That program surfacing, along with the above posts, suggests that this is malware, i.e. a backdoor injected into the firmware of a CPU.

It is also suggested that this Manageability Engine Firmware Recovery Agent is creating log files. Most have been reported as empty. However, we have noted unusual log files when performing a search for a lost txt file. These log files would sometimes be empty and other times show a location and a password. The passwords were always incorrect, but in plain text. The files did not raise significant red flags, other than that they were labeled logs and had passwords, though incorrect. The anomaly was marked for research at another time and not acted upon at that moment.

With this knowledge, the next question was: what data could be transferred by using this backdoor?

What is Intel Manageability Engine Firmware Recovery Agent?
Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band. Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PCs. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.


It is a bootstrap giving access to PCs that do not have remote functionalities, and it creates logs, some blank and some with very limited and specific text. Could the blank logs actually have hidden text?

To conclude, we researched “firmware controller data flow”.

Abstract: Burst mode data transfer in emerging wavelength division multiplexing (WDM) and code division multiplexing (CDM) PONs faces major challenges in electronics design. We develop an embedded software solution to enable optical line terminals (OLT) and Optical network terminals (ONT) to process Burst mode data flow smoothly. Our solution implements three important components on an FPGA platform. The first consists of a PCI interface that allows the OLT/ONT unit to communicate with a PC. The second is the PowerPC that manages and controls the data flow. Finally, a burst mode transceiver examines data transaction, synchronization and error correction


Given the sporadic nature of the log files seen, were the logs being “burst” out?

Flow control mechanism in a data processing pipeline
US 8526303 B2
Herein described are at least a system and a method for regulating data flow in a data pipeline that may be used in a video processing system. The system comprises a processor, one or more data buffers, and one or more processing stations. The one or more data buffers may be used to buffer corresponding processing stations. Each of the one or more processing stations may comprise a switching circuitry that is used to inhibit data transmission when a hold signal is received from the processor. The processor may send the signal in response to a feedback control signal generated by the one or more processing stations. The method may comprise determining if the processing time of a processing station exceeds a specified time. The method further comprises generating a feedback control signal to a processor if the specified time is exceeded.
This abstract suggests a possible mechanism by which the suspect site was timed out. It also raises the possibility that the logs are not empty but contain a form of hidden information within a video file that is not registered under normal conditions.

In data communications, flow control is the process of managing the rate of data transmission between two nodes to prevent a fast sender from overwhelming a slow receiver. It provides a mechanism for the receiver to control the transmission speed, so that the receiving node is not overwhelmed with data from transmitting node. Flow control should be distinguished from congestion control, which is used for controlling the flow of data when congestion has actually occurred.[1] Flow control mechanisms can be classified by whether or not the receiving node sends feedback to the sending node.

Flow control is important because it is possible for a sending computer to transmit information at a faster rate than the destination computer can receive and process it. This can happen if the receiving computers have a heavy traffic load in comparison to the sending computer, or if the receiving computer has less processing power than the sending computer.


It is possible that flow control would also be used to prevent a sending computer that bursts large amounts of data from malfunctioning or being detected by normal means.

That concludes this session of research:


A netstat was performed. It was noted that programs were engaged (connected) when they should have been listening. When those programs were stopped, the suspect website went back to being timed out in Utah.
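As an added illustration of the netstat check described above (example code written for this page, not part of the original draft), this Python snippet parses Windows `netstat -ano` output and flags processes that hold a listening socket yet also have an established connection to a non-loopback peer. The sample output, addresses and PIDs are constructed.

```python
import ipaddress
from collections import namedtuple

Conn = namedtuple("Conn", "proto local foreign state pid")

# Constructed sample of Windows `netstat -ano` output (not real data).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.20:8080      203.0.113.8:51020      ESTABLISHED     3120
  TCP    192.168.1.20:49700     198.51.100.7:443       ESTABLISHED     5544
  TCP    127.0.0.1:49701        127.0.0.1:135          ESTABLISHED     912
  UDP    0.0.0.0:5353           *:*                                    2200
"""


def parse_netstat(text):
    """Parse TCP rows of netstat -ano into Conn records (headers and UDP rows are skipped)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        proto, local, foreign, state, pid = parts
        conns.append(Conn(proto, local, foreign, state, int(pid)))
    return conns


def peer_host(addr):
    """Return the host part of 'host:port', stripping IPv6 brackets."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def find_engaged_listeners(conns):
    """Return (pid, foreign) pairs for processes that have a LISTENING socket and
    also an ESTABLISHED connection to a non-loopback peer, i.e. 'engaged when
    they should be listening'. Loopback peers are ignored as local IPC."""
    listening = {c.pid for c in conns if c.state == "LISTENING"}
    hits = []
    for c in conns:
        if c.state != "ESTABLISHED" or c.pid not in listening:
            continue
        if ipaddress.ip_address(peer_host(c.foreign)).is_loopback:
            continue
        hits.append((c.pid, c.foreign))
    return hits


if __name__ == "__main__":
    for pid, foreign in find_engaged_listeners(parse_netstat(SAMPLE)):
        print(f"PID {pid} is listening but also connected to {foreign}")
```

On a live system, feed the function the captured text of `netstat -ano` and review each flagged PID against Task Manager or `tasklist` before drawing conclusions.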

Security risks

Mark Shuttleworth, founder of the Ubuntu Linux distribution, has described proprietary firmware as a security risk,[10] saying that “firmware on your device is the NSA’s best friend” and calling firmware “a trojan horse of monumental proportions”. He has pointed out that low-quality, closed-source firmware is a major threat to system security:[11] “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”.

Researched: how to scan for injectable firmware

General Description The Sequencing SAR ADC component gives you the ability to configure and use the different operational modes of the SAR ADC on PSoC 4. You have schematic and firmware level support for seamless use of the Sequencing SAR ADC in PSoC Creator designs and projects. You also have the ability to configure up to 8 analog channels that are automatically scanned with the results placed in individual result registers. An optional “Injection channel” may also be enabled by firmware to occasionally scan a signal that does not need to be scanned at the same rate as other channels.


When Firmware Modifications Attack: A Case Study of Embedded Exploitation

ndss-2013 (the PDF file for the above)

Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware.

Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress.

AMD’s System Management Unit (SMU) firmware code within x86 processors did not run adequate checks prior to execution, allowing Marek to inject his own commands.

Marek told attendees to ask their mainboard vendors to push the fixed AGESA to BIOSes.

“Tell your vendors for a fixed AGESA (AMD Generic Encapsulated Software Architecture),” Marek said during the talk aimed at encouraging more of the low-level security analysis.

“This is the only way to push vendors to update BIOSes for older platforms.”

Marek did not describe particular attack scenarios created by the lack of a protected code along with further firmware errors.

It took roughly a year to fix the flaws in an exchange he described as “responsible and helpful”.


Fault Injection on Firmware Level

Software-implemented fault injection (SWIFI) is an established method to emulate hardware faults in computer systems. Existing approaches either extend the operating system by special drivers, modify the runtime environment, or change the application under test.

The FutureSOC project on novel SWIFI approaches investigates new ideas for adding fault injection as standard dependability assessment tool in modern server environments. One approach relies on the Extensible Firmware Interface (EFI), the BIOS-successor available in latest X86 systems as provided by the FutureSOC lab. Our approach extends the firmware of these systems in order to a) make fault injection completely transparent to the operating system, and to b) support a larger variety of fault types. No modifications to the operating system or the application code are needed.

Our prototype is available for free use in non-commercial usage scenarios. Below you can find installation and configuration instructions. Binaries are provided for download at the end of the page.

In case of further questions, please contact Peter Tröger.