>working draft in progress<
Objective: Document the research into why one site was blocked on one CPU.
To begin, it was noted that the site http://www.aspireresourcesinc.com/ returned the following:
This webpage is not available
Google Chrome could not load the webpage because http://www.aspireresourcesinc.com took too long to respond. The website may be down, or you may be experiencing issues with your Internet connection.
Check your Internet connection
Check any cables and reboot any routers, modems, or other network devices you may be using.
Allow Chrome to access the network in your firewall or antivirus settings.
If it is already listed as a program allowed to access the network, try removing it from the list and adding it again.
If you use a proxy server…
Check your proxy settings or contact your network administrator to make sure the proxy server is working. If you don’t believe you should be using a proxy server: Go to the Chrome menu > Settings > Show advanced settings… > Change proxy settings… > LAN Settings and deselect “Use a proxy server for your LAN”.
Error code: ERR_CONNECTION_TIMED_OUT
IP address: 18.104.22.168
Address type: IPv4
ISP: Data Research Associates
Organization: Data Research Associates, Inc.
Timezone: America/Denver (UTC-7)
Local time: 07:15:26
Country: United States
State / Region: Utah
City: Lehi
Coordinates: 40.3916, -111.851
22.214.171.124 Whois Report
This is the full research report for 126.96.36.199, which is an IP address.
Peer 1 Network (USA) Inc.
75 Broad Street
New York, NY 10004
Peer 1 Network AUP Enforcement
Telephone: 16044842588
PEER 1 Network Inc
Telephone: 16044842588
The IP Whois report for 126.96.36.199 was run at 3:01 PM CET on February 8, 2015; the information is provided below where available.
188.8.131.52 Server Details
New York, NY in United States
Peer 1 Network (USA)
Research into the uses of the Intel Manageability Engine Firmware Recovery Agent turned up these snippets (in no particular order):
Why the firmware recovery agent is needed in the first place, I don’t know. That is, if we can trust the use of “firmware” in the name to mean it only deals with IME firmware. The IME Firmware Recovery Agent software is installed by the IME software installation program.
You may not know that Intel still provides the IME software to motherboard manufacturers,
07-20-2012 06:47 AM #1 (Join Date: Mar 2012; Victoria, Australia)
Intel manageability engine firmware recovery agent?
I’ve had a program appear in my notifications asking to be installed called the intel manageability engine firmware recovery agent.
Has anyone had this happen on their G75? And should I install it? I did google it, but being a technophobe I had no idea if it was needed or not. I am assuming it checks for updated drivers or such for anything Intel on the laptop? I really have no clue. Just not sure if I need to install it or not.
07-20-2012 07:46 AM #2 (Join Date: Apr 2012)
This is useless for us… it is for IT people who want to manage a computer from a remote location.
I never install it, or if it was installed automatically I remove it from the Control Panel “Programs & Features”.
07-20-2012 07:52 AM #3 (Join Date: Mar 2012; Victoria, Australia)
I uninstalled Intel Manageability Engine Firmware Recovery Agent and no agent log file appeared! At least not yet! But I have a feeling that this was the program creating it. And I remember that I got an error during its update. So in a way it all makes sense now. Hope this is the real deal, as I got really tired trying to figure out this agent log issue…
That program surfacing, along with the above posts, suggests that this is malware, i.e. a backdoor injected into the firmware of a CPU.
It is also suggested that this Manageability Engine Firmware Recovery Agent is creating log files. Most have been reported as empty. However, we noted unusual log files when performing a search for a lost txt file. These log files would sometimes be empty and at other times show a location and a password. The passwords were always incorrect, but in plain text. The files did not raise significant red flags, other than that they were labeled as logs and contained passwords, though incorrect ones. The anomaly was marked for research at another time and not acted upon at that moment.
With this knowledge, the next question was: what data could be transferred using this backdoor?
What is Intel Manageability Engine Firmware Recovery Agent?
Intel Active Management Technology (AMT) is hardware-based technology for remotely managing and securing PCs out-of-band. Intel AMT is hardware and firmware technology that builds certain functionality into business PCs in order to monitor, maintain, update, upgrade, and repair PCs. Intel AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology. AMT is not intended to be used by itself; it is intended to be used with a software management application. It gives a management application (and thus, the system administrator who uses it) better access to the PC down the wire, in order to remotely and securely do tasks that are difficult or sometimes impossible when working on a PC that does not have remote functionalities built into it.
It is a bootstrap giving access to PCs that do not have remote functionality, and it creates logs, some blank and some with very limited and specific text. Could the blank logs actually contain hidden text?
To conclude, we researched “firmware controller data flow”.
Abstract: Burst mode data transfer in emerging wavelength division multiplexing (WDM) and code division multiplexing (CDM) PONs faces major challenges in electronics design. We develop an embedded software solution to enable optical line terminals (OLT) and optical network terminals (ONT) to process burst mode data flow smoothly. Our solution implements three important components on an FPGA platform. The first consists of a PCI interface that allows the OLT/ONT unit to communicate with a PC. The second is the PowerPC that manages and controls the data flow. Finally, a burst mode transceiver examines data transaction, synchronization and error correction.
Given the sporadic nature of the log files seen, were the logs being “burst” out?
Flow control mechanism in a data processing pipeline
US 8526303 B2
Abstract: Herein described are at least a system and a method for regulating data flow in a data pipeline that may be used in a video processing system. The system comprises a processor, one or more data buffers, and one or more processing stations. The one or more data buffers may be used to buffer corresponding processing stations. Each of the one or more processing stations may comprise a switching circuitry that is used to inhibit data transmission when a hold signal is received from the processor. The processor may send the signal in response to a feedback control signal generated by the one or more processing stations. The method may comprise determining if the processing time of a processing station exceeds a specified time. The method further comprises generating a feedback control signal to a processor if the specified time is exceeded.
In data communications, flow control is the process of managing the rate of data transmission between two nodes to prevent a fast sender from overwhelming a slow receiver. It provides a mechanism for the receiver to control the transmission speed, so that the receiving node is not overwhelmed with data from the transmitting node. Flow control should be distinguished from congestion control, which is used for controlling the flow of data when congestion has actually occurred. Flow control mechanisms can be classified by whether or not the receiving node sends feedback to the sending node.
Flow control is important because it is possible for a sending computer to transmit information at a faster rate than the destination computer can receive and process it. This can happen if the receiving computers have a heavy traffic load in comparison to the sending computer, or if the receiving computer has less processing power than the sending computer.
It is possible that flow control would also be utilized to prevent a sending computer that bursts large amounts of data from malfunctioning or from being detected by normal means.
That concludes this session of research:
A netstat was performed. It was noted that programs were engaged (connected) when they should have been listening. When those programs were stopped, the suspect website went back to timing out in Utah.
Mark Shuttleworth, founder of the Ubuntu Linux distribution, has described proprietary firmware as a security risk, saying that “firmware on your device is the NSA’s best friend” and calling firmware “a trojan horse of monumental proportions”. He has pointed out that low-quality, closed source firmware is a major threat to system security: “Your biggest mistake is to assume that the NSA is the only institution abusing this position of trust – in fact, it’s reasonable to assume that all firmware is a cesspool of insecurity, courtesy of incompetence of the highest degree from manufacturers, and competence of the highest degree from a very wide range of such agencies”.
Researched: how to scan for injectable firmware
General Description: The Sequencing SAR ADC component gives you the ability to configure and use the different operational modes of the SAR ADC on PSoC 4. You have schematic and firmware level support for seamless use of the Sequencing SAR ADC in PSoC Creator designs and projects. You also have the ability to configure up to 8 analog channels that are automatically scanned with the results placed in individual result registers. An optional “Injection channel” may also be enabled by firmware to occasionally scan a signal that does not need to be scanned at the same rate as the other channels.
ndss-2013 (the PDF file referenced above)
Chip maker AMD has patched holes across its firmware lines that could allow hackers to inject malware.
Czech programmer Rudolf Marek reported the holes in the Trinity, Richland, Kaveri, and Kabini silicon series ahead of a disclosure at the Chaos Communications Congress.
AMD’s System Management Unit (SMU) firmware code within x86 processors did not run adequate checks prior to execution, allowing Marek to inject his own commands.
Marek told attendees to ask their mainboard vendors to push the fixed AGESA to BIOSes.
“Tell your vendors for a fixed AGESA (AMD Generic Encapsulated Software Architecture),” Marek said during the talk aimed at encouraging more of the low-level security analysis.
“This is the only way to push vendors to update BIOSes for older platforms.”
Marek did not describe particular attack scenarios created by the lack of protected code along with further firmware errors.
It took roughly a year to fix the flaws in an exchange he described as “responsible and helpful”.
Fault Injection on Firmware Level
Software-implemented fault injection (SWIFI) is an established method to emulate hardware faults in computer systems. Existing approaches either extend the operating system by special drivers, modify the runtime environment, or change the application under test.
The FutureSOC project on novel SWIFI approaches investigates new ideas for adding fault injection as standard dependability assessment tool in modern server environments. One approach relies on the Extensible Firmware Interface (EFI), the BIOS-successor available in latest X86 systems as provided by the FutureSOC lab. Our approach extends the firmware of these systems in order to a) make fault injection completely transparent to the operating system, and to b) support a larger variety of fault types. No modifications to the operating system or the application code are needed.
Our prototype is available for free use in non-commercial usage scenarios. Below you can find installation and configuration instructions. Binaries are provided for download at the end of the page.
In case of further questions, please contact Peter Tröger.