@jim-p
Created June 30, 2015 16:00
2758-compromise.txt
Hey folks,
I'm an entrepreneur based in the Bay Area. In this case, it appears our once open & trusting attitude towards our regular guests @ home-hackathons most likely led to its demise. The result -- a total compromise of our personal network, all workstations and mobile devices - and of course, my pfSense/Netgate C2758 I had been evaluating was among the casualties.
Before I go any further, the C2758 support code is: 2809614B. Also to clarify: the device has been offline for the past 6 months and I have really not spent much time evaluating the extent of the compromise. From what little I recall, it seemed the NIC OPROMs had been reflashed and I'm assuming the extent of the compromise was more substantial.
If the approach is at all similar to the handful of our other systems I've spent time evaluating -- then you may well find the system of interest. In those cases, each involved rootkits that would consistently survive restoration efforts using various known methods of persistence. One or more system components (NIC/GPU/HID, etc.) would be flashed to address any attempts at a fresh start.
Ultimately, each compromised system would preload a paravirtualized microkernel to monitor network / human input, while reflashing all possible firmware/OPROMs that preserved functionality and minimized interference with the underlying OS. I figured I'd reach out in case your security folks might want to do their own forensic analysis of the device or if anything of use may be gained. Barring that scenario, just let me know the best route towards reviving this baby ;)
-Shawn