
SN 1076: FAST16.SYS - Unmasking the NSA's Most Diabolical Digital Sabotage

Security Now (Audio), 2h 35m

Security Now episode 1076 covers the discovery of FAST16.SYS, a sophisticated NSA-linked kernel rootkit from 2005 that subtly corrupted physics and engineering calculation software — predating Stuxnet by five years. The episode also covers a Bitwarden CLI supply chain attack, Iranian router malfunctions before the US/Israeli strikes, Meta's employee activity logging for AI training, and Steve Gibson's GRC e-commerce system rewrite.

Summary

The main story of this episode centers on the discovery of FAST16.SYS, a Windows kernel driver rootkit believed to be NSA-linked state-level cyber sabotage tooling from approximately 2005 — five years before Stuxnet. Sentinel Labs researchers stumbled upon it while searching for the earliest known use of the Lua scripting virtual machine in malware. A PDB path string buried in a service executable called Service Management.exe linked to the kernel driver, which would otherwise have gone unnoticed. The driver was also referenced in the 2017 Shadow Brokers leak of suspected NSA tools, where it appeared in a deconfliction list with the unusual note to leave it alone — with no malware name attached, unlike all other entries.

FAST16.SYS operated as a boot-time rootkit that hooked deep into the Windows file system I/O stack. Its diabolical function was to intercept executable files as they were read from disk into memory and patch them on the fly, without ever modifying the files on disk. It specifically targeted executables compiled with the Intel C/C++ compiler and applied a ruleset of 101 pattern-matching instructions to them. Crucially, one injected code block consisted of floating-point unit (FPU) instructions designed to introduce subtle but systematic errors into precision arithmetic. Reverse engineering traced the targeted binaries to high-precision engineering and simulation software used in civil engineering, physics, and nuclear modeling: specifically LS-Dyna 970, PKPM, and MOHID, with LS-Dyna cited in public reporting on Iran's nuclear weapons-related computer modeling. The effect would be that every infected machine running this software would silently agree on the same wrong answers. Because the patch is applied in the read path every time the file is loaded, nothing on disk ever changes: file hashes and on-disk antivirus scans come back clean, and reinstalling the software simply puts back a clean file that is patched again at the next load.
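To make the mechanism concrete, the following Python is an added model of read-path patching and of the one check that exposes it. It is an illustration written for this summary, not code from the episode, from the researchers, or from the driver itself. The rule format, the TOYCC compiler marker, the single x87 rewrite and the sample executable bytes are all constructed; the real driver's 101 rules and its compiler check are not reproduced here.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PatchRule:
    """One rule of a read-path patcher: find a masked byte pattern, overwrite chosen bytes."""
    name: str
    pattern: bytes   # bytes to look for in the image as it is read
    mask: bytes      # 0xFF: byte must match, 0x00: wildcard
    patch: dict      # offset within the match -> replacement byte


# Constructed marker standing in for "compiled with the targeted compiler".
# Hypothetical: the real gating check is not described in this summary.
TARGET_MARKER = b"TOYCC"

# Constructed ruleset. FAST16.SYS is reported to carry 101 rules; this one
# byte-level rewrite only illustrates the mechanism.
# x87 encoding: DC /1 = fmul m64, DC /0 = fadd m64 (reg field of the ModRM byte).
RULES = [
    PatchRule(
        name="fmul_to_fadd",
        pattern=b"\xdd\x00\xdc\x09\xdd\x1a",   # fld qword [??]; fmul qword [ecx]; fstp qword [edx]
        mask=b"\xff\x00\xff\xff\xff\xff",      # the fld operand byte is a wildcard
        patch={3: 0x01},                        # fmul qword [ecx] -> fadd qword [ecx]
    ),
]


def matches_at(buf, off, rule):
    """True if `rule.pattern` matches `buf` at `off` under the rule's mask."""
    n = len(rule.pattern)
    if off + n > len(buf):
        return False
    return all(((buf[off + k] ^ rule.pattern[k]) & rule.mask[k]) == 0 for k in range(n))


def apply_rules_on_read(disk_bytes, rules):
    """Model of the filter driver: return the bytes the loader sees plus the rule hits.
    The on-disk bytes are copied, never written to."""
    image = bytearray(disk_bytes)
    hits = []
    for rule in rules:
        off = 0
        while off <= len(image) - len(rule.pattern):
            if matches_at(image, off, rule):
                for k, b in rule.patch.items():
                    image[off + k] = b
                hits.append((rule.name, off))
                off += len(rule.pattern)
            else:
                off += 1
    return bytes(image), hits


def load_executable(disk_bytes, rules):
    """What a process actually runs: patched only if the file looks like a target."""
    if TARGET_MARKER not in disk_bytes:
        return bytes(disk_bytes), []
    return apply_rules_on_read(disk_bytes, rules)


def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()


def image_matches_disk(disk_bytes, loaded_bytes):
    """The check an on-disk scanner never performs: compare what was mapped into
    memory against what is on disk. A mismatch with no file write is the signature."""
    return sha256_hex(disk_bytes) == sha256_hex(loaded_bytes)


# Constructed "executable": a stub header, the fake compiler marker at offset 8,
# the three-instruction x87 sequence at offset 18, and a ret.
SAMPLE_DISK = (
    b"MZ" + b"\x00" * 6
    + b"TOYCC 1.0\x00"
    + b"\xdd\x00\xdc\x09\xdd\x1a"
    + b"\xc3"
)

if __name__ == "__main__":
    loaded, hits = load_executable(SAMPLE_DISK, RULES)
    print("rule hits:", hits)
    print("disk byte 21:", hex(SAMPLE_DISK[21]), "loaded byte 21:", hex(loaded[21]))
    print("image matches disk:", image_matches_disk(SAMPLE_DISK, loaded))
```

The point of `image_matches_disk` is the defender's side of the story: a scanner that hashes files finds nothing, while a comparison of the mapped code section against the file it came from shows a difference that no legitimate loader should produce.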

The malware spread as a network worm using a modular 'wormlet' architecture, propagating via Windows file shares and service control APIs, targeting weak or default admin credentials in Windows 2000/XP environments. It checked for the presence of common security products before installing, avoiding monitored environments. The carrier module used an embedded Lua 5 VM with encrypted bytecode, giving operators a highly adaptable and reusable framework. RCS-style source control marker strings inside the binary suggest a well-resourced, long-running government development program. Despite being uploaded to VirusTotal years ago, FAST16.SYS still receives almost no detections.
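The propagation path described above (a network logon with admin credentials, access to an administrative share, then a service installed through the Service Control Manager) is the same pattern that PsExec-style lateral movement leaves in logs, and it can be caught by correlation. The following Python is an added example for this summary, not the researchers' tooling: it runs over a handful of constructed, normalized events. The event IDs are the modern Security/System log IDs (4624, 5140, 7045), not the Windows 2000/XP identifiers of the malware's era, and the host names, addresses, service name and image path are made up.

```python
from datetime import datetime, timedelta

# Constructed, normalized events for this example (not real Windows log output).
# Field names mirror the Security/System log fields they stand for.
EVENTS = [
    {"ts": "2005-03-01T02:14:05", "host": "WS07", "id": 4624, "logon_type": 3,
     "user": "Administrator", "src_ip": "10.0.0.23"},
    {"ts": "2005-03-01T02:14:06", "host": "WS07", "id": 5140, "share": "\\\\*\\ADMIN$",
     "user": "Administrator", "src_ip": "10.0.0.23"},
    {"ts": "2005-03-01T02:14:09", "host": "WS07", "id": 7045,
     "service": "Service Management", "image": "C:\\WINDOWS\\system32\\svcmgmt.exe"},
    # A backup account reading an ordinary share: no service install follows.
    {"ts": "2005-03-01T09:00:00", "host": "WS12", "id": 4624, "logon_type": 3,
     "user": "backup", "src_ip": "10.0.0.5"},
    {"ts": "2005-03-01T09:00:02", "host": "WS12", "id": 5140, "share": "\\\\*\\SHARED",
     "user": "backup", "src_ip": "10.0.0.5"},
    # A service installed with no preceding network logon: local action, not flagged.
    {"ts": "2005-03-01T11:30:00", "host": "WS07", "id": 7045,
     "service": "Print Helper", "image": "C:\\Program Files\\Vendor\\helper.exe"},
]

ADMIN_SHARES = {"ADMIN$", "C$", "D$", "IPC$"}


def share_name(share):
    """Reduce the UNC path in a 5140 event ('\\\\*\\ADMIN$') to the share name."""
    return share.rsplit("\\", 1)[-1].upper()


def detect_remote_service_installs(events, window=timedelta(minutes=5)):
    """Flag each 7045 (new service) that was preceded, on the same host and within
    `window`, by a network logon (4624, logon type 3) and an administrative share
    access (5140) from the same source address."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    hits = []
    for host, evs in by_host.items():
        for e in evs:
            if e["id"] != 7045:
                continue
            t = datetime.fromisoformat(e["ts"])
            recent = [x for x in evs
                      if x["id"] in (4624, 5140)
                      and timedelta(0) <= t - datetime.fromisoformat(x["ts"]) <= window]
            logon_srcs = {x["src_ip"] for x in recent
                          if x["id"] == 4624 and x.get("logon_type") == 3}
            share_srcs = {x["src_ip"] for x in recent
                          if x["id"] == 5140 and share_name(x["share"]) in ADMIN_SHARES}
            for src in sorted(logon_srcs & share_srcs):
                hits.append({"host": host, "src_ip": src, "ts": e["ts"],
                             "service": e["service"], "image": e["image"]})
    return hits


if __name__ == "__main__":
    for h in detect_remote_service_installs(EVENTS):
        print(f"{h['ts']} {h['host']}: service '{h['service']}' installed after "
              f"admin-share access from {h['src_ip']} ({h['image']})")
```

The window and the share list are the knobs to tune: legitimate software deployment tools produce the same triple, so in practice the source address is checked against the known deployment hosts before the hit is raised.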

Other topics covered include: a Bitwarden CLI supply chain attack via a compromised GitHub Action in the broader Checkmarx campaign, which lasted only 93 minutes and affected only developer environments, not end-user vaults. Iranian networking equipment from Cisco, Fortinet, Juniper, and MikroTik reportedly malfunctioned before US/Israeli missile strikes, at a time when Iran was already disconnected from the global internet. Meta was reported to be logging employee mouse movements, clicks, and keystrokes to train AI models in areas where AI is deficient, such as menu navigation and form input. Steve Gibson announced the completion of a 90-day rewrite of GRC's e-commerce system and the release of DNS Benchmark version 5, which introduces a prominent Run Benchmark button, a full application menu, and a gold badge consultant license tier. Listener feedback covered Cloudflare's 1.1.1.2 and 1.1.1.3 DNS resolvers for malware and content filtering, the Certum code signing certificate service for open-source developers, the limitations of AI-assisted coding for non-architects, the philosophical questions raised by AI consciousness, and the 0patch team's explanation of why they cannot patch the Red Sun zero-day in Windows Defender.
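For the GitHub Actions angle, the practical control is to reference actions by full commit SHA rather than by tag or branch: a tag can be moved to point at different code, a commit hash cannot. The script below is an added example for this summary, not tooling from Bitwarden or from any other affected project. It scans a workflow file for `uses:` references that are not pinned to a 40-character SHA; the workflow text and the SHA in it are constructed placeholders.

```python
import re

# Matches a step-level or job-level `uses:` line and captures its value.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full 40-hex-digit commit SHA is the only immutable reference.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref):
    """Classify one `uses:` value: 'pinned' (commit SHA), 'mutable' (tag, branch or
    no ref at all), 'local' (action in this repository) or 'docker' (image ref)."""
    ref = ref.strip("'\"")
    if ref.startswith("./"):
        return "local"
    if ref.startswith("docker://"):
        return "docker"
    if "@" not in ref:
        return "mutable"          # no ref at all means the default branch
    version = ref.rpartition("@")[2]
    return "pinned" if SHA_RE.match(version) else "mutable"


def find_unpinned_uses(workflow_yaml):
    """Return [(line_number, ref)] for every action reference that can be retargeted."""
    findings = []
    for lineno, line in enumerate(workflow_yaml.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if classify_uses(ref) == "mutable":
                findings.append((lineno, ref))
    return findings


# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/scan-action@main
      - uses: ./.github/actions/local-thing
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
      - run: npm ci
"""

if __name__ == "__main__":
    for lineno, ref in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

Pinning only closes the retargeting window; an action pinned to a SHA whose own dependencies are fetched at run time still needs the same review. Keeping the human-readable tag in a trailing comment next to the SHA is the usual compromise between auditability and readability.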

Key Insights

  • FAST16.SYS is a 2005-era NSA-linked kernel rootkit that predates Stuxnet by approximately five years, representing some of the earliest known state-grade cyber sabotage against physical-world targets.
  • The rootkit's core sabotage mechanism was to intercept precision engineering and physics simulation software as it was loaded into memory, patching floating-point arithmetic routines on the fly to introduce subtle but systematic calculation errors — without ever modifying files on disk.
  • The targeted software included LS-Dyna 970, a simulation tool cited in public reporting on Iran's suspected nuclear weapons computer modeling, strongly suggesting Iran was the intended target.
  • FAST16.SYS appeared in the 2017 Shadow Brokers NSA leak inside a deconfliction list — a document used by cyber operators to avoid interfering with each other's implants — listed with no malware name and an implicit instruction to leave it alone, unlike all other entries.
  • The malware spread as a network worm using a modular 'wormlet' architecture, propagating via Windows file shares and default or weak admin credentials, and checked for the presence of common security products before installing to avoid monitored environments.
  • Because no files were ever modified on disk, reinstalling software on an infected machine would have no effect, and antivirus scans would find nothing — yet every infected machine running the targeted software would silently agree on incorrect results.
  • RCS-style source control marker strings inside the FAST16.SYS binary — an artifact of 1970s and 80s Unix tooling — suggest a long-running, well-resourced government development program rather than opportunistic or criminal malware authorship.
  • The Bitwarden CLI supply chain attack was part of the broader Checkmarx GitHub Actions campaign and lasted only 93 minutes; it targeted developer secrets and CI/CD pipeline credentials, not end-user vault data.
  • Iranian networking equipment from Cisco, Fortinet, Juniper, and MikroTik reportedly malfunctioned before US/Israeli strikes, with Iran already disconnected from the global internet at the time — raising the question of how time-triggered or remotely triggered sabotage could have been activated.
  • Meta was reported to be logging employee mouse movements, clicks, and keystrokes to train AI models in areas where current AI is deficient, such as navigating menus and typing in input fields, with the stated purpose being model improvement rather than employee review.
  • Steve Gibson argues that AI coding tools are currently aimed at developers who already understand software architecture, and that the quality of AI-generated code is directly constrained by how well the user can articulate architectural requirements — citing the analogy that knowing what to ask for is the critical missing skill for non-developers.
  • Gibson argues that AI compute costs will fall as radically as storage costs have over the past 40 years, while human coding costs will not, making the long-term shift toward AI-assisted development economically inevitable regardless of short-term breakeven points.
  • Gibson speculates that future, more powerful AI might be able to detect deliberately engineered backdoors in old, trusted, well-audited code that current AI and human auditors have missed — noting that such backdoors are specifically designed to look benign in isolation.
  • Cloudflare's 1.1.1.2 DNS resolver returns 0.0.0.0 for known malicious domains instead of their real IPs, providing a passive network-level filter that requires no client-side software; 1.1.1.3 additionally blocks adult content.
  • The Sentinel Labs researchers discovered FAST16.SYS not by looking for it directly, but by scanning historical malware corpora for the distinctive compiled bytecode fingerprint of the Lua scripting virtual machine — a research thread that unexpectedly led to the oldest known instance of Lua-based malware and revealed a previously unknown state-level sabotage operation.
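As an added example of what the 1.1.1.2 behaviour looks like on the wire (written for this summary, not Cloudflare's code), here is a minimal DNS A-record client in Python using only the standard library, plus a classifier that treats an answer of 0.0.0.0 as a block. The two response packets are constructed by hand so the parser runs offline; `bad.example` uses the reserved .example TLD and 192.0.2.1 is a documentation address. `resolve_a` performs a live UDP query if you call it.

```python
import socket
import struct


def build_query(name, txid=0x1234):
    """Build a standard recursive A query for `name` (one question, no EDNS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)          # QTYPE A, QCLASS IN


def _skip_name(pkt, off):
    """Advance past a possibly compressed name (RFC 1035 section 4.1.4 pointers)."""
    while True:
        n = pkt[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += n + 1


def parse_a_answers(pkt):
    """Return (rcode, [IPv4 strings]) from the answer section of a response."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4                         # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x0F, addrs


def classify_answer(rcode, addrs):
    """'blocked' is the 1.1.1.2 / 1.1.1.3 sentinel: every A record is 0.0.0.0."""
    if rcode == 3:
        return "nxdomain"
    if not addrs:
        return "no-answer"
    return "blocked" if all(a == "0.0.0.0" for a in addrs) else "resolved"


def resolve_a(name, resolver="1.1.1.2", timeout=3.0):
    """Live query over UDP; run it against resolver='1.1.1.1' as well to see the filter."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != query[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_answers(resp)


def _response(name_wire, rdata):
    """Constructed response with one A answer whose name is a pointer to the question."""
    return (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + name_wire + struct.pack(">HH", 1, 1)
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + rdata)


# Constructed packets: a blocked name as 1.1.1.2 answers it, and a normal answer.
BLOCKED_RESPONSE = _response(b"\x03bad\x07example\x00", b"\x00\x00\x00\x00")
NORMAL_RESPONSE = _response(b"\x03www\x07example\x00", b"\xc0\x00\x02\x01")

if __name__ == "__main__":
    for label, pkt in (("blocked", BLOCKED_RESPONSE), ("normal", NORMAL_RESPONSE)):
        print(label, classify_answer(*parse_a_answers(pkt)))
```

Answering 0.0.0.0 rather than NXDOMAIN is what makes the filter passive: the client gets a well-formed answer, the connection attempt fails immediately, and no software on the host has to know that filtering is in place.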

Topics

  • FAST16.SYS NSA-linked kernel rootkit discovery
  • Bitwarden CLI supply chain attack via GitHub Actions
  • Iranian router malfunctions before US/Israeli strikes
  • Meta logging employee activity for AI training
  • GRC e-commerce rewrite and DNS Benchmark version 5 release
  • Cloudflare DNS filtering resolvers 1.1.1.2 and 1.1.1.3
  • AI coding limitations and architectural knowledge requirements
  • Certum low-cost code signing certificates for open source
