
Help!!! BIOS ROOTKIT INFECTION???


  • Please log in to reply
14 replies to this topic

#1 thatchinaboi

Posted 05 September 2009 - 08:25 PM

My computer fails to POST when I turn on the computer. I am not certain what the problem is, but it seems like a bios rootkit.
For a period of a week before my computer died out, my computer was acting strangely: random resets while online torrenting and running a web browser, and right after Windows XP SP3 loads (after one of these seemingly random resets) the system resets again. Keep in mind I have NOD32 updated and running, as well as Spybot Search and Destroy, Outpost 2009, rootkit detection and removal, a router, and Protowall for my computer security purposes. The last time one of these resets occurred, XP failed to load, and I got a message "RAM RW test failure". Afterwards, after turning the computer off and on, the BIOS splash screen began to shake a little, and then BSOD. Afterwards the computer fails to POST. I've tried connecting another HD with XP and programs installed. After NUMEROUS tries, the computer finally POSTs and loads into XP on the "new" HD. The system crashed while running a VSTi in Cubase on the "new" HD. Afterwards, the computer again fails to POST: keyboard Caps Lock and Num Lock LEDs do not light up or change when pressed, the monitor fails to display, the connected HDs show no signs of spinning even though the MB LED is lit up and the CPU fan spins, the DVD drive LED lights up and it spins initially but stops and nothing happens even with the XP Install Disc and Motherboard Driver Disc in the tray.

Do you think that I have a BIOS virus, based on what I have indicated? What should I do? I don't see how flashing the BIOS will work without POSTing first. Am I correct?
So the solution is to replace BIOS chip with a new BIOS, but how to prevent the new BIOS chip from being attacked or infected once again? I would like to recover all the data in the hard drives as well, so reformat is completely out of the question.

I thank in advance anyone kind enough to help.

(p.s. I bought a new power supply and installed it in my system. Still no POST, so power supply is ruled out.)


#2 Blade

Posted 05 September 2009 - 08:45 PM

This sounds more like motherboard failure than anything else to me... BIOS rootkits are strictly proof of concept at this point. They will likely remain so for the foreseeable future as well, due to their complexity and non-portability.



#3 thatchinaboi

Posted 05 September 2009 - 09:04 PM

Blade thanx for the quick reply. What can I do to make sure it is not the motherboard?

Excuse my ignorance, but I really think I have a BIOS rootkit. Is it not possible to flash a BIOS chip from the OS kernel level? (People do this all the time to upgrade their MB and often mess up.) Is it not possible that my computer has been compromised by a kernel-level rootkit infection that has administrative privileges to flash my BIOS? Is this not a very real possibility?

#4 Knight_of_BAAWA

Posted 05 September 2009 - 09:13 PM

It's highly doubtful that you have a BIOS rootkit. The most likely culprits are 1. bad RAM. 2. popped capacitors on your motherboard. Check for (2). If none, swap out the RAM.

#5 thatchinaboi

Posted 05 September 2009 - 09:19 PM

BAAWA thank you for your reply. I don't see how the RAM or the motherboard can all of a sudden become "bad" for no apparent reason. Just doesn't make sense to me. Can you explain?

#6 Knight_of_BAAWA

Posted 05 September 2009 - 09:23 PM

You might have had a transient voltage spike through the system or dirty voltage. Or any number of other variables. Point is: I've seen a lot of systems that won't post because of either bad RAM or popped capacitors. In fact: I usually see at least 2 systems/month that have died because of popped caps. Check them.

#7 Blade

Posted 05 September 2009 - 09:23 PM

Like I said before, BIOS rootkits are proof of concept. This means simply that a case was developed where this concept was proven. It is possible to compromise a computer in the way you describe. However, for this to occur, several conditions must be met, some of which are below.

1.) The BIOS rootkit must be written for your particular BIOS, for the version of that BIOS you have. Firmware level rootkits are hardware-dependent: a rootkit written for a Dell BIOS will not work whatsoever on an Alienware BIOS.

2.) The BIOS chip on your motherboard must be flashable, and set to allow flashing.

3.) Your computer must already be compromised by a rootkit with kernel-level privileges.

So basically, for this to even be considered, you would have to have contracted malware which installed a kernel-mode rootkit which flashed your BIOS with malicious code that just happened to be written specifically for the type and version of BIOS that you have on your system, and you would have to have the switch on the MB set to allow flashing of the BIOS.

Let's add to this the fact that there isn't a documented, publicly available case of an in the wild BIOS level rootkit infection. This would mean that you're pretty much one of the first people ever to become infected by this.

Having a BIOS level rootkit is a possibility in that the concept has been proven; a BIOS can be flashed with malicious code if all the requisite conditions are met. However, the odds against this are astronomical. It's possible, yes, but it's not a real possibility.

Hope that makes sense.

~Blade

EDIT: Just saw Knight of BAAWA's posts. I agree with him.

I don't see how the RAM or the motherboard can all of a sudden become "bad" for no apparent reason.


For a period of a week before my computer died out, my computer was acting strangely: random resets while online torrenting and running web browser, and right after window xp sp3 loads (after one of these seemingly random resets) system resets again.

It sounds to me like your motherboard/RAM has been failing gradually for some time now. You can attribute all the random restarts to it.

Edited by Blade Zephon, 05 September 2009 - 09:29 PM.



#8 thatchinaboi

Posted 05 September 2009 - 09:28 PM

I have checked the motherboard and the RAM and all of the connections. No popped capacitors.
Apart from some dust, no visible problem with either.

What should I do?

#9 thatchinaboi

Posted 05 September 2009 - 09:34 PM

I might be thick-headed and paranoid..but better safe than sorry right?? You guys might want to take a look at this..

http://searchsecurity.techtarget.com/tip/0...1359106,00.html

"Until now, common wisdom has been that the large variety of BIOS implementations means it is unfeasible for attackers to create portable, widespread BIOS malware. Core's researchers proved this wrong. According to Core's CTO, Ivan Arce, the researchers identified a specific section of BIOS code -- a decompression routine -- used in the majority of motherboards. BIOS code is stored compressed so that it takes up less space, and code must be decompressed before it runs. The decompression routine is exactly the same in many different motherboards. This gives attackers a single snippet of code that they can target in order to compromise many different BIOSes. The result? For the first time, researchers showed that BIOS-level malware can practically infect a wide variety of hardware.

To demonstrate, the researchers injected code into the generic BIOS decompression"

#10 Knight_of_BAAWA

Posted 05 September 2009 - 09:39 PM

Let's look at what you've said, ok? Random restarts. Lock-ups. BSODs. RAM failure message on POST. That's not a rootkit; that's some piece or pieces of hardware failing.

Now with your checking of your RAM -- did you just visually inspect it or did you swap out the RAM for some spares you may have? Have you also tried re-seating your processor and checking the proc for burns? Is the fan on your CPU heatsink running, and if not -- that could have cooked the proc.

Never attribute to a virus that which is more easily and probably hardware.

#11 thatchinaboi

Posted 05 September 2009 - 09:49 PM

I do not have any spare DDR RAM to swap, so no, I have not swapped out the RAM. I have taken the computer apart, checked it, re-seated the CPU and reconnected everything. I have a good surge protector that I use for my system that is grounded, and the fan on the CPU is working. A cooked proc is highly unlikely, because I do not overclock, and I have ASUS Probe running often, so I would know about high temps.


Question is where do I go from here? Should I automatically assume MB and RAM is toast and spend money on a new system? What about the data? How do I recover everything? (web history, bookmarks, my documents, desktop files, etc?)

Edited by thatchinaboi, 05 September 2009 - 10:09 PM.


#12 thatchinaboi

Posted 05 September 2009 - 10:11 PM

Question is where do I go from here? Should I automatically assume MB and RAM is toast and spend money on a new system? What about the data? How do I recover everything? (web history, bookmarks, my documents, desktop files, etc?)

#13 Knight_of_BAAWA

Posted 05 September 2009 - 10:18 PM

If you can swing it, buy a stick of RAM from a local parts store and pop that in, making sure that you only have that stick of RAM in the system. If nothing, your mobo is probably lunched.

Recovering the data is as easy as putting the drive as a secondary in another system and copying from one drive to another. What you're looking for will be in Documents and Settings\%Username%

#14 thatchinaboi

Posted 05 September 2009 - 10:28 PM

I have previous experience in recovering data from a system drive. From my experience I was not able to recover data from Documents and Settings\%Username% of a system drive that had a user password. The folder will appear greyed out and when you click on it some error pops up.

#15 Knight_of_BAAWA

Posted 05 September 2009 - 10:38 PM

Then take ownership of it and all subfolders.
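The "take ownership, then copy" step from the two posts above, written out as an added example (not from the thread or any of its posters). It assumes the old drive is attached as E:, the profile is named olduser, the destination is D:\Recovered, and the shell is an elevated PowerShell on the rescue machine.

```powershell
# Added example: recover a profile folder whose NTFS ACL belongs to a user
# account from the dead system. Assumed paths; adjust E:, olduser, D:\Recovered.
$Source = 'E:\Documents and Settings\olduser'
$Dest   = 'D:\Recovered\olduser'

# 1. Take ownership of the folder and everything under it.
#    /R = recurse, /D Y = answer "yes" when a subfolder's listing is denied.
takeown.exe /F $Source /R /D Y | Out-Null

# 2. Grant the current (rescue-machine) account Full control on the tree.
#    (OI)(CI) = inherit to files and subfolders, /T = recurse, /C = keep going on errors.
icacls.exe $Source /grant "${env:USERNAME}:(OI)(CI)F" /T /C | Out-Null

# 3. Copy the data out. /E copies subfolders (including empty ones),
#    /COPY:DAT keeps data, attributes and timestamps but NOT the old ACLs,
#    /R:1 /W:1 limits retries on unreadable (possibly damaged) files, /XJ skips junctions.
robocopy $Source $Dest /E /COPY:DAT /R:1 /W:1 /XJ | Out-Null
$RobocopyExit = $LASTEXITCODE   # 0-3 = success, 8 or above = some files failed

# 4. Report anything still unreadable so it can be handled by hand.
Get-ChildItem -Path $Source -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable Denied | Out-Null
$Denied | ForEach-Object { "Still inaccessible: $($_.TargetObject)" }
"robocopy exit code: $RobocopyExit"
```

Files the old user encrypted with EFS will copy but remain unreadable, because ownership changes the ACL, not the encryption key; everything else under Documents and Settings (My Documents, Desktop, Favorites, browser history) is recovered this way.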