
Bios, Firmware Infection


47 replies to this topic

#1 4NeR

Posted 24 January 2011 - 11:42 AM

Hello everyone. Before I share my recent experiences, I would like to say I am not a Bleeping Computer specialist and do not recommend trying this unless you are fully capable.

I have had 3 computers in my shop with rootkit activity detected by ComboFix. This is after the hard drive was low-level formatted with LLF from HDDGuru and a clean load of Windows. Some Windows updates might need to be installed before the ComboFix detection. The computers were:

Dell Dimension 2400- http://www.bleepingcomputer.com/forums/topic371370.html
Gigabyte motherboard- Intel P4, Award Bios
Asus motherboard- AMD Athlon X2, Phoenix BIOS

On the first two, I was able to clear the rootkit detection by:

-Unplug the machine
-Take out the CMOS battery (push power button to clear capacitors)
-Remove hard drive
-Install battery and plug machine in
-Flash the BIOS with a floppy (Windows flash did not clear detection)
-LLF hard drive on other machine (remember to reboot after LLF)
 I use the Apricorn DriveWire (unplugged from USB on boot)
-Return hard drive to computer and load Windows from trusted disk
****The rootkit detection has not returned on these computers****

On the Asus, after performing the above tasks, ComboFix still detects a rootkit and wants to reboot. After clicking OK, the ComboFix window and all icons disappear. The mouse is still able to move, but after 15 minutes the computer still does not reboot. I power it down and reboot. ComboFix runs but seems to detect nothing.

Could ComboFix have a false detection?

Any other experiences?

Edited by Orange Blossom, 26 January 2011 - 10:49 PM.
Moved to AV forum. ~ OB
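A check worth pairing with the re-flash step in the procedure above: after flashing, read the flash chip back (flashrom's `-r` option does this on boards whose chipset it supports, e.g. `flashrom -p internal -r dump.bin`) and compare the dump against the vendor's release image, so that any region the flash did not overwrite stands out by offset. The C program below is an added example written for this page, not code from the original post, from flashrom or from any tool named in the thread. It assumes both images are the same size and, so that it runs offline, builds two small constructed images inline in place of the real files.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* One contiguous run of bytes where the dump differs from the vendor image. */
struct region {
    size_t offset;
    size_t length;
};

/*
 * Compare two equal-length firmware images byte by byte and record each
 * contiguous run of differences. Returns the total number of runs found;
 * only the first max_out of them are stored in out[].
 */
size_t diff_regions(const unsigned char *vendor, const unsigned char *dump,
                    size_t len, struct region *out, size_t max_out)
{
    size_t count = 0, i = 0;
    while (i < len) {
        if (vendor[i] == dump[i]) { i++; continue; }
        size_t start = i;
        while (i < len && vendor[i] != dump[i]) i++;
        if (count < max_out) {
            out[count].offset = start;
            out[count].length = i - start;
        }
        count++;
    }
    return count;
}

/*
 * Constructed stand-in for the two files a real check would load: a vendor
 * image filled with a repeating pattern, and a "dump" that matches it except
 * for four bytes at 0x10 (think: a patched entry point) and one byte at 0xA0.
 */
#define SAMPLE_LEN 256
size_t demo_regions(struct region *out, size_t max_out)
{
    unsigned char vendor[SAMPLE_LEN], dump[SAMPLE_LEN];
    for (size_t i = 0; i < SAMPLE_LEN; i++)
        vendor[i] = (unsigned char)(0xE9 ^ (i * 7));
    memcpy(dump, vendor, SAMPLE_LEN);
    dump[0x10] ^= 0xFF; dump[0x11] ^= 0xFF; dump[0x12] ^= 0xFF; dump[0x13] ^= 0xFF;
    dump[0xA0] ^= 0x01;
    return diff_regions(vendor, dump, SAMPLE_LEN, out, max_out);
}

int main(void)
{
    struct region r[16];
    size_t n = demo_regions(r, 16);
    if (n == 0) {
        printf("dump matches vendor image\n");
        return 0;
    }
    for (size_t k = 0; k < n && k < 16; k++)
        printf("differs at 0x%06zx, %zu byte(s)\n", r[k].offset, r[k].length);
    if (n > 16) printf("... %zu more region(s)\n", n - 16);
    return 1;
}
```

On a real board the two buffers would be the vendor image and the read-back dump. Some regions are expected to differ (NVRAM/settings blocks, event logs, and on Intel boards the ME region), so the differing offsets have to be read against the board's flash layout; a difference inside the boot block or the main BIOS code region is the one that matters.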

#2 quietman7

Posted 27 January 2011 - 09:40 AM

Could ComboFix have a false detection?

False detections are possible with any security tool to include ComboFix and that is one reason using it without proper supervision or guidance is not recommended.

When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

Further, using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination if using ComboFix is necessary. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Didier Stevens

Posted 27 January 2011 - 10:37 AM

...
-Take out the CMOS Battery (Push power button to clear capacitors)
-Remove harddrive
-Install battery and plug machine in
-Flash the bios with a floppy (windows flash did not clear detection)
...


You remove the CMOS battery to clear the BIOS settings, right?
Any reason why you do this before flashing the BIOS, and not afterward? Or both?

Edited by Didier Stevens, 27 January 2011 - 10:37 AM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 4NeR

Posted 27 January 2011 - 11:12 AM

quietman7,
Thanks for the reply. I have been removing viruses for just over 3 years now at an average of around 6 computers per week. I fully understand the possible consequences of improper cleaning. I also understand that we are constantly learning about the new viruses that come out. I will never claim to know everything and truly value the expertise offered at Bleeping Computer.

It is still difficult to understand how ComboFix can detect a rootkit on a "practically new machine" (it does the same thing even when changing the hard drive).

Didier,
I only do this as a precautionary measure. I do not fully understand hardware architecture. I think it may be possible for the memory to hide in memory for the boot process. All I know is 2 out of 3 machines came back clean after the whole ordeal. It is difficult to find anything other than the "proof of concept" on hardware infection.

The third computer went back to the customer with the belief of a false detection.

#5 quietman7

Posted 27 January 2011 - 01:01 PM

It is still difficult to understand how ComboFix can detect a rootkit on a "practically new machine"

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx), CD emulators, sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. The SSDT stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table. API kernel hooks are not always bad since some system monitoring software and security tools use them as well. ARK scanners do not differentiate between what is good and what is bad...they only report what is found.

Since CD Emulators use a hidden driver which can be seen as a rootkit and interfere with providing accurate results or cause other problems, it is recommended that you disable CD Emulation first if using those types of programs.
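The SSDT check quietman7 describes can be sketched in code. An ARK scanner walks the table and, for each entry, asks which loaded module the pointer falls inside: pointers into the kernel image are the normal case; pointers into another driver are hooks whose owner can be named, which is what lets an analyst tell a HIPS or CD-emulator hook from a rootkit; pointers into no loaded module at all are the ones with no legitimate explanation. The C below is an added example, not code from the post, from ComboFix or from any ARK tool. Because reading the real SSDT needs kernel-mode code, it runs the classification over a constructed table with made-up addresses and a hypothetical driver named hips_driver.sys.

```c
#include <stdio.h>
#include <stddef.h>

/* A loaded kernel module: name and address range [base, base + size). */
struct module_range {
    const char *name;
    unsigned long long base;
    unsigned long long size;
};

enum ssdt_verdict {
    SSDT_IN_KERNEL = 0,     /* points into the kernel image: not hooked */
    SSDT_IN_OTHER_MODULE,   /* points into another loaded driver: hooked, owner known */
    SSDT_IN_NO_MODULE       /* points into no loaded module: hooked, owner unknown */
};

/* Index of the module whose range contains addr, or -1 if none does. */
int find_module(unsigned long long addr,
                const struct module_range *mods, size_t nmods)
{
    for (size_t i = 0; i < nmods; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return (int)i;
    return -1;
}

/* Classify one SSDT entry. mods[0] must be the kernel image itself. */
enum ssdt_verdict classify_entry(unsigned long long addr,
                                 const struct module_range *mods, size_t nmods)
{
    int idx = find_module(addr, mods, nmods);
    if (idx == 0) return SSDT_IN_KERNEL;
    if (idx > 0)  return SSDT_IN_OTHER_MODULE;
    return SSDT_IN_NO_MODULE;
}

/* Count the entries that do not point into the kernel image. */
size_t count_hooked(const unsigned long long *table, size_t n,
                    const struct module_range *mods, size_t nmods)
{
    size_t hooked = 0;
    for (size_t i = 0; i < n; i++)
        if (classify_entry(table[i], mods, nmods) != SSDT_IN_KERNEL)
            hooked++;
    return hooked;
}

/* Constructed sample: made-up load addresses and a hypothetical HIPS driver. */
static const struct module_range sample_mods[] = {
    { "ntoskrnl.exe",    0x804d7000ULL, 0x1f8000ULL },
    { "hips_driver.sys", 0xf8a00000ULL, 0x010000ULL },
};
#define N_SAMPLE_MODS (sizeof sample_mods / sizeof sample_mods[0])

static const unsigned long long sample_ssdt[] = {
    0x805b2c40ULL,  /* inside ntoskrnl */
    0x805e1a10ULL,  /* inside ntoskrnl */
    0xf8a01230ULL,  /* inside hips_driver.sys: a hook with an identifiable owner */
    0x81234567ULL,  /* inside no module: a hook into unattributed memory */
    0x80610f00ULL,  /* inside ntoskrnl */
};
#define N_SAMPLE_SSDT (sizeof sample_ssdt / sizeof sample_ssdt[0])

/* Results over the sample table, for main() and for tests. */
size_t sample_hooked_count(void)
{
    return count_hooked(sample_ssdt, N_SAMPLE_SSDT, sample_mods, N_SAMPLE_MODS);
}

enum ssdt_verdict sample_verdict(size_t index)
{
    return classify_entry(sample_ssdt[index], sample_mods, N_SAMPLE_MODS);
}

int main(void)
{
    for (size_t i = 0; i < N_SAMPLE_SSDT; i++) {
        int idx = find_module(sample_ssdt[i], sample_mods, N_SAMPLE_MODS);
        printf("SSDT[%zu] = 0x%08llx -> %s\n", i, sample_ssdt[i],
               idx < 0 ? "(no module)" : sample_mods[idx].name);
    }
    printf("%zu of %zu entries point outside the kernel image\n",
           sample_hooked_count(), (size_t)N_SAMPLE_SSDT);
    return 0;
}
```

The report is deliberately neutral, as the post says real ARK tools are: the entry into hips_driver.sys and the entry into unattributed memory are both counted as hooks, and it is the owner name (or its absence) that tells the analyst which one deserves attention.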

#6 4NeR

Posted 28 January 2011 - 10:19 AM

All three computers stated above were the same exact software configuration. I understand your concern, not knowing all of the details. Not only did I LLF the hard drives, but I also used some (completely different hard drives) during the diagnostics and still came out with a detection.

On each computer I installed "Windows" and performed "Windows updates". Nothing else apart from ComboFix. No antivirus, Java, Adobe, or anything else. It was as stripped down as possible.

Still, even with the BIOS flash (which worked on 2 computers), 1 computer remains with the rootkit detection.

I do not know what ComboFix detects, but I am thankful that it is at least aware of something residing in the memory. After researching things such as "SSM Rootkits, Hypervisors, Bios Infections" from websites like invisiblethingslab.com and BlackHat.com, I do believe it is possible. And judging by what I have seen in my shop, I think hardware infection is more than a "Proof of Concept".

Edited by 4NeR, 28 January 2011 - 11:27 AM.


#7 quietman7

Posted 28 January 2011 - 02:05 PM

The best way to see what ComboFix has detected is for you to post its log.

Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

ComboFix logs, where should I post them?
When you have done that, post the required logs to include your ComboFix log in that forum, NOT here, for assistance by the Malware Response Team Experts.



#8 4NeR

Posted 28 January 2011 - 06:29 PM

The only logs I currently have are already posted from the first computer at http://www.bleepingcomputer.com/forums/topic371370.html I ran out of options with the third computer and had to let it go with the thought of a false detection.

Gringo did not see anything out of the ordinary. The ComboFix log did not reveal the rootkit it detected prior to reboot.

ComboFix detects something. Perhaps it could create a log of the ACPI table (if that's even possible) or show what is residing in memory prior to Windows loading. I believe studying the way memory is allocated could be a key to solving this. I really appreciate you taking the time to discuss this with me. I realize this is really out of the box for most people, but nothing else makes sense.

#9 quietman7

Posted 29 January 2011 - 07:55 AM

I reviewed the information and logs you provided to gringo_pr in your link and did not see anything that would trigger a detection either. This one is a puzzle to me as well.

#10 circuitburner

Posted 29 January 2011 - 01:00 PM

Guys, TDSS and some others are writing to the EEPROMs on BIOS and video adapters. It's even possible for them to alter the few bytes of netBIOS on the network adapters. I'm serious, this is getting pretty wild. It's opening up a new dimension practically. (no Dell pun intended)
Reflashing appears to not be any kind of fix anymore due to some new capability I've not seen before... I would love to understand how they are doing it... If anything, barring witchcraft or supernatural phenomena executed by demons, they are damaging the PROMs on a one-way ride down the highway to hell. Don't trust boards doing weird sheet, and especially boards maxing the proc out at 101% non-stop. This is a new era, I'm afraid...
Be prepared to simply replace not only hard disks, but main boards and video cards... or chase your tails for weeks doing endless re-works. ---unless you are the fly-by-night type and don't honor any warranty on your work. Keep eyes open for the symptoms... I swear this is not extreme fiction, it's almost scary. Someone's pretty damned determined.

#11 BMXRcr

Posted 29 January 2011 - 02:57 PM

My friend had the same problem. Hired an expert -- the rootkit was located in the video card BIOS and survived several HD wipedowns using DBAN. Some telltale clues were hidden device drivers with names like "Vgasave" and a whole bunch of others. If you load a Linux disk (or install Linux) the logs say something like "PCI device attempting to load BIOS...appears valid." This is during the boot process. Computer still being examined.

Edited by quietman7, 29 January 2011 - 07:35 PM.
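On the video-card claim above, the one artifact an analyst can actually pull from a live CD is the card's expansion ROM. On Linux it is exposed as /sys/bus/pci/devices/<bdf>/rom (write 1 to the file to enable it, then read it), and the image has a documented layout: a 0x55 0xAA signature, a size byte in 512-byte units at offset 2, a pointer at offset 0x18 to a "PCIR" data structure carrying the vendor and device IDs and code type, and, for legacy x86 images, an 8-bit checksum that brings the whole image to zero. The IDs in the ROM should match the card's config space and the dump should hash to the image the vendor ships. The C below is an added example, not code from the post, from Linux or from any tool in the thread; it parses and checksums a constructed 1 KiB image with made-up IDs 0x1234/0x5678 and then shows the checksum failing after a single byte is flipped.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Fields recovered from a legacy x86 PCI expansion ROM image. */
struct oprom_info {
    size_t   image_len;   /* bytes: size byte at offset 2, in 512-byte units */
    unsigned vendor_id;   /* from the PCIR data structure */
    unsigned device_id;
    unsigned code_type;   /* PCIR code type: 0 = x86 legacy BIOS, 3 = UEFI */
    int      last_image;  /* PCIR indicator byte, bit 7 */
};

static unsigned rd16(const unsigned char *p) { return p[0] | ((unsigned)p[1] << 8); }

/* Walk the ROM header and PCIR structure. Returns 0 on success, <0 if malformed. */
int parse_option_rom(const unsigned char *rom, size_t len, struct oprom_info *out)
{
    if (len < 0x1A || rom[0] != 0x55 || rom[1] != 0xAA) return -1;  /* no 55 AA signature */
    size_t image_len = (size_t)rom[2] * 512;
    if (image_len == 0 || image_len > len) return -2;                 /* size byte implausible */
    size_t pcir = rd16(rom + 0x18);
    if (pcir + 0x18 > image_len || memcmp(rom + pcir, "PCIR", 4) != 0) return -3;
    out->image_len  = image_len;
    out->vendor_id  = rd16(rom + pcir + 4);
    out->device_id  = rd16(rom + pcir + 6);
    out->code_type  = rom[pcir + 0x14];
    out->last_image = (rom[pcir + 0x15] & 0x80) != 0;
    return 0;
}

/* Legacy x86 images carry an 8-bit checksum: all bytes sum to 0 mod 256. */
int oprom_checksum_ok(const unsigned char *rom, size_t image_len)
{
    unsigned char sum = 0;
    for (size_t i = 0; i < image_len; i++) sum = (unsigned char)(sum + rom[i]);
    return sum == 0;
}

/* Constructed 1 KiB sample with made-up vendor/device IDs 0x1234/0x5678. */
#define SAMPLE_LEN 1024
void build_sample_rom(unsigned char *rom)
{
    memset(rom, 0, SAMPLE_LEN);
    rom[0] = 0x55; rom[1] = 0xAA;
    rom[2] = SAMPLE_LEN / 512;            /* 2 x 512-byte blocks */
    rom[3] = 0xEB;                        /* where the init entry jump would sit */
    rom[0x18] = 0x1C; rom[0x19] = 0x00;   /* PCIR structure at offset 0x1C */
    memcpy(rom + 0x1C, "PCIR", 4);
    rom[0x1C + 0x04] = 0x34; rom[0x1C + 0x05] = 0x12;   /* vendor 0x1234, little-endian */
    rom[0x1C + 0x06] = 0x78; rom[0x1C + 0x07] = 0x56;   /* device 0x5678 */
    rom[0x1C + 0x10] = SAMPLE_LEN / 512;  /* image length in 512-byte units */
    rom[0x1C + 0x14] = 0x00;              /* code type: x86 legacy */
    rom[0x1C + 0x15] = 0x80;              /* indicator: last image in the ROM */
    unsigned char sum = 0;                /* make the final byte fix the checksum */
    for (size_t i = 0; i < SAMPLE_LEN - 1; i++) sum = (unsigned char)(sum + rom[i]);
    rom[SAMPLE_LEN - 1] = (unsigned char)(0u - sum);
}

/* Parse and checksum the intact sample; returns 1 when both pass. */
int demo_verify(struct oprom_info *info)
{
    unsigned char rom[SAMPLE_LEN];
    build_sample_rom(rom);
    if (parse_option_rom(rom, SAMPLE_LEN, info) != 0) return 0;
    return oprom_checksum_ok(rom, info->image_len);
}

/* Flip one byte in the code area and re-check: header parses, checksum fails. */
int demo_tampered_checksum(void)
{
    unsigned char rom[SAMPLE_LEN];
    struct oprom_info info;
    build_sample_rom(rom);
    rom[0x100] ^= 0x01;
    if (parse_option_rom(rom, SAMPLE_LEN, &info) != 0) return -1;
    return oprom_checksum_ok(rom, info.image_len);
}

int main(void)
{
    struct oprom_info info;
    int ok = demo_verify(&info);
    printf("vendor %04x device %04x, %zu bytes, code type %u, last=%d, checksum %s\n",
           info.vendor_id, info.device_id, info.image_len, info.code_type,
           info.last_image, ok ? "ok" : "BAD");
    printf("after flipping one byte: checksum %s\n",
           demo_tampered_checksum() ? "ok" : "BAD");
    return 0;
}
```

A passing header and checksum only mean the image is well-formed; anyone who rewrites an option ROM can recompute the final byte. The header walk is for locating and attributing the image (IDs, code type, whether a second UEFI image follows); the judgement comes from comparing the dump's hash with the vendor's released ROM.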


#12 4NeR

Posted 31 January 2011 - 10:43 AM

Quietman7,
I now have a 4th computer here reloaded from LLF with a ComboFix rootkit detection and reboot. One reason this seems rare is that I might be the only person to run ComboFix on a "clean" computer. Should I post the log here? Or is there something else I can do? If possible could you please forward this to the developer of ComboFix. I will do anything I can to help determine if this is a true or false detection.

BMXRcr,
During my research I remember reading something on how to clear Nvidia video memory within the BIOS. I cannot seem to find my way back to that page, but I think after you are in the motherboard BIOS, you push (alt + (?)), you will get a beep to confirm the memory has been cleared. I believe this is only on an onboard chipset. I will check out this current machine with live Ubuntu and check the logs and see what they say.

Here is a link that goes through a lot of information on what goes on in the virtual world. http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf I do not believe this is applicable here, but it could help with other research.

#13 quietman7

Posted 31 January 2011 - 12:33 PM

I will provide sUBs with a link to this thread so he can read all that you are reporting.

#14 4NeR

Posted 01 February 2011 - 01:00 PM

Unfortunately, this latest detection is on an HP laptop. It does not give the option to flash the BIOS outside of Windows and it would be difficult to get to the battery. I believe I am stuck with a big (?). ComboFix is an excellent tool and is the "only" tool in my toolbox that detects anything. I do hope this somehow gets resolved in the near future.

If anybody has further information or similar issues, please post.

#15 quietman7

Posted 01 February 2011 - 01:18 PM

I have passed on your issues to sUBs but he, like all staff members, is a volunteer who assists other members as time permits. Further, with his available time sUBs is extremely busy with providing technical support to numerous folks here and many other forum boards.