
How much longer before 2+2=4 and people see the connections to Boot.Mebromi/Trojan.Mebromi(BMW) and their ROM infections...


2 replies to this topic

#1 SentientRootkit (Members, 5 posts)

Posted 04 February 2012 - 10:18 PM

Am I the only one seeing this, all the connections? Most posts flooding the help sites are all related to the same infection and are only going to be fixed on an EPROM/hardware level. The rest is just treating the symptoms. Open your eyes, people. The days of the Persistent Threat in BIOS and VGA are upon us. Go to Device Manager, show hidden devices and have a disturbing look. Run netstat -a in cmd.exe and look for 127.0.0.1 and 0.0.0.0 listening and connecting to your new proxy server (if you still can). Reformatting and recovery to factory settings only makes it worse... Trust me: 1000 hours and 4 PCs, 1 bank account @ -$400, 1 phone, 1 PS3, 1 PSP, countless external storage media and 500 pages of reports and photos later, I know what I know, and it is more than I ever wanted to.

BTW, when you find that removing your WiFi and LAN cards and unplugging your router doesn't stop the net access, look to see if you have an empty smart card slot. I had to desolder mine to finally stop connecting to this private server on one PC. It was actually fooled into thinking I had a card inside and it was activated for mobile/always-on access. Look for IRQ conflicts to be plentiful. Your motherboard has been completely reworked and drivers are being replaced with corrupt versions. Look to iexplorer and the validation certificates. Most are faked and the real ones untrusted or not allowed to verify anything anymore. Fix this and most software refuses to work at all anymore... depending on your level of infection. Get a new motherboard, remove your EPROM/reprogram/reinsert, or wait for an MB-specific fix from your vendor as people start to demand an open-eyed admittance of the level of this pandemic (not just CHINA) and something eventually gets done by MB manufacturers.

Educate yourself on MEBROMI or the BMW virus. Failure to do so is living with eyes wide shut. Now, THAT'S whassup!

Microsoft Windows [Version 6.1.7601]
Copyright © 2009 Microsoft Corporation. All rights reserved.

C:\Users\Niklas>netstat

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    REMOVED:52979          ec2-50-16-194-96:http  CLOSE_WAIT
  TCP    REMOVED:52980          ec2-50-16-194-96:http  CLOSE_WAIT

C:\Users\Niklas>netstat -a

Active Connections

  Proto  Local Address                         Foreign Address        State           Offload State
  TCP    0.0.0.0:135                           Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:445                           Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:5357                          Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:49152                         Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:49153                         Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:49154                         Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:49155                         Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:49156                         Niklas-PC:0            LISTENING       InHost
  TCP    REMOVED:139                           Niklas-PC:0            LISTENING       InHost
  TCP    REMOVED:52979                         ec2-50-16-194-96:http  CLOSE_WAIT      InHost
  TCP    REMOVED:52980                         ec2-50-16-194-96:http  CLOSE_WAIT      InHost
  TCP    [::]:135                              Niklas-PC:0            LISTENING       InHost
  TCP    [::]:445                              Niklas-PC:0            LISTENING       InHost
  TCP    [::]:5357                             Niklas-PC:0            LISTENING       InHost
  TCP    [::]:49152                            Niklas-PC:0            LISTENING       InHost
  TCP    [::]:49153                            Niklas-PC:0            LISTENING       InHost
  TCP    [::]:49154                            Niklas-PC:0            LISTENING       InHost
  TCP    [::]:49155                            Niklas-PC:0            LISTENING       InHost
  TCP    [::]:49156                            Niklas-PC:0            LISTENING       InHost
  UDP    0.0.0.0:3702                          *:*
  UDP    0.0.0.0:3702                          *:*
  UDP    0.0.0.0:3702                          *:*
  UDP    0.0.0.0:3702                          *:*
  UDP    0.0.0.0:5355                          *:*
  UDP    0.0.0.0:55468                         *:*
  UDP    0.0.0.0:62861                         *:*
  UDP    0.0.0.0:62863                         *:*
  UDP    127.0.0.1:1900                        *:*
  UDP    127.0.0.1:50020                       *:*
  UDP    127.0.0.1:52193                       *:*
  UDP    127.0.0.1:60240                       *:*
  UDP    127.0.0.1:61222                       *:*
  UDP    127.0.0.1:64248                       *:*
  UDP    127.0.0.1:64924                       *:*
  UDP    REMOVED:137                           *:*
  UDP    REMOVED:138                           *:*
  UDP    REMOVED:1900                          *:*
  UDP    REMOVED:64247                         *:*
  UDP    [::]:3702                             *:*
  UDP    [::]:3702                             *:*
  UDP    [::]:3702                             *:*
  UDP    [::]:3702                             *:*
  UDP    [::]:5355                             *:*
  UDP    [::]:55469                            *:*
  UDP    [::]:62862                            *:*
  UDP    [::]:62864                            *:*
  UDP    [::1]:1900                            *:*
  UDP    [::1]:64246                           *:*
  UDP    [fe80::7565:27e5:ec8e:f090%13]:1900   *:*
  UDP    [fe80::7565:27e5:ec8e:f090%13]:64245  *:*

C:\Users\Niklas>


#2 Galadriel (Bleepin Elf, Malware Response Team, 2,753 posts, Missouri, USA)

Posted 05 February 2012 - 01:59 AM

While you bring up some interesting points, you have to realize that 0.0.0.0 is a pointer to all IPs on the local machine (loopback) and that 127.0.0.1 is THE loopback (your own machine) address. So in essence, your machine is listening to traffic from itself (which is perfectly normal, since that's how hardware/software communicates with the various buses on the motherboard).
A computer cannot access the internet without a network card (WiFi or wired), ever, period. A computer does need to be able to speak to itself, which is why, by default, every computer has an IP address, regardless of whether it has an active connection or not. So I'm not sure what your netstat comment was about, because what you mentioned is perfectly normal for a Windows machine and not necessarily the sign of an infection. If you want to prevent unauthorized access, you should read up on how networks actually function (the difference between local and remote addresses, and the importance of ports specifically) and get a decent firewall you can tweak to your heart's desire.

While Mebromi is real and does infect BIOS (Award BIOSes specifically), it isn't necessarily to blame for every apparent unexplained behavior. I fail to see the evidence to back up any of the things you've said.
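The netstat check the OP describes and the local-versus-remote distinction Galadriel points to, as an added example that is not part of either post: a small Python script that parses a `netstat -a` listing, sorts every bound socket by where its local address is reachable from (wildcard 0.0.0.0/::, loopback 127.0.0.1/::1, link-local, or one specific interface) and pulls out the connections that actually go to an outside host. The port-to-service names are the standard Windows assignments, not something from the thread; the SAMPLE text is constructed to mirror the OP's paste (the hostname Niklas-PC is taken from it, and the private address 192.168.1.23 stands in for the OP's redacted one).

```python
"""Sort a `netstat -a` listing into listeners by bind scope and connections
to outside hosts.  Added example for this thread, not code from the posts.
SAMPLE is constructed to mirror the OP's paste; 192.168.1.23 stands in for
the OP's redacted ("REMOVED") address."""
import ipaddress
import re
from collections import Counter

# Standard port assignments for the Windows services visible in the OP's
# listing.  An unknown port is not a finding by itself: map it to a process
# with `netstat -ano` (or `netstat -anob` from an elevated prompt).
KNOWN_WINDOWS_PORTS = {
    135: "RPC endpoint mapper", 137: "NetBIOS name service",
    138: "NetBIOS datagram service", 139: "NetBIOS session service",
    445: "SMB", 1900: "SSDP (UPnP discovery)", 3702: "WS-Discovery",
    5355: "LLMNR", 5357: "WSDAPI (Function Discovery)",
}

ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s*(\S+)?")


def split_endpoint(endpoint):
    """'[::]:135' -> ('::', 135); 'host:http' -> ('host', 'http'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]        # drop brackets and IPv6 zone id
    return host, (int(port) if port.isdigit() else port)


def bind_scope(host):
    """Where a *local* bind address is reachable from."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "other"                    # hostname or redaction placeholder
    if ip.is_unspecified:                 # 0.0.0.0 or :: -> every interface
        return "wildcard"
    if ip.is_loopback:                    # 127.0.0.1 or ::1 -> this machine only
        return "loopback"
    if ip.is_link_local:                  # fe80::/10 -> the local link only
        return "link-local"
    return "interface"                    # bound to one configured address


def is_external(host, local_hostname):
    """Foreign endpoint that is neither this host nor a private/reserved address."""
    if host in ("*", local_hostname):
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True                       # a resolved hostname: review it


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # headers, blanks, "Active Connections"
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "fhost": fhost, "fport": fport, "state": state or ""})
    return rows


def triage(text, local_hostname):
    listeners = Counter()                 # (proto, scope) -> count
    wildcard_services = {}                # port -> service name
    external = []                         # (local port, foreign host, foreign port, state)
    for r in parse_netstat(text):
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            scope = bind_scope(r["lhost"])
            listeners[(r["proto"], scope)] += 1
            if scope == "wildcard":
                wildcard_services[r["lport"]] = KNOWN_WINDOWS_PORTS.get(r["lport"], "unknown")
        elif is_external(r["fhost"], local_hostname):
            external.append((r["lport"], r["fhost"], r["fport"], r["state"]))
    return {"listeners": dict(listeners), "wildcard_services": wildcard_services,
            "external": external}


SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           Offload State
  TCP    0.0.0.0:135            Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:445            Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:5357           Niklas-PC:0            LISTENING       InHost
  TCP    0.0.0.0:49152          Niklas-PC:0            LISTENING       InHost
  TCP    192.168.1.23:139       Niklas-PC:0            LISTENING       InHost
  TCP    192.168.1.23:52979     ec2-50-16-194-96:http  CLOSE_WAIT      InHost
  TCP    [::]:135               Niklas-PC:0            LISTENING       InHost
  UDP    0.0.0.0:3702           *:*
  UDP    0.0.0.0:5355           *:*
  UDP    127.0.0.1:1900         *:*
  UDP    127.0.0.1:50020        *:*
  UDP    [::1]:1900             *:*
  UDP    [fe80::7565:27e5:ec8e:f090%13]:1900  *:*
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE, "Niklas-PC").items():
        print(key, value)
```

Run against the OP's own listing, this reports the 0.0.0.0 and [::] listeners on 135, 445 and 5357 as the usual RPC, SMB and WSDAPI services, the 127.0.0.1 and [::1] UDP sockets as loopback-only, and the two CLOSE_WAIT connections to ec2-50-16-194-96 on port 80 as the only rows worth chasing. The classification rests on one fact the script encodes: 0.0.0.0 and :: are the wildcard address, so a socket bound there accepts connections on every interface, from the network included, whereas only 127.0.0.1 and ::1 are confined to the machine itself. `netstat -ano` adds the owning PID (and `-b`, from an elevated prompt, the executable), which is the step that turns a port number into something you can judge.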

#3 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,203 posts, Romania)

Posted 05 February 2012 - 09:44 AM

To add to what Galadriel already pointed out: Mebromi may be a very advanced rootkit that can be hard to cure (you'll need either to flash the BIOS or reset it), but it is not hard to detect.

See also this write-up from Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2011-090609-4557-99&tabid=2

To summarize: the MBR will be infected and, after being fixed, reinfected once you reboot; calc.exe and my.sys will be present in the root of the Windows partition, and winlogon.exe or wininit.exe (depending on the version of Windows) will be infected.

At this moment the most common rootkit causing redirects and going often undetected is the TDL4/MaxSS partition rootkit.

Neither rootkit is undetectable, but as always it is important to properly diagnose the malware you are dealing with before attempting to fix it.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft
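The three indicators Elise summarises (dropped files in the root of the Windows partition, an MBR that reverts after repair, a changed winlogon.exe/wininit.exe) turned into a repeatable check, as an added example that is not code from the thread or from the Symantec write-up. The script hashes the MBR boot code separately from the partition table so a legitimate partition change does not mask or mimic a reinfection, and compares the logon binaries against hashes recorded from a known-clean state. The baseline values, the sample sectors and the throwaway directory built by `demo_windows_root()` are all constructed for illustration; the device paths in `read_mbr` are the standard raw-disk names, not anything the thread gives.

```python
"""Check the Mebromi indicators Elise lists: calc.exe and my.sys in the root
of the Windows partition, an MBR whose boot code changes back after a repair,
and a modified winlogon.exe / wininit.exe.  Added example for this thread, not
code from the posts or from Symantec.  Baselines must come from a known-clean
state (e.g. recorded right after a successful repair); CLEAN_MBR, INFECTED_MBR
and the tree built by demo_windows_root() are constructed sample data."""
import hashlib
import os
import struct
import tempfile

DROPPED_FILES = ("calc.exe", "my.sys")
LOGON_BINARIES = ("Windows/System32/winlogon.exe", "Windows/System32/wininit.exe")
SECTOR = 512
BOOT_CODE = 446            # bytes 0..445 hold boot code, 446..509 the partition table
SIGNATURE_OFFSET = 510     # 0x55 0xAA marks a valid MBR


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    with open(path, "rb") as f:
        return sha256_bytes(f.read())


def read_mbr(device):
    """Read sector 0 from a raw device (r'\\.\PhysicalDrive0' on Windows, needs
    admin; '/dev/sda' from a Linux boot medium) or from a disk image file."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def mbr_summary(mbr):
    """Hash boot code and partition table separately: the table may change
    legitimately, the boot code should not."""
    if len(mbr) != SECTOR:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(mbr))
    (sig,) = struct.unpack_from("<H", mbr, SIGNATURE_OFFSET)
    return {
        "code_sha256": sha256_bytes(mbr[:BOOT_CODE]),
        "table_sha256": sha256_bytes(mbr[BOOT_CODE:SIGNATURE_OFFSET]),
        "signature_ok": sig == 0xAA55,
    }


def check_dropped_files(windows_root):
    return [n for n in DROPPED_FILES if os.path.isfile(os.path.join(windows_root, n))]


def check_mbr_reinfection(mbr, baseline_code_sha256):
    """True when the boot code no longer matches the hash recorded after the last repair."""
    return mbr_summary(mbr)["code_sha256"] != baseline_code_sha256


def check_logon_binaries(windows_root, baseline_hashes):
    """Return the logon binaries whose hash differs from the recorded baseline."""
    changed = []
    for rel in LOGON_BINARIES:
        path = os.path.join(windows_root, *rel.split("/"))
        if os.path.isfile(path) and baseline_hashes.get(rel) != sha256_file(path):
            changed.append(rel)
    return changed


def run_checks(windows_root, mbr, baseline):
    """baseline = {"mbr_code_sha256": str, "binaries": {rel_path: sha256}}"""
    return {
        "dropped_files": check_dropped_files(windows_root),
        "mbr_signature_ok": mbr_summary(mbr)["signature_ok"],
        "mbr_code_changed": check_mbr_reinfection(mbr, baseline["mbr_code_sha256"]),
        "modified_logon_binaries": check_logon_binaries(windows_root, baseline["binaries"]),
    }


# --- constructed sample data so the checks can be exercised offline ----------
CLEAN_MBR = b"\x00" * BOOT_CODE + b"\x00" * 64 + b"\x55\xAA"
# "Reinfected" sector: identical partition table, different boot code.
INFECTED_MBR = b"\xEB\x3C" + b"\x90" * (BOOT_CODE - 2) + b"\x00" * 64 + b"\x55\xAA"


def demo_windows_root():
    """Build a throwaway tree that looks like an infected system drive: the two
    dropped files present and winlogon.exe changed after the baseline was taken."""
    root = tempfile.mkdtemp(prefix="mebromi_demo_")
    sysdir = os.path.join(root, "Windows", "System32")
    os.makedirs(sysdir)
    winlogon = os.path.join(sysdir, "winlogon.exe")
    with open(winlogon, "wb") as f:
        f.write(b"clean winlogon placeholder")
    baseline = {"mbr_code_sha256": mbr_summary(CLEAN_MBR)["code_sha256"],
                "binaries": {"Windows/System32/winlogon.exe": sha256_file(winlogon)}}
    for name in DROPPED_FILES:                       # drop the indicator files
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"placeholder")
    with open(winlogon, "wb") as f:                  # "infect" winlogon.exe
        f.write(b"patched winlogon placeholder")
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = demo_windows_root()
    print(run_checks(demo_root, INFECTED_MBR, demo_baseline))
```

Two caveats go with this. Take the sector from a boot medium rather than from the running system: a rootkit that has hooked disk I/O can hand a clean-looking sector to anything that reads it from inside the infected OS, which is also why the MBR "comes back" on reboot in the first place. And a changed winlogon.exe or wininit.exe hash is a lead, not a verdict; Windows Update replaces these binaries legitimately, so the baseline has to be a copy you trust (install media, or the hash recorded immediately after the last update), which is the "properly diagnose first" point Elise closes on.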




