
Vulnerability of internal hardware firmware?


5 replies to this topic

#1 Kevin Paul

  • Members
  • 2 posts

Posted 15 June 2012 - 02:57 PM

I'm preparing to reinstall Windows 7 on my HP Compaq Presario laptop with a Microsoft update disk. The reason -- again -- is my suspicion my system has been compromised -- either that, or I've become paranoid. :P (A while back, someone in chat said they suspected my unfamiliarity with IT was my primary problem, along with strained processing power. I concede both are indeed true, but I strongly suspect there are more nefarious issues as well.)

Briefly, some of the issues: Even after a fresh install or even using a different computer on my old 2Wire DSL Modem/Router, used with AT&T High-Speed Internet, I find worrisome activity running on my PC. Not initially, but if I'm online for an extended time period I find resources being stressed, and upon checking, I'll find all sorts of processes, services and networks running that I don't see reason for. Typically, BIOS, command prompt, shadow volumes, hidden modem, remote network connections (including Windows mobile), home group networking, remote WMI alterations, powershell and/or NT functions are running -- none of which I knowingly ever use. (I only use one simple direct-connect public network for personal browsing, just myself on a solitary computer.) Investigating, I typically find hidden files, processes and unfamiliar user accounts, and much of what is running is remote network, root drive or BIOS-related. Upon disabling or removing some of what I find suspicious -- remote connections with security override access, for example -- those same files usually end up re-enabled sooner or later -- often with new self-protecting schemes obstructing further disabling, deletion or take-ownership attempts. I've also had security software and my firewall tampered with.

Anyway, since these issues (or my paranoia :unsure: ) seem beyond my control regardless of my efforts, I'm wondering if a hacker with long-time access could have hacked my network modem, BIOS, disk drive, or motherboard firmware, and if so, can I re-install anew to feel safer, or otherwise secure them? Since I don't use Command Prompt other than an occasional system file check (SFC /Scannow), I can't help but wonder why it's so often running as a pathway for much of this suspect activity, and I would be happy shutting down access to it and remote networking, video processing, back server operations, and such, unless Microsoft must use them (sometimes, after a session of my probing and disabling, good ol' Trusted Installer will slither in, installing his secret modules and who-the-hell-knows-what-else. He can't be denied (or disabled), I've learned, and is one reason I concede some of the worrisome activity is Microsoft carousing about in the dark. :ph34r: )

I tried to update my BIOS, but HP's flash executable update failed due to being the same version (I still wanted a fresh, authentic copy, regardless, but it cancelled my attempts). I know very little about modem, disk drive, processor or other low-level firmware -- can original or updated versions be located and reinstalled? If so, can they be obtained at the hardware creator's website rather than via my laptop's manufacturer? (HP, upon realizing I've updated a Vista OS laptop to Windows 7, denies me access to updates and drivers because I'm running an "unsupported" -- though legitimate -- version of Windows on my laptop model).

I'll very much appreciate any advice or suggestions.


Thanks,

Kevin

Edited by Kevin Paul, 15 June 2012 - 03:43 PM.



#2 Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 16 June 2012 - 10:34 AM

Yes, the BIOS for your motherboard can get infected.
http://en.wikipedia.org/wiki/BIOS#Virus_attacks

#3 Kevin Paul
  • Topic Starter

  • Members
  • 2 posts

Posted 16 June 2012 - 02:46 PM

Thanks.

Upon reading through the Wikipedia article you linked, both the second and third viruses seem very familiar, descriptions of what I deem to be going on.

Persistent BIOS infection

The third BIOS virus was a technique called "Persistent BIOS infection." It appeared in 2009 at the CanSecWest Security Conference in Vancouver, and at the SyScan Security Conference in Singapore. Researchers Anibal Sacco and Alfredo Ortega, from Core Security Technologies, demonstrated how to insert malicious code into the decompression routines in the BIOS, allowing for nearly full control of the PC at every start-up, even before the operating system is booted.

The proof-of-concept does not exploit a flaw in the BIOS implementation, but only involves the normal BIOS flashing procedures. Thus, it requires physical access to the machine, or for the user to be root. Despite these requirements, Ortega underlined the profound implications of his and Sacco's discovery: “We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus.”


I've completely wiped my hard disk to Department of Defense specifications, reformatted and created a new partition, then installed a new Windows 7 operating system -- efforts I expected to rid my problem -- only to soon have it reoccur. Baffled at first, the only way this could be, I reasoned, would be if my BIOS or modem had been hacked, and recently learned of other firmware that survives disk wipes and a new OS.

Not only is that description precisely what I've concluded has been happening -- even though not knowing it could be done, or how -- but following other links describe file types, locations and activities that fully match what I've been experiencing.

So, now... how do I rid this problem? My attempt to reinstall my BIOS failed because HP's executable for flashing it quits once it sees the version number is the same (apparently that particular Phoenix BIOS has not had an update release). But I absolutely need a fresh-from-the-manufacturer copy, along with other firmware that I've yet to figure out (processors and motherboard?)

I need this problem to be gone once and for all. Just days ago, I deleted all private and homegroup rules from my firewall, and disabled everything but the one essential core group for my one public network (which I use, as Microsoft recommends, for its heightened security when not needing file sharing or networked devices, like printers.) Even so, right afterward a large slew of services and processes had set up shop and left me little resources to even browse online.

I'll get my BIOS specs and see if I can find a file for it at Phoenix's site again (which I tried but failed to find before making this post). Somehow, I ended up with DriverAgent all over my system, which was engineered to persistently reappear even after a thorough removal with Revo Uninstaller Pro. Thanks, Phoenix -- or was that from a redirection? Lord, why can't I simply browse and chuckle at videos of cute kittens like others do? :busy:

So, this new wipe, format, partition and OS installation I'm about to do -- again -- is a waste of my time without further necessary actions, of which I'm vague about.

Again, any guidance, advice -- or sympathy -- will be greatly appreciated.


Dazed and confused,

Kevin

#4 hamluis
  • Moderator
  • 56,109 posts
  • Gender:Male
  • Location:Killeen, TX

Posted 16 June 2012 - 08:11 PM

If you feel that you may be infected...we have a forum for you :).

Am I infected What do I do - http://www.bleepingcomputer.com/forums/forum103.html

I suggest that you initiate a topic there...and try to be clear & concise in detailing symptoms that make you suspect malware :).

Louis

Edited by hamluis, 16 June 2012 - 08:14 PM.


#5 caperdog

  • BC Advisor
  • 954 posts
  • Gender:Male
  • Location:Nova Scotia

Posted 17 June 2012 - 10:40 AM

If you are trying to flash the BIOS from a Windows environment, then maybe you should try it from a DOS environment.
The Phoenix utility for Windows is WinPhlash; for DOS it is Phlash16 (you will have to extract the .exe to get the ROM or BIN file).

Other info: http://h30434.www3.hp.com/t5/Desktop-Lockups-Freezes-Hangs/How-to-Flash-BIOS-if-you-cannot-start-Windows/td-p/436381/page/2
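An added pre-flash sanity check, not part of caperdog's post or of any Phoenix tool: before handing a file to Phlash16, confirm that what you extracted is the raw ROM/BIN image and not still the .exe wrapper, that its size is a plausible flash-chip size, and, where the vendor publishes one (assumed here), that its SHA-256 matches. The sample bytes below are constructed, not real firmware.

```python
import hashlib
from typing import Optional

# Raw BIOS/flash images are whole-chip dumps: a power of two, 128 KiB .. 16 MiB.
MIN_IMAGE = 128 * 1024
MAX_IMAGE = 16 * 1024 * 1024


def looks_like_executable(data: bytes) -> bool:
    """True if the file still starts with the DOS/PE 'MZ' header, i.e. it is the
    vendor's flash .exe wrapper rather than the extracted ROM/BIN image."""
    return data[:2] == b"MZ"


def plausible_image_size(size: int) -> bool:
    """Power of two within the range a real flash chip would have."""
    return MIN_IMAGE <= size <= MAX_IMAGE and (size & (size - 1)) == 0


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_image(data: bytes, expected_sha256: Optional[str] = None) -> dict:
    """Collect every reason this file should NOT be flashed as-is.
    expected_sha256 is the vendor-published digest (assumed to exist)."""
    problems = []
    if looks_like_executable(data):
        problems.append("file is still an executable wrapper; extract the ROM/BIN first")
    if not plausible_image_size(len(data)):
        problems.append(f"size {len(data)} bytes is not a plausible raw flash image size")
    digest = sha256_hex(data)
    if expected_sha256 is not None and digest != expected_sha256.lower():
        problems.append("SHA-256 does not match the vendor-published value")
    return {"sha256": digest, "size": len(data), "ok": not problems, "problems": problems}


# Constructed samples: a stub .exe and a blank 512 KiB image (no real firmware).
FAKE_EXE = b"MZ" + b"\x00" * 100
FAKE_ROM = b"\xff" * (512 * 1024)

if __name__ == "__main__":
    for name, blob in (("flash.exe", FAKE_EXE), ("bios.rom", FAKE_ROM)):
        result = check_image(blob)
        print(name, "OK" if result["ok"] else result["problems"])
```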

#6 Layback Bear

  • Members
  • 1,880 posts
  • Gender:Male
  • Location:Northern Ohio

Posted 18 June 2012 - 08:17 AM

As hamluis has stated, http://www.bleepingcomputer.com/forums/forum103.html
is your next best step. They are very good at such things.
Just to add a little more answer to your first post: you can get infected in anything that plugs into your computer -- printers, routers, memory sticks, etc.



