
Infection with multiple Worms+Trojans, persistant in FW


6 replies to this topic

#1 bwX

Posted 27 June 2014 - 06:15 PM

Hi,

 

I was hacked around 2 weeks ago through an unsecured Android device in my WiFi network. The infection includes the normal stuff from Zeus-2, ZeroAccess etc. but also something underlying that I have not managed to find yet. I am really at the end of the line now. Started dreaming of badBIOS, please don't laugh at me. Basically I don't know how it spreads since it has recently infected my old gaming PC without Bluetooth or WLAN. From the disks I recovered some logs; it looks like Apache Subversion was used to give the infected files a verified Microsoft signature. Also bypasses TPM without any problems. I do get some short detection starting with a Windows Live BootCD, but as soon as you try to dig deeper the laptop crashes. Also infects the Linux kernel, and even if running a live forensic mode CD it still manages to get to the HW. Also spreads to the firmware of modem and router and is flash resistant. Starting with cheap Technicolor TG582n Pro to my Billion 7800dxl. Not sure about Netgear Prosafe switches.

 

Basic symptoms are that it creates hidden virtual WAN devices and PnP devices, a keylogger is installed and Wireshark goes mental with weird transmissions. From the basics it takes over DCOM and RPC, also creating an S folder in the recycle bin.

 

Through recovered logs I saw that 7 volumes were created on one HDD that survived KillDisk using the US DoD method; they were only completely gone with German 7 times random or Russian GOST.

OS infected are Win 7 64, Win8 64 and Linux all Debian Based.

 

Any ideas? Help would be appreciated :) Just got my expensive laptop back from repair with a new mainboard and SSDs, but I don't want to switch it on before I am sure my flat is clean.





#2 bwX

Posted 27 June 2014 - 06:38 PM

Yes, and I forgot to mention everything is running through IPv6 then.



#3 bwX

Posted 29 June 2014 - 10:43 PM

Anyone? I have some new info as well. Even when I start with a clean rescue CD, that thing immediately takes over root, starting processes. Also creates hundreds of files that are basically guides on how to remote log into the machine, run a daemon, prevent logging. Should I post some logs, or does anyone think they can help me?

#4 HelpBot

Posted 02 July 2014 - 06:20 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/539242 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 bwX

Posted 05 July 2014 - 08:12 AM

I can run DDS and post it, but this won't help much. I'm way past data recovery. The problem sits somewhere in the PXE or any other option ROMs. Spreads via Bluetooth. I install either from an original Win7 Ultimate disk, not OEM but retail, or an original Win 8.1 disk. Both are pressed, obviously. Any way to upload pictures here? I did manage to recover some dump files; unfortunately no kernel dump is available. PowerShell does not let me view Secure Boot settings. Extractions from logs show microcode written on the CPU. BIOS update is possible, but ME firmware update is impossible. I know Metasploit was used to gain access and I am in contact with them, but so far they told me such deep functions do not exist. As mentioned, I clean the HDD with KillDisk using by now 35 times random overwrite from an external PC, running on a live CD with all disks removed. Plus a fingerprint is written that remains valid until installing any OS. Tried with Linux, Win7, 8, 8.1, even bare metal. Doing a detailed analysis of the HDD after installing, I find up to 7 hidden volumes that also include the mounting point of the malware, but recovering that file is impossible and also viewing the hex code delivers a read error. EFI files get modified, debug options are not working. IRQ bridges are written on the main board. All DLL and EXE files get a valid Microsoft signature through Subversion. Drivers all date back to 21.06.2006. When forcing access to system32 trying to overwrite drivers with legit ones, the system crashes. Having Wireshark running on another machine, I can see that all IPv4 gets translated to IPv6 and data sent to an impossible IP address, 255.255.255.254. Network device shows up as hybrid. Router gets infected too; verbose logging does not work, but external logging shows that the kernel gets commands to bridge all LAN ports and the WiFi ports. Gpled, using different names every reset, is installed as a child kernel, so even if I deactivate WLAN, the LED goes off but in fact it is still running.
When trying to install Linux SE I get error messages. Trying to run Kali from a live boot CD created a long time before the infection, in forensic mode, somehow there is still access to the HDD. When running a rescue CD, be it Bitdefender or Kaspersky, top shows other root users connected through TTY. Reverse SSH is not possible, and also the kill -9 command is not possible without killing myself. In Windows it uses swenum for setting IOs and IRCs, not granting me access to manually define IRQs.

Post of DDS will follow; maybe someone sees a hint in there.

#6 bwX

Posted 05 July 2014 - 08:31 AM

Give me 2 hours, I will take a new HDD and graphics card and install Win7 32-bit. Please tell me what logs apart from DDS could help. Thx

#7 Elise

Posted 15 July 2014 - 02:34 AM

Hello,

Without seeing any log there's nothing we can do here. It would help if you could give an exact description of the problem (not of what you think are the causes) you are still having.

 

Also, maybe of interest, I did a write-up some time ago about the (im)possibility of advanced malware infections.


regards, Elise


Malware analyst @ Emsisoft