Firmware Attack! BAD VULNERABILITY!


This topic is locked
3 replies to this topic

#1 Mryan0333 (Members, 5 posts, Lenexa, Kansas)

Posted 13 September 2014 - 12:12 AM

Hey, I have been a sysadmin for many years working with computers and have an associate degree in electronics. The happy members of some very intrusive group (won't mention the name) have decided to put malicious code onto all my computers that has literally wiped the NVRAM tables, after I tried to modify or remove it on the 8 systems I had! Needless to say this really isn't a virus but rather a very suspicious boot loader that creates a virtual disk inside your EFI tables using a language code that literally tricks the BIOS into believing that a "?" is an actual "." in the dir structure of ALL GRUB, NTFS, DOS, UNIX AND APPLE BOOTLOADERS!

I have now not only lost thousands of dollars worth of computers; I just recently bought a Dell Inspiron 15R that became infected before I could even get the recovery CD burned. Personally I have taken almost 2 years to analyse this and figure out how it does what it does, but have yet to find a way to stop it!

I'm pretty sure this is the BadBIOS everyone talks about and found it doing things that seemed literally supernatural or alien by definition, but now I am very confident I can expose the real truth on how and why this works; but since I don't program, I could use some other help in finding out how to stop it for good!

And after contacting Dell and explaining what I have said here, they had me RMA the laptop to their repair center and immediately replaced it with a new one, which should arrive tomorrow.

I'm really upset as I know if I turn this laptop on in my apartment it will become infected before I even put it on the network, and as hard to believe as that may sound, I am very sure the virus uses existing infected Wi-Fi or cell devices that broadcast an ultra-high frequency which contains machine language code that is universal to most processors on the mainboard or video card!

I know Dell confirmed my suspicions by acknowledging that this does exist and ALL DEVICES including phones, computers, Wi-Fi and even some Apple devices are vulnerable to this infection, and just recently safecomputing.org confirmed a firmware vulnerability that affects USB on ALL devices, which is originally how they flash your system; but once the main code has been introduced into your network, you can literally kiss your computers goodbye if you try to modify or alter the hex code, as it does wipe all the firmware it infects if it realizes you have altered or disabled its ability to load.

My question is: does anyone have any ideas on how to stop a firmware-infecting virus that literally can spread via no known or seen method other than sound? Right now I have been working with MSI, who sent me my 6th motherboard replacement, and have just powered it on to find it infected too!

MSI refuses to acknowledge the malware exists, and for a brief period of time back in February I purchased a store-returned MSI board that I'm pretty sure infected all my USB devices and DVD-RW drives! Eight months later I get my 6th replacement board only to see that its EFI driver table has been completely rewritten by a code language that looks like ???????????, in hex, and the BIOS DMI references (null) in almost all devices inside NVRAM.

MSI REFUSES TO HELP AND I HAVE LOST ALL FAITH IN THEIR PRODUCT, as 8 months later I am finding this malware on my Android Galaxy 4 and it literally has rewritten code inside my ex-wife's Acer laptop!

This is mind-blowing when it comes to the sheer complexity and stealthy code it implements, but I have no idea how I can stop it vs. replacing all electronic devices in my home?? It was designed to never get detected, which is almost impossible to do if you trust UEFI Secure Boot and Windows 8.1?? Both are rewritten and VxD files loaded to load its own virtual drive in Win 8.1...!

Now that I can confirm the things I have said, I would welcome anyone who is able to analyse hex code to help me decipher what can be done to stop it from spreading?? Tomorrow I should be getting my laptop back and know it will be reinfected if I turn it on. This MSI board has been compromised, and using the built-in EFI shell shows it having the NVRAM tables rewritten and unknown devices using memory to redirect the BIOS to a modified loader which uses a modified pkey cert inside NVRAM. I ASKED MSI HOW THEIR VENDOR CODE GOT MODIFIED WHEN ALL I DID WAS TURN ON THE BOARD WITH NO HD OR CD-ROM CONNECTED?? I want to prove this malware is real, and just how vulnerable all devices are that have EFI tables for Secure Boot, but all my attempts to copy or modify this code result in the infection wiping my BIOS!

Anyone game to help me expose this for what it really is? I am done losing my hardware and still need help tracking down how exactly it propagates to other systems. Right now I see references to sound frequency, which would explain how my Dell laptop got infected, but I really find it hard to believe this is an actual method of infection. What I can say is this malware seems to have the ability to infect ALL COMMUNICATION DEVICES!

Anyone who would like to help, I am happy to tell you what I have learned and maybe this BadBIOS vulnerability can be resolved once and for good! ??

Mark
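The post above claims that the Secure Boot key material in NVRAM ("a modified pkey cert") has been rewritten. That is a checkable claim: the PK, KEK, db and dbx variables are chains of EFI_SIGNATURE_LIST structures whose contents can be dumped, parsed and compared against what the vendor shipped. The following is an added example (editor's code, not from the thread or from any vendor) that implements that parser from the UEFI specification and runs it over a constructed db blob embedded in the file. The efivarfs path, the 4-byte attribute prefix it strips, the Microsoft owner GUID and the signature-type GUIDs are taken from the UEFI spec and Linux efivarfs conventions; the sample hash entry and the 5-byte "certificate" are placeholders, not real firmware data.

```python
"""Parse and audit UEFI Secure Boot signature databases (PK, KEK, db, dbx).

Added example, not code from the thread. It implements the EFI_SIGNATURE_LIST
layout from the UEFI specification and runs offline on a constructed db blob.
On a real system the raw bytes come from, e.g., Linux efivarfs:
  /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f
(efivarfs prepends 4 bytes of attribute flags, stripped below) or from
PowerShell's Get-SecureBootUEFI -Name db on Windows.
"""
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI spec.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
TYPE_NAMES = {EFI_CERT_SHA256_GUID: "sha256", EFI_CERT_X509_GUID: "x509"}

# EFI_SIGNATURE_LIST header: SignatureType (GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (all UINT32, little-endian).
LIST_HDR = struct.Struct("<16sIII")
OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with the SignatureOwner GUID


def strip_efivars_attributes(raw: bytes) -> bytes:
    """efivarfs files start with a 4-byte attribute word; drop it."""
    if len(raw) < 4:
        raise ValueError("efivarfs file too short to hold attributes")
    return raw[4:]


def parse_signature_lists(blob: bytes):
    """Return [(type_name, owner_guid, data)] for every entry in a chain of lists."""
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = LIST_HDR.unpack_from(blob, off)
        if list_size < LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= OWNER_LEN:
            raise ValueError(f"SignatureSize {sig_size} leaves no signature data")
        body = blob[off + LIST_HDR.size + hdr_size : off + list_size]
        if len(body) % sig_size:
            raise ValueError(f"signature array not a multiple of {sig_size} bytes")
        type_guid = uuid.UUID(bytes_le=sig_type)
        type_name = TYPE_NAMES.get(type_guid, str(type_guid))
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i : i + OWNER_LEN])
            entries.append((type_name, owner, body[i + OWNER_LEN : i + sig_size]))
        off += list_size
    return entries


def fingerprint(data: bytes) -> str:
    """Stable identifier for an entry (SHA-256 over the cert DER or hash bytes)."""
    return hashlib.sha256(data).hexdigest()


def unexpected_entries(entries, expected_fingerprints):
    """Entries whose fingerprint is not on the allowlist: the only candidates
    for 'someone changed my Secure Boot keys'."""
    return [e for e in entries if fingerprint(e[2]) not in expected_fingerprints]


def build_signature_list(type_guid, owner, items):
    """Serialize one EFI_SIGNATURE_LIST (used here only to construct test data)."""
    if any(len(d) != len(items[0]) for d in items):
        raise ValueError("all entries in one list must have the same size")
    sig_size = OWNER_LEN + len(items[0])
    body = b"".join(owner.bytes_le + d for d in items)
    return LIST_HDR.pack(type_guid.bytes_le, LIST_HDR.size + len(body), 0, sig_size) + body


# ---- constructed sample data (not a real firmware dump) ----
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # Microsoft's owner GUID
HASH_ENTRY = hashlib.sha256(b"constructed: Authenticode hash of some bootloader").digest()
DUMMY_X509 = b"\x30\x03\x02\x01\x01"  # placeholder bytes standing in for a DER certificate
SAMPLE_DB = (
    build_signature_list(EFI_CERT_SHA256_GUID, MICROSOFT_OWNER, [HASH_ENTRY])
    + build_signature_list(EFI_CERT_X509_GUID, MICROSOFT_OWNER, [DUMMY_X509])
)
SAMPLE_EFIVARS_FILE = b"\x27\x00\x00\x00" + SAMPLE_DB  # 0x27 = NV|BS|RT|TIME_BASED_AUTH


def audit_db(raw_efivars: bytes, allowlist):
    """Parse an efivarfs dump and return the entries not on the allowlist."""
    return unexpected_entries(parse_signature_lists(strip_efivars_attributes(raw_efivars)), allowlist)


if __name__ == "__main__":
    # Allowlist only the hash entry, so the placeholder x509 entry is reported.
    for kind, owner, data in audit_db(SAMPLE_EFIVARS_FILE, {fingerprint(HASH_ENTRY)}):
        print(f"UNEXPECTED {kind} entry, owner {owner}, fingerprint {fingerprint(data)}")
```

The point of the allowlist is that "the NVRAM tables were rewritten" only means something against a known-good baseline: dump db/KEK/PK from a freshly flashed board (or take the fingerprints of the certificates the vendor and Microsoft publish), and any entry this script reports is a concrete artefact that can be handed to the vendor, whereas a hex dump that "looks like ???????????" is not. A db that matches the baseline exactly rules out the modified-key claim for that board.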

#2 HelpBot (Bleepin' Binary Bot, Bots, 12,660 posts)

Posted 18 September 2014 - 12:15 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Step 1: In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/548021 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Step 2: If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,099 posts, Romania)

Posted 21 September 2014 - 11:22 AM

Hello,

If you still need help, please post the requested logs.

 

Regarding BadBIOS though, you really may want to read this article first: http://www.infoworld.com/article/2609622/security/4-reasons-badbios-isn-t-real.html


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#4 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,099 posts, Romania)

Posted 18 October 2014 - 03:40 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.

regards, Elise
