Potential BIOS+MBR malware

3 replies to this topic

#1 gingerbob
Posted 12 July 2016 - 07:37 AM

My experience from troubleshooting inside Windows and Linux at this level is limited and I hope to learn some more, hopefully with your help. I am as curious as I am devastated over my problem, which I will share with you here.

 

My environment lately has been dynamic and I've been testing and reinstalling Windows 10 a lot. Due to problems really; registry problems, I thought at first. I've also been running Linux Mint 18 Cinnamon the last couple of weeks; that disk has been totally wiped now. The Windows disk and the Linux disk have been isolated because I wanted to avoid dual boot. I've been running a Tomato/Merlin router on Asus hardware. Most recently I've been running pfSense on a Gigabyte board via a bridged modem.

 

Affected OS? Windows 10 / Linux? Both, for sure, no doubt about it.
Network? Last up, a pfSense router installed on a Gigabyte board with an integrated Celeron. Before that Tomato; I removed Tomato as it was behaving oddly. pfSense as well recently.

Origin? Old PC, disk MBR or USB MBR. I suspect it's been around for a while but not as severe as it is right now. It seems to have been slowly getting worse up till now, when it has been escalating, rendering the PCs more or less useless.

Hardware affected? ASRock Fatal1ty X99 Extreme, Samsung SSDs (did recent firmware updates via the Samsung tool on a dirty Win 10), Gigabyte board with old BIOS, Gigabyte board with new AMI BIOS.

Anti-virus? Emsisoft security suite; also tried ESET. The firewall in both products doesn't seem to be active and it uses the Windows firewall instead.

 

What does it do? I'm not completely sure but I will try to explain what I've seen and what I suspect. It's MBR based for sure, and might also have spread to the BIOS due to a recent BIOS update via network.

BIOS loads twice probably; DisplayPort activation is really slow at startup. Interrupting boot sequence, restarting PC in boot sequence after recent changes or after adding new hardware. BIOS looks odd, probably just an "emulated" hacked version of the real copy. Changes in BIOS do not apply: if I for example turn off virtualisation or ACPI, it's not really turned off when booted into Windows. USBs that are moved between computers have their boot info magically removed and are shown as unknown devices till reformatted with diskpart. I've seen a glimpse of startup processes trying to execute PXE boot even though it's turned off. COM port 1 in Windows is active and has some part in all this, I don't know, but I never used a COM port on my mobo before. USB devices do not always work on startup in Windows; one has to manually reconnect them before logging in. CPU fan speed is at 100%. Can no longer control this in BIOS. Problems booting some rescue disks, not all but some. I never find any traces of infection. Last copy of Win10 was installed with Secure Boot activated.

 

It probably runs virtual machines, servers, SSL server, VPN server and what not in both Linux and Windows, as it seems. It slows down the PC, it makes surfing really slow; weird settings and occurrences going on all the time. I heavily suspect packet sniffing, USB sniffing and DNS redirect. All processes mentioned are processes and services I myself have not manually added to the system, yet they are up and running. Applies to both Win and Linux. When installing Linux and reviewing the installation, the first thing I notice is a bunch of cgroups, 20+ tmpfs disks and VirtualBox guests being installed. Last time I was also not able to change Linux software sources. Packages did also not look correct with my limited knowledge; packages had slightly different names and were redirected to archived sources, for example.

 

Win10 logs have been showing remote logins from Windows Assistant, weird SMI logs, ACPI logs, logs mentioning Remote Desktop, unknown disks at \\.\. Overall it feels like my point of view into what's going on is limited; I don't get the full picture.

Every new install of an operating system I have made recently has been on an SSD disk that has been secure erased with a genuine copy of Parted Magic. Whether this disk has been clean or not is impossible to tell; I would assume not. Disks were then removed right after without creating a new MBR.

 

So any ideas of what this might be? any ideas of how to identify or gather more information?

 

edit: cleaned up text


Edited by hamluis, 12 July 2016 - 09:45 AM.
Moved from Internal Hardware to Am I Infected - Hamluis.


#2 quietman7
Posted 13 July 2016 - 06:16 PM

BIOS/UEFI (firmware) viruses exist but are very rare. Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Although in February 2015, Kaspersky Labs reported "persistent, invisible espionage malware inside the firmware of hard drives compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung". This particular threat targeted government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, and media outlets. This is a quote from my Security Colleague, Elise, who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.


UEFI (Unified Extensible Firmware Interface) was introduced as a replacement for traditional BIOS in order to standardize computer firmware through a reference specification. However, there are several companies that develop UEFI firmware and there can be significant differences between the implementations used by computer manufacturers. These articles explain the complexity of the UEFI, secure boot protocol and exploitation. Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.

With that said, if you want a more comprehensive look at your system for possible malware by experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If you choose to post a log, please reply back in this thread with a link to the new topic.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 gingerbob
Posted 22 July 2016 - 12:27 PM

Windows install is barely starting now and it keeps crashing sporadically when logged on, something about a WHEA uncorrectable error.

Can I gather more info with a Linux live disc perhaps?
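
Added example (not from this thread or from any poster): since the question above is how to gather information from a Linux live disc when an MBR infection is suspected, this script reads the first sector of a disk and reports what a responder would check first: the 0x55AA boot signature, the partition table with any non-standard status bytes or overlapping entries, and a SHA-256 of the 446-byte bootstrap code that can be compared against a known-good dump of the same disk. The device path `/dev/sdX` is a placeholder and the sample sector is constructed inline.

```python
"""Added example: inspect a 512-byte MBR sector for basic anomalies.
Usage from a Linux live disc: sudo python3 mbr_check.py /dev/sdX (placeholder path);
with no argument a constructed sample sector is used."""

import hashlib
import struct
import sys
from collections import namedtuple

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code precedes the partition table
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510-511
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

Partition = namedtuple("Partition", "status type_id lba_start sectors")

def parse_mbr(sector: bytes) -> dict:
    """Return the bootstrap-code hash, the non-empty partition entries and warnings."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    warnings = []
    if sector[510:512] != SIGNATURE:
        warnings.append("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        if ptype == 0:
            continue                      # unused slot
        if status not in (0x00, 0x80):    # only inactive (0x00) / active (0x80) are legitimate
            warnings.append(f"entry {i}: non-standard status byte 0x{status:02x}")
        parts.append(Partition(status, ptype, lba, count))
    spans = sorted((p.lba_start, p.lba_start + p.sectors) for p in parts)
    if any(nxt[0] < cur[1] for cur, nxt in zip(spans, spans[1:])):
        warnings.append("overlapping partition entries")   # typical of a hand-edited table
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts, "warnings": warnings}

def build_sample_mbr(overlap: bool = False) -> bytes:
    """Constructed sample: zero bootstrap code, one active NTFS partition at LBA 2048."""
    first = struct.pack(ENTRY_FMT, 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    second = struct.pack(ENTRY_FMT, 0x00, bytes(3), 0x83, bytes(3), 4096, 100) if overlap else bytes(16)
    return bytes(BOOT_CODE_LEN) + first + second + bytes(32) + SIGNATURE

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else build_sample_mbr()
    for key, value in parse_mbr(data).items():
        print(f"{key}: {value}")
```

A hash that differs between two reads of the same disk taken before and after a reinstall, or a table with entries the installer never created, is the kind of evidence worth attaching to a log post.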



#4 quietman7
Posted 22 July 2016 - 02:51 PM

If you follow the instructions provided above and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, our experts will have more information to help determine what is going on.