
possible cpu cache/bios boot/root kit


  • This topic is locked
4 replies to this topic

#1 jjssmith6656

jjssmith6656

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 18 January 2018 - 12:37 AM

Just a quick rundown here (and also an explanation of why no logs are included).

Out of some of the research I've done, one of the possible candidates of infection is TLD4. I see many of the same symptoms; however, I also see symptoms that aren't characteristic of it, but I do know that it is infecting something pre-boot.

Also let me add that I do not wish to repair this to use Windows. I wish to completely wipe Windows and everything involved. I've already backed up everything important and probably won't use it anyway in case it's infected. I'm just trying to wipe everything; I'm going to use Linux from now on. Windows is absolutely horrific, from everything I found out over the past days. I just want to make sure I can wipe everything 100%.

I've been dealing with this for the past week. I believe I have something that has infected nearly every device on my network. I've only found one other person with similar symptoms, and that was a post on the Malwarebytes forum.

I came to BleepingComputer because most of the research I did online always involved a post here, so it seems like this is the most active virus discussion forum, and I would appreciate any advice greatly.

The virus seems to infect every USB device that is plugged into the computer and has also rooted itself in my previous phone. I'm on a new phone right now and I'm still paranoid.

It was also able to infect live-boot Linux sessions on the computer in question.

I think it has either infected my motherboard BIOS and created its own partition, or possibly infected my CPU drivers so that it can evade Windows resets. It seems to dig deeper after the first reboot following a Windows reinstall. It appears to create its own fake Windows copy to boot from and run its services in the background with its own administrative account, TrustedInstaller.

It added some registry entries and a virtual host system in SQL libraries. Honestly, I have found so many strange things that I cannot even list them; over the past 4 days I have just found more and more things that raise suspicions. I am a developer myself and have never had to reach out for help for anything, and this is something I've never seen before.

Of course all virus scans come up negative, including TDSS and Malwarebytes, which are the only ones I could actually get to run; most are unable to even run. On the Malwarebytes forum I heard reports of it emulating the Malwarebytes program with a fake splash screen. Safe mode does nothing because it owns the system and is running its own version.

I have connected the system to the internet maybe once, for a split second, since I've known it existed, and this was only to upload screenshots of everything I found. I cannot use USB devices as it instantly adds its own boot sector to them.

I am not too familiar with the inner workings of Windows; however, I know what something suspicious looks like because of what it is trying to run. I have some very detailed screenshots that I could provide to anyone with the know-how. I have blanked out what I think may be sensitive information, like Windows keys, and can provide those. No diagnostic tools can be trusted as it is most likely altering the output. I even found a log file where it uninstalled Malwarebytes and then ran its own separate installation of a phantom version.

From reading forum posts here, hundreds upon hundreds of them over the past few days, I realize a post of this nature would most likely result in being told that I am too paranoid and that hardware viruses are very rare and most likely need to be tailored to the individual system. However, I believe I am one of the exceptions to this.

Like I said, I have screenshots of things I have found to be suspicious, and I am 99% sure that I have removed all my sensitive information from them should it be there. If a moderator would be willing to take a quick glance to see if it is okay to post here I would really appreciate it; I have uploaded them to an Imgur album and could link you if you would like to take a look. There are some very, very interesting items in there, including what I believe to be the method it uses to write itself to my CPU cache.

I also have some registry exports showing what I believe to be the Phantom partition in question.

Apologies if some wording here doesn't make sense; I'm using speech-to-text on this phone because I never use mobile except in a situation like this, and it would take me hours to tap this all out by hand.

I appreciate any and all input and I'm very grateful for the option to post here regarding my nightmare situation. I know this looks like a beast of a problem, and I would be more than happy, and absolutely insistent, on tipping whoever decides to take this on and provide any assistance.

Edited by jjssmith6656, 18 January 2018 - 01:28 AM.




#2 jjssmith6656

jjssmith6656
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 20 January 2018 - 03:42 AM

After using GParted, deleting every single partition I had and writing zeros to it, I used a fresh, clean USB from another location and downloaded a legit copy of Ubuntu that I knew was real. I wiped the entire hard drive one more time, and after I started up Ubuntu it was infected.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:27 AM

Posted 20 January 2018 - 05:11 AM

I highly doubt your systems are infected; most likely what you see is within the normal function of whatever OS you are using. If what you think is true, your option is simple: buy new hardware that has all firmware vulnerabilities patched.
 

Out of some of the research I've done one of the possible candidates of infection is TLD4.

TDL4 is ancient and not compatible with newer OS versions and disk structures. It's also detected by most mainstream security products.
 

I'm just trying to wipe everything; I'm going to use Linux from now on. Windows is absolutely horrific, from everything I found out over the past days. I just want to make sure I can wipe everything 100%.

If you suspect firmware is affected you can scrub it with bleach if you want, but that doesn't address the problem. That would involve either using an updated version of the affected firmware (for Spectre/Meltdown these updates are mostly not available yet) or buying new hardware (and before buying, make sure that the included hardware is not affected). As said before, that is theoretical, because it is very unlikely you're dealing with malware here.
 

The virus seems to infect every USB device that is plugged into the computer and has also rooted itself in my previous phone. I'm on a new phone right now and I'm still paranoid.

It was also able to infect live-boot Linux sessions on the computer in question.

I honestly don't wish to offend you, but you're overthinking and overanalyzing the issues you're encountering. You see "symptoms" of infection that in fact are just normal OS artifacts. The fact that you notice this on multiple devices, multiple OS versions is another clue. If all this really would be a thing, then it would be safer for all of us to just ditch computers, the internet and anything IT.
 


I think it has either infected my motherboard BIOS and created its own partition, or possibly infected my CPU drivers so that it can evade Windows resets. It seems to dig deeper after the first reboot following a Windows reinstall. It appears to create its own fake Windows copy to boot from and run its services in the background with its own administrative account, TrustedInstaller.

 

This makes no sense whatsoever: a BIOS infection that makes a partition is theoretically possible (but a very simple CMOS reset or firmware upgrade will fix that). Partitions are gone after a wipe of a disk. No malware creates a fake Windows copy; why would it bother doing something complicated like that, since it is pointless anyway and there are much simpler infection techniques? And TrustedInstaller is a perfectly legitimate Windows account that you actually do need for Windows to run normally.

 

It added some registry entries and a virtual host system in SQL libraries. Honestly, I have found so many strange things that I cannot even list them; over the past 4 days I have just found more and more things that raise suspicions.

 

And why would that be malicious? If you look into Windows, the registry or the file system, you're bound to find things that may look strange, but after closer research they may turn out to be perfectly normal.

 

Like I said, I have screenshots of things I have found to be suspicious, and I am 99% sure that I have removed all my sensitive information from them should it be there. If a moderator would be willing to take a quick glance to see if it is okay to post here I would really appreciate it; I have uploaded them to an Imgur album and could link you if you would like to take a look. There are some very, very interesting items in there, including what I believe to be the method it uses to write itself to my CPU cache.

 

Feel free to PM me the link to make sure you don't inadvertently post sensitive information in a public forum.  

 

I also have some registry exports showing what I believe to be the Phantom partition in question.

 

Partitions aren't stored in the registry; partition information is stored in the first few sectors of a disk. If it were stored only under Windows, how could any OS ever recognize a disk's partition structure?


regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
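Elise's point above, that partition information lives in the first sectors of the disk rather than in the registry, can be checked directly. The following is an added example, not code from the thread: a small parser for a classic MBR partition table, run over a constructed 512-byte sector, which also shows that a zero-filled sector 0 (what the wipe described earlier leaves behind) carries no partition table at all. The sector contents, partition types and LBA values are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four partition entries start at byte 446
ENTRY_SIZE = 16               # each entry is 16 bytes
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_mbr(sector: bytes):
    """Return the non-empty partition entries in an MBR sector; raise ValueError
    when the 0x55AA signature is missing (what a zero-filled sector 0 looks like)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("no MBR boot signature: no partition table present")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0 and sectors == 0:
            continue  # unused slot
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts

def make_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte entry for the constructed sample (CHS fields left zero)."""
    status = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)

# Constructed sample sector: a bootable type 0x07 (NTFS-style) partition and a
# type 0x83 (Linux) partition; the other two slots are unused.
SAMPLE_MBR = (bytes(TABLE_OFFSET)
              + make_entry(True, 0x07, 2048, 204800)
              + make_entry(False, 0x83, 206848, 409600)
              + bytes(2 * ENTRY_SIZE)
              + BOOT_SIGNATURE)

ZEROED_SECTOR = bytes(SECTOR_SIZE)  # sector 0 after writing zeros over the whole disk

def partitions_after_wipe(sector: bytes):
    """Parse a sector, reporting a missing table as an empty list instead of an error."""
    try:
        return parse_mbr(sector)
    except ValueError:
        return []

if __name__ == "__main__":
    print(parse_mbr(SAMPLE_MBR))
    print("after wipe:", partitions_after_wipe(ZEROED_SECTOR))
```

On a real Linux system the same 512 bytes come from reading sector 0 of the disk device (as root), which is exactly what GParted and the kernel inspect; nothing in the Windows registry is consulted.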


#4 jjssmith6656

jjssmith6656
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:05:27 PM

Posted 20 January 2018 - 10:02 AM

It turned out to be the Meltdown vulnerability with CPUs. It survived a complete hard drive wipe using GParted; I wrote zeros to the entire drive and then booted from a fresh USB stick that I had just bought, with a Ubuntu installation that I got from a non-infected system. Once it was installed I saw an inaccessible part of the system that had Chinese characters in it, an SQL Server, and drivers that manipulated my CPU. This is something that I'm not imagining; I've spent an entire week unplugged, using my phone, Googling for 20 hours a day. This is not some random thought I had; this is not your run-of-the-mill virus, I know what those are.

#5 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,985 posts
  • OFFLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:27 AM

Posted 20 January 2018 - 03:09 PM

Since you resolved this issue and things are running fine, this topic will be locked. I'll include a few other details in the PM you sent containing the images to avoid confusion.

 

The file you did find was, however, this, a legitimate part of the Linux OS: http://man7.org/linux/man-pages/man5/proc.5.html


regards, Elise



