
Chinese Malware Infecting Bios / Hidden on HDD


#1 MadBrit
Posted 21 March 2018 - 03:12 PM

Hi,

 

Thanks in advance for your help...

 

Windows 10 1709 - patched and up to date. All AV sigs up to date. 20 years in the security industry and have dealt with trojans and viruses before - but that is all for nought at this point.

 

One week ago an email notification came in (I had my email hooked up to Windows Mail unfortunately) then disappeared from the inbox. Immediately Norton threw up and detected malware via heuristics...then barfed. Malwarebytes went silent. System hung. Rebooted and after a long reboot, all seemed normal. I checked the logs but there was no mention of an infection. Scanned with zero results in Safe / normal mode.

 

The next day I came down in the morning and noticed my system was on even after turning it off the night before. Then the system started bogging down after a few hours and I knew I was infected. The malware appeared to be tunneling through DLLs. Norton and Occulus processes were contacting Microsoft IPs but I killed the processes and the communication moved to other .dlls. Blocking hosts with MVP worked for a while but comms always came back. (TCPlogView, Wireshark).

 

Regular AV was reinstalled but I soon figured out they were trojaned (redirected). Norton account saw my last connection the day the trojan hit. Ran Roguekiller / RKill / ADWCleaner / etc. which are my go-to. No joy. I have run and used Combofix in the past with a lot of success - but it won't work on this build of Windows.

 

Booting to rescue CDs hung the system even though I knew they worked. Keyboard and mouse (USB) were experiencing lockout with some disks although I changed the BIOS options (legacy). Decided to reinstall a backup (EaseUS unfortunately) and deleted the drive volume. On restoring backup, drive was "too small" even though it was a sector by sector backup.

 

On investigating the drive with GParted, the drive could be partitioned and formatted in any FS type (but I don't think it didn't really do it) but once formatted NTFS, it showed a 99 MB (reserve) partition with 79.35 MB used. Nothing was copied to the drive. The partition won't delete and keeps coming back. Used Killdisk (free), DBan wouldn't load, EScan boot disk using GParted - same issue. It is impossible to remove.

 

Flashed the ASUS BIOS a number of times (up and down graded). Asus BIOS Update utility sees a 1 MB partition on DVD (fs0:\) when selecting the update source - which I think is where the Trojan is hiding. But I could be wrong. The fact that GParted and other formatting tools can't clean the hidden partition makes me think that the BIOS is infected.

 

It is also infecting USBs.

 

I have reinstalled Windows on the infected drive to see if I can delete the Trojan using any tools you can suggest - in order to restore the backup onto the drive. I have lost 7 days work due to this infection but now I need some professional help. Any help you can offer will be much appreciated.

 

At this point, I just want to recover the hardware and do a restore. Other drives were connected but all are off the system now. Unsure about reconnecting them and reinfecting.

 

Many Thanks,

 

MB

#2 MadBrit
Posted 21 March 2018 - 03:26 PM

In addition - I also ran through the usual procedures with DISKPART a number of times (clean all, etc.) but no joy either.

 

GParted did show the undetectable partition and the partition name was a bunch of double-byte characters (Chinese?). I deleted these and renamed, formatted, etc. but that didn't work either. It looks to be a UEFI BIOS infection manipulating the HDD and leaving a 71.73 MiB partition that can't be deleted. Whatever it is, it's rather nasty.

 

Has anyone tried CHIPSEC or something similar?

 

Thanks again!


Edited by MadBrit, 22 March 2018 - 03:19 PM.


#3 MadBrit
Posted 23 March 2018 - 11:34 AM

Further to this problem.

 

It does appear to be a UEFI bootkit / rootkit hiding in slack space. I believe it uses some form of Windows Vista Enterprise SP2 bootstrap due to the 71.73 MB hidden partition (default slack space size for that version of the OS) and the fact that I was getting "OS version support" issues when running some tools. I had an AV company support team look at it and run all of their user space support tools on it and they came back clean, but they have confirmed that there is "something there"... WinHex slack space analysis shows an unknown "compressed or encrypted" file system and Windows Defender DB and .DLL files hidden in there....

 

Because the malware is inserting itself between the OS and the hardware, a software disk clone probably isn't going to show the hidden partition as it's intercepting direct disk access hardware calls. When trying to upgrade / downgrade the MB BIOS, I noticed one of the storage options was a 1 MB partition on the DVD drive's INTERNAL storage - similar to a TDL type trojan. Hardware infecting malware for increased persistence? I am trying to take the disk personally to an AV vendor, but the support guys I have spoken to don't appear that concerned.

 

Unfortunately, this infection has gone way beyond the really great help this forum provides (Thanks for helping people out!) and hopefully the information above may help others diagnose the same issue I have had.
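The two posts above describe a partition that survives reformatting, carries a double-byte label, and may not be visible to tools running under the infected OS. As an added example (not code from the thread or from any tool named in it), the following Python parses the primary GPT of a raw disk image taken offline, verifies both CRCs so a tampered table is rejected rather than trusted, and flags entries with an unknown type GUID, a non-ASCII label, or the hidden attribute bit. The type-GUID table is a constructed subset, and `build_image` produces a constructed test image, not data from the poster's disk.

```python
import struct
import uuid
import zlib

SECTOR = 512
HDR_FMT = "<8sIIIIQQQQ16sQIII"   # GPT header fields through the entry-array CRC (92 bytes)
ENTRY_FMT = "<16s16sQQQ72s"      # type GUID, unique GUID, first LBA, last LBA, attributes, UTF-16LE name
HIDDEN_ATTR = 1 << 62            # Microsoft "hidden" attribute bit on a basic data partition
KNOWN_TYPES = {                  # constructed subset of well-known type GUIDs, enough for this example
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft Reserved",
}

def parse_gpt(image):
    """Parse the primary GPT at LBA 1 of a raw image, verify both CRCs, flag odd partitions."""
    h = struct.unpack(HDR_FMT, image[SECTOR:SECTOR + 92])
    sig, hdr_size, hdr_crc, ent_lba, n_ent, ent_size, ent_crc = h[0], h[2], h[3], h[10], h[11], h[12], h[13]
    if sig != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1")
    hdr = image[SECTOR:SECTOR + hdr_size]
    if zlib.crc32(hdr[:16] + b"\0\0\0\0" + hdr[20:]) != hdr_crc:   # CRC is computed with its own field zeroed
        raise ValueError("GPT header CRC mismatch")
    table = image[ent_lba * SECTOR:ent_lba * SECTOR + n_ent * ent_size]
    if zlib.crc32(table) != ent_crc:
        raise ValueError("partition entry array CRC mismatch")
    parts = []
    for i in range(n_ent):
        t, _u, first, last, attrs, name_b = struct.unpack(ENTRY_FMT, table[i * ent_size:i * ent_size + 128])
        if t == b"\0" * 16:
            continue                                          # unused slot
        type_guid = str(uuid.UUID(bytes_le=t))                # on-disk GUIDs are mixed-endian
        name = name_b.decode("utf-16-le").split("\0", 1)[0]
        hidden = bool(attrs & HIDDEN_ATTR)
        parts.append({"index": i, "name": name, "hidden": hidden,
                      "size_mib": (last - first + 1) * SECTOR // 2**20,
                      "type": KNOWN_TYPES.get(type_guid, "UNKNOWN " + type_guid),
                      # Worth a second look: unknown type GUID, non-ASCII label, or hidden bit set.
                      "suspicious": type_guid not in KNOWN_TYPES or not name.isascii() or hidden})
    return parts

def build_image(entries, total_lba=1 << 20):
    """Constructed test image (MBR + header + 128-slot table), not data from the thread's disk."""
    table = b"".join(struct.pack(ENTRY_FMT, uuid.UUID(t).bytes_le, uuid.uuid4().bytes_le, f, l, a,
                                 n.encode("utf-16-le")) for t, f, l, a, n in entries).ljust(128 * 128, b"\0")
    fields = [b"EFI PART", 0x10000, 92, 0, 0, 1, total_lba - 1, 34, total_lba - 34,
              uuid.uuid4().bytes_le, 2, 128, 128, zlib.crc32(table)]
    fields[3] = zlib.crc32(struct.pack(HDR_FMT, *fields))    # fill in the header CRC
    header = struct.pack(HDR_FMT, *fields).ljust(SECTOR, b"\0")
    return b"\0" * 510 + b"\x55\xaa" + header + table
```

Run `parse_gpt` over an image captured from a trusted boot environment (e.g. `dd` from a live system) rather than from the suspect OS, since the thread's point is that in-OS views of the disk may be intercepted.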



#4 HelpBot
Posted 26 March 2018 - 03:15 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> https://www.bleepingcomputer.com/logreply/673759 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new FRST log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download FRST by Farbar from the following link if you no longer have it available and save it to your desktop.

    FRST Download Link

  • When you go to the above page, there will be 32-bit and 64-bit downloads available. Please click on the appropriate one for your version of Windows. If you are unsure as to whether your Windows is 32-bit or 64-bit, please see this tutorial.
  • Double click on the FRST icon and allow it to run.
  • Agree to the usage agreement and FRST will open. Do not make any changes and click on the Scan button.
  • Notepad will open with the results.
  • Post the new logs as explained in the prep guide.
  • Close the program window, and delete the program from your desktop.


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 MadBrit
Posted 27 March 2018 - 04:25 PM

Norton support pushed me from pillar to post for 4 days. None of their support forensic tools would work in user space - so they didn't want to deal. Even offered to drive it 1.5 hours down to their headquarters but no "researchers" were interested.

 

Somehow I broke the hidden file hiding within slack space with a partition manager - only eScan is detecting these files. All other rescue disks are not responding / blocked / dropping to Grub.

 

I am beginning to believe this is WinPE based with layers of protection. I cleaned with the eScan boot disk. Now other rescue tools seem to be more open to working/loading after renaming bthudtask.exe, dvdplay.exe, and unregmp2.exe - along with 119 other infected files that appear to have been installed by Trojan.Dropper.RSS.

 

FYI - The forum posts below are showing similar symptoms and now an eScan rescue disk identified a number of infections (Grafton / Strictor / trojan.dropper.rss / Trojan.heur.fu.ju / Barys). These infections are also present on my build.

 

https://www.bleepingcomputer.com/forums/t/628192/possible-bios-infection-need-assistance-please/

 

https://www.bleepingcomputer.com/forums/t/532325/very-desperate-cant-remove-highly-sophisticated-rootkit/

Thanks for the help in advance....

Edited by MadBrit, 27 March 2018 - 05:57 PM.


#6 Oh My!
Posted 18 April 2018 - 01:12 PM

Unfortunately, this infection has gone way beyond the really great help this forum provides (Thanks for helping people out!) and hopefully the information above may help others diagnose the same issue I have had.

 

Thank you for sharing the information.


Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#7 Oh My!
Posted 18 April 2018 - 01:12 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Gary