Previous Thread
Next Thread
Print Thread
Rate Thread
Page 2 of 2 1 2
Re: Crap, my computer has been rootkitted
fredk #382885 09/17/12 01:10 PM
Joined: Oct 2006
Posts: 6,955
axiomite
Offline
axiomite
Joined: Oct 2006
Posts: 6,955
I'm no expert on removals but to add some unwelcome pessimism, be sure to check your system carefully after system restores. Even a full format & reinstall of the OS can be reinfected in seconds after the first full boot up. Some of the more sinister packages out there are now downloading fake bios updates for components. These infected components (once untouchable) remain infected and can trigger the reintroduction of the unwanted package.

For those wondering WTF I am talking about, I'll try to explain.
One of the nice things about being connected to the Internet is that if you buy buggy hardware, there is often an update available as a download to fix it. What used to be permanent ROM on motherboards and components is now up-datable and the extremely ambitious villains are now taking advantage of this.

As a very recent axample that I have seen first hand, a former workmate of mine has been struggling for over a month now after realizing his laptop was hijacked by some malicious code. Even though he is a computer geek of the elite kind, he only became aware of this after becoming a waypoint for a DOS attack and had his ISP send his IP to nullsville land for a while. In short, he was denied any and all Internet access and was told he was part of a DOS attack when he called the support line to see what was up.

After multiple failed removal attempts, restore points, system wipes, installing alternate OSs from USB sticks, etc. He used a utility in Linux to look at all the BIOS loads on his hardware and discovered that the BIOS for his onboard video card had a suspicious looking name to it. Further research showed that this was indeed an infected copy of the manufacturer's BIOS and was likely loaded by a trojan like zeroaccess that has the ability to download and install other items.

So far, the code in the BIOS is holding open thousands of ports that any software firewall can't seem to overcome and if you go so far as to try and format your machine clean, it simply waits happily on the video card for you to reboot and then re-downloads an appropriate virus package for your OS. So far it has instantly infected WindowsXP, Windows 7 and 2 flavors of Linux.

Running an OS from a read only USB drive prevented the full package be reinstalled but its' not perfect and his ports are still wide open so his laptop can only be used for limited functionality.

He tried downloading the BIOS update from a clean machine, placing it behind a hardware firewall, booting from a protected USB and then finally running the BIOS update but the BIOS no longer allows itself to be updated. He tried calling the makers of the card but could not receive anything past the usual scripted support answers to his very specific questions on BIOS updates.

He still has it isolated behind a hardware firewall to keep it clean from the secondary infection that makes him a DOS relay but he can't close his ports or remove the bad BIOS.

My super advanced technical advice was to brick the damn thing. It's a 2 year old laptop that was under 400.00 new. He is determined to figure it out as a personal challenge now. So far, he remains defeated.

Rewriting a BIOS would be no simple task and the location the DOS attack was targeting combined seem to indicate that this was more than just the efforts of a muddling teen in a basement trying to get a few VISA numbers.

ANYWHOOOO
I know that didn't help at all but I thought some people on here might find it to be an amusing story.


With great power comes Awesome irresponsibility.
Re: Crap, my computer has been rootkitted
Murph #382886 09/17/12 01:45 PM
Joined: Apr 2003
Posts: 16,441
shareholder in the making
Offline
shareholder in the making
Joined: Apr 2003
Posts: 16,441
Remind me to check the MD5 hashes of all the firmware/BIOS updates I download from now on.

Re: Crap, my computer has been rootkitted
Murph #382892 09/17/12 03:14 PM
Joined: Sep 2004
Posts: 11,458
shareholder in the making
Offline
shareholder in the making
Joined: Sep 2004
Posts: 11,458
Originally Posted By: Murph
I thought some people on here might find it to be an amusing story.


I think the word you were looking for was scary!


::::::: No disrespect to Axiom, but my favorite woofer is my yellow lab :::::::
Re: Crap, my computer has been rootkitted
Murph #382901 09/17/12 08:44 PM
Joined: Dec 2007
Posts: 7,786
fredk Offline OP
axiomite
OP Offline
axiomite
Joined: Dec 2007
Posts: 7,786
Originally Posted By: Murph
I'm no expert on removals but to add some unwelcome pessimism, be sure to check your system carefully after system restores. Even a full format & reinstall of the OS can be reinfected in seconds after the first full boot up. Some of the more sinister packages out there are now downloading fake bios updates for components.

Thanks for reinforcing my paranoia. I'll put that second tinfoil hat on now. I was discussing this exact thing with my son last night. I had wondered, but this is the first I had heard of this sort of hack.

Is there an easy way to ckeck if the BIOS has been flashed? Geez I didn't even know that video cards had their own bios.

Cam. I kept asking for agent 99, but they just put me trough to this wierd Max guy.


Fred

-------
Blujays1: Spending Fred's money one bottle at a time, no two... Oh crap!
Re: Crap, my computer has been rootkitted
fredk #382938 09/19/12 12:49 PM
Joined: Oct 2006
Posts: 6,955
axiomite
Offline
axiomite
Joined: Oct 2006
Posts: 6,955
I don't think that this is what you have Fred but if you come to suspect it, he took extensive notes that I can get you.

I can't remember what utility he was using to list BIOS versions but I'll ask tonight and here is what I do remember he said.

He thinks it is something called "Mebromi" although I am probably spelling that wrong. It only supposedly effects BIOS versions created by Award. This makes sense, I guess, as you would have to code your package very specifically to the BIOS code you are targetting. His MB is a Phoenix Technologies so if you have a Phoenix MB with Award BIOS, you might check closer. His video card is onboard on the MB and it appears that is the video BIOS files it seemed to modify. Who knows, it may be infecting the main BIOS as well but it seems to match. Dunno, just going by what he tells me. I refuse to get sucked into troubleshooting this with him as he is extremely obsessive and I suspect this will engulf him for years if he can't fix it. He is already hanging out in the scariest of newsgroups trying to find an SME to help him.

It seems to instantly rewrite the master boot record and then hides downloaders and stuff all over the place. Removal tools tend to just make his drives unbootable and he has to load an OS from a protected USB and reformat then reinstall an OS which instantly gets re-infected.

Until a tool is created that successfully patches his BIOS back to normal, he is screwed. One benefit I suppose, he is learning a lot about the deep intricacies of Linux as he is mainly using that as his safe boot tool from USB.


With great power comes Awesome irresponsibility.
Re: Crap, my computer has been rootkitted
Murph #383007 09/20/12 04:18 AM
Joined: Dec 2007
Posts: 7,786
fredk Offline OP
axiomite
OP Offline
axiomite
Joined: Dec 2007
Posts: 7,786
Originally Posted By: Murph
I don't think that this is what you have Fred but if you come to suspect it, he took extensive notes that I can get you.

::peeks out from under triple lined tinfoil hat::

You don't? Actually I don't either, I just wonder how you figure out if you are. Your friend did not catch the infection until his ISP shut him down.

The plan now is to buy a small SSD and put the OS on there. I can then use the HDD for data.


Fred

-------
Blujays1: Spending Fred's money one bottle at a time, no two... Oh crap!
Re: Crap, my computer has been rootkitted
fredk #383015 09/20/12 11:54 AM
Joined: Oct 2006
Posts: 6,955
axiomite
Offline
axiomite
Joined: Oct 2006
Posts: 6,955
Sounds like Peter could explain that much better than I could. In this case, he started noticing misnamed .DLL files. This didn't lead to BIOS suspicions of course but when he couldn't clean and reinstall without being reinfected, he struggled for a while then eventually remembered his Linux dual boot side had used something called "TPM" to store secure copies of his BIOS and he compared the hashes and they no longer matched. He tried to patch the BIOS but could not. Something like that anyways. Honestly, it is deeper than I have the water wings for.

After that he rambled for about 20 minutes about all the linux based things he tried and lost me. Sorry.


With great power comes Awesome irresponsibility.
Re: Crap, my computer has been rootkitted
Murph #383017 09/20/12 12:56 PM
Joined: Sep 2004
Posts: 11,458
shareholder in the making
Offline
shareholder in the making
Joined: Sep 2004
Posts: 11,458
Originally Posted By: Murph
After that he rambled for about 20 minutes about all the linux based things he tried and lost me. Sorry.

Heard the "peeping frogs", huh?


::::::: No disrespect to Axiom, but my favorite woofer is my yellow lab :::::::
Page 2 of 2 1 2

Moderated by  alan, Amie, Andrew, axiomadmin, Brent, Debbie, Ian, Jc 

Link Copied to Clipboard

Need Help Graphic

Forum Statistics
Forums16
Topics24,940
Posts442,457
Members15,616
Most Online2,082
Jan 22nd, 2020
Top Posters
Ken.C 18,044
pmbuko 16,441
SirQuack 13,840
CV 12,077
MarkSJohnson 11,458
Who's Online Now
0 members (), 402 guests, and 3 robots.
Key: Admin, Global Mod, Mod
Newsletter Signup
Powered by UBB.threads™ PHP Forum Software 7.7.4