Posts posted by cymatechs

  1. On 1/17/2018 at 12:04 PM, AdvancedSetup said:

    The normal boot CD or USB (after a USB wipe) is needed to run the tools. They aren't (or should not be) run under Windows.

    No special compiling, building, etc.

     

    @Ron

    Just a quick update;

    I forgot to mention I am running an Arch Linux w/KDE distro and will have to use the Linux equivalent software in some cases. Most secure wipe tools are Linux based at the core so this should suffice hopefully. I will be installing Win10 into the target device though, as this is the goal.

    • The two top links provided for HDDerase.exe were moved/old, and I was not able to find a mirror that was trustworthy. However, I read the documentation, and after some research decided to go with Parted Magic.
    • Parted Magic: I believe HDDerase.exe was forked off of this. DBAN, dd, and Dept. of Defense level wipe tools are all integrated.
    • 12 hours until the wipe completes; the last pass will verify, and I will submit logs.
    • My built-in native file manager verifies the checksums in SHA256 and MD5. Will this be OK?
    • I will remove the wiped HDD from the MOBO after the wipe and keep it disconnected until advised.
    • A live CD-ROM is being used for this, and I will check out the USB wipe/flash/secure links you provided as well. In a Windows environment, this malware attacks the USB immediately and prompts a "bad device warning, reformat Y or No". So I definitely want to secure the USBs.

    Currently the drive is being wiped by nwipe, method: DoD Short (1 zero-write pass, 1 blanking pass, 1 verification pass); the internal ATA wipe command would not commit for the Western Digital 1TB ATA HDD Caviar.

    I will still hit it with a shot of DBAN afterwards, I also zapped the MBR etc. before doing all of this.

    ATTACHED: <.docx> file of Computer System Summary before Wipe.

    System Info before Wipe_MBytes01182018.docx

  2. 5 minutes ago, AdvancedSetup said:

    As long as you're the one that set the password on the router there is very little they can do to the router. Check for other accounts on the router.

    A single-pass rewrite of zeros should be fine. HDDerase should clear all the non-data areas too, so between the two nothing known will survive that. Not even hardware recovery would be able to recover anything.

    I'll check back on you in a day or two and see where you're at.

    Ron

     

    Thanks, yeah, this wipe will take about 16 hours to complete, approx. I will contact you upon completion for next steps and will keep the <wiped HDD> offline/disconnected from the MOBO.

    Not that it matters since no warranty is effective or needed for this device, but will this also erase manufacturer embedded data such as "serial #, dev type etc.?" Just curious, as I will be reading all the link data provided as well to find out.

    Do you think using a live boot cd to initiate the wipe would add any benefit for security? I may be able to compile the wipe tools provided into a bootable USB, but if it's overkill I would rather save myself the time.


  3. @Ron

    9 hours ago, AdvancedSetup said:

    Not sure what time zone you're in but it's getting late for me and I have a few things to finish. I'll check back on you again sometime tomorrow though.

    Since we're starting over please do the following.

    STEP 1
    Use HDDErase first to completely erase all data from the drive.
    https://www.lifewire.com/hdderase-review-2619137

    STEP 2
    Then (overkill, but since you're wanting help) run DBAN to wipe the drive again
    https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148

    STEP 3
    Download and run the following software to zero and wipe your USB stick

    Passmark ImageUSB
    https://www.osforensics.com/tools/write-usb-images.html

    STEP 4
    Download and use Fsum Frontend to verify data integrity
    http://fsumfe.sourceforge.net/

    Fsum Frontend 1.5.5.1 (Standard)
    http://downloads.sourceforge.net/fsumfe/fsumfrontend-1.5.5.1-bin.zip


    Then I'll get with you tomorrow via Private Message with a time sensitive link to download a legal ISO image of Windows 10 if that is the OS you're wanting to install and you have a full version license for it.

    Thanks

    Ron


    I am in the PST timezone, and thanks again for your help. I will start wiping the drives exactly as specified; this will take most of the day on a 1TB spinner. In the erase/wipe options, should I select <rewrite zeros> to overwrite, which takes hours?

    I will be getting the system ready for wipe, anything additional that you need me to do with the router?

    Should I stay off of that network?

    Not too fond of using well-known ISP default router settings to go online.
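
Added shell example for the two things asked about in the posts above (the zero-write pass with a verification pass, and checking a download's checksum). This is not code from the thread or from nwipe, DBAN, HDDerase or Fsum Frontend. It runs against an ordinary file so it is safe to execute as written; the /dev/sdX path in the comments is a placeholder, and on a real drive the functions must be run as root against the whole-disk device, not a partition.

```sh
#!/bin/sh
# Added example: one zero-fill pass, a verification pass that reads the
# whole target back, and a SHA-256 check of a downloaded image.
# Runs on a regular file; for a real disk pass the block device
# (e.g. /dev/sdX, placeholder) and run as root. Not part of the thread.

# Overwrite TARGET with zeros, MIB mebibytes at a time. Non-zero status if dd fails.
# On a real disk add conv=fsync (GNU dd) so dd does not exit before the
# writes reach the device; omitted here so the example also runs on non-GNU dd.
zero_fill() {
    target=$1; mib=$2
    dd if=/dev/zero of="$target" bs=1048576 count="$mib" 2>/dev/null
}

# Verification pass: status 0 only if every byte of TARGET is 0x00.
# tr deletes NUL bytes; anything left means the wipe did not cover the
# whole target. This checks content, not just size.
verify_zeros() {
    target=$1
    leftover=$(tr -d '\000' < "$target" | wc -c)
    [ "$((leftover))" -eq 0 ]
}

# Compare the SHA-256 of FILE against the published digest (lower-case hex).
# Uses GNU sha256sum when present, otherwise `shasum -a 256` (BSD/macOS).
verify_sha256() {
    file=$1; expected=$2
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# Demo on a constructed 4 MiB image instead of a disk: fill it with
# random "old data", zero it, then verify.
demo() {
    img=$(mktemp)
    dd if=/dev/urandom of="$img" bs=1048576 count=4 2>/dev/null
    zero_fill "$img" 4
    if verify_zeros "$img"; then
        echo "wipe verified: every byte of $img is zero"
    else
        echo "wipe NOT verified: non-zero bytes remain in $img"
    fi
    rm -f "$img"
}
demo
```

The verification pass is what nwipe's last pass does; reading every byte back is the only way to know the overwrite covered the whole device. Two caveats for real hardware: an overwrite from the host cannot reach sectors the drive has reallocated, which is why the drive's own ATA Secure Erase is preferred when it works, and if Secure Erase refuses to run, `hdparm -I /dev/sdX` usually shows the drive as `frozen` (the BIOS freezes it at boot; a suspend/resume cycle or hot-plugging the drive after boot clears the flag).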

  4. 9 hours ago, AdvancedSetup said:

    I would highly recommend visiting the site I linked and reading their documentation on doing a reset. Many of the factory resets are not quite real resets.


    I read the links provided and want to ensure that we start as clean as possible. Please advise if I am missing any vital steps. It seems the best option for this particular router (ISP-provided telephony/gateway) is to factory reset and clear NVRAM with the onboard GUI. But since we need to cover all possibilities, I also used the 30/30/30 method, then a cold start after 8 hours with no power; the other methods do not apply. I have 2 of the exact same routers just in case we brick one, and other APs to use if needed.

    Quote

    "Quoted from Link" Some platforms will completely empty the nvram and depend on another stage of the bootloader or firmware to repopulate it. On some less-supported hardware this may have unpleasant results, so use the following two reset methods cautiously. Note: On some routers, in particular a lot of Atheros based routers (and Asus), this may cause the router to go into recovery mode, instead of resetting the settings. It is often better to do a GUI reset, Admin tab, then factory defaults. Click apply and wait 5 min. The router is now reset and should ask for a password when you log into it at 192.168.1.1


  5. Hi Mr. Lewis,

    I have decided to revisit this unresolved matter in light of current events. Would you mind if I provide the requested logs, videos and research for your viewing? I seem to know the gist of all of the UEFI/BIOS vulnerabilities, but I do not have a full grasp of how to detect, isolate, and re-flash firmware in a methodical way.

    I will gather a lab device to use, and video log it to YouTube. I will provide any logs requested within 24 hours.  Would you like me to start with a "Clean install of Windows"  and take it from there?

    Thank You for any help you can provide,

    cymatechs

  6. @Brewster28

    Haha, same here!!! Forced to learn Linux the past few months. I have to say that necessity will force you to learn. At first I thought the whole logic was retarded with the weird terminal commands, but now it makes sense.

    It sucks because no forum (superuser, github.com, this one and others) wants to even touch it. The mods at StackExchange kept trying to rebut my assertions, and I had to enforce my position. They might know coding and the back/frontend, but have never done an install.

    Basically they said if it's true, then we're dealing with something beyond the scope of anyone at StackExchange, and that is a nation-state-level occurrence.

    Wasted lots of time with them explaining my research for a conclusion I already stated in preface.  

    ###################

    My main inquiry is: what is the best order of methodology to isolate, identify, investigate, and troubleshoot this? Trial and error for months now, and I know this is past my level, but I'm close enough if I can get engineer-level help.

    Chipsec does not come with a manual. Self-study of Python is barely coming along.

    **I'm comfortable with Linux now to the point where I'm considering keeping Ubuntu and Kali Linux as the main Host OS and will run Windows in VM if I need to. **

    #################

    Next Steps,  not in exact order. 

    Disable SMM account hijacking, create audit logs, and set strict parameters to inhibit the shell from taking control. Damn thing fights back like it's alive and is very well-written code with more than a few alternative variables to make me look stupid, fighting a file for hours and losing like Hillary did when she dumped her email server from the FBI.

    1. Win10 UEFI installed without hijack. POWERED OFF RIGHT AWAY, pulled cord, drained the charge, removed CMOS battery, reset jumpers.

    2. Removing peripherals from ASUS UEFI MOBO: GTX650 gpu, unplugged I/O ports, Cdrom,  spdif,  storage drives. 

    3. Will follow manufacturer instr.: AMI motherboard to flash baseboard. **Basically AMI is using a ported version of Chipsec to whitelist targets by comparing target vs. spec sheet, then applying a "fuzzer" to track. Lost me here for now.

    4. Apply Intel firmware to flash chipset, sockets , etc and set some benchmark, stress test. 

    5. Removing 3 of the 4 DIMMS leaving 8GB memory instead of 32, less places to hide. 

    6. Disabled everything I could in BIOS besides 1 USB to live-boot various analysis tools. Will have to compile custom code ported from Git as soon as I learn how. Hopefully before Christmas!!!

    7. Will have to run as many checksums, integrity checks as possible. 

    There is an exploit that only changes 1 digit in 2 parts of the binary, thus it ends up reading the same size and is falsely approved (that's the base of this exploit). It's kind of genius but sucks ass for me.

    **Please take a look at these slides , the BIOS/UEFI they show is my same exact one and every instance is on the money. Just a few customizations set my payload apart such as the ROM image Trojan that is impossible to delete and eats USBs. 

    Suggestions and comments are highly welcome, good or bad, please be candid.  

    Don't forget to check out the slides. This was all created and submitted on an Android phone, but be careful.

    BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf

    DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf
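
Added shell example for the point in the post above about a modified binary that keeps its original size. This is not code from the poster, from chipsec, or from any vendor. A size check cannot tell a patched firmware image from the original; a byte-for-byte comparison or a SHA-256 digest can. The chipsec invocations in the comments are the documented ones for dumping the SPI flash and checking BIOS write protection, SPI lock bits and SMRAM lock; they need root on the suspect machine and are not executed here. The comparison itself runs on two constructed 64-byte files, and the names ref.bin / dump.bin are placeholders for the vendor's image and your dump.

```sh
#!/bin/sh
# Added example (not from the thread): byte-level comparison of a firmware
# dump against a known-good image. Two images of identical size can still
# differ in a handful of bytes; only a digest or a byte diff shows that.

# Reference commands on the suspect machine (need root and chipsec's kernel
# driver; not executed here, file names are placeholders):
#   chipsec_main -m common.bios_wp    # BIOS region write protection
#   chipsec_main -m common.spi_lock   # SPI flash controller lock bits
#   chipsec_main -m common.smm        # SMRAM lock (D_LCK)
#   chipsec_util spi dump dump.bin    # copy the SPI flash contents to dump.bin

# Byte size of a file (wc -c with any leading whitespace stripped).
file_size() { echo $(( $(wc -c < "$1") )); }

# Number of differing byte positions between REF and DUMP, or the word
# "length" (status 1) if the sizes differ. `cmp -l` prints one line per
# differing offset, so the line count is the number of changed bytes.
rom_diff_count() {
    ref=$1; dump=$2
    if [ "$(file_size "$ref")" -ne "$(file_size "$dump")" ]; then
        echo length; return 1
    fi
    cmp -l "$ref" "$dump" 2>/dev/null | wc -l | tr -d ' '
}

# SHA-256 of a file, GNU or BSD toolchain.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Verdict: 0 identical, 1 same size but modified bytes, 2 size mismatch.
rom_verdict() {
    n=$(rom_diff_count "$1" "$2") || return 2
    [ "$n" -eq 0 ] && return 0
    return 1
}

# Demo on constructed data: a 64-byte "vendor image" of 'A's and a copy with
# two bytes changed at offsets 10 and 50. Sizes match; digests and cmp do not.
demo() {
    ref=$(mktemp); dump=$(mktemp)
    dd if=/dev/zero bs=64 count=1 2>/dev/null | tr '\000' 'A' > "$ref"
    cp "$ref" "$dump"
    printf 'B' | dd of="$dump" bs=1 seek=10 conv=notrunc 2>/dev/null
    printf 'B' | dd of="$dump" bs=1 seek=50 conv=notrunc 2>/dev/null
    echo "size   ref=$(file_size "$ref") dump=$(file_size "$dump")"
    echo "sha256 ref=$(digest "$ref")"
    echo "sha256 dump=$(digest "$dump")"
    echo "changed bytes: $(rom_diff_count "$ref" "$dump")"
    if rom_verdict "$ref" "$dump"; then echo "identical"; else echo "MODIFIED (status $?)"; fi
    rm -f "$ref" "$dump"
}
demo
```

On a real machine, dump from the suspect host with chipsec_util, obtain the vendor's BIOS update separately, and compare. Two caveats: vendor update files are usually packaged (a capsule or an executable wrapper) and must be unpacked before their layout matches a raw flash dump, and the NVRAM region of a dump legitimately differs from a pristine image because it holds UEFI variables and logs, so a non-zero count is a starting point for inspection of which region changed, not proof of tampering by itself.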

  7. Thank you for responding @Brewster28 . 

    I have not given up. I created another post in an attempt to clarify. I started over, and over. It's been 3 months now and I cannot afford to buy new devices, so I have to figure it out. I'm still stumbling with Python and deploying chipsec.

    I've made some progress during research provided by Black Hat hackers at the DEF CON conference. I was amazed that their presentation was exactly what I theorized. Even the mighty genius hackers had a hard time getting anyone to believe this attack even exists, or they think it's very rare. It was sold to the CIA, who then mishandled the code, and it is now alive on the Web for anyone nefarious enough to use it. They saw this coming years ago and provided proof of concept.

    Lately, I noticed hardware vendors' support websites have now been updated with firmware specifically for UEFI/BIOS SMM exploits. AMI motherboard, Intel, and Dell have all addressed the issue but are not willing to admit any fault in the vague language they use. You have to take in a ton of information just to wrap your head around how unsafe we all are. World governments waging cyber warfare and leaving their weapons behind to poison the world. IT SECURITY DOES NOT EXIST. I'll be getting that CompTIA Security+ cert next, thanks to the job security provided by our brightest engineers' conspiracy.

      The leaked documents on Wikileaks prove devices were being embedded with the microcode during production. 

    I thought I was going nuts, because it fits my issue and I am going to prove it, AND FIX IT, AND VIDEO JOURNAL IT FOR YOUTUBE. Even my colleagues at work, the IT Security dept guys, didn't take me seriously. I'm just a PC tech, but I know hardware if anything else.

    I have about 4 devices at various stages of infection, and going thru the process of flashing all the MOBOS, UEFI,GPU, and reading all the documentation.

    I'm very excited to hear from you, as this was a big deal to me. A nation-state attack on my network, that was probably in my PC for years and only triggered because I adjusted the SMM and noticed a bunch of group policy accounts, DLLs, shells emulating, and all kinds of net traffic.

    I can go on and on. 

    I have almost completed a VM lab,  and will be submitting logs once they are organized.  This is so methodical and I've started over from scratch almost every day.  

    I will attach a slide from DEF CON for now and get logs in order to be submitted later. It's not easy because USBs get attacked, and .log files get mounted with hidden files that hijack permissions and will infect anything.

    Join me in this journey,  I don't feel so crazy and alone anymore. 

    I may need help extracting dump logs safely.  It's hard to stay organized.   

    To be continued.... 

    DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf

    Aptio_4.x_Status_Codes_(beep_checkpoint).pdf

    After firmware_bios rootkit_ what hardware can be saved_ _ Wilders Security Forums.pdf

  8. Several devices on the network have been infected (Windows 10, Windows 7 Pro editions). Initially I discovered several Windows folders that stuck out from normal (install dates, certificates and drivers are fake or modified). The registry has a lot of modifications, and user accounts have been modified with "Trusted Installer" and other Admin and System user accounts with full-control permissions for unknown file folders, DLLs etc. during troubleshooting. When attempting to delete or modify, I run into "access denied" or similar errors. I suspect Windows Management Console, SMM or something of that sort, along with a shell, is being run. Suspect a BIOS/UEFI-based malware attack. CD-ROM, USB ports, 1394 port, PCI cards, GPU are either infected and being used to store data, or devices are emulated and restored if I attempt to modify. I finally decided to reinstall the OS.

    During OS installs from several verified Microsoft CD-ROMs (I tried Windows 10, Win7 Ultimate, Pro, and Win 8.1) with the same results: during install, the initial boot program is loaded, then emulated, while a similar (fake) OS begins to install alongside it. From research, I suspect the malware/rootkit is embedded within the firmware of any device with storage, ROM, or RAM available, because in Device Manager I see 12 USB controllers of various types for communicating, devices modified with sophisticated drivers to create internal modems using internal hardware, and several other connections of all sorts that I am not knowledgeable enough to ascertain. Windows updates only go so far, and it seems that certain Windows Update KBs will not apply.

    System control, WMI or SMM seems to be corrupted and in control either in some sort of Shell, and system communicates when online using several different methods during updates which further enhances the attack. Suspect ACPI is being used as the weak point to corrupt legacy devices to force compatibility issues with UEFI's known exploits.

    If you run Malwarebytes, it is also hijacked and replaced with an alternate. The current GUI image is used but the actual program seems to run in a shell and does not detect, acts weird, requests restarts, infects system tray, creates folders that are not consistent with Malwarebytes behavior. Any additional rootkill, cleaning attempts are not successful as the files will rebuild.  Registry seems to have a ton of modifications and entries not normally found in a clean Windows install, modifications to the registry are quickly repaired by the System.

    I believe the firmware of several devices are corrupted and possibly even the cpu itself may have been microcoded with a kernel based malware operating at low levels during post and avoiding detection while injecting exploits to the BIOS. Inserting a USB stick prompts a Window asking to clean or format any drives that are external and will wipe out the USB contents or corrupt the device.

    All devices on the network have been affected, and it is a high probability that the router/modem has been compromised as well. All infected devices are inoperable; I've taken apart modules, disabled unneeded ports/devices, attempted/applied BIOS updates, firmware, chipset, control modules etc. to no avail. Had to install and learn Linux and have been using Ubuntu as the primary OS in an attempt to figure all this out.

    mb-check-results.zip

    msinfo32_loadedmodules.txt

    msinfo32_modem.txt

    msinfo32_runningtasks.txt

    msinfo32_systemdrivers.txt

    msinfor32_results_10232017.txt

    setupact187.txt

  9. First off, using a VM: the host OS is Ubuntu Linux; the logs attached are from VirtualBox of a Windows 10 machine.

    I have to use a linux machine because;

    - cannot reinstall any Windows without the infection hijacking the install; I've tried installing WinXP, 8.1, 7, 7 Pro, Win Ultimate,

    - during reinstall, the CD-ROM loads, then at a point the install instructions are taken over, and a similar GUI appears to complete the install.

    - infects any device attached, physical or network; USB will be formatted automatically (fake warning posted in GUI)

    -registry is infected

    -possible firmware exploited, usb and pci seem to be used as alternate devices,

    -system32 files are unusual

    -unable to flash bios

    -appears as hidden sector or directory, hijacks the mbr,

    -has the ability to replicate if deleted or core files, registry is changed

    -suspected WMI Shell running with TRUSTED INSTALLER

    -Possible ChipSec related?

    I think I've tried everything as far as scans: rkhunter, Hiren's Boot CD, Process Monitor, msconfig, BIOS settings, HDD replacement.

    All my machines at home are down/infected. The only way to get back was Linux, and using a VM to start Windows 10.

    This is from an enterprise PC Tech Level 2 working at home.

    FRST.txt

    Addition.txt

    mbt first scan.txt
