
Malware/Rootkit Survives Disk Wipes and Hijacks Any New OS Installs



First off: I'm using a VM; the host OS is Ubuntu Linux. The logs attached are from VirtualBox running a Windows 10 machine.

I have to use a Linux machine because:

- can not reinstall any Windows without the infection hijacking the install; I've tried installing WinXP, 8.1, 7, 7 Pro, Win Ultimate,

- during reinstall, the CD-ROM loads, then at a point the install instructions are taken over, and a similar GUI appears to complete the install.

- infects any device attached physically or over the network; USB will be formatted automatically (fake warning posted in GUI)

- registry is infected

- possible firmware exploited; USB and PCI seem to be used as alternate devices,

- system32 files are unusual

- unable to flash BIOS

- appears as a hidden sector or directory, hijacks the MBR,

- has the ability to replicate if deleted or if core files or the registry are changed

- suspected WMI shell running as TRUSTED INSTALLER

- possibly ChipSec related?

I think I've tried everything as far as scans: rkhunter, Hiren's Boot CD, Process Monitor, msconfig, BIOS settings, HDD replacement.

All my machines at home are down/infected. The only way to get back was Linux, and using a VM to start Windows 10.

This is from an enterprise PC Tech Level 2 working at home.

FRST.txt

Addition.txt

mbt first scan.txt


  • 4 weeks later...

Several devices on the network have been infected (Windows 10, Windows 7 Pro editions). Initially I discovered several Windows folders that stuck out from normal (install dates, certificates and drivers are fake or modified). The registry has a lot of modifications, and user accounts have been modified with "Trusted Installer" and other Admin and System user accounts with full control permissions for unknown file folders, DLLs etc. during troubleshooting. When attempting to delete or modify, I run into "access denied" or similar errors. I suspect Windows Management Console, SMM or something of that sort, along with a shell, is being run. Suspect BIOS/UEFI based malware attack. CD-ROM, USB ports, 1394 port, PCI cards, GPU are either infected and being used to store data, or devices are emulated and restored if I attempt to modify. I finally decided to reinstall the OS.

During OS installs from several verified Microsoft CD-ROMs (I tried Windows 10, Win7 Ultimate, Pro, and Win 8.1) with the same results: during install, the initial boot program is loaded, then emulated, while a similar (fake) OS begins to install alongside it. From research, I suspect the malware/rootkit is embedded within the firmware of any device with storage, ROM or RAM available, because in Device Manager I see 12 USB controllers of various types for communicating, devices modified with sophisticated drivers to create internal modems using internal hardware, and several other connections of all sorts that I am not knowledgeable enough to ascertain. Windows updates only go so far and it seems that certain Windows update KBs will not apply.

System control, WMI or SMM seems to be corrupted and in control in some sort of shell, and the system communicates when online using several different methods during updates, which further enhances the attack. Suspect ACPI is being used as the weak point to corrupt legacy devices to force compatibility issues with UEFI's known exploits.

If you run Malwarebytes, it is also hijacked and replaced with an alternate. The current GUI image is used but the actual program seems to run in a shell and does not detect, acts weird, requests restarts, infects the system tray, creates folders that are not consistent with Malwarebytes behavior. Any additional rootkit-kill or cleaning attempts are not successful as the files will rebuild. The registry seems to have a ton of modifications and entries not normally found in a clean Windows install, and modifications to the registry are quickly repaired by the System.

I believe the firmware of several devices is corrupted and possibly even the CPU itself may have been microcoded with a kernel based malware operating at low levels during POST and avoiding detection while injecting exploits into the BIOS. Inserting a USB stick prompts a window asking to clean or format any drives that are external, and will wipe out the USB contents or corrupt the device.

All devices on the network have been affected and there is a high probability that the router/modem has been compromised as well. All infected devices are inoperable; I've taken apart modules, disabled unneeded ports/devices, attempted/applied BIOS updates, firmware, chipset, control modules etc. to no avail. Had to install and learn Linux and have been using Ubuntu as primary OS in an attempt to figure all this out.

mb-check-results.zip

msinfo32_loadedmodules.txt

msinfo32_modem.txt

msinfo32_runningtasks.txt

msinfo32_systemdrivers.txt

msinfor32_results_10232017.txt

setupact187.txt


  • 2 weeks later...

cymatechs,

Don't disregard. I have THE exact same symptoms. And you are the first I've found in 6 weeks of fighting this thing. I'm no programmer or coder, but I've learned quite a bit already just trying to get rid of this thing. CHIPSEC last night was pretty much my last hope. I've researched and applied, studied, applied, everything relevant I could find on the net for a couple hundred hours I'd say now.... I can share my experiences and results. And I've found the malware scripts and codes all over the files everywhere, and had some actually interesting "live interactions" with it too. It's like it's alive....

I'm hoping you don't give up. I can't yet. Had this PC 7 years now; I put too much time into it to throw it out.

Looking forward to hearing something about this Monster soon.

Thank you for responding @Brewster28.

I have not given up. I created another post in an attempt to clarify. I started over, and over. It's been 3 months now and I can not afford to buy new devices, so I have to figure it out. I'm still stumbling with Python and deploying chipsec.

I've made some progress during research provided by black hat hackers at the Defcon conference. I was amazed that their presentation was exactly what I theorized. Even the mighty genius hackers had a hard time getting anyone to believe this attack even exists, or they think it's very rare. It was sold to the CIA, who then mishandled the code, and it is now alive on the Web for anyone nefarious enough to use it. They saw this coming years ago and provided proof of concept.

Lately, I noticed hardware vendors' support websites have now updated with firmware specifically for UEFI/BIOS SMM exploits. AMI Motherboard, Intel, Dell have all addressed the issue but are not willing to admit any fault in the vague language they use. You have to take in a ton of information just to wrap your head around how unsafe we all are. World governments waging cyber warfare and leaving their weapons behind to poison the world. IT SECURITY DOES NOT EXIST. I'll be getting that CompTIA Security+ cert next thanks to job security provided by our brightest engineers' conspiracy.

The leaked documents on Wikileaks prove devices were being embedded with the microcode during production.

I thought I was going nuts, because it fits my issue and I am going to prove it, AND FIX IT, AND VIDEO JOURNAL IT FOR YOUTUBE. Even my colleagues at work, IT Security dept guys, didn't take me seriously. I'm just a PC Tech, but I know hardware if anything else.

I have about 4 devices at various stages of infection, and am going through the process of flashing all the MOBOs, UEFI, GPU, and reading all the documentation.

I'm very excited to hear from you, as this was a big deal to me. A nation state attack on my network, that was probably in my PC for years and only triggered because I adjusted the SMM and noticed a bunch of group policy accounts, DLLs, shells emulating, and all kinds of net traffic.

I can go on and on.

I have almost completed a VM lab, and will be submitting logs once they are organized. This is so methodical and I've started over from scratch almost every day.

I will attach a slide from Defcon for now and get logs in order to be submitted later. It's not easy because USBs get attacked, and .logs get mounted with hidden files that hijack permissions and will infect anything.

Join me in this journey, I don't feel so crazy and alone anymore.

I may need help extracting dump logs safely. It's hard to stay organized.

To be continued.... 

DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf

Aptio_4.x_Status_Codes_(beep_checkpoint).pdf

After firmware_bios rootkit_ what hardware can be saved_ _ Wilders Security Forums.pdf


I'm right beside you man, it's so funny reading what you write. Everyone I told about what I'm dealing with, I could tell, thought I was over-exaggerating about its capabilities and how deep it's infected, even better when I break the CIA and NSA's "all seeing eye" subject on them......

I never posted about this yet anywhere (didn't have the patience to start over yet lately with the typical fixes: virus scanner, reformat, full HD wipe, reset CMOS etc. lol).

I'm on Ubuntu, loaded it last weekend; I think a day went by and it slowly crept into that now. All last night it's been full blown, even the UEFI shell... Limits my commands, I get bogus errors; this malware I found loves its fake conditions, triggers, errors.

Well I tried Python in the shell, I get 3 lines and then an "import error generic path". I also tried some startup commands with Ubuntu, because the malware owns that now... I tried some kernel commands I learned, mainly ACPI stuff; seems like it's pretty well dug into that. Well, it didn't like my kernel alterations too much and shut me down, especially acpi=off. Well I've got a few Ubuntu discs burned, I'm gonna try a fresh copy for a little head start. If you got any tips on how to properly run that chipsec I'd love to hear them.

@Brewster28

Haha, same here!!! Forced to learn Linux the past few months. I have to say that necessity will force you to learn. At first I thought the whole logic was retarded with the weird terminal commands but now it makes sense.

It sucks because no forum (superuser, github.com, this one and others) wants to even touch it. The mods at StackExchange kept trying to rebut my assertions, and I had to enforce my position. They might know coding and the back/frontend, but have never done an install.

Basically they said if it's true, then we're dealing with something beyond the scope of anyone at StackExchange and that is a nation state level occurrence.

Wasted lots of time with them explaining my research for a conclusion I already stated in the preface.

###################

My main inquiry is: What is the best order of methodology to isolate, identify, investigate, troubleshoot this? Trial and error for months now, and I know this is past my level, but I'm close enough if I can get engineer level help.

Chipsec does not come with a manual. Self study of Python is barely coming along.

**I'm comfortable with Linux now to the point where I'm considering keeping Ubuntu and Kali Linux as the main Host OS and will run Windows in VM if I need to. **

#################

Next steps, not in exact order.

Disable SMM account hijacking, create audit logs, and set strict parameters to inhibit the shell from taking control. Damn thing fights back like it's alive and is very well written code with more than a few alternative variables to make me look stupid fighting a file for hours and losing like Hillary did when she dumped her email server from the FBI.

1. Win10 UEFI installed without hijack. POWERED OFF RIGHT AWAY, pulled cord, drained the charge, removed CMOS battery, jumpers reset.

2. Removing peripherals from ASUS UEFI MOBO: GTX650 GPU, unplugged I/O ports, CD-ROM, SPDIF, storage drives.

3. Will follow manufacturer instructions: AMI Motherboard to flash baseboard. Basically AMI is using a ported version of Chipsec to whitelist targets by comparing target vs spec sheet, then apply a "fuzzer" to track. Lost me here for now.

4. Apply Intel firmware to flash chipset, sockets, etc. and set some benchmark, stress test.

5. Removing 3 of the 4 DIMMs leaving 8GB memory instead of 32, less places to hide.

6. Disabled everything I could in BIOS besides 1 USB to live boot various analysis tools. Will have to compile custom code ported from Git as soon as I learn how. Hopefully before Christmas!!!

7. Will have to run as many checksums, integrity checks as possible.

There is an exploit that only changes 1 digit in 2 parts of the binary, thus it ends up reading the same size, and is falsely approved (that's the base of this exploit). It's kind of genius but sucks ass for me.

Please take a look at these slides; the BIOS/UEFI they show is my same exact one and every instance is on the money. Just a few customizations set my payload apart, such as the ROM image Trojan that is impossible to delete and eats USBs.

Suggestions and comments are highly welcome, good or bad, please be candid.  

Don't forget to check out slides. This was all created  and submitted on android phone but be careful.

BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf

DEFCON-22-Bulygin-Bazhaniul-Furtak-Loucaides-Summary-of-attacks-against-BIOS-UPDATED.pdf


Hey sorry I missed you yesterday. I checked on here every few hours to see if there is an update from you looks like I overlooked your last. I'm at work right now,  I haven't had a chance to look over your packages but I will tonight. 

I had a few things I thought of that may or may not be of interest.


  • 1 month later...

Made a Malwarebytes account just to reply here.

I have been dealing with this for MONTHS and have poured hundreds of hours into trying to figure out a way to rid my PC of this thing. Symptoms are exactly like those described. Has any further progress been made on an actual solution to this? I just bought a new HDD today and am scared to do anything for fear of ruining it and the money being wasted.

I cannot believe how incredibly malicious and persistent this malware is. Any help appreciated guys.


I believe I may be experiencing something similar. No security programs are finding a thing yet I know for a fact that I am no longer in control of what this computer does.  Has me totally baffled.  Good luck guys.  I am making a boat anchor of mine and going out and buying new.  The only resolution I know should hopefully solve my issue.  Makes buying groceries hard this month but I love having a puter I can use and trust.  Happy New Year.

C


I also had to sign up to say I have this beast of destructive malware. It all started at the beginning of December 2017. I am no IT professional but I have owned and built my own PCs for 20 years.

So at the start of December my system didn't seem right, I lost around 30% of my throughput on my connection and so started looking for malware etc. Most scanners returned nothing, but I did eventually find a dodgy regkey hooking in to my Realtek control panel and also another:

HKU\S-1-5-21-756301165-289591905-1094589985-1000\Control Panel\Desktop\\Wallpaper ->
DNS Servers: 192.168.1.1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System => (ConsentPromptBehaviorAdmin: 2) (ConsentPromptBehaviorUser: 1) (EnableLUA: 1)

I noticed loads of strange files on my system and the more I attempted to clean, the more it seemed to come back.

I tried FRST, ComboFix, Malwarebytes, TDSSKiller, Sophos, RogueKiller etc. etc. etc.

I eventually found out about the Intel ME backdoor and figured I had finally found how this rootkit malware had gotten on to my system:

https://www.theregister.co.uk/2017/11/20/intel_flags_firmware_flaws/

The only fix is a BIOS update, to update the Intel firmware, so I did that thinking a clean install and I'll be good as gold.

How f-ing wrong was I. I reinstalled Windows from scratch, boom, it all came back. It must have been hiding on either my 2nd SATA drive or some of my USB drives with programs on. When I got back in to Windows the 2nd hard drive was only showing the 2nd partition as active and the first was there but had to be initialized, and somehow both partitions were at a 4096MB offset...hhmmmm.

So I immediately wiped that whole drive in diskpart and made it GPT. I then noticed at least 4 extra HID (human interface devices) in Device Manager, no idea what the hell they are.

My system is still not right; it appears I may have to bin this whole i7 Skylake system including my Samsung EVO 850 SSD, a 2TB SATA III drive, my Asus MB, my i7 6700 and all my USB flash drives.

£700 system, 18 months old, and it is a bloody liability and essentially useless. How can I do anything on it when I cannot even stop this infection? It has survived a BIOS update, format (both drives), clean install (all done without the Ethernet cable plugged in).

I am livid, there is nothing I can do to clean this system. I may as well bin the damn thing, buy a cheap FM2+ AMD MB and CPU and run Linux.

  • 2 weeks later...

Okay guys now I know I am actually sane, I think. When I read the original post here it was exactly what I'm experiencing. Same weird installs on Windows, same 12 USB drives and BIOS, same stray processes and of course no malware detectors will find it. But from my past 3 days of literally all day long trying to fix this I have come to find out that even your live boot Linux sessions will be compromised as well. So don't think you're safe using that; just open netstat and take a look, that is if you're connected to the internet. If you are not connected to the internet, don't. I'm posting this from my phone but I'm sure this is compromised as well. This is the most sophisticated attack I have ever seen in my 20 years of being online. I have found a few other bits of info but I'm reluctant to share it on here in case "it" sees. I have never been this paranoid in my life. I wish I had a way to talk to you guys and know it was secure because yeah, this thing is something else..

Also I know exactly how I got it now. I really want to share it with you guys but I'm afraid to, this freakin thing is like skynet.


Hey, now I can stop taking the psych meds, I am not nuts. Having the same problems reported above. Something has total control over my systems but nothing finds it. Ready to stop using computers; it has taken the fun out of using one. Thanks for confirming my suspicions. I do not have much puter knowledge or training but I know enough to recognize something very serious was occurring. Good luck. I think I will just trash my puter, buy new and not use it with any ccards or banking and not purchase anything over the internet ever again. Take care

C


Thank you for the guidance.  I will have to throw out everything I have done for 20 years, all my websites, images, blogs, writings, photos I took, music I transferred from records to mp3 and cd, basically 20 years of my working on computers because of this critter. 

I think most likely I am going to hang up my work with the technologies and education and website and blog work. Just is no longer worth the hassles. Isn't fun any more. Too much of a pain in my ars.

I don't own a smart TV, nor smart phone just a $5 flip up track phone that uses minutes etc.  That is good enough for me and I can still listen to the AM/FM radio (I think) and read books  Grin.

Best of luck to all you folks and thanks for getting on the forum and confirming what i thought all along.  This latest security problem is just too huge and not worth spending the money and my time on security programs that DO NOT CATCH it and do not protect me.

Best to all

Celeste

PS In my 1000 Watt amplifier I used my usb stick with music on it to play through it now I wonder if that somehow will be compromised, oh well, they won.


  • Root Admin

Hello @cymatechs

Sorry I'm late on the reply here. Looks like your first topic was overlooked, but then once other replies happened it looks like you're being helped.

First step is to do a hard reset of the router. Then ensure it's set with a strong password. Once that's done, we can go from there.

 

Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware at this time, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

Once you've completed that let me know.

Thanks

Ron

Alright I've pretty much reached my limit with this,

I was/am SOOO glad when I found this thread because I likewise thought I was going insane. Guys, I seriously don't even know how this is possible but I'm just going to share this with you guys so none of y'alls time or money is wasted.....On Friday (1/12) I BOUGHT A BRAND NEW $800 DESKTOP COMPUTER FROM BESTBUY AND!!!!!

Well you guys can guess what happened next, I brought the PC back to my apartment and as soon as I got it all hooked up and turned on I knew something was wrong. Like IMMEDIATELY. One of the symptoms of this insane stuff (as noted by others) that I noticed on the original PC was that no matter what OS Boot Drive I would put in, i.e. Windows 7 or Windows 10, in order to load the OS onto the computer, the installer was always this one weird generic one that had a purple background and also only seemed to ask personal preference setting questions that had to do with the things that I have issues with. For example, instead of asking me Fresh OS set up questions like I'd think it would do normally, it only asks about location services and Cortana, or sending diagnostic data to MS anonymously, etc etc

But anywaayyysss, the exact same damn "Windows" OS installer popped up as soon as I turned on the brand New $800 PC, didn't even see any BIOS option of any kind. And of course when I start it up and get into the desktop, its somehow ALREADY infected with identical malware. The only thing I can possibly come up with now is that (and this doesn't really seem that far fetched) my apartment complexes completely open/Passwordless WiFi Network that gives internet to all 1 or 2 hundred apartments is infected,,,maybe...?? Idk but I'm really tired of this. I'm a college student and 800 bucks is quite a bit of money for me. Thankfully best buy let me return the desktop so honestly guys I'm sorry to admit defeat but I'm probably just gonna buy a PS4 lol.


  • Root Admin

@Questlove22

If you don't have control of the router then you're at the mercy of the settings of the router that supplies you access to the Internet. However, so far you've not shown or said anything to indicate any infection.

Post some logs showing an issue.

 

Please download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system.
You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

 

Take a video of what you're talking about with your phone and upload it to YouTube
 

 


Hi Mr. Lewis,

I have decided to revisit this unresolved matter in light of current events.  Would you mind if I provide the requested logs, videos and research for your viewing? I seem to know the gist of all of the UEFI/BIOS vulnerabilities, but I do not have a full grasp of how to detect, isolate, re-flash firmware, in a methodological way.

I will gather a lab device to use, and video log it to YouTube. I will provide any logs requested within 24 hours.  Would you like me to start with a "Clean install of Windows"  and take it from there?

Thank You for any help you can provide,

cymatechs


  • Root Admin

Thanks @cymatechs

As I said above, the very first step is to ensure your router is reset and you and only you are in control of it.

 

Please review the following website and read it before continuing and then do a Hard Reset back to Factory Defaults for your router.
This information is only for resetting the router DO NOT erase, install, or update the firmware at this time, just reset your router to factory defaults.

Reset And Reboot

Hard reset or 30/30/30

Once you've completed that let me know.

 

Thanks

Ron

 


  • Root Admin

Not sure what time zone you're in but it's getting late for me and I have a few things to finish. I'll check back on you again sometime tomorrow though.

Since we're starting over please do the following.

STEP 1
Use HDDErase first to completely erase all data from the drive.
https://www.lifewire.com/hdderase-review-2619137

STEP 2
Then (overkill, but since you're wanting help) run DBAN to wipe the drive again
https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148

STEP 3
Download and run the following software to zero and wipe your USB stick

Passmark ImageUSB
https://www.osforensics.com/tools/write-usb-images.html

STEP 4
Download and use Fsum Frontend to verify data integrity
http://fsumfe.sourceforge.net/

Fsum Frontend 1.5.5.1 (Standard)
http://downloads.sourceforge.net/fsumfe/fsumfrontend-1.5.5.1-bin.zip

 

Then I'll get with you tomorrow via Private Message with a time sensitive link to download a legal ISO image of Windows 10 if that is the OS you're wanting to install and you have a full version license for it.

Thanks

Ron

 

 

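Step 4 above (Fsum Frontend) and step 7 of cymatechs' earlier list come down to the same check: compute a file's hash and compare it with a known-good value before trusting it, and keep those values so the same files can be re-checked later. The following is an added example written for this thread; it is not part of the forum post, Fsum Frontend, ImageUSB or any other tool mentioned here. It is a POSIX shell script that assumes coreutils sha256sum (falling back to shasum -a 256), and the file names and digest in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from this thread or from any tool it names:
# verify a downloaded installer image against a known-good SHA-256 before
# writing it to media, and re-check a set of files against a saved manifest.
# Assumes coreutils sha256sum (falls back to shasum -a 256 where absent).

# Print the lowercase hex SHA-256 of one file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | cut -d' ' -f1
    else
        shasum -a 256 -- "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 <file> <expected-hex-digest>
# Returns 0 on match, 1 on mismatch, 2 if the file is unreadable.
# The expected digest should come from the vendor's download page, not from
# the same place the file itself came from; it is compared case-insensitively.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# write_manifest <manifest> <file>...
# Records "<digest>  <path>" lines so the same files can be re-checked later
# (for example after a reboot) to see whether anything was silently changed.
write_manifest() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s  %s\n' "$(sha256_of "$f")" "$f" >> "$manifest"
    done
}

# check_manifest <manifest>
# Returns 0 if every listed file still matches its recorded digest, 1 if any
# file differs or is missing; prints the path of each file that does not match.
check_manifest() {
    rc=0
    while IFS= read -r line; do
        digest=${line%%  *}
        path=${line#*  }
        if ! verify_sha256 "$path" "$digest" >/dev/null 2>&1; then
            echo "CHANGED $path"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Usage (constructed placeholder names and digest, not real values):
#   verify_sha256 Win10.iso 0123abcd...   # digest copied from the vendor page
#   write_manifest baseline.sha256 /boot/efi/EFI/*/*.efi
#   check_manifest baseline.sha256
```

Keep the manifest on read-only media or on a machine you trust; a baseline stored on the disk under investigation can be rewritten along with the files it describes.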

9 hours ago, AdvancedSetup said:

I would highly recommend visiting the site I linked and reading their documentation on doing a reset. Many of the factory resets are not quite real resets.

 

I read the links provided and want to ensure that we start as clean as possible. Please advise if I am missing any vital steps. It seems the best option for this particular router (ISP provided telephony/gateway) is to factory reset and clear NVRAM with the onboard GUI, but since we need to cover all possibilities I also used the 30/30/30 method, then cold start after 8 hours with no power; the other methods do not apply. I have 2 of the exact same routers just in case we brick one, and other APs to use if needed.


"Quoted from Link" Some platforms will completely empty the nvram and depend on another stage of the bootloader or firmware to repopulate it. On some less-supported hardware this may have unpleasant results, so use the following two reset methods cautiously. Note: On some routers, in particular a lot of Atheros based routers (and Asus), this may cause the router to go into recovery mode, instead of resetting the settings. It is often better to do a GUI reset, Admin tab, then factory defaults. Click apply and wait 5 min. The router is now reset and should ask for a password when you log into it at 192.168.1.1

 

