cymatechs

Malware/Rootkit Survives Disk Wipes and Hijacks Any New OS Installs

@Ron

9 hours ago, AdvancedSetup said:

Not sure what time zone you're in but it's getting late for me and I have a few things to finish. I'll check back on you again sometime tomorrow though.

Since we're starting over please do the following.

STEP 1
Use HDDErase first to completely erase all data from the drive.
https://www.lifewire.com/hdderase-review-2619137

STEP 2
Then (overkill, but since you're wanting help) run DBAN to wipe the drive again
https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148

STEP 3
Download and run the following software to zero and wipe your USB stick

Passmark ImageUSB
https://www.osforensics.com/tools/write-usb-images.html

STEP 4
Download and use Fsum Frontend to verify data integrity
http://fsumfe.sourceforge.net/

Fsum Frontend 1.5.5.1 (Standard)
http://downloads.sourceforge.net/fsumfe/fsumfrontend-1.5.5.1-bin.zip

Then I'll get with you tomorrow via Private Message with a time sensitive link to download a legal ISO image of Windows 10 if that is the OS you're wanting to install and you have a full version license for it.

Thanks

Ron

I am PST timezone and thanks again for your help. I will start wiping the drives exactly as specified; this will take most of the day on a 1TB spinner. On the erase/wipe options should I select <rewrite zeros> to overwrite, which takes hours?

I will be getting the system ready for wipe, anything additional that you need me to do with the router?

Should I stay off of that network?

Not too fond of using well known ISP default router settings to go online.


As long as you're the one that set the password on the router there is very little they can do to the router. Check for other accounts on the router.

A single pass rewrite of zeros should be fine. The HDDerase should clear all the non-data areas too, so between the two nothing known will survive that. Not even hardware recovery would be able to recover anything.

I'll check back on you in a day or two and see where you're at.

Ron

5 minutes ago, AdvancedSetup said:

As long as you're the one that set the password on the router there is very little they can do to the router. Check for other accounts on the router.

A single pass rewrite of zeros should be fine. The HDDerase should clear all the non-data areas too, so between the two nothing known will survive that. Not even hardware recovery would be able to recover anything.

I'll check back on you in a day or two and see where you're at.

Ron

Thanks, yeah this wipe will take about 16 hours to complete approx... I will contact you upon completion for next steps and will keep the <wiped HDD> offline/disconnected from MOBO.

Not that it matters since no warranty is effective or needed for this device, but will this also erase manufacturer embedded data such as "serial #, dev type etc."? Just curious, as I will be reading all the link data provided as well to find out.

Do you think using a live boot cd to initiate the wipe would add any benefit for security? I may be able to compile the wipe tools provided into a bootable USB, but if it's overkill I would rather save myself the time.


The normal boot CD or USB (after a USB wipe) is needed to run the tools. They don't (or should not be) run under Windows.

No special compiling, building, etc.


https://discord.gg/gRd5hYb

^ all right guys enough of this playing phone tag on this message board. I made a Discord room so we can talk about our experience and * fixes for this in real time.

I have counted the amount of people in this thread and if I see more than that amount join the server I'm going to cut off invites cause I only want it to be us in there, I don't want strangers. Please be smart and do not give any personal details, I actually just used a filler email to make the server. Server name is "werenotcrazy-malwaretalk". Let's stick to the technical aspects and hopefully we can fix this once and for all.

Edited by Ithoughtiwascrazy

On 1/17/2018 at 12:04 PM, AdvancedSetup said:

The normal boot CD or USB (after a USB wipe) is needed to run the tools. They don't (or should not be) run under Windows.

No special compiling, building, etc.

@Ron

Just a quick update;

I forgot to mention I am running an Arch Linux w/KDE distro and will have to use the Linux equivalent software in some cases. Most secure wipe tools are Linux based at the core so this should suffice hopefully. I will be installing Win10 into the target device though, as this is the goal.

  • The two top links provided for HDDerase.exe were moved/old and I was not able to find a mirror that was trustworthy. However, I read the documentation, and after some research decided to go with Parted Magic.
  • Parted Magic, I believe HDDerase.exe was forked off of this. DBAN, DD, Dept. of Defense level wipe tools are all integrated.
  • 12 hours until wipe complete, last pass will verify, and I will submit logs.
  • My built-in native file manager verifies the checksums in SHA256 and MD5. Will this be OK?
  • I will remove wiped HDD from MOBO after wipe and keep it disconnected until advised.
  • A live CD-ROM is being used for this... and I will check out the USB wipe/flash/secure links you provided as well. In a Windows environment, this malware attacks the USB immediately and prompts a "bad device warning, reformat Y or No". So I definitely want to secure the USBs.

Currently the drive is being wiped by NWIPE, Method: DoD Short (1 pass zero write, 1 blanking pass, 1 verification pass); the internal ATA wipe command would not commit for the Western Digital ATA 1TB HDD Caviar.

I will still hit it with a shot of DBAN afterwards, I also zapped the MBR etc. before doing all of this.

ATTACHED: <.docx> file of Computer System Summary before Wipe.

System Info before Wipe_MBytes01182018.docx
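An added example, not code from this thread or from any of the tools named in it, showing what the two checks discussed above (nwipe's verification pass after a zero-fill, and Ron's STEP 4 checksum check of the downloaded ISO) amount to when done by hand. The temp-file helper and the sample data are constructed for the demo; to check a real drive, pass its block-device path to `first_nonzero_offset` from the live environment after the wipe.

```python
import hashlib
import tempfile

CHUNK = 1 << 20  # 1 MiB reads, so a 1 TB drive never has to fit in RAM


def first_nonzero_offset(path: str, chunk: int = CHUNK) -> int:
    """Read a wiped file or block device from start to end and return the
    offset of the first byte that is not 0x00, or -1 if every byte reads
    as zero. A -1 result is what a wipe tool's verify pass confirms."""
    zeros = bytes(chunk)
    pos = 0
    with open(path, "rb", buffering=0) as f:  # unbuffered: short reads are fine
        while True:
            block = f.read(chunk)
            if not block:
                return -1
            if block != zeros[: len(block)]:
                # Pinpoint the exact byte that survived inside this block
                return pos + next(i for i, b in enumerate(block) if b)
            pos += len(block)


def sha256_of(path: str, chunk: int = CHUNK) -> str:
    """Stream a file (e.g. a downloaded ISO) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def checksum_matches(path: str, published_hex: str) -> bool:
    """True if the file's SHA-256 equals the vendor-published digest
    (letter case and surrounding whitespace in the published value are ignored)."""
    return sha256_of(path) == published_hex.strip().lower()


def make_sample(data: bytes) -> str:
    """Write constructed sample data to a temp file and return its path
    (stands in for a wiped disk image or a downloaded ISO in this demo)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(data)
        return f.name


if __name__ == "__main__":
    clean = make_sample(bytes(3 * 1024 + 17))  # constructed: fully zeroed image
    dirty = bytearray(5000); dirty[4097] = 0xFF  # constructed: one byte survived
    print("clean image:", first_nonzero_offset(clean, chunk=1024))
    print("dirty image:", first_nonzero_offset(make_sample(bytes(dirty)), chunk=1024))
    print("iso ok:", checksum_matches(make_sample(b"abc"), "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"))
```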

5 hours ago, DigitalEbolaInfected said:

Did y’all happen to resolve this by any chance?? I have the same thing

Yes, it was resolved. It does not exist. Once again there was zero proof provided that any such persistent threat attack exists. SNAKE OIL 

Follow normal procedures to remove all partitions and create new partitions and there is no infection that can survive.
