The reality of persistant rootkit/bootkit infection.

[Fast_Eddie]

I was reading a thread here about some guys suffering from a rather persistant malware infection, only to have the thread closed on them by the root admin of this site with a statement about it being hysteria or snake oil or whatever...

 I certainly respect the opinion of someone with unquestionable experience like running malwarebytes... That carries some series cred in and of it self.... BUT, the persistant rootkit/bootkit does exist, and not just in  the crazed imagings of paranoid whackos or whatever. 

i know this to be true from personal experience as well as the mountains of proof that exists in the form of proof of concept demonstrations, white papers and other articles dating back to the early 2000's.

 

 These things are not really new either...  Johnathan Brossard demo'd Rakshasa at Blackhat, Defcon, CCC, BHCI and i am guessing everywhere else touting it as the : 

"epic evil remote carnal pwnage(of death)"

In 4 weeks he was able to build a persistant rootkit/bootkit/romkit that out of the box could boot any 32 or 64bit OS on any one of 230 motherboards... And is almost completely stealth... Having a filesystem footprint of exactly 0.

The capabilities of this thing are frightening... You can replace the os, the hd.. And still be pwnd instantly on the next boot..

I am no engineer or whatever but i think the basic premise was all in writing a little bit of code... One line into the nvram and reflasing the firmware of anything an everything connected to it..  He put out a detailed pdf if anyone wants to be forever paranoid and unsure just how secure there computers are.  

He did it all to illustrate that if a single person or even small group can make something this brutal... Think of what any of the many state sponsered outfits have come up with or are capable of.

Did i mention this was in 2012?

Plus there have been things like subvirt and othet vmbr rootkit/bootkits that can turn the host os into a virtual machine... easily remote backdooring at will, flashing a router would allow something like that to spread like the black plague hitting phones, tvs and any other smart devices that it can connect to. Just hitting a couple smartphones could create a scenario where something like that could get WAY out of hand.

All that being said, i had no idea that stuff THAT malicious even existed outside of hollywood... Until about 6 months ago when my whole home network seemed to get possesed by the devil.. Overnight.

In the end hardware had to be RMA'd... And the manufacures decided replacement was the best option, and uhh zero notes or discussion on exactly what they found.

Mine was some sort of bootkit written into the spi flas i am guessing... and it was totally capable of pwning anything you wanted to install windows, linux, hirens boot cd... You name it i tried it.. only to be pwnd like a boy in a mans world. I still have a couple laptops.. Some old junk pcs and a BUNCH of hardware that is full on infected / contaminated and would like nothing more in this world then to learn how to recover them... But after what ive seen in the past 6 months, and what iVe read while trying to find a way to get my hardware back out of the rabbit hole... I'm not so sure that any of it is recoverable one an attack starts reflashing device firmware.

Its been a truley disheartening experience to say the least and the full reality of the who, what, where and why is probably much worse then the average enthisiast has even considered.

I mean absolutely no disrespect and i am not fear mongering, i sincerely hope you can use some anti hacker kung fu to help me recover some hardware... and maybe restore my faith in IT Security.

Anyone wanting to read that pdf about Rakshasa will have to google Rakshasa rootkit.  Its like the first or second link.. I tried to copy the address but my phone has been acting weird. 

Thanks for you time, 

Fast_ Eddie

[Chicken]

4 hours ago, Fast_Eddie said:

I was reading a thread here about some guys suffering from a rather persistant malware infection, only to have the thread closed on them by the root admin of this site with a statement about it being hysteria or snake oil or whatever...

Malwarebytes staff have seriously called it that? Unbelievable. They off all people definitely should know better. Frankly, if anyone should be completely paranoid it is them, as it is pretty much their core business to defend against these and other malicious practices that most people would call "hysteria". Sadly, it is anything but hysteria.

The unfortunate reality is that security software like Malwarebytes will always be several steps behind reality. That's simply the nature of it. The possibilities to infiltrate systems are close to endless, all you need is a bit of creativity. Something nobody else has thought about yet (bonus points if you think of something that others would refer to as "hysteria"). Your defensive strategy has to get it right 100% of the time while an attacker only needs to get "lucky" once. I tend to call IT security purely symbolic for this reason*. There is simply no feasible way to be sure you haven't been silently pwned already by some obscure attack vector (BIOS/firmware injection as you have outlined definitely being one of them), not for the average consumer at least. Well, unless you have the equipment and time to indepedently read the contents of flash memory/storage devices and the ability to analyze the tiniest of microchips.

* Not claiming IT security is not important, it very much is.

[Aura]

Can you link the thread you're talking about?

Quote

 These things are not really new either...  Johnathan Brossard demo'd Rakshasa at Blackhat, Defcon, CCC, BHCI and i am guessing everywhere else touting it as the : 

Most of these were POCs to prove that it is possible to create something like that, but not a lot, if not any of them made them in the wild and were used.

[AdvancedSetup]

It's called paranoia. The only known potentially in the wild UEFI attack was based upon a chipset from 2008, 1 year after UEFI came out. If you're running hardware that old then no doubt it might be susceptible. Beyond that there is just "talk". We have offered and worked with users before that thought they had this magic non-sense too and when it got down to the details they could not produce anything even close to what they were talking about. Often these discussions go on about how this attack affects the UEFI then it jumps and attacks the GPU of the video card. Sorry folks but that's pure Snake Oil and if you believe in that type of conspiracy then please go visit the USENET groups where that type of discussion goes on. We will not entertain any such discussions here without proof, not he said/she said, not I read here, or I read there, etc. If you don't physically have a computer you're even potentially will to ship to a team of Security Experts to review then it does not exist.

 

[exile360]

7 hours ago, Aura said:

Can you link the thread you're talking about?

Most of these were POCs to prove that it is possible to create something like that, but not a lot, if not any of them made them in the wild and were used.

Yep, the difficulty lies mostly in the fact that each of these BIOS infectors must be coded to attack a particular BIOS version/manufacturer, and with so many in use today across different boards and systems, creating a threat capable of infecting a large number of targets in any generic fashion the way more traditional attacks and exploits do wouldn't be feasible.  That's the reason we haven't seen any of these in the wild yet.  Also, recent evolutions in the realm of OS boot loaders like EFI/UEFI have further complicated things making it much more difficult to get underneath the hardware than it used to be, especially for more modern operating systems like Windows 8/8.1 and Windows 10.

Today, especially with the massive increase of mobile/smartphone use on the web, attackers are far more focused on exploiting browsers and browser plugins which are much easier to develop as cross-platform threats (i.e. capable of infecting Windows PCs as well as mobile devices running Android and iOS etc.).

Are such infections possible?  Absolutely, however the access required and coding needed for targeting your specific hardware elevates the cost and specialization to a level that, unless you are a particularly high value target, no one is going to go through all the hoops and difficulties to develop those threats to attack you with.  It's much more realistic in the business/enterprise and government space where they face more targeted attacks like APTs, but even then, there are much stealthier methods which require less privileged access to infiltrate and infect systems without having to get write access to the hardware's firmware to infect devices, so even across that landscape these types of attacks are not very likely.  Do keep in mind that we're not talking about some kind of simple computer worm, file infector or generic exploit here where rapid propagation is a high probability.  These kinds of attacks are extremely specialized and require very low-level/privileged access to a system and its components to pull off, and if an attacker has that level of access already there are a wide array of other, much easier and more conventional infection vectors for them to exploit that would be far more cost effective both in regards to the time and effort to develop the attack, and the financial cost of R&D to develop a successful attack.

With all that said, I've always seen the greatest risk factor with these types of threats to be on the manufacturing side of things.  If someone were to infiltrate a factory where a particular piece of hardware is produced, they could distribute infected firmware to the devices being made there to have their malware distributed to whoever the hardware was intended for.  This is also why governments tend to be mindful of their hardware vendors and equipment providers as they must have reliable chain of trust in place to prevent such attacks.

[Fast_Eddie]

I am absolutely in posession of, in multiple locations, hardware thet i would be willing to ship. I would LOVE to have you prove me wrong... And outline how to recover other my other hardware and data. Keep in mind when i have rmad hardware over this... It is consistantly replaced with only the most obscure notes exlinations.. Like skewed cpu pin and stuff. Lol.

You want to try and liberate a laptop via logs and software applications first, or skip straight to shipping?

 

-Eddie

[AdvancedSetup]

No, we would need to see logs of what is going on and you'd need access to USB to rebuild the system, etc.

 

[Amaroq_Starwind]

One solution to recovering from a potential firmware hack: Producing BIOS chips which have an unflashable Mask ROM storing a backup of the original BIOS to be recovered in emergencies. Also helps protect from damage to the BIOS by a faulty installation, or even just a faulty BIOS.

Also, HP made a laptop that has a solution similar to this as well, called Surestart:

Spoiler

 

 

[exile360]

Yep, that's a good idea.  The only potential issue would be if the original BIOS contains vulnerabilities and/or bugs that need to be patched since it can't be written to/updated.

[Amaroq_Starwind]

I'm sure there are ways around that.

[WhiskeyPete]

I realize this topic is a bit old, but around about last February, I started tinkering with my network. I had neglected it for a few years after shutting down an internet radio station I had built and run for a decade. I was relieved not to have to deal with the servers anymore and pretty much didn't use the PCs except to access the music stash. 

I had inherited a pretty rad gaming rig that I did set up but didn't use and I wanted to rebuild the network with updates and I was going to convert one tower into a pfsense box which i had started fiddling with on VM. I had also set up a small music server which was probably my downfall, but I'll get to that. 

My router started getting hammered. Some days were worse than others and the connection would drop out. My log would fill up in 20-30 minutes with pings and ddos attacks. Having been out of the PC world for a while, all my nerd friends said it was normal, but I just knew it wasn't. 

Fast forward a few more months to about late April, early May and I am absolutely going nuts with this. I'm basically being told I'm crazy and there's nothing wrong. I'm paranoid and I'm scaring my spouse. 😂 Who, by the way, stopped nerding about ten years before I took a break. But by this point, my admin rights have been revoked. My drivers are being replaced. I have formatted three computers each 4 times over and it's still happening, so I get into the file structure and start reading code. This is when I'm certain it's at least a bug of some kind and I'm not trippin'. But I'm totally obsessed to prove it. 

I was getting bent because I would try to do clean installs of windows 10, but no matter what I did, it would boot up with my previous settings, though my files were all gone. Having not been real savvy on 10, I sort of just shrugged it off until that point in time. So now I'm freaking obsessed by this point to not only prove my sanity,  but I want my damn computer back. And the last few months, I had been getting a refresher crash course against my will in networking, security, windows 10, linux, the whole 9. I was going to find this thing. 

One night, about 3am, I cracked it open. I finally gained access to the boot sectors on all my drives and I saw this deployment all wrapped up in a windows wrapper. It's winPE/miniNT based. Skeletal on actual windows files. I figured out they depended on my windows installation to embed their garbage into. 

When whoever had control of this thing figured out what I was up to, they stopped trying to hide it and came in swingin'. They had been stealing my bandwidth and using my network as a server, which explains why my stuff wouldn't work. And now they were going to fight me. 

Then I figured out they were in the Androids, too. They were even brazen enough to download apps they needed to hop from one device to the other. A mouse toggle app was installed on my friends tablet that she left here three months prior to this discovery. It was needed to control my Amazon box that has for some reason disabled the use of a wireless mouse. This app makes it possible. So I started looking into my file structures and systems on the my phones and my mind was blown. My whole operating system had been replaced. Reading the bootloader logs, it's all there in black and white. 

In an attempt to help me fight this, I've had friends and family send me old pcs and hardware. I have taken the pcs off the internet, but somehow the new (to my household, virgin from my network) stuff was getting infected, too. It was making my flash media executable.  %@#^#& I couldn't transfer files. Every time I plug in media, the PC "searches for driver" but it's embedding an executable script on the flash. It's the original API deployment that starts everything and it's as small as a few lines of code in the form of a certificate key. I saw that, too. 

So a few days ago, I formatted all my sd cards with an old camera. Low level. Then took them to the library and did it again. I loaded them with an arsenal of clean downloads and write protected them. I had also pulled the power, hard drives and ram from a couple old laptops a couple days ago. And I mean, one of them is Compaq, came with XP pro, old. The other came with vista, but is still 8-9 years newer than the Compaq. 

Tonight I started with the newer doorstop, popped the ram back in it, left the drive out and booted hiren 2012 live. It loaded a dirty miniXP complete with zero admin rights, false errors that the path could not be found for the file you tried to execute. So, tell me, if that's not coming from the bios, where the hell is it? I have been fighting this thing for months. Now I know its number, I just don't know where it lives. And I can show you everything. I have been documenting it from the moment I knew there was an actual human or humans on the other side of this kit. 

And Eddie, if you have found anything out, I'd appreciate to hear from you. Right now I'm looking into a tool to force flash the bios. Everything I had downloaded from here (my home connection) would get swapped out for something else. Sometimes it was hard not to laugh at the absurdity, but if you didn't know it was swapped and installed it, it was just one more hook in the system. 

Heck, I even pulled the graphics cards because 6gigs is a lot of space to raise hell on when I read the registry they install on the boot sector  and the workarounds are incredible. It will even make the disk spin in the CD rom, but not actually download a single thing from it. 

Seeing all the records and logs they keep on me, the access to my surveillance system, the absolute control over all of our phones (with cameras, and GPS and data I cannot turn off anymore) makes my skin crawl. My NFC and Blutooth is a means of transfer, too. And the last install of windows I did, I read the legal agreement. There is a line in there about the infrared and how they are going to install it as part of the windows agreement. Which is not uninstallable. Well, nothing is now. I have no rights. It's totally absurd and I really thought I was losing it. Sometimes I still do until I turn on a PC. 

Paranoia and snake oil. In my bios. Or...? I'm open to suggestions. 

[AdvancedSetup]

Please post in the malware removal forum if you want assistance with malware removal.