Sysinternals Forum > Windows Discussions > Malware

Gpu based paravirtualization rootkit, all os vulne

RFC Rudel (Newbie, joined 07 November 2005), posted 21 September 2011 at 6:50am

Edited by RFC Rudel - 21 February 2013 at 4:44pm
bootsect (Senior Member, joined 24 December 2009), posted 21 September 2011 at 4:58pm
Cool story, bro 

Now drink some milk and get back to the bed, time to sleep.
RFC Rudel (Newbie, joined 07 November 2005), posted 21 September 2011 at 6:07pm
Is that a joke?

Edited by RFC Rudel - 21 February 2013 at 4:42pm
RFC Rudel (Newbie, joined 07 November 2005), posted 21 September 2011 at 6:31pm
Edited by RFC Rudel - 21 February 2013 at 4:43pm
[TheFlash] (Groupie, joined 23 July 2010), posted 21 September 2011 at 6:45pm
Maybe I missed it, but I did not find anything strange in that dmesg log. If you think your computer is infected by a rootkit, you should check the IDT (Interrupt Descriptor Table), and search for kernel modification.
RFC Rudel (Newbie, joined 07 November 2005), posted 21 September 2011 at 6:53pm

I will give you the dsdt file.

It was a hard night. I removed it, it came back, it accessed my 4 SSDs in RAID0 directly, used the cache as a disk, and my LSI almost died.

I have lots of info: all the modded BIOSes it uses, files with config. I may not have experience in Linux, but I know my hardware.

I have an Intel firmware check CD; it reports lots of errors.

By the way, my X58 does not have an ISA bus; I see lots of fake hardware.

It records data on the OS CDs, I know that; one even ran out of space during install....

Edited by RFC Rudel - 21 September 2011 at 7:15pm
bootsect (Senior Member, joined 24 December 2009), posted 21 September 2011 at 6:54pm
RFC Rudel wrote:
> Is that a joke?

No, no, no joke. I'm serious like a wall.

Later tomorrow we will play in "MS IT senior consultant" if I have some spare time - ok :)

But now - drink your milk and get back to the bed right now like your mom said.
RFC Rudel (Newbie, joined 07 November 2005), posted 21 September 2011 at 7:14pm
play? mcp 1436312.
 
I see the code using developer tools like CUDA etc., the connections with netstat, or by capturing packets.
[TheFlash] (Groupie, joined 23 July 2010), posted 21 September 2011 at 7:32pm
By "DSDT" you mean the ACPI DSDT? So this rootkit added its own code to the AML? If so, for the rootkit to be of any use it had to modify the kernel somehow. That's why you should check the IDT and syscall table.
RFC Rudel (Newbie, joined 07 November 2005), posted 21 September 2011 at 7:38pm
uploads/3335/dsdt.zip
 
dsdt summary:
 
Intel ACPI Component Architecture
ASL Optimizing Compiler version 20100331 [Mar 31 2010]
Copyright (c) 2000 - 2010 Intel Corporation
Supports ACPI Specification Revision 4.0
dsdt.dsl   413:     Method (\_WAK, 1, NotSerialized)
Warning  1081 -                 ^ Reserved method must return a value (Integer/Package required for _WAK)
dsdt.dsl   441:             Store (Local0, Local0)
Error    4051 -                         ^ Method local variable is not initialized (Local0)
dsdt.dsl   446:             Store (Local0, Local0)
Error    4051 -                         ^ Method local variable is not initialized (Local0)
dsdt.dsl  8638:                 Name (_WDG, Buffer (0x14)
Warning  1099 -    Unknown reserved name ^  (_WDG)
ASL Input:  dsdt.dsl - 9398 lines, 297378 bytes, 3204 keywords
Compilation complete. 2 Errors, 2 Warnings, 0 Remarks, 1315 Optimizations
[Completed]
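Added here as a worked example, not code from the thread or from iasl itself: a small Python parser for the iasl diagnostic format pasted above, pairing each Error/Warning with the DSDT source line it points at and cross-checking the parsed counts against the compiler's own totals, so a decompiled DSDT's diagnostics can be triaged or compared against a known-good vendor table. The sample input is the thread's excerpt retyped as a constructed string.

```python
import re
from collections import Counter

# Constructed sample: the iasl diagnostics quoted in the thread, retyped as test
# input (not a captured run of the poster's dsdt.dsl).
IASL_OUTPUT = r"""dsdt.dsl   413:     Method (\_WAK, 1, NotSerialized)
Warning  1081 -                 ^ Reserved method must return a value (Integer/Package required for _WAK)
dsdt.dsl   441:             Store (Local0, Local0)
Error    4051 -                         ^ Method local variable is not initialized (Local0)
dsdt.dsl   446:             Store (Local0, Local0)
Error    4051 -                         ^ Method local variable is not initialized (Local0)
dsdt.dsl  8638:                 Name (_WDG, Buffer (0x14)
Warning  1099 -    Unknown reserved name ^  (_WDG)
ASL Input:  dsdt.dsl - 9398 lines, 297378 bytes, 3204 keywords
Compilation complete. 2 Errors, 2 Warnings, 0 Remarks, 1315 Optimizations
"""

# Source-context line, diagnostic line and final totals, in the shape iasl prints them.
SRC_RE = re.compile(r"^(?P<file>\S+\.dsl)\s+(?P<line>\d+):\s*(?P<src>.*)$")
DIAG_RE = re.compile(r"^(?P<sev>Error|Warning|Remark)\s+(?P<code>\d+)\s+-\s*(?P<msg>.*)$")
SUMMARY_RE = re.compile(r"Compilation complete\. (\d+) Errors, (\d+) Warnings, (\d+) Remarks")

def parse_iasl(text):
    """Pair every diagnostic with the source line printed just before it.
    Returns a list of dicts: file, line, source, severity, code, message."""
    diags, pending = [], None
    for raw in text.splitlines():
        m = SRC_RE.match(raw)
        if m:
            pending = m.groupdict()
            continue
        m = DIAG_RE.match(raw)
        if m and pending:
            # Drop the caret marker and collapse the alignment whitespace.
            message = " ".join(m.group("msg").replace("^", "").split())
            diags.append({"file": pending["file"], "line": int(pending["line"]),
                          "source": pending["src"].strip(), "severity": m.group("sev"),
                          "code": int(m.group("code")), "message": message})
            pending = None
    return diags

def check_summary(text, diags):
    """Cross-check parsed counts against iasl's own totals (False if they disagree)."""
    m = SUMMARY_RE.search(text)
    if not m:
        return False
    counts = Counter(d["severity"] for d in diags)
    expected = dict(zip(("Error", "Warning", "Remark"), map(int, m.groups())))
    return all(counts.get(sev, 0) == n for sev, n in expected.items())
```

A count mismatch means the pasted output was truncated or a diagnostic line was missed, so the summary should not be trusted for comparison.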