Sysinternals Homepage

Gpu based paravirtualization rootkit, all os vulne

RFC Rudel (Newbie, joined 07 November 2005)
Posted: 27 September 2012 at 9:49am
The only HDD app that can see the partitions is Partition Guru.

RFC Rudel (Newbie, joined 07 November 2005)
Posted: 27 September 2012 at 10:23am
Originally posted by SystemPro:

    @Flash: I must instruct you. They usually destroy the possibility of reflashing.

In my case, I noticed that the BIOS flashing was ultra fast (it was not writing the chip...).

If you have some artifacts during POST (and I tried 4 GPUs), that's a bad sign.

That was the ultra-brief summary. I can explain it all in detail.

Edited by RFC Rudel - 27 September 2012 at 10:26am

bishopdevnull (Newbie, joined 07 November 2012, Location: Vancouver)
Posted: 07 November 2012 at 6:52pm
I REALLY WISH THIS GUY WAS NUTS OR DRINKING THE CRAZY KOOL-AID...
unfortunately.

He's way toooo legit.
I have never ever seen anything like this before in all my years as a tech. Someone please help.
This thing is on all of my systems; I've managed to contaminate my parents' and gf's machines and the local internet cafe. DVDs come out of systems blemished, cloudy and messed up, and I'm constantly finding myself browsing the content of installation discs trying to parse file structures and binary data in Notepad in a spiraling whirlwind of paranoia....

Windows, Linux and BSD live discs are getting rooted within 20 minutes of boot on systems that I've removed all drives from. I've blind flashed my BIOSes and the thing keeps recurring. Reinstated long-retired workstations and laptops, transferring nothing but CPU, memory and PCI-X GPUs... still Windows installation DVDs show a creepy-ass once super-quick, then once normal-speed "Windows is loading files..." progress bar... selecting repair install and browsing the disc contents via command prompt > Notepad > File - Open > reveals a RAMDISK and ISO image full of foreign PE / clg / WIN info with XML data and reg scripts set to non-existent domains off a retail disc that should be a Home Premium install. Loading an Ubuntu live disc results in it being rooted within 30 minutes. Shows ARP and network activity with the loopback and 0.0.0.0 addresses simultaneous to video drivers loading in tail and dmesg...

What the EFF is going on.
I just bought an Alienware M17xR4 to start fresh. It's infected too now. Dell is saying Malware --> Software --> Unsupported. Even though it persists without any physical media in the system. I can't flash the bastard away, and this >$2K machine has its locked fancy-ass Dell BIOS + Nvidia 660M GPU + some crazy Ivy Bridge CPU integrated secondary GPU + Ethernet + WLAN + WPAN + HDD + SSD + optical controllers and other integrated peripherals... how the hell can I flash all of these firmwares in the same reboot cycle as a BIOS flash?? Am I screwed??? Any help would be much obliged!

bishopdevnull (Newbie, joined 07 November 2012, Location: Vancouver)
Posted: 16 November 2012 at 12:15pm
Were you able to get back to bare metal with this malware? I am dealing with the same and I am losing my mind. Please give me any help you can. I have an i7 laptop with dual GPUs: one integrated into the i7 Ivy Core chipset and another nVidia 660M, on an Alienware M17xR4.

dlux (Groupie, joined 24 July 2012)
Posted: 06 December 2012 at 4:12am
bishopdevnull:
The ramdisk you saw is interesting. It is normal for a sysprep install (which is NOT the standard; it is used purposely by the malware). I might try that and look.
The DVDs being blemished or cloudy is the same thing one other guy said here.
I find it impossible. Even if you programmed the DVD drive to do that, it wouldn't work. The head would have to slam into the disc and it would ruin the drive. I haven't seen anything like that here.
The first thing you did wrong was to use any old hardware, especially the vid card.
The board you have with the GPU integrated is toast. Forget ever fixing that one.
Unless you can remove the BIOS chip (socketed on mine) and replace the vid card, DVD drive and hard drive, you aren't going to win.
The network activity on loopback and 0.0.0.0 in Linux I saw also.

Edited by dlux - 16 December 2012 at 11:39am

dlux (Groupie, joined 24 July 2012)
Posted: 06 December 2012 at 4:13am
RFC Rudel:
Partition Guru didn't see anything here.

Edited by dlux - 16 December 2012 at 11:19am

dlux (Groupie, joined 24 July 2012)
Posted: 06 December 2012 at 4:17am
I sent an email to Dan Goodin at Ars Technica about 4 days ago.
Apparently he does not think this is newsworthy and ignored it.

Edited by dlux - 16 December 2012 at 11:40am

doublez (Newbie, joined 08 December 2012, Location: Portland OR USA)
Posted: 08 December 2012 at 11:00am
Greetings, I've been following this thread for some time now, and although I'll admit that I'm skeptical of some of the claims being made (it's obvious there is some trolling going on) I am interested in learning more about the ideas being discussed here.

I'd like to share some information regarding an experience I've had recently. I also have a few questions for the original poster as well.

Several months ago, I received a notice from Windows Security Center that some malicious software was detected on my laptop computer. I had just arrived home on a Tuesday afternoon and found this message open on my display. This Tuesday was indeed a "Patch Tuesday", as it is popularly known. The message referenced several security bulletins regarding recently disclosed vulnerabilities affecting Java which had been made public in the week prior to Patch Tuesday. One of the files found on my laptop matched a signature associated with the Blackhole exploit kit. The Java exploits I am referring to are well known for their high success rate, working reliably across a wide range of platforms and software configurations, and it is reasonable to assume that the injected code ran successfully. In all likelihood a dropper pulled in some components of the Blackhole kit and enlisted my machine into some kind of Minecraft gold mining scheme or other similar activity.

Prior to that afternoon, I had not paid much attention to computer security for a long time. I used to be employed as a sysadmin / Unix systems programmer in the '90s, working for an internet service provider. I was familiar with computer security issues for many years before pursuing a different career path in 2001. Nearly 12 years had passed since I'd heard the term "0-day" used in a discussion. Recently, as I began to research the issues that led to my system being compromised, I was surprised by the level of organization and sophistication common among current exploit platforms. Again, in the '90s when I was subscribed to Bugtraq and employed to patch systems against exploits, people were using scripts to scan the network, search for vulnerable systems and exploit vulnerabilities in an automated fashion; however, these were a far cry from what exists now. Typical modern vulnerability exploit frameworks are scanning for and exploiting hundreds of vulnerabilities (one package is equipped to exploit 600+ vulnerabilities), in an autonomous fashion, across a wide spectrum of hardware platforms and software installations, with capabilities for receiving updates as new vulnerabilities are discovered. Likewise, I was surprised to learn about the vast criminal industry that is flourishing in this landscape of opportunity.

I decided to download some software to scan my laptop (running Windows 7 SP1) to see if I could determine what had been installed on my machine. I was not satisfied with the performance of any of the tools I tested. I spent a few weeks exploring the file system, looking through files with a hex editor, monitoring the system, becoming acquainted with the Sysinternals suite, analyzing network traffic with Wireshark, saving logs, researching Windows 7 security information and taking lots of notes. After some time, it became clear that I was not going to "get to the bottom of it". I could tell that something was wrong but I could not figure out where the malicious code was installed.

I reinstalled Windows 7 on both my laptop and my workstation (which had been exhibiting similar suspicious behavior). I performed clean installs from the original licensed installation DVDs (Windows 7 Professional 32-bit and Windows 7 Home Premium 64-bit). I spent the next day holding Windows' hand while it downloaded and applied hundreds of security updates via Windows Update on both machines. I configured the Windows Firewall to block all incoming and all outgoing connections, allowing only outgoing/incoming DHCP, outgoing HTTPS to Microsoft's IP address blocks used for its Windows Update servers, and outgoing HTTP/HTTPS for Firefox. I disabled all services that can be disabled, went through all of the configurable options for the systems, MMC, group policy, automated tasks, winevt; in short, I did everything I could to secure the systems.

The next day, I left my home with my laptop, and sat down to use it at another location. I opened Firefox for the first time to connect to Gmail. I was connected for a few moments, reading and replying to a single email message, when my machine began to run very slowly. I could hear the hard drive working nonstop with read/write access. I opened one of the Sysinternals utilities and observed some processes executing; at first I had the impression that all of the .NET framework object files were being recompiled or relinked. In the area of the display where GPU utilization is displayed, I observed sawtooth-shaped waves which showed GPU utilization climbing from 0% (normally always at 0%) to 100% and back to 0% in about 10 seconds' time; this occurred over and over again for approximately 3 minutes, creating a long line of uniform sawtooth-shaped waves on the GPU utilization display. I had been using this same utility for weeks and had never before seen any GPU activity, nor have I observed any since that time. The system continued to run close to 100% CPU/disk utilization for approximately 1 hour. A large number of processes were executing with read/write access to a large number of system files. Near the end of this activity, the system ground to a halt where the mouse would not move, the display went black for 2 seconds, and then the display lit up again (not a reboot, my applications stayed open) and everything was working normally. By normally, I mean that everything was working the way it did before I re-installed Windows, which is to say that the bootkit persisted through the Windows re-install. When I returned home, I observed that my workstation (clean install Windows 7) also was affected by the bootkit again. It would seem that the bootkit was inactive for 48 hours after a clean install before resuming activity.

I have a few questions for the original poster:

Do you notice anything unusual happening in userland on your Windows 7 installations on the systems affected by the BIOS/GPU-resident bootkit?
Have you noticed any odd behavior which would indicate the bootkit is hooking routines related to Windows Search functions?
Likewise, have you observed any behavior that would indicate the bootkit is hooking routines related to automatic tasks triggered by Windows system events?
Have you noticed any files signed by Windows Terminal Service?

Thanks,

-z
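The firewall lockdown doublez describes in the post above (default-deny in both directions, with only DHCP, HTTPS to Windows Update and HTTP/HTTPS for Firefox allowed), written out as a netsh advfirewall script for Windows 7. This is an added example, not the poster's own commands: the Microsoft address ranges and the Firefox path are placeholders, and the DNS rule is an addition not in the post, since name resolution needs it.

```batch
@echo off
REM Added example (not from the thread): Windows 7 firewall lockdown.
REM Run from an elevated command prompt. Save the current policy first so
REM it can be restored with: netsh advfirewall import "%USERPROFILE%\fw-before.wfw"
netsh advfirewall export "%USERPROFILE%\fw-before.wfw"

REM Default-deny in both directions on every profile. The outbound block is
REM the part that matters: anything not explicitly allowed below is dropped.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

REM DHCP: client port 68 exchanges with server port 67, both directions.
netsh advfirewall firewall add rule name="Lockdown DHCP out" dir=out action=allow protocol=udp localport=68 remoteport=67
netsh advfirewall firewall add rule name="Lockdown DHCP in" dir=in action=allow protocol=udp localport=68 remoteport=67

REM DNS is not in the poster's list; without it neither Windows Update nor
REM Firefox can resolve names, so it is allowed here (added assumption).
netsh advfirewall firewall add rule name="Lockdown DNS out UDP" dir=out action=allow protocol=udp remoteport=53
netsh advfirewall firewall add rule name="Lockdown DNS out TCP" dir=out action=allow protocol=tcp remoteport=53

REM Windows Update: HTTPS only, limited to the update service (wuauserv,
REM hosted in svchost.exe) and to Microsoft's address blocks. The ranges
REM below are a PLACEHOLDER (documentation prefixes); substitute the blocks
REM you have verified for your region.
set MS_UPDATE_RANGES=203.0.113.0/24,198.51.100.0/24
netsh advfirewall firewall add rule name="Lockdown Windows Update" dir=out action=allow protocol=tcp remoteport=443 remoteip=%MS_UPDATE_RANGES% program="%SystemRoot%\System32\svchost.exe" service=wuauserv

REM Firefox: HTTP and HTTPS for this one executable only (path assumed).
netsh advfirewall firewall add rule name="Lockdown Firefox web" dir=out action=allow protocol=tcp remoteport=80,443 program="%ProgramFiles%\Mozilla Firefox\firefox.exe"

REM Verify: every profile should report Firewall Policy BlockInbound,BlockOutbound,
REM and the outbound rule list should show the Lockdown rules (plus built-ins).
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all dir=out | findstr /C:"Rule Name:"
```

A host firewall runs inside the OS that the thread suspects is already compromised beneath it; rules like these constrain what an OS-level component can reach, not code that runs before Windows loads.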
doublez (Newbie, joined 08 December 2012, Location: Portland OR USA)
Posted: 08 December 2012 at 1:04pm
I would like to share another brief note which I hope will be of interest to persons dealing with bootkits exhibiting persistence across operating system reinstallation (indicative of a BIOS/GPU-resident component).

In the course of attempting to analyze what I believe may be a bootkit which includes a BIOS/GPU-based component, I have bricked 2 motherboards (both are older Intel Desktop Boards). When I use the term "bricked", I mean to say that these boards are now non-functional and non-recoverable using Intel's recommended BIOS recovery procedures. When power is applied to the system they will not perform any useful function. The system powers up in the sense that the CPU, system memory, fans, and peripheral devices all receive power, but the display remains dark (no self test, no BIOS startup messages), indicating corruption of the BIOS. Each board was tested and functioning correctly prior to my using them for this purpose. I have been the sole owner of both boards since purchasing them many years ago (yes, these boards are pretty old).

The point that I believe may be of interest or significance is the fact that these two boards both likely have the same (or nearly identical) BIOS firmware, as they were both manufactured around the same time by Intel. If there is a component of a bootkit which alters BIOS/GPU memory, and it is incompatible with certain BIOSes (causing corruption), then it would certainly stand to reason that it would affect two similar or identical BIOSes in the same way.

These are the model numbers:
Intel Desktop Board D915GEV
Intel Desktop Board D865PERL

Setup procedure:
I entered the BIOS setup screen and selected the "reset to factory defaults" option, saving and exiting the BIOS to restart. I entered the BIOS setup screen again to disable the quickboot feature, and to disable the feature sometimes named "silent boot" or "startup image" which replaces the display of useful system information with a splash screen graphic. I connected a hard disk likely to be affected by malicious software to the system and booted it. I entered the BIOS setup screen again to verify that the disk was detected. I booted the machine from the hard disk. I placed the original Windows install DVD in the DVD drive and shut the system down. I then rebooted the system. It booted part way before hanging. Upon cycling power, I discovered it was bricked.

Same exact steps with both boards.

-z

dlux (Groupie, joined 24 July 2012)
Posted: 09 December 2012 at 11:09am
doublez:
As for your situation, I would not expect this malware to brick the board. It's possible it's a different malware. I've seen this malware on 4 different machines, all different chipsets.
It is extremely well written to be able to do what it does on Award and AMI BIOS, first of all, and second of all it can virtualize at least 4 chipsets.
The first thing that sticks out is that you connected a known infected drive.
I did the same, although I didn't know except in hindsight, when I figured out my old machine had actually been infected with this and I never knew.
It could be that the drive (malware) was expecting a different BIOS or something to that effect.
In the case of the malware RFC and I are talking about, the machine would boot "fine", but infected.

The simple conclusion here is that there is no organization that will admit that all hardware is wide open. There is nobody who can tell you that their BIOS or GPU ROM or any firmware is physically write-protected. That means it is wide open to be hacked. What they WILL try to do is hide behind the TPM chip and say it will prevent it. It won't. It just closes off a few attack vectors.

Edited by dlux - 16 December 2012 at 11:22am