Sysinternals Forum: Windows Discussions > Malware

Gpu based paravirtualization rootkit, all os vulne

WindowsStar (Senior Member, joined 30 June 2010)
Posted: 30 December 2012 at 6:03pm
@Brentavery

The way you posted your account of this makes it seem more like a hoax. I am just saying.

@Forum Readers

On the other side: if this is real, then consider that between my brother and me we manage over 900,000 computers worldwide, some with the biggest companies on the planet, mid-size and small as well. So far we have never seen anything like this, and we should have if it exists. What's more, what makes this seem like a hoax is that if this really has been reported to the virus companies they would look into it; we have done this many times and they always take it very seriously.

Just my two cents: No Flames. -WS

dlux (Groupie, joined 24 July 2012)
Posted: 31 December 2012 at 6:48am
Brentavery:
It seems that if you are seeing any sort of "files" from malware then you have either a variant or something in addition to the one Rudel and I are discussing. There are no files or any such evidence here. The fact that you are seeing such "instant" infection indicates to me that it's the "bios/gpu/hypervisor/whatever", and since you can't see that you chase your tail, as you say.

You need to use ProcessHacker and watch the disk tab (kernel mode driver enabled) after using, for example, Firefox: go to any website, then close the browser. You will see "unknown process (pid)" accessing the browser cache and other browser files. Also Excel upon close will show "unknown process". Sort the disk tab Z-A to see things better.

Also look at ProcessExplorer in the standard "task manager" screen and collapse all process trees down, do Properties on each tree base process and see if ALL of them show Parent: <non-existent process>(pid). It is normal to see some with this, as the parent was killed off, but Explorer.exe and any other non-Windows process having its own tree base should not.
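The Process Explorer check described in the post above (finding processes whose parent no longer exists) can be scripted so it runs the same way on every machine being compared. This is an added example, not code from the thread or from any poster; it assumes a Windows host with an elevated PowerShell session, and the function name Get-OrphanedProcess and the baseline list are mine. The baseline of "expected" orphans should be taken from a known-good machine, not from the suspect one.

```powershell
# Added example, not code from the thread. Lists processes whose parent PID is
# no longer alive, i.e. what Process Explorer shows as
# "Parent: <non-existent process>(pid)". Run in an elevated PowerShell so that
# every process's ExecutablePath is readable.
function Get-OrphanedProcess {
    [CmdletBinding()]
    param(
        # Names that routinely outlive their parent on a healthy Windows box.
        # explorer.exe is started by userinit.exe, which exits after logon, so
        # it normally appears orphaned. Extend this list from a known-good
        # machine rather than from the suspect one. -contains is case-insensitive.
        [string[]] $KnownOrphan = @('explorer.exe')
    )

    # Snapshot once so parent lookups do not race against processes that start
    # or exit while the list is walked.
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $ppid = [int]$p.ParentProcessId
        if ($ppid -eq 0 -or [int]$p.ProcessId -eq 0) { continue }  # Idle / System
        $parent = $byPid[$ppid]

        # Windows reuses PIDs. If a live process holds the parent PID but was
        # created AFTER the child, it cannot be the real parent: the child is
        # still an orphan and the displayed parent is misleading.
        $orphan = ($null -eq $parent) -or
                  ($null -ne $parent.CreationDate -and $null -ne $p.CreationDate -and
                   $parent.CreationDate -gt $p.CreationDate)
        if (-not $orphan) { continue }

        [pscustomobject]@{
            Name      = $p.Name
            ProcessId = $p.ProcessId
            ParentPid = $ppid
            Path      = $p.ExecutablePath
            # $false marks an orphan outside the baseline; check its Path,
            # signature and creation time before drawing any conclusion.
            Expected  = ($KnownOrphan -contains $p.Name)
        }
    }
}

# Unexpected orphans sort first.
Get-OrphanedProcess | Sort-Object Expected, Name | Format-Table -AutoSize
```

Compare the output of a suspect machine with that of a freshly installed one of the same build; differences in the unexpected set are what merit a closer look, not the presence of orphans as such.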

dlux (Groupie, joined 24 July 2012)
Posted: 31 December 2012 at 7:26am
WindowsStar:
If you followed this thread from the start you would see many links to white papers and proofs of concept on GPU malware dating back to 2006. RFC Rudel listed his numerous certs, and I myself have managed and deployed thousands of PCs in many Fortune 500 companies since 1993, not to mention servers. None of our qualifications makes any difference, as I have a live machine and can demonstrate this malware and show proof, showing indisputable evidence. I have tested 5 machines and the only 1 that wasn't infected with this was my neighbor's.
Do you think for a second that any anti-virus company would disclose that there is NOTHING they can do about preventing or removing HARDWARE malware? They WON'T! I have proof of that as well, and RFC Rudel and others have complained about this as well. I have emailed Kaspersky, who denied it even after seeing proof; I have a phone contact at Symantec who forwarded my proof to the engineers and she never heard anything back.
Did you notice all the recent "news" about malware that attacks governments? None of those have any BIOS component. In fact the ONLY one reported was an isolated Mebromi affecting only China. Certainly a BIOS that is not physically write-protected can't be hacked. Certainly a GPU ROM that is not physically write-protected can't be hacked. So it's all a hoax. Right? I see in my GPU Option ROM a copy of my BIOS, RAID firmware and NTLDR. Certainly all of those should be in a normal GPU ROM, right?
The mode of thinking you have is one of the pillars that has prevented this news from getting out.
You don't see it because you don't have any reason to look for it. Unless you know what to look for you will never see it.
The only thing I currently cannot verify, and probably will never verify, is the HDD firmware or DVD firmware. I have no tools to look at them, and even if I did I could not be sure I got a true dump, as the hypervisor has proven in other tests to return clean or fake information.
What I can prove is BIOS, GPU and filesystem tampering, and I can also prove that unless every piece of hardware is replaced the system will be reinfected at first boot.
This thing is a cancer and I've had to live with it for over 2 years.
If I had money I could get out from under it by running some very careful testing in order to figure out exactly what does not infect. It would probably require 3 or 4 machines getting wasted.
I don't take kindly to any skepticism by high-level engineers, especially since I can prove not only the technical side but also the brick wall I have encountered with AV and news orgs.
In the end you will be forced to understand once I get this story out, and subsequently your understanding of security will be turned on its head.
Hardware is not physically write-protected. It's a fact.
No flames, just sayin'.

WindowsStar (Senior Member, joined 30 June 2010)
Posted: 31 December 2012 at 6:52pm
@dlux
Well, it sounds like you have a real problem, and I am sorry you are going through it. I do not take your issues lightly; I am not trying to say there are NO issues here, just that I find it strange to have not seen it. Strange, when I/we have seen just about everything that has ever come out, due to how many systems are managed. If there was a way I could help I would. But since we have not seen anything like it I have no options for you. I posted an email throughout my network downstream and asked all managers to contact all their high-level techs, posing this issue to see if this has happened but just did not make it back to tier 3.

So far every email has been clear.

Here is why I am/was skeptical:

#1 This is being posted on a Microsoft forum which is read by some of the top Microsoft engineers. I know some of them, so why wouldn't they look into this and talk about it, explore it, work on it, understand it, etc.? Denial? If so, why? How does this help Microsoft? If computers are not working it does not help them in any way.

#2 In the full thread there are links to articles stating that this is all theoretical, not real but could be created. Ok, so could, can and are all subjective, I know that.

#3 In one of those articles it states that this is very possible, however you would HAVE to have physical access to the machine to install it and get it going. Plus it needs access to older types of BIOSes; most newer BIOSes are encrypted to protect from this type of thing happening.

Again, I am not saying you are not experiencing this, but if those articles are true (I have no proof they are), then one must ask how you got this nasty rootkit?

I appreciate your time and I will keep this on high alert, as I have seen the Stuxnet virus in power systems and SCADA systems, so I know that there are real threats out there. -WS

Edited by WindowsStar - 31 December 2012 at 6:54pm

dlux (Groupie, joined 24 July 2012)
Posted: 01 January 2013 at 8:10am
WindowsStar:
To answer your questions,
1) I informed Microsoft about this in Dec 2011; the tech took complete notes, never a response from MS, but he did say that they probably wouldn't respond. I am certain they know about this, as they pressed hard for TPM in Windows 8 as well as an "attempt" with the preboot malware driver. TPM is a good start but it will only complicate one of the attack vectors until it is worked around. TPM was shown to be vuln to attack by Team Rutkowska at least 3 years ago. Microsoft really has no way to defend against a hardware attack when they are in Userland/Kernelland. The onus is not on them but it is clearly on the hardware manufacturers, who still refuse to simply offer a physical write-protect switch on their firmware/BIOS. As a side note, my email to the TCG (TPM) Director regarding Rutkowska's TPM discoveries has gone unanswered. Microsoft would be better served explaining why they still have so many open doors pre-configured, such as auto-play/auto-run and the huge list of RDP/TermSrv/WinRS/WSman/PPTP/sua/PowerShell/eHome RDP and the SxS "vulnerability repository". It's hideous. Once a machine is owned it's already set up to do everything the attacker wants. To remove all of those open doors requires weeks and expertise. Not to digress...
2) Brossard just a month ago presented his proof of concept at BlackHat 2012. It was basic and crude but worked. It was somewhat amusing to me because a fully refined version has been out for over 3 years. By the way, a few weeks ago in an interview the TCG Director spoke of this type of malware matter-of-factly and it was not even asked about after his statements.
3) No, you don't need physical access. Any number of zero-day vulns could be used as the attack vector. Pick one, or wait in the coming days/weeks to see more OS/Browser/JAVA critical vulns come out. Older BIOSes? Try Gigabyte X58-UD5 or ASUS Sabertooth X58, both owned, Award and AMI. Newer BIOSes are not encrypted, they are signed, and that's only with the TPM chip involved. Have you seen any TPM shipped on any motherboards besides laptops or maybe a Dell? UEFI BIOS? Rudel already said UEFI was owned.

Yes, one must ask how I got it. I don't know for sure but I am fairly certain it was on my old P4 XP machine, going back at least to 2009. That machine was in very high security mode. It had to be a zero-day vuln. How it got to my new (2) machines would have to have been through plugging in an old drive from the old XP box. Another thing (the big thing) I have concluded is that it is very likely that this "hypervisor malware" is the foundation of TDL-4/TDSS. I have seen 3 machines infected with that, and after removing TDL-4 I ran my tests and lo and behold this hypervisor was there. TDL-4 has been extensively analyzed (check TDL top bot on securelist.com) and this malware matches many of the capabilities I found in the TDL-4 research. I'm willing to bet huge amounts of money Kaspersky and others were able to see this but they never mentioned the BIOS/GPU component, and it was on purpose. They had 6 copies of my old machine's BIOS to look at, all of which were polymorphic, and they refused to reply to my above assertion about TDL-4.

Edited by dlux - 03 January 2013 at 9:40am

dlux (Groupie, joined 24 July 2012)
Posted: 12 January 2013 at 10:15pm
New Facebook page dedicated to this:

Search Pages for Unknown GPU Hypervisor Malware

or just go here:

https://www.facebook.com/pages/Unknown-GPU-Hypervisor-Malware/131545397008622

alpinestarless (Newbie, joined 18 January 2013, location: Bayonne, NJ)
Posted: 19 January 2013 at 9:54am
I finally found the same problem here. I would like to add to this: I have been sitting on this rootkit/bioskit for 2 months. 4 Android phones infected, 1 HP machine damaged to junk, 2 laptops unbootable from messing with the BIOS and being unfortunate. Now I just built another machine and infected it by using a DVD burned on an infected machine with drivers I needed. I know a few things: it resides in the BIOS as a DMI extension, it does sit on most devices (portable hard drives and such), and it's spreading pretty quickly. I received a replacement phone with this rootkit on it; it was refurbished, but apparently it went unnoticed. I paid for a subscription from Bitdefender for a whole year and installed it on my mother's laptop, yet it somehow went unnoticed onto her laptop from a DD-WRT flashed router that was also infected, even though it was reflashed before I gave it to her. A Microsoft Surface running Windows 8 RT was also infected; I returned it just before the return policy expired. HP gave me a hard time returning their laptop after I spent a few dozen hours with level 2 tech support on the phone (they are very poorly educated about such things). I don't even know where to start with removing this (you can call it a hardware-based infection). I want some answers. No antivirus software picks it up, NONE!
I have 2 USB drives that I know are infected with it. You plug one into a Windows machine, even with autoplay off/disabled, and it still somehow manages to force itself onto the machine as a PCI device or virtual card reader, floppy drive and/or sound device or Bluetooth. I have lots of logs for it, including some of the network traffic dumps from it. Please, can someone point me to a bigger group of people with this infection that are trying to get money back for hardware being bricked?

alpinestarless (Newbie, joined 18 January 2013, location: Bayonne, NJ)
Posted: 19 January 2013 at 9:59am
I can also add that it has to do with markmonitor.com; a lot of websites that this rootkit/bioskit/malware points to belong to this organization. This is truly huge-pocket sponsored malware, welcome to 1984. Funny thing is, a lot of PIDs on the Windows machine related to this malware are running as PID 1984...

Here's the first dmesg after a fresh install of Ubuntu 10 x64:

http://pastebin.com/v1D5KpbA

Edited by alpinestarless - 19 January 2013 at 10:05am

RFC Rudel (Newbie, joined 07 November 2005)
Posted: 20 January 2013 at 6:47am
How do you detect paravirtualization? That's the key for standard use of VMs: the OS can't feel the difference.
The key is not to be seen...

If the PC is infected, all you see on the monitor is relative.
One variant fakes BIOS menus...

Power off is suspend; it has many self-defence tricks.

I sniffed the network of a clean-install PC (hardware infected) and I found malware traffic.

This is no joke, and it is an understandable path for virus makers.

Edited by RFC Rudel - 20 January 2013 at 6:52am

netsec (Newbie, joined 20 January 2013)
Posted: 20 January 2013 at 9:52am
If someone wants to infect your hardware device they first need to download the driver for it. Then they need to decompile it using software and then allow you to download the modified driver and install it.

It's not easy or simple... it's complicated, and it's probably only useful if you want to target "common" hardware that is used.

http://www.youtube.com/watch?v=G26oZtzluAQ