Gpu based paravirtualization rootkit, all os vulne

dlux
Groupie
Joined: 24 July 2012
Posted: 29 January 2013 at 4:46am
Come on brother RFC Rudel...pm
alpinestarless
Newbie
Joined: 18 January 2013
Location: bayonne nj
Posted: 29 January 2013 at 5:49pm
I bet the first ANTIVIRUS company is in for some major popularity and market steal. I am offering an infected USB drive for grabs for those that want to analyze the malware and hopefully come up with a cure; e-mail me to discuss it at patrykk@gmail.com and make sure to state your company name in "Subject". I already have 2 major companies that requested the infected Network Interface Card. I hope someone comes out with a cure; it will probably involve some sort of boot disk or reverse engineering the thing and using its way of connecting for updates to remove it. Dlux, the malware recently updated itself; I can see new devices on my PC, and on Wireshark there's a lot of Teredo protocol packets flying around which were not here before....
WindowsStar
Senior Member
Joined: 30 June 2010
Posted: 31 January 2013 at 5:39am
Originally posted by dlux:

A lot of people will know about this maybe as soon as next week, maybe the week after.
TV meeting was resched for Tuesday, prof couldn't make it Friday.
Yes it makes much more sense now thanks to Brossard.
I tend to think his is more advanced but this thing keeps getting updates every week.
My illuminated keyboard keeps lighting up for no reason now.
Lots of hiding going on and 1 ultra-high level statement of "not interested" has me confused and worried. (not referencing anyone here, separate reference)
I'm excited and scared at the same time.
This is huge and I don't want to be involved but I'm forced to now.
There is only 1 way out.

edit: this thread is getting 100 views a day now.
 
How did the Tuesday TV meeting go?? We are on the edge of our seats :)
 
machetazos
Newbie
Joined: 01 February 2013
Location: Teh Interwebz
Posted: 01 February 2013 at 1:55am
Hello. I've been monitoring/studying/reverse engineering our little problem since Oct. RFC Rudel and Dlux are definitely on the right track; I can verify everything they have posted. Fake BIOS loaded via GPU, I know a few ways to bypass but it's a temporary bandaid at best and other components still load within the OS, just with limited control over your system. You can tell when it loads because the BIOS splash screen will change between very low and very high resolution. I intercepted a few cleartext packets early on that gave me some valuable intel on this and have noticed the FBI on the line following the trail as well, using a few network forensics tools. Now, it appears that they are running a VPN through my system that terminates in a datacenter physically located in Stockholm, Sweden. This thing is being distributed via torrent files and is very widespread. Affects Android phones as well (have gone through 2, and 2 PC's as well). Not gonna say too much more here because I'm sure our little friends are reading this, but I have managed to flip this thing a couple of times and view their desktop remotely (has happened twice entirely by accident and I am working on reproducing this bug). PM me if you would like to know more.


..I will strike down upon thee with great vengeance and furious anger those who would attempt to poison and destroy my brothers. And you will know my name is the Lord when I lay my vengeance upon thee.
dlux
Groupie
Joined: 24 July 2012
Posted: 02 February 2013 at 8:38am
WindowsStar:
I gave it my best shot. I thought I did very well. I was up against a phd Professor for 90 minutes and he wouldn't even look at my materials. He said I would need to produce infected hardware in a lab and I said no problem. He seemed to be irritated with me and the TV station sided with him and put the story on hold. They had both of us on camera. Good reporter. Still possible to run the lab test, will need to wait and see...



Edited by dlux - 02 February 2013 at 9:10am
dlux
Groupie
Joined: 24 July 2012
Posted: 02 February 2013 at 8:46am
machetazos:
I trust you have some knowledge of this. Much of what you say sounds right, but when you got into the FBI VPN stuff and torrent files I am thinking you have something different. The reason is we don't know what the infection vector is. An argument I had with the Professor was that he thought it probably came from the hardware manufacturer. I'm thinking more of a 0-day vuln (or 1000-day in many cases). It seems possible the FBI is targeting you with this same technology.

I'm gonna go ahead and post 2 main tests here for everyone...
dlux
Groupie
Joined: 24 July 2012
Posted: 02 February 2013 at 8:48am
Everyone:
Please run the following tests and post your results.
(These tests assume you have Vista or Win7 x64. XP or any 32bit Windows I cannot get valid answers from. Windows 8 I have no idea, it might work, try it out and let me know)

1) From Microsoft's own sysinternals.com get the program ProcessExplorer.
Run it (it's a standalone exe, no installer); you will see a Task Manager-like screen with all processes expanded in a tree-like display.
Collapse each of the trees so that you only see the process tree bases.
For example explorer.exe should have processes running from it; we don't care about those, explorer.exe is a base.
Now from the top process in the list right click and choose properties.
(system idle process and system you can skip)
You will see an area in the bottom half of the box that says "Parent:"
Some of the processes will show "<Non-existent Process>(xxx)"
This is normal for some but NOT ALL OF THEM.
If you see ALL process tree bases showing "Parent: <Non-existent Process>(xxx)" then it is very likely you have an infected machine.
These processes are in fact NOT non-existent but they are malicious process hosts running from the malicious hypervisor. Again, at least half of them WILL show non-existent because their parent was killed off in normal fashion. The point is that NOT ALL should show this.
I have observed a CLEAN machine so I know what to look for.

2) From Sourceforge get ProcessHacker (the exe installer).
Run the installer with default options, no changes. (need all plugins enabled and kernel mode driver set).
Run ProcessHacker (as admin if you can, I can't be sure we will see proper results otherwise but it might work).
Assuming you have the proper .NET version installed you should see tabs near the top, the one on the right is named Disk. Click the Disk tab and click the bar titled "Name" so that it will be sorted from Z to A.
(we need that to see things we are interested in showing up at the top)
We are now watching for "Unknown Process(xxx)" popping up accessing files.
Under NO CIRCUMSTANCES should you see "Unknown Process" showing up on a clean machine!!!
Open a web browser; IE and Firefox work in my tests. Go to a website, exit (close) the browser and watch the Disk tab! An infected machine will immediately show "Unknown Process" (more than 1) grabbing the browser cache files and other DLLs. If you see this you are infected!
You can also put a shortcut to ProcessHacker in your startup folder, reboot and as soon as it comes up after boot switch to the Disk tab, sort Z-A and just watch. If you are infected you WILL see "Unknown Process(xxx)" accessing files.

What I need from you:
Please tell me your results of test #1.
If you see process tree bases with a real running parent please make note of that process name and its parent name. Again, I'm only interested in the process tree BASES, NOT processes hanging off of a base.
Please tell me your results of test #2.

WindowsStar
Senior Member
Joined: 30 June 2010
Posted: 02 February 2013 at 5:23pm
For test:
#2 (Process Hacker): None showing on many machines (I looked at several machines). However I can create unknown processes. If you schedule a job in Task Scheduler for 2 minutes in the future (make sure you create something that will run or do something for a minute or two or you may NOT see anything), wait for it to fire off and you will see unknown processes. After the job finishes the unknowns go away and never come back, even after watching the machine for hours. Starting Firefox or IE does not create unknown processes. I also noticed on a machine that was missing the FlashPlayer updates that the FlashPlayer update scheduled job did the same thing. This was after watching the machine for a long time and just by chance catching when the FlashPlayer update started.
 
#1 (Process Explorer): This is a fun one to play with. On a freshly booted machine I see a clean machine, but I can make the machine look as you state. Boot the machine and log on with an Admin account. Run As Administrator CMD.exe. Then end all Explorer.exe processes. Wait about 15 seconds, then from the CMD.exe type Explorer.exe <enter>, wait for explorer.exe to start and bring back your desktop, and then close CMD.exe. You will see that Explorer.exe now shows an Unknown Process as its Parent. The same thing happens if Explorer.exe crashes and the system automatically restarts it, as I am sure we have all seen at one point in time.
 
I hope this helps in figuring this all out. What should be added to the instructions above is to shutdown as in POWER OFF your machine, then power it up and do the tests as the first thing. This way you can avoid the possibility of a process that has ended from a machine that has been on for a long time. -WS
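An added example, not code from any post in this thread: a scripted form of dlux's test #1 that also encodes WindowsStar's observation above, that a parent shown as non-existent is simply a parent that exited (or whose PID was recycled) after spawning the child. It assumes Windows PowerShell 5.1 or later with Get-CimInstance available and an elevated prompt so that CreationDate is readable for every process.

```powershell
# Added example, not code from any post in this thread.
# Scripted version of test #1: classify every process by the state of its parent.
# Assumes Windows PowerShell 5.1+ (Get-CimInstance) and the Win32_Process class.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.ProcessId -gt 4 }          # skip System Idle Process (0) and System (4)
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    if (-not $parent) {
        # Parent PID no longer maps to a running process: the parent exited after
        # spawning this child. Process Explorer labels this "<Non-existent Process>".
        $state = 'ParentExited'
    } elseif ($parent.CreationDate -gt $p.CreationDate) {
        # The PID is present but belongs to a process started AFTER the child, so the
        # number was recycled and the real parent is gone. Still not a live parent.
        $state = 'ParentPidReused'
    } else {
        $state = 'ParentRunning'
    }
    [pscustomobject]@{
        Pid        = $p.ProcessId
        Name       = $p.Name
        ParentPid  = $p.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '<Non-existent Process>' }
        State      = $state
        Started    = $p.CreationDate
    }
}

# The "process tree bases" of the thread are exactly the rows whose parent is not
# running; Process Explorer draws a process under its parent only while that parent
# still exists. Sorting them by start time separates processes started at boot by a
# launcher that has since exited (expected) from ones that appeared later.
$report | Group-Object State | Select-Object Name, Count
$report | Where-Object State -ne 'ParentRunning' |
    Sort-Object Started |
    Format-Table Pid, Name, ParentPid, ParentName, State, Started -AutoSize
```

Run it right after a cold boot, as WindowsStar suggests, so that long-uptime noise (crashed and restarted explorer.exe, finished scheduled tasks) does not inflate the ParentExited count.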
dlux
Groupie
Joined: 24 July 2012
Posted: 03 February 2013 at 9:12am
WS:
For test #2 are you sure you were looking AFTER you went to a website AND after you closed the browser? You can also test by opening an Excel spreadsheet (an actual file) (Excel 2010) and closing Excel. For Firefox you should see the Unknown Processes instantly grabbing the browser cache files and other things. It will even make a folder called Cache.Trash in the folder where the cache files are. This Cache.Trash will NOT be visible even if you have the explorer window open to try to see it. It's a reparse point (injected) and even if you search deep in the OS it will not be listed. Yes, Firefox STARTING will not create Unknown Procs, closing it will if you went to a website.
Try again with ProcessHacker set to run at boot in the startup folder. If you are infected you will see Unknowns pop up during boot for a few mins. Let me know please, thanks.
Interesting about the task sched jobs. I don't like how that sounds, it shouldn't be that way. In any case let me know about the PH at boot. That one is a clincher.

#1, yes you can make non-existent parents. I know, the procedure you described is correct to create those. No problems there. Power off YES true, but also make sure the power cord is removed. The RAM and GPU will retain contents otherwise. Yes, do all tests as first thing.
You mentioned that at first boot you see a clean machine for test #1.
Please give me details about which Process Tree Bases (my own term) show an actual running parent. This is very important to me. I have only seen 1 machine that shows bases with real parents and that machine also passes test #2 with NO Unknowns.

These aren't the only 2 tests. There are 6 total, but if these first 2 don't pass then I'm pretty sure of infection already. In your case right now I can't make any conclusion. The Unknowns in PH I think should not be there in any circumstance at all. If you tell me you have specific process tree bases with real parents then I will need to contemplate further. i.e.: it would look good, but seeing Unknowns in PH causes some confusion.
Please let me know.
Thanks man

dlux
Groupie
Joined: 24 July 2012
Posted: 03 February 2013 at 9:24am
Alpine:
I don't see any funky devices here. The only thing I can see are suspicious duplicate entries for devices in PCIScope that show "Unknown Arbiter of (device whatever)". That looks like chipset virtualization to me. If you see things in DeviceManager then my thinking is very strong that you have a Ring 0 rootkit. This malware is below ring 0 and injects code into objects as it wants. Nothing seen there.
As far as Teredo packets, yes I suspect IP6 too and there is no way to actually block that. I have disabled and even removed system files and drivers related to IP6. TCPIP.sys still has IP6 built in, so it is not known if any of my preventions are working. Since you are actually seeing IP6 packets on the machine it again leads me to think you have a Ring 0 rootkit. My malware has updated in the last year to prevent me from seeing anything with my old "fishing mode" methods.
