Gpu based paravirtualization rootkit, all os vulne

dlux (Groupie, joined 24 July 2012), posted 04 February 2013 at 9:08am
WindowsStar:
System Idle Process and System are to be ignored.
Did you find any bases with running parents at first boot?
I'm not clear on that yet.
If you did, which one was it?

I did your test with CMD and made a note of what CMD's PID was. The new explorer.exe had that PID as its parent (expected). After restarting Process Explorer you would see that the parent was non-existent with that PID (expected).

dlux (Groupie, joined 24 July 2012), posted 04 February 2013 at 9:13am
RFC Rudel:
Yes the setup logs show strange things regarding errors, setup makes an assumption then resumes setup with that assumption.
The easiest thing for me to see is that it is clear the setup was done as a sysprep.
I'm not able to decode the logs to determine the things you are looking for.
I would need to know more about the cryptic output first.
It's totally obvious about sysprep though.


Edited by dlux - 04 February 2013 at 9:18am

dlux (Groupie, joined 24 July 2012), posted 04 February 2013 at 9:27am
To all:
The 2 tests I have described are what I found to be telltale signs.
1 machine I know looks totally normal on these tests.

I know 4 things with absolute certainty:
1) The BIOS is hacked. I got 6 copies of my old machine's BIOS and all are totally different at each boot.
2) The GPU option ROM contains everything needed to boot the machine: BIOS, NTLDR, Windows BCD.
3) Windows is forced to install as a sysprep in order to bypass driver signing reqs.
4) The machine connects to other machines all over the world on many ports and no connection is visible using standard methods. I've tested numerous times, and tested today for an hour, found 1 connection to 88.151.x.x on a funky port outside of my set ephemeral range, with no daemon running on that port. I have observed hundreds of connections to and from my machine from many places including China and Russia, TCP, UDP, ports 1-65535. No, it is not software updating. I killed all that a long time ago; I update manually. WUS is killed and removed on my system. I've seen artifacts from attackers' RDP sessions, i.e. recycle bins that have SIDs that aren't mine.

Those 4 things are ironclad 100% positive and that's all the proof anyone needs.



Edited by dlux - 04 February 2013 at 9:38am

cellobrew (Newbie, joined 03 February 2013), posted 05 February 2013 at 3:48am
@dlux:
I followed your directions. Process Explorer was run at cold boot. All trees were collapsed. Skipped System Idle and System. ALL other processes show unknown parent.

Results are essentially the same for all three laptops in my home: a Lenovo, a Sony Vaio, and an HP Pavilion.

Don't know how to read or flash my BIOS. How do you know "it" stole your credit cards?

Someone in this thread mentioned that their Android smartphone was infected. I'd like to hear how you can determine that. That possibility actually upsets me more than the compromised computers. I'll just keep using them (but without any sensitive data, banking, shopping, etc.) until an AV company comes up with a way to prevent a clean machine from being infected, then I'll buy a new one.

By the way, Process Hacker has a "Processes" tab which seems to give the same information as Sysinternals Process Explorer.

dlux (Groupie, joined 24 July 2012), posted 05 February 2013 at 10:29am
cello:
Thanks for the info.
I have only seen 1 machine that shows running parents. (Sorry to keep saying it.)
I based my assumption that there is "something strange" on that, since machines I knew were infected showed non-exists and the clean one did not. The clean one also did not have any unknowns in PH. Until WindowsStar and maybe others confirm their machine has or has not running parents I am waiting to draw a conclusion. It may be that there is nothing of value to assume from the results of tests 1 or 2. Test 2 with the Unknown Process is cause for concern or at least question. On my end I clearly see Unknown Process doing things that are NOT normal. There is absolutely no question those processes are malicious on my machine. I have watched them closely for months and their only purpose is to steal information or run things that get information. Why they seem to be on everyone's machine (except 1) is the big question.
As RFC Rudel said, he does not trust what the OS tells him. I'm finding that true in almost all cases but a few. I was told by 1 engineer that the Unknown Procs are simply terminated processes. That cannot be true because the PIDs they show never existed and the procs can't be seen normally. Maybe someone at Microsoft can explain why they are there? Nobody I have talked to knows anything about it.
For your BIOS you need to look at the manufacturer's website for tools.
We don't know if you are infected at this point. If you are, then flashing the BIOS is either not possible or pointless. Even if I replace my socketed chip it will re-infect it. PCIScope shows me BIOS Shadowing Enabled and I see it copied to the GPU option ROM.
I know "it" stole my credit cards because the timing of the card charges was exactly when I was using the machine to buy numerous things online, and I was able to observe all the browser cache tampering with hidden connections going all over the world. I was thinking a local vendor was stealing them, but as soon as I stopped using the machine for banking it stopped. When you see Unknown-Process accessing your old-old tax returns buried deep in mounted volumes away from the C: drive you know something isn't right. I know some of the key words it looks for and I'm considering writing a program to read a txt file over and over with all the key words in it so I can watch how it acts. For example "archive", "sessions", "cache", "lists", "bank", "financial", "forex" are just a few. Copying large files with those strings in the name makes my 585meg/sec transfer go down to 10meg/sec whereas others don't do anything.
I have seen 3 or 4 reports of this infecting smart phones. My position is that I don't know that for sure because I don't know for sure if those people have the same malware, but I do know that it is possible at least. My new GS3 isn't coming near this PC, I'll tell you that much.
Yes, PH has the same process tab as PE.
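The "non-existent parent" and unknown-parent results that several posters report above have an explanation a defender can verify directly: Windows stores only the parent's PID for each process, so once the parent exits (at logon, userinit.exe starts explorer.exe and then exits, which is the usual case) that PID either no longer exists or has been handed to an unrelated process. The PowerShell script below is an added example, not code from this thread or from Sysinternals; it compares each process's creation time with that of the process currently holding its recorded parent PID, so a "parent" that started after its child is flagged as a reused PID rather than a real parent. It assumes only the standard Win32_Process CIM properties ProcessId, ParentProcessId, Name and CreationDate.

```powershell
# Added example (not from the thread): classify each process's recorded parent.
# States: 'parent running' (a real, still-live parent), 'parent exited'
# (the PID no longer exists), or 'PID reused' (the process now holding that
# PID was created after the child, so it cannot be the real parent).
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$rows = foreach ($p in $procs) {
    # System Idle Process (0) and System (4) are skipped, as the test in the thread does.
    if ($p.ProcessId -eq 0 -or $p.ProcessId -eq 4) { continue }

    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = $null
    if ($null -eq $parent) {
        $state = 'parent exited'
    } elseif ($parent.CreationDate -gt $p.CreationDate) {
        $state = 'PID reused'
        $parentName = $parent.Name
    } else {
        $state = 'parent running'
        $parentName = $parent.Name
    }

    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        Created    = $p.CreationDate
        ParentPID  = $p.ParentProcessId
        ParentName = $parentName
        State      = $state
    }
}

# Summary first, then the full table sorted so the interesting cases group together.
$rows | Group-Object State | Select-Object Name, Count | Format-Table -AutoSize
$rows | Sort-Object State, PID | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so CreationDate is readable for every process. Process Explorer's "<Non-existent Process>" entries correspond to the 'parent exited' rows here; seeing many of them right after boot is expected, because the logon and service-start helpers that launch the session's processes terminate once their work is done. The row type worth a second look is 'PID reused', and even that only says the displayed parent is not the real one, not that anything is wrong with the child.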

dlux (Groupie, joined 24 July 2012), posted 05 February 2013 at 10:49am
For those knowledgeable, here are all my proof files.
BIOS dumps, BCD, CBS.log from the old machine.
New machine: entire Panther folder, ACPI binary dumps (2 formats), GPU option ROM (low ASCII only).
This should be enough to see what is going on.
I can't access my new machine's BIOS.

uploads/45310/Old-Infected-Machine-BCD-CBS.rar
uploads/45310/AWARD-BIOS.part01.rar
uploads/45310/AWARD-BIOS.part02.rar
uploads/45310/AWARD-BIOS.part03.rar

uploads/45310/New-Infected-Machine-ACPI-PCI-GPUoptionROM.zip
uploads/45310/New-Infected-Machine-Panther-Logs.zip


cellobrew (Newbie, joined 03 February 2013), posted 07 February 2013 at 5:30am
@dlux
I successfully flashed my BIOS with a new version from the Lenovo website, using their utility for flashing. The new version number shows on boot. But previous behavior is unchanged: collapsed processes still have unknown parents, and PH shows unknown processes doing disk accesses in the same manner as before.


RFC Rudel (Newbie, joined 07 November 2005), posted 07 February 2013 at 5:56am
Great tool to analyze your hardware:
http://heexe.phpnet.us/

dlux (Groupie, joined 24 July 2012), posted 07 February 2013 at 10:25am
cello:
I am interested, did the BIOS flash take some time (not 1 or 2 seconds) and finish properly?
Just to clarify my current opinion/conclusion regarding the 2 tests:
Since everyone is seeing the same thing I can't conclude anything.
At this point it doesn't mean you are infected with anything or not.
I am putting those 2 tests on the back burner until some sense can be made of it.
(it simply doesn't make sense and 1 machine is found to "make sense".)
I will be focusing on the hardware from here on out.
There is 1 test you can run, however, if you know what to look for: boot the Win7 install DVD and choose "Repair", get a CMD prompt and examine the files in drive X:\. You will be looking for evidence of sysprep instead of a normal install. No need to re-install the OS. If infected, the install or repair will be running as sysprep, i.e. autounattend.xml or unattend.xml. A freshly installed infected machine will clearly show that the install was a sysprep, as can be seen in the CBS.log and other logs. The Panther folder is where to look. Your laptops were probably sysprepped from the factory, so don't get excited. That would be normal. As a note: the malware forces sysprep in order to do things like disable x64 driver signing and other things, so simply booting the DVD, Repair, CMD can show you what the repair is set up for. It always comes up sysprep on mine and RFC Rudel's.

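The check described in the post above (look for answer files and sysprep traces in the Panther logs) can be scripted so it runs the same way from the recovery environment against an offline volume or against the running system. The script below is an added example, not the thread's or Microsoft's code. It assumes only the standard setup-log locations under Windows\Panther and Windows\System32\Sysprep, which is where Windows Setup and sysprep write their logs and cache any answer file; it lists the answer files it finds, with their timestamps, and the log lines that mention unattend or sysprep, and leaves the interpretation to the reader, since, as the post says, an OEM factory image is sysprepped and will show exactly these traces.

```powershell
# Added example (not from the thread): collect answer-file and sysprep evidence
# from a Windows volume. $Root is the drive holding the Windows folder; from a
# WinRE command prompt the installed system is usually not X:, so pass the
# letter of the offline volume (for example -Root 'D:').
param([string]$Root = $env:SystemDrive)

# Standard locations where Setup and sysprep keep logs and cached answer files (assumed standard paths).
$candidates = @(
    "$Root\Windows\Panther",
    "$Root\Windows\Panther\Unattend",
    "$Root\Windows\System32\Sysprep",
    "$Root\Windows\System32\Sysprep\Panther"
)

Write-Host "== Answer files under $Root =="
Get-ChildItem -Path $candidates -Recurse -Include 'unattend.xml', 'autounattend.xml' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

Write-Host "== Setup log lines mentioning an answer file or sysprep =="
$logs = Get-ChildItem -Path $candidates -Recurse -Filter '*.log' -ErrorAction SilentlyContinue
$logs |
    Select-String -Pattern 'unattend', 'sysprep' |
    Select-Object Filename, LineNumber, Line |
    Format-Table -AutoSize -Wrap
```

What to compare is the dates: answer files and sysprep log entries dated at the time the OEM built the image are the normal factory case, while ones dated after you took ownership of the machine are worth explaining. Because the script only reads files, running it on a volume you suspect changes nothing on that volume.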

dlux (Groupie, joined 24 July 2012), posted 07 February 2013 at 10:30am
RFC:
Great tool. I will get it and try it out!
If I can make good dumps with it I will post them here.

All:
NVIDIA has been notified and has access to all info on this forum and the Facebook page.
It has been escalated above level 2 and it was indicated to me that they might want my infected GPUs to analyze. I am hopeful. This could be great news.
I update the Facebook page sooner than I update here by the way.
