
Gpu based paravirtualization rootkit, all os vulne

JackMove (Newbie, Joined: 14 February 2017, Points: 2)
Posted: 20 February 2017 at 8:22pm
Good point. I have a lot of notes on paravirtualization as well, but nothing compelling yet.

Some other key points I wanted to mention:

Display

I don't know exactly what or how, but how the system is communicating with the display I'd bet my bottom dollar has something to do with how air-gapped machines are being breached. I've noticed that if I boot with no display connected, then wait a while and connect one, it seems that the system begins waiting for a display and then continues booting right after the initial OS loading screen. It immediately continues the boot-up process from that point when a display is connected.

Colors

Also, I've noticed something peculiar about colour profiles I haven't seen addressed anywhere. Now this is particularly tin-hat-ish, I know, but just one look at the colour profile files on any of my systems and anyone who has had even a little experience with networking would probably notice that the numerical values found in there look an awful lot like IP addresses. There are usually four-digit, comma-separated numbers and none of them ever go over 255 (but regularly go right up to it, as is common with IPv4 addresses). Sometimes I find them separated by another number sequence that looks exactly like geo coordinates. The ones I looked up (which were only 2 or 3) were in Russia. But when looking up the IP addresses (or what I believe are IP addresses) I discovered that about 30% of them belong to the Department of Defense. The UK's Ministry of Defence was another, and of course some anonymous addresses for which I couldn't track down an associated responsible party.

If I'm missing something obvious that explains the above please let me know. I know this is a pretty wild theory but just in case I'm right I thought I should mention it somewhere.

It would explain why color profiles are so explicitly laid out in seemingly every OS when most people will probably never even consider them. If anyone is looking for less conjecture and more real evidence, I have endless screenshots highlighting just about everything you could imagine so just ask.

Edited by JackMove - 20 February 2017 at 8:24pm
Torgue (Newbie, Joined: 01 March 2017, Location: Canada, Points: 1)
Posted: 01 March 2017 at 8:28am
Oh my gosh, I can't believe this forum isn't redirected! I just read a couple of pages from back in 2012 posts and immediately registered to say this: I've been fighting this rootkit since 2010, although it took me a long time to realize what I was actually dealing with! I honestly feel like crying right now, to know I'm not going crazy. I have many, many notes on this... but for now I'm just saying hello!!
hey (Newbie, Joined: 06 May 2013, Points: 9)
Posted: 01 March 2017 at 5:19pm
Today

people post

friends
activities
pictures

and are addicted to having always a remote-controlled microphone and a camera with them..........

Edited by hey - 01 March 2017 at 5:21pm
genjuu (Newbie, Joined: 17 March 2017, Points: 1)
Posted: 17 March 2017 at 9:17pm
Got infected by this back in January. As some of you mentioned, I also didn't do too much else besides trying to get rid of it. Can't be calm knowing that your whole family info is out there.

And it's even worse now because with devices like iPad or cellphones being way more popular now, they can see you everywhere you go. They interacted with me through witch chat and can see me through webcam/listen to me through mic. Formatting my PCs doesn't help and yes, my PCs are now basically VMs. I know who did this but cannot do anything about it yet.

I got infected when trying to install a program called manageiq. That, and I had previously installed some videogame-related programs that started acting weird before the "big attack". What about you guys? Is there any progress about how to remove this or are we out of luck?
cb3 (Newbie, Joined: 22 March 2017, Location: Sweden, Points: 1)
Posted: 22 March 2017 at 2:27pm
Hello, this thread is no surprise to me. I have my reasons to be here as well. I want to learn how to validate my machines to hopefully be able to exclude this evilness. Is there any easy way to check whether my machines have been compromised? Unfortunately I'm not a high-end Windows admin; I would probably not even be able to tell if my machine is a VM or not unless someone guided me in the right direction.
lil_king420 (Newbie, Joined: 05 July 2010, Location: MN, Points: 34)
Posted: 27 March 2017 at 2:12am
Absolutely!!!  Clap

Smartphones are FAILsec 100%.
lil_king420 (Newbie, Joined: 05 July 2010, Location: MN, Points: 34)
Posted: 27 March 2017 at 2:23am
Vault 7 was released by Wikileaks this month... Titled

Vault 7: CIA Hacking Tools Revealed

https://wikileaks.org/ciav7p1/index.html

I think it is safe to say this thread is beyond justified and very important to all of us.  I hope it remains available indefinitely and should never be removed for any excuse.

Knowledge is free... understand it... THEN SHARE!!!

Disobey... together... we remove the control!   Expect us all.   ✌ 👊
hey (Newbie, Joined: 06 May 2013, Points: 9)
Posted: 26 April 2017 at 1:19am
Originally posted by RFC Rudel:

> I only pray that smart tv malware allow my tv to boot....Tongue

UPS