After firmware/bios rootkit, what hardware can be saved?

Hello all. I've come across this form during the frustrating battle I've been locked in with a rootkit over the past 6+ weeks. This seems like the place where I have the best shot of getting a knowledgeable answer and not dismissed as misidentifying a simple MBR rootkit as something more complex. I value any and all thoughts on the matter.

Essentially, what I have infecting my six home PC's is not repairable with the tools and skills available to a casual system builder. I've flashed the BIOS, full formatted the disks in any number of ways, flashed the GPU firmware, and still this thing keeps coming back. I can be running a clean live disc with no networking components connected and no hard disks in place, and still find traces of the background tasks going on. I think it's virtualizing the BIOS in some way that involves the GPU, but I won't further speculate needlessly. The real question is this: what components/peripherals are safe in my situation, ideally as a function of lacking non-volatile storage?

If abandoning the infected machines for new builds, what can I reuse if anything? Are the CPU, RAM, and DVD drives safe to move to a new platform? What about a Logitech K800 keyboard if I replace the wireless dongle with an unused one? It seems silly to throw out new 8-core processors on one hand, but on the other if the microcode could carry over a virus and ruin thousands more dollars worth of hardware, it's not worth risking.

Thoughts? Thanks again!

 

I would have thought that the only thing you need to do is swap the motherboard with a UEFI compatible one no?

 

1) I really suggest you to investigate further, even though you are pretty sure it is a hardware infected rootkit. The cost of not doing so it is too great, because you will end up paying money on new hardware.

2) I never heard of a virus/malware/etc. that can infect one hardware component (i.e. motherboard) and spread itself to another kind of hardware component (i.e GPU). So in theory you could replace the component that you fear was compromised without fear... This way you could try to replace the motherboard first, then see if the infection persist, and so on... But still, apply the point above first, otherwise you might spend a lot of money.

 

@ glasspassenger11

Hi & sorry to hear about your troubles. I think it would be useful to learn more about this, if it is what you think it is.

How do you think you got infected ?

EXACTLY what traces, & can you post screen shots ?

What tool/s did you use to see these ?

 

Thanks for the feedback all. I'll look a bit closer into the assistance links provided. The issue for me is that without understanding programming, all I've got is the ability to test and observe behavior resulting from my own trials as a means of determining route of reinfection. If I were able to isolate each individual piece of hardware from the rest (an example would be GPU from the motherboards) and reflash firmware, I know I could resolve this. The issue is the equiptment and knowledge that may call for.

I don't suspect I have something that is jumping across many platforms- rather something that may be exploiting my specific chipset, which all of my motherboards use (990FX). Or, the Asus UEFI Bios and its writable storage space, normally intended for user profiles and customization of things like splash screens.

I will try to do this tonight. I've been hoping to find a knowledgeable set of eyes to review what I'm seeing and confirm or correct my conclusions for a while now. The easy example would be the way this thing takes hold in any Linux live environment, where it tries to write data to the virtual hard disk with such high volume that it fills the space and disallows anything to be downloaded. If i plug in something like a USB drive to serve a storage space for the session, it fills that up immediately. Talking about 16gb of useless bulk in an hour or two. In a Windows PE environment, it's DComLauncher running System Service tasks by the dozen eating up most all of the CPU capacity. In both cases the GPU will be running around 60C or hotter rather than the 30C it should be at under normal conditions.

The how I got infected is a bit embarrassing. Essentially I was running zero security software for over a year leading up to this event, so I can't give specifics of when or how it came in the open door. My mindset was that as someone who built everything from scratch and does clean OS installs multiple times a week as part of competitive overclocking benchmark events, I didn't need to worry because worst case would mean an hour of formatting the OS disk and re-configuring. That worked for everything including a ZeroAccess infection I had picked up along the way, since my data is always on entirely different media than my programs and OS. It finally bit me here when I came across something that isn't resident only on the hard disk of the system, and I managed to spread it across every platform with my USB drives I normally use for ISO files when doing installs.

 

I did indeed hard reset it with the pinhole, and also changed its access password and the addressing for devices inside the network (not sure if the last part did anything useful or not). How probable is it that someone with the information from having been behind the router could be reinfecting or accessing the machines connected by way of the information gained (IP's and Mac's)? Is there a way to actually sweep it for a firmware infection that survived the reset?

Anything to be said about there being hundreds of the following entrys to the router security logs recently? Blanked some of the numbers to not give full addresses.

192.168.1.50 to 107.xx.47.35:xx0 is droped.
192.168.1.50 to 209.xx.47.61:xx0 is droped.
192.168.1.50 to 209.xx.47.62:xx0 is droped.
192.168.1.50 to 107.xx.47.35:xx0 is droped.
192.168.1.50 to 74.xxx.239.134:xx0 is droped.
192.168.1.50 to 74.xxx.234.175:xx0 is droped.

 

Also about a hundred of these incoming all to the same port:

xxx.165.xxx.237 port 34126
xx.193.xx.182 port 34126
xx.101.xxx.248 port 34126
xx.243.xxx.235 port 34126

 

If you have any JMicron chipsets on that motherboard e.g. usually used for eSATA ports, there is where I would start looking. I saw strange activity from the JMicron drivers; like outbound connections from SearchProtocolHost service initiated by its driver that made no sense.

What I did was set my one IDE optical drive to use the JMicron IDE driver provided by WIN 7 and the SATA ports that previously used the JMicron SCSII driver to the default WIN 7 achi driver.

 

Here also is an interesting read: http://www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf.

 

Thank for the Info.

 

You're not going to like my suggestion, but...

Most people who frequent security forums have, over the years, seen their share of people who are convinced they're infected with some sort of hardware malware, from BIOS rootkits to CPU/GPU virtualization malware (or preferably, both at the same time, with additional hardware infecting abilities, naturally). Most of these threads seem to just end up unresolved, with the original poster vanishing. Now, what I suggest is this. If you're really convinced you've got a bug this bad, why not contact the nearest anti-virus software vendor or CERT and explain to them you've got a sample of a nasty hardware malware that's in the wild? Obviously, cut the infected system from networks physically before you do this, and don't use the infected system to communicate with said parties, so there's no... unexpected case of the malicious hacker noticing the communication and deleting the malware without a trace. I'd bet those AV or CERT guys would love to get their hands on an evil ITW hardware malware. Might even pay you a reward for finding it.

But a further thought on the subject... If I were a malware writer, and I happened to have the knowledge required to write a highly resistant and stealthy hardware rootkit... the thing that I would not do is make it write media so full you can't even download a file. Because that sort of thing tends to tip the user off that something's not quite right in the realm. It would be considerably smarter to not do such things, and just hang in there all stealthed up, collecting useful data or using the system as a proxy for other illegal activities.