Malware that hijacks / uses the advanced properties of a Broadcom NIC

Hi

I've come across a piece of "malware" that, so far, avoids detection by any antivirus, anti-rootkit and antispyware software. Since I do not know the infection vector here, it could well be some sort of hack-tool instead, but it certainly is more difficult to deal with than any I have ever encountered before in over 14 years of system administration.

Two weeks ago I discovered that some entity in a customers' network had "stolen" the IP address of one of the domain controllers in the network. This resulted in a DOS situation, as the packets were not forwarded to the DC afterwards. Strangely there was no IP conflict reported anywhere, but instead a rogue device were using ARP to advertise it's own MAC address as the MAC address associated with the DC's IP. I implemented a pretty basic countermeasure by adding static arp entries for the DC's IP address in domain clients, and started looking for the device in question.

I found it after a brief hunt, using Wireshark and some creativity, and it came up in my captures as WistronI_45. It turned out to be the integrated network controller card for a Acer laptop computer, and as I started looking into the problem, it got more and more confusing.

Firstly, it was now advertising itself as another server on the network (no longer the DC) and sending out ARP broadcasts for a unused IP on the network (192.168.1.50/24). That was strange in itself, and in retrospect seems to indicate a level of sophistication. As i proceeded to run every anti malware tool I could think of agaist it, it found a few pieces of mildy annoying adware / potentially unwanted applications, but nothing very serious. But the problem persisted.

I finally isolated the source of the packets to the NIC (a Broadcom NetXtreme embedded card), and I have discovered the following behaviour:

1. The network card will start sending out ARP broadcast requests for 192.168.1.50 while advertising itself as 192.168.0.0 initially (no ip) and then as 192.168.1.2 (the server IP) to other hosts on the network. It will do this even when the computer is off, and then if it receives a response it will proceed to send heartbeat packets to the 192.168.1.50 host using SNMP packets. It appers to do little else.

2. This traffic is hidden from the computer operating system and they do not show up if one runs Wireshark on the stricken machine, so the card hides this traffic from the user and any tools run.

3. I initially though it might be a misconfigured ASF and disabled the ASF function in the BIOS of the machine. The behaviour persists even if the BIOS reports that ASF is disabled. ASF should also be disabled by default according to some sources, but on this machine it seems to be enabled by default. It certainly is active, and I suspect that it somehow compromised.

4. If I disable both nework cards at the OS level, the LAN card will continue to send packets as long as a cable is attached to the LAN interface. If I disable both network cards in the BIOS, it will still send out packets.

5. It will survive a BIOS flash.

As to other disturbing behaviour I have noticed that it also goes after a 10.0.0.0/8 address, which I am assuming it has aquired in the users home network.

I tried to attack it with Broadcoms own Advanced Configuration Tool, but the card reports back that everything is fine and, stangely, if I try to access any SNMP configuration information, it throws an error message.

So, basically, this is a network card which will bring itself online, and report in using SNMP, to an unknown host (we certainly never configured any of this), even when ASF is disabled, the network card is disabled in BIOS and in the OS, and even if the network card is uninstalled at the OS level. It survives a BIOS flash, disguises its operational status to the BIOS and OS and hides certain traffic from the host OS.

I am aware of the hack.lu 2010 proof of concept Broadcom Firmware hack, and since this is indeed a Broadcom NetXtreme card, this is a bit worrying. If you are not familiar with it you can read a presentation on the Sogeti ESEC lab website (url below). I was however unaware that this was successfully implemented in any rootkit / malware currently in the wild.

My question to you is: Is there any known malware in the wild that has this kind of capabilities? Or is it just a NIC gone bad, which I find increasingly unlikely.

I am nearly at the end of the line with this computer, which will surely have to be discarded, but it annoys me GREATLY not to figure out what this is and what it could potentially be capable of.

Any insight or suggestions will be greatly appreciated.

B.

Link to the hack.lu proof of concept presentation:
http://esec-lab.sogeti.com/post/201...:-Reversing-the-Broacom-NetExtreme-s-firmware

 

That is pretty weird, and sounds convincingly like a firmware rootkit ought to behave.

Due to the specificity to the hardware I kind of doubt it would be ITW malware, but I don't really know enough about the circumstances to say. From what you say though this smacks of a targeted attack, not the usual drive-by stuff.

You might want to get in touch with some security researchers on e.g. Twitter. This really does sound like a legit firmware rootkit, and everyone in the field would be interested in that.

Edit: Hmm. Actually these Broadcom cards seem kind of ubiquitous on certain Dell workstation models, the sort typically used in offices. I wonder if you're looking at part of a larger scale operation.

I think you should definitely get in touch with some researchers, directly and as soon as possible.

 

Yes. I have done that. We shall have to see what comes of it. I'm putting my tinfoil-hat on, for now at least, because this is pretty weird. I have also discovered that the infected machine will reply to arp broadcast for the "stolen" ip address, but not to regular ping packets to the same ip. All of this while being powered off, with both network cards disabled in BIOS. Now that is some weird behaviour for your average network card.

 

Wait, while powered off? Do you mean just turned off, or when not getting any power whatsoever?

Hmm.

https://help.ubuntu.com/community/WakeOnLan

Maybe that is involved somehow?

OTOH if you mean it's doing stuff when it cannot possibly be getting any voltage, then I must profess skepticism. In that case it would be more likely that you're doing something wrong.

 

No, I mean with the computer switched off but with the power cable attached. I can trigger the behaviour by plugging in the power cord or the LAN cable. Both will work. The machine does nothing when on batteries only and powered off. I have been thinking about the WOL thing myself.

 

If you really want an expert opinion on this, post to kernelmodeinfo forums.

 

Oh, laptop... I was thinking desktop.

Pretty weird stuff in any case. Good luck finding answers (and when/if you get any, I'll be interested in hearing them too...)