Is this real or bogus and paranoia? gpu-based-paravirtualization-rootkit

Discussion in 'malware problems & news' started by snort, Apr 12, 2013.

Thread Status:
Not open for further replies.
  1. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
  2. Total garbage IMO. If such a thing existed, the authors would be blackmailing governments and stuff, not targeting random people on the internet.
     
  3. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    1-but if there is evidence, why not look at it by major companies like Kaspersky etc...
    2-the original poster doesn't seem to be a total noob; also there are other people in that topic who have the same problem
    also he made two tests to find out if you are infected or not and according to his tests I'm infected by this :(

    anyway if such a thing existed it would be very plausible for it not to be detected
    also he is offering to send proofs and a sample

    I really would appreciate a company opinion on this
     
  4. I would guess because the "evidence" is highly inconclusive.

    Not being a total newbie doesn't mean you can't fool yourself.

    Think about it. How would you happen to get infected with a GPU rootkit from hell that only a dozen people know the existence of, is all but undetectable, and works on a variety of OSes and hardware? How would someone even write something like that? Most cross-platform malware last I checked is strictly proof-of-concept.

    I'm not even sure it's possible to write broadly compatible hardware rootkits like that. Different GPUs use different instruction sets, how would you translate between them?
     
    Last edited by a moderator: Apr 12, 2013
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Oops, looks like I'm infected too :D

    [attached screenshot: x1.png]

    It's all gone quiet over @ Sysinternals ?

    Now this might just turn out to be a misread of the data etc. But unless some people actually do check & test etc, then nobody would ever discover anything. And as the OS & Apps "supposedly" get more resilient to attacks etc, the bad guys will need to get more & more sneaky/clever with their coding etc. So more in-depth probing etc is/will be required ;) Sure sometimes phantom discoveries will be made, as "seemingly" in this case, but there Will be times when the digging etc will definitely pay off :)
     
  6. pandorax

    pandorax Registered Member

    Joined:
    Feb 14, 2011
    Posts:
    386
    So could someone explain to me why I see all the parent processes as <Non-existent process> ?
     
  7. Techwiz

    Techwiz Registered Member

    Joined:
    Jan 5, 2012
    Posts:
    541
    Location:
    United States
    I am in no way an expert, but I'd tend to be cautious of these "you may be infected" forums and threads. A lot of the time they turn out to be system errors either caused by an application or by Windows itself. I'd imagine this could happen with other OSes as well. Even if you run a virtual machine there is no guarantee against such false positives. Hardware wears down over time and computers make mistakes. I wouldn't say I'm paranoid, but I've always wondered if some of the unexplained bugs we see are actually being caused by applications we install. A lot of them try to update and patch automatically (in spite of user settings). I get that the data shouldn't write outside the virtual memory space (unless permitted), but you've got an application attempting to block write access to physical memory. That has to leave some kind of fingerprint each time this happens. Even if that fingerprint is in a different place depending on the application attempting to write data. I'd imagine those fingerprints could look suspicious if you didn't know what was causing them. Then again, I'm not a student of forensic analysis.
     
  8. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    anyway as pandorax said

    can someone explain why there is:
    Non-existent process
    and hidden processes in the Process Hacker test?
     
    Last edited: Apr 13, 2013
  9. Possibly this:

    http://forum.sysinternals.com/definition-of-nonexistent-process_topic10446_page3.html

    Seems odd that that would happen with a Microsoft program, but Windows is a big OS and has plenty of room for bugs. Or it could be an issue with Process Explorer.

    It could also be actual malware, some of which is very hard to detect - but frankly I doubt any of it is cross-platform, omni-compatible technothriller material.

    Say, you're able to see the process ID number right? (In CloneRanger's screenshot it's 1476.) How about opening up a cmd.exe window and running

    Code:
    tasklist /v | findstr "$PID"
    Where $PID is the process ID. If it shows up as a named process, then we know the problem is with Process Explorer.

    Edit: Okay, my Windows 2000 box presents the supposed symptoms too, so I have something to work with.

    In the current session, Windows Explorer is listed as having a nonexistent parent process with PID 1180. I'm pretty sure there's no such process on the system currently.

    I'm not certain, but I suspect that PID 1180 was a process that was launched and terminated during login, and which isn't running any more. I don't know the details of the Windows login process, but it wouldn't surprise me if something spawns the Explorer desktop session and then terminates, leaving Explorer with a "nonexistent" parent.

    tl;dr I don't think this is abnormal. Especially as I've yet to see any weird activity on my network, and my bank account isn't doing anything odd.
     
    Last edited by a moderator: Apr 13, 2013
  10. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    @Gullible Jones

    tried looking for those undetected processes using Gmer v2, didn't find anything

    also don't forget about the Process Hacker test which shows a lot of freaky stuff: undetected processes with a PID
    accessing data on the disk; those processes are not viewable with Gmer v2

    I would really like to see if this is bogus on a technical basis
     
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I doubt Gmer or any scanner will find anything if this is a bona fide GPU rootkit. Those tests I think will just bring a lot of false positives. The best bet will be Wireshark to detect those mentioned packets.
     
    Last edited: Apr 14, 2013
  12. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,063
    Location:
    Canada
    Why would the Base process even have a parent?? The Base is the parent, at least according to what the properties of the processes residing below the Base processes reveals in PE.
     
  13. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    so nothing ??!
    I'm not an expert at this stuff
    at all, what should I do o_O
    those tests came back positive and no one seems to say anything !!!

    no one confirming or denying this !! ??!!??!
    which raises a lot of questions
     
    Last edited: Apr 14, 2013
  14. Probably because the people who are experts don't want to waste their time chasing phantasms.

    Do you actually have any reason to believe your computer is infected, other than what you've mentioned so far? e.g. packets going off to strange places? Mysterious payments from your bank account? Phone bills that don't make sense?

    Mind, I don't count myself an expert either; but based on what I do know of computers, what we're talking about here is vastly impractical, if not outright impossible. I'd also be interested to see what the experts have to say, but I hope you can understand my skepticism in the face of what sounds an awful lot like a conspiracy theory.
     
  15. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    and we know what will happen if we look into it with the OP. When the OP is sure that something that does not exist is actually there you can't get them to do anything that proves decisively that they are wrong.

    "antihacker101" hackings

    ^do a google search for that^

    This guy was the poster child for thinking that his personal computer was the center of the shadow malware universe and there was no way to convince him otherwise.
     
  16. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    I think this is still possible because of coreboot. Hence, cross-platform or architecture. If the GPU or any firmware is infected, then various malware platform modules are downloaded afterwards, appropriate for the system. Undetectable GPU rootkits or Blue Pill or malware in the firmware have been talked about for decades. Flashing firmware or the vBIOS seems trivial for sophisticated hackers after a remote code execution, for eg. Hardware is sometimes bugged. We hear so many stories like some state-owned companies making those and evidence proving as such. Sometimes life is stranger than fiction. So, I wouldn't disregard the possibility.

    But it seemed fiction regarding those CDs being infected too and the like. And why is big AV business so silent? Because there's no money, or rather the impossibility of developing any credible software to scan accurately for such undetectable Blue Pill-like rootkits in those firmwares, or there's no remedy other than to trash the hardware? (Vendors/hardware makers will like that so that frustrated customers will buy new hardware instead.) Theoretically, big brother police states or the corporatocracy making use of such will understandably be so quiet or will deny it vehemently, as such is their dream come true.

    Edit:
    By googling, I found this, from which we can get more FAQs and interesting links: Unknown GPU Hypervisor Malware | Facebook http://www.facebook.com/pages/Unknown-GPU-Hypervisor-Malware/131545397008622

    also

    http://www.toucan-system.com/research/blackhat2012_brossard_hardware_backdooring.pdf

    I also did one of the tests (PE). I found out that if I open a sandboxed Explorer, the spawned Explorer.exe will be found as a base entry and have an unknown process as its parent too. Obviously, I assume it is Sandboxie's start.exe which exited immediately. The other two base or root entries are started by batch (cmd), or in other words started by their own cmd parents which exited too. Hence, the false positives, since there are no other weird behaviors as described.
     
    Last edited: Apr 15, 2013
  17. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Phantom entries

    I "think" some, or all of these Phantom entries, "might" be due to this ?

    I used DiamondCS Deep System Explorer, from the makers of ProcessGuard, to view Zombie Processes.

    I first ran PE to find one of those entries = Explorer.exe

    [attached screenshot: ex.png]

    & then looked for that PID in DSE

    [attached screenshot: dse.png]

    Sure enough, there it was :D

    By the way, if you're wondering why IE is showing, it's because I used it to view some DSE HTMLs I'd saved. I only allowed it on a Temp basis via PG ;)
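Added example, not code from the thread, Sysinternals or DiamondCS: the logic behind the "<Non-existent process>" label that post 9 explains (a launcher that exited at logon) and that posts 16 and 17 confirm with Sandboxie's start.exe and DSE's zombie view. It runs over a constructed snapshot; on a live Windows host the same (pid, ppid, name, start) tuples can be read from `Get-CimInstance Win32_Process` (ProcessId, ParentProcessId, Name, CreationDate).

```python
from typing import List, NamedTuple, Optional

class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    started: int  # start order; on Windows take Win32_Process.CreationDate

# Constructed snapshot modelled on the thread: explorer.exe (PID 1476, as in
# the screenshot) was spawned by PID 1180, which exited at logon, and PID 1180
# has since been handed to an unrelated later process.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", 1),
    Proc(412, 4, "smss.exe", 2),
    Proc(520, 404, "csrss.exe", 3),       # launcher PID 404 has exited
    Proc(584, 404, "wininit.exe", 4),
    Proc(612, 596, "winlogon.exe", 5),    # launcher PID 596 has exited
    Proc(700, 584, "services.exe", 6),
    Proc(1476, 1180, "explorer.exe", 7),  # parent exited after spawning it
    Proc(2044, 1476, "notepad.exe", 8),
    Proc(1180, 700, "svchost.exe", 9),    # PID 1180 reused by a new process
]

def find_by_pid(snapshot: List[Proc], pid: int) -> Optional[Proc]:
    """Same question as the thread's `tasklist /v | findstr "$PID"`:
    is a process with this PID running, and what is it called?"""
    return next((p for p in snapshot if p.pid == pid), None)

def real_parent(snapshot: List[Proc], child: Proc) -> Optional[Proc]:
    """A PPID names a real parent only if that PID is still running AND
    it started before the child; a freed PID can be reused, so a same-PID
    process that started later is a stranger, not the parent."""
    cand = find_by_pid(snapshot, child.ppid)
    if cand is None or cand.started >= child.started:
        return None
    return cand

def nonexistent_parents(snapshot: List[Proc]) -> List[str]:
    """Names of processes whose parent is gone: the entries Process Explorer
    files under <Non-existent process>. PPID 0 (System) is the tree root."""
    return [p.name for p in snapshot
            if p.ppid != 0 and real_parent(snapshot, p) is None]

if __name__ == "__main__":
    for name in nonexistent_parents(SNAPSHOT):
        print(f"{name}: parent has exited (benign if it was a launcher)")
```

The four names it reports match new2security's list below; the start-time check is the part a bare PID lookup misses, since a reused PID would otherwise look like a live parent.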
     
  18. Good find. Though it looks like hardware vendors have brazenly ignored the issues making this possible, so maybe we can expect BIOS rootkit droppers soon. :mad:

    Re large-scale conspiracies, I tend to doubt their existence; mostly because sweeping conspiracy theories have ludicrous requirements for competence on part of the perpetrators.

    Edit: in view of Rakshasa, it suddenly strikes me that the proliferation of ARM-based devices may be a very good thing.
     
    Last edited by a moderator: Apr 15, 2013
  19. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    I've those too ->

    csrss.exe
    explorer.exe
    wininit.exe
    winlogon.exe
    explorer.exe

    I'm paranoid enough, I don't need to add fuel to it.
     
  20. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    thanks to all of your posts I know how hard it is for a security researcher to chase a phantom that may or may not be there
    security researchers like to get .exe samples
    I don't know where to look for those in order to supply them ??
    I would really like to be as helpful as I can to solve this issue

    I really want to debunk this once and for all

    anyway if Blue Pill was out there for what, 2-3 years now ? Rakshasa too ?
    I think a motivated black team could be able to pull something like that
    so let's see, if this was real the maker of this would be a very skilled coder or coders

    any

    well I had my share of getting hacked in the past 3-4 years
    anyway currently experiencing router hacks, I don't know if this is related to this or not
    but according to Murphy's law :S

    anyway let's say if there is a phantom
    what is the best way to chase that phantom ?
    hiring a forensic team ?
    I just want my peace of mind and I really want to know that there are skilled people after this
    so I don't worry more

    because I'm paranoid enough and I had my share of hacks in the past
    now I'm just in the state of :S I don't know what to do next besides freaking out


    p.s : I'm not associated with the OP on Sysinternals
     
    Last edited: Apr 15, 2013
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,027
    Location:
    Texas
  22. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    No, the hardware vendors didn't ignore the issues. They created the UEFI Forum and have been improving the UEFI spec - including, for example, the Secure Boot feature.

    The attack described on that paper doesn't work against a Windows 8/RT machine with Secure Boot-enabled UEFI and all, for example.

    No bootkit bypassed the latest UEFI spec with Secure Boot and all so far AFAIK.

    Bypassing it is currently considered the "holy grail".
     
    Last edited: Apr 16, 2013
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    But let's be reasonable. How would you've gotten the hostile code in your BIOS / GPU in the first place? Unless your hardware was tampered with from factory, or if you have flashed your BIOS by downloading the codes from obscure sites, I see no reason to be worried.

    I know there is this newer feature on modern motherboards where you can flash BIOS from user space but I fail to see how this could have been done remotely and without your noticing. Does flashing BIOS from user space require administrative credentials?
     
  24. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Actually, the Brossard paper is from 2012. UEFI, TPM, Full Disk encryption, etc are all discussed there.

    See my sig. He he
    Mammon works in mysterious ways. When money talks, everyone follows. See the money masters from youtube. :)

    I don't know if his is really a BIOS infection. His looks clean except for the router hacks as claimed by him. What's so special in his case to be targeted by a BIOS infection or be given bugged hardware? If not, just to be part of a botnet with all this effort and sophistication? I don't think so. He he

    Clearly, those tests gave false positives.

    Flashing the BIOS requires root. One gets rooted remotely from arbitrary code execution and privilege escalation exploits in order to drop malware.
     
    Last edited: Apr 16, 2013
  25. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Sorry, I confused the years. But anyways, I read the whole paper and it doesn't touch on UEFI, Secure Boot or even Windows 8. The attack doesn't apply to a Windows 8/RT certified machine with latest UEFI spec and enabled Secure Boot.
     