ACPI and Malware

I had an issue I raised in this post.

Apparently there are ACPI fan control scripts that can control temperature through fan control. I can't access the real website that contains the scripts but I can see the cache. here.
I can't go to this original website, http://www.thinkwiki.org/wiki/How_to_control_fan_speed
Maybe more thoughtful control.

Is it possible for malware to utilize a fan control script, for laptops of course, as detection prevention? By executing a fan control script when it detects a scan in progress causing a thermal shutdown.

 

I dug a little deeper this time.

What is ACPI?

The Advanced Configuration and Power Interface (ACPI) specification is an open standard for unified operating system-centric device configuration and power management.

What does ACPI do?

The ACPI standard brings Power Management into operating system control (OSPM), as opposed to the previous BIOS central system, which relied on platform specific firmware to decide power management and configuration policy.

The ACPI specification contains numerous related components, for hardware and software programming, as well as a unified standard for device power interaction and bus configuration.

If ACPI can program hardware, How does it talk to the hardware?

ACPI compliant systems interact with hardware through either a "Function Fixed Hardware (FFH) Interface" or a platform-independent hardware programming model which relies on platform specific AML provided by the Original Equipment Manufacturer.

Reference 1

And

The major kernel-level components of the architecture include:

• AML Interpreter
• AML Disassembler
• AML Debugger
• ACPI Table Manager
• ACPI Namespace Manager
• ACPI Resource Manager
• ACPI Fixed and General Purpose Event Support
• ACPI Hardware Support

User-space utilities built upon the kernel components include:

• ASL Compiler & Disassembler
• ACPI Simulator (AcpiExec)
• ACPI Table Extractor

Reference 2

How would Malware leverage this access and control?

If it could reprogram device power management firmware, which isn't needed while ACPI is functioning, then the Malware would have places to store malicious code.

I also think that a Malware having access to ACPI on the infected system would be able to disable the OS to prevent scans by AV software.

Annoying but not harmful.

It could also cause overheating issues leading to component failure.

Now they're hitting the pocket book.

Continuous and excssive component failure could be used to incur financial pressure on cash restricted targets.

Tailored Malware can go undetected by current scans leaving hardware issues as the only symptoms.

Malware residing in firmware would remain until called.

Many people use hardware failure to rule out a malware issue, stating "Sounds more like a hardware problem", refusing to look any deeper. With this perspective it would be possible for malware to persist. Most people once faced with a hardware issue will go back to using old install media or back up media from the hard drive which may be infected and causing these hardware failures.

Excessive emphasis for those with ADHD.

 

Post #2 by searching , the link problem:

If I make Google traduction, and click on link 'Reference 2' - Avira AntiVir says: 'contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus.'

In my case: Deny access, OK.

This link 'Reference 2' in English original version - is OK.
Other links, in English or with Google traduction - all OK.


P

 

I had a similar issue some days ago. Thermal shutdown but normally impossible I have one of the best coolers on the market. Speedfan showed 120°C, crazy. Three thermal shutdowns. I still think it is a wrong temperature that the bios measures, sometimes degrees switch to -20°C.

I think secret orgs misuse ACPI by default, also those S-states.

 

I guess this proves the contemporary situation and it smelled again like burned electronics, phantom overheating

http://i42.tinypic.com/os5xxu.jpg

and another amazing (never seen before) bsod

http://i44.tinypic.com/345yfdk.jpg

The supposed webside is not registered, crazy.

 

Here is a link for the ACPI device/hardware/software interaction diagram.

http://common.ziffdavisinternet.com/util_get_image/1/0,1425,i=10764,00.gif

If Windows defaults to APM when ACPI is not present, is that an indication that the ACPI BIOS has been reflashed and filled with rootkit code?

 

Do you know that this technique is known already for years? It is only the peak of the iceberg.

 

I had a condition where I had a 50gb formatted for windows which, later, I did format the remaining space to use for data storage. Not too much after that, the second partition developed it's own OS not visible from primary partition. A Spanish Windows Starter Edition. Prevxhelp was assisting me at the time because Edge would lockup on scans and freeze the system. He recomended I start from scratch.

That's why I've been researching ACPI stuff, because it always seems to be involved. Then I saw how ACPI has access to all hardware and stealth by design, It's own components, makes me want to stock up on P3's.

 

Does it not strike you as odd that all stealth techniques converge on you? I could accept one or two, but just about any special hacking technique ever mentioned, and you seem to have been hit by it.

So:

1. Statistically, it does not fit.
2. If you can detect it, it ain't stealth.
3. All detection methods mentioned are in vivo in Windows, which makes the whole thing an absurd game, because if this "malware" was truly stealth, you would a) not be able to find anything about it b) you would require Linux live CDs and whatnot
4. You have faulty hardware or bad cooling, which explains the multitude of hardware related problems.
5. No need to get hysterical, simple bios flash works ...
6. Do you know why all of this is just a nice story, because for instance you can boot Linux with kernel parameter acpi=off and oops, no more malware. And Linux is nowhere mentioned, so we have acpi-windows-dependent crap, which means live CD and it's gone. Or better yet, the hardware won't function at all ...

Mrk

 

As I said but wasn´t related to the topic, Acpi is only one little part of a multitude of specific undermining attacks.

There exists nothing really undetectable, so stealth is a common term for things that are well hidden.

 

ACPI has OS independent technologies, interfaces, code and hardware.

The OS independent technology portion of ACPI operates before the (Phoenix) BIOS Power On Self Test. It starts before everything, including Linux and Live CD.

Plausible deniability. "You have a hardware problem, no need to look for malware", could be a side effect of bad malware coding.
A rough chop vs. minced, to use a cooking analogy.

The OS independent ACPI BIOS is not flashed when flashing your (Phoenix) BIOS.
In much of the information about ACPI BIOS on most websites, there is a misunderstanding, intentional or unintentional, that it is a part of the BIOS that everyone knows about. Award, Phoenix, AMI etc.
But, in the ACPI specification documentation it states the ACPI has a seperate BIOS.

Awaiting your Actuarial analysis on the probability of these events.

 

Exactly, always these narrow-minded linux junkies, they don´t realize that they are already subverted by default.

 

Subverted as in subversion ... svn commit and that sort of style?
Mrk

 

Someone tested it on one of my systems as it seems. I doubled checked if my cpu cooler wasn´t the cause I unmounted the cooler tower and remounted it from the scratch with arctic paste but didn´t help then I changed some settings and the temps were normal. We talk about +/- 80 °C difference in Bios. Usually 42 °C with this malicious bios script that some insane mind plugged in 122 °C. That leads inevitably to auto shutdown. I think this bios script is remotely controlled by radio or satellite, they probably use the oa in cmos, cpu direct access or audio device as c&c transmitter.

 

This shutdown stuff has been plaguing me when performing malware scans with various tools. They get in with no alerts or alarms, then buggy symptoms appear.
That's why I want to determine if they are persistent or a fresh attack each time.
A fresh system install has no problems, no overheating, no shutdowns.
I used Radix to take base lines after every program install. Between 2 installs something appeared, patched modules that no one could explain.

Everything that has been occurring in my system is explainable, without RF c&c.
By attacking ACPI it may be possible to control hardware functions.
Some checking on Winbond ACPI controller chips, I have found some newer chips with as much as 4 megabytes (32 megabits) flash storage.
I have been looking at SMSC chips but here is less quick info on them.
Combine it with the http smuggling/splitting from the other thread adds up to a lot of mischeif potential.

 

Radio, satellite I see ... How about you build a copper mesh around your house and then see how the aliens probe your hardware, eh? Damn those Maxwell equations! Oh, for radio transmission, you need an an an antenna! I have looked recently, did not see any antennas on a mobo ... Hmmm ...

Maybe tachyon radiation?

Mrk

 

Bluetooth only one example for invisible antennas but wireless transmission.

 

I did not see your answer. Which modules showed Radix? Pay attention on all subsystem components session manager sub system as well as system shadow table and win32k.sys. That´s their playground for years.

It is persistent if it is bios related.

For how long? Always a matter of time until "sub-bios-hack" comes back.

You are one of the few who understand the truth and are dedicated to.

That is also what was told to me from one of the archs. This bios thing subverts any os and combined with http smuggling and poisoning it does its work all around the globe on nearly all systems that are connected to the internet.

 

Offhand I don't recall. I've wiped the OS, but have a backup of it. Could load it up later in a VM and check.
Haven't decided which OS I want to install yet. Back to Windows, maybe try Linux, or go deep with BSD.

Here is me playing around in Linux trying to dump some ACPI info.
Can't open table.dat.

Code:

root@youknowho:~# acpidump >acpidump
root@youknowho:~# acpixtract -a acpidump
Acpi table [DSDT] - 30346 bytes written to DSDT.dat
Acpi table [FACS] - 64 bytes written to FACS.dat
Acpi table [FACP] - 244 bytes written to FACP1.dat
Acpi table [SSDT] - 528 bytes written to SSDT.dat
Acpi table [APIC] - 84 bytes written to APIC.dat
Acpi table [SLIC] - 374 bytes written to SLIC.dat
Acpi table [MCFG] - 60 bytes written to MCFG.dat
Acpi table [HPET] - 56 bytes written to HPET.dat
Acpi table [XSDT] - 84 bytes written to XSDT.dat
Acpi table [FACP] - 116 bytes written to FACP2.dat
Acpi table [RSDT] - 60 bytes written to RSDT.dat
Acpi table [RSDP] - 36 bytes written to RSDP.dat
root@youknowho:~# iasl -d TABLE.dat

Intel ACPI Component Architecture
AML Disassembler version 20061109 [May 16 2007]
Copyright (C) 2000 - 2006 Intel Corporation
Supports ACPI Specification Revision 3.0a

Could not open input file TABLE.dat

 

How many layers are there on a motherboard anyway?
One layer could contain the antenna/s, conceivably.

I've seen antenna in US currency! Why not a motherboard?

 

Don´t expect too much insider knowledge from him, he is stuck in his linux dimensions.

Also we shouldn´t forget the report about the manchurian chip.

That are the temps displayed shortly after acpi s3 wake up:
http://i39.tinypic.com/2e151le.jpg
Extra frost simulation.

Some times later we see this:
http://i44.tinypic.com/2zstdmg.jpg
Hot as hell.

But both values can´t be nothing then wrong. That´s a malware trick or total failure of a company called phoenix award. The last possibility who is responsible for this mess is either Intel or Gigabyte but I bet the core problem is award bios.

With linux the temp read out is impossible.

 

Power management isn't handled by "Phoenix/Award" Traditional BIOS. That function has been move out of the BIOS beginning in 1999 and later, to have it's own hardware/software infrastructure called ACPI.
ACPI has it's own BIOS which is pre POST of Traditional BIOS; Some chips contain up to 4 Mbytes of flash.

Traditional BIOS issue is the inclusion of a complete network stack built for hidden communication, supposedly for updating EFI.

Leveraging ACPI gives them overall direct device access to all power managment functions. At the least a harassment tool.
Traditional BIOS may offer a hidden communication channel on an infected system, for hackers, visible only by sniffing.

*Please keep the Anti-Moron Patrol comments out of all threads.
*Thoughtful Counter Point is always welcome and helps us re-evaluate our ideas.
*Logic can be valid or invalid. So it is possible to be totally logical, but invalid.

 

I know that there is a covert comm channel through bios but
where is this acpi chip located? Is it the board vendor who placed it? I thought it is part of the cmos chip.

Actually the bios seems to show correct temperature, only windows is right now fooling around +20 up to +30 °C.

Two thermal shutdowns they must be induced by vista or cpu, I guess.
Any idea how to disable this shutdown from software side?

 

What if I told you that I know the number of layers on a mobo and what each one contains? Would that convince you to take off the tinfoil hat?
Mrk

 

Your silly,

The tin foil hat only protects me from the magnetron pulse cannons, it doesn't do anything for my computer.

Look for a chip printed with Winbond or SMSC, could be other vendors.
See diagram here.
Also, ACPI specification says it has its own hardware.
If ACPI is damaged or not present OS will use APM.