is this real or bogus and paranoia ?gpu-based-paravirtualization-rootkit

Discussion in 'malware problems & news' started by snort, Apr 12, 2013.

Thread Status:
Not open for further replies.
  1. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    I couldn't get a grip on how the guy at sysinternals' forum not only managed have his BIOS compromised, and on top of that also discovered that the ROM chips on his graphic card was storing a secondary BIOS etc. To me it sounded too science fiction-ish, something that went beyond realistic paranoia.

    But I'm very interested in this topic!

    I did the Process Explorer test on a W7 machine at work and got a bunch of parent non-existent processes on it too. What seems strange to me is that a "simpler" tool such as the Process Explorer would manage to find traces of this rootkit(?) but dedicated anti-rootkit tools fail to discover that there are processes in the system that have no parents*.
    Obviously, the hostile code writers were very sophisticated, why didn't they pay attention to what traces their code would leave on the system via the Process Explorer?

    * If having no parent really indicates that your system has been compromised by hostile code or rootkit.
     
    Last edited: Apr 16, 2013
  2. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    It mentioned UEFI but not Secureboot or Windows 8.
     
  3. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    A router hack -> somehow jumping to BIOS and GPU -> Planting malware /code tampering on GPU ROM chips = Yes it's far-fetched. Unless this guy is a very important person and this was indeed a very sophisticated and targeted attack. Or malware writers trying out new grounds.
     
  4. Am I missing something? Secure boot protects the boot sector. This is firmware stuff. How would secure boot do anything?

    Duckduckgo'd... and skipped. This is more overarching-long-range-plan stuff. I don't see the need to invoke hidden masterminds for what can be adequately explained by greed and selfishness.

    But something tells me neither of us is going to convince the other, so I'll leave things at this, i guess.
     
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Take another look @ my Post #17

    PID = 1728 = Explorer = Userinit.exe = Winlogon.exe = a Zombie/Phantom Process = Terminated but still in Memory !

    *

    Maybe that guy did have something/s funky happening with his comp ? Exactly what though, we'll probably never know !

    A Video Card Rootkit was available in around 2004/5 on rootkit.com ;)
     
  6. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    What about your

    csrss.exe
    explorer.exe
    wininit.exe ?

    Yes googled VC rootkit and back then it seems it was in development stage. Now? Who knows. :-D
     
  7. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Interesting read:

    -http://www.wilderssecurity.com/showthread.php?t=344856
     
  8. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    From the paper:
    "Rakshasa is comprised of a custom version of Coreboot for the BIOS backend, of a custom SeaBIOS BIOS-payload to create..."

    You don't even need to read more than this to know that it doesn't work against latest UEFI spec with Secure Boot-enabled.
     
  9. Wild Hunter

    Wild Hunter Former Poster

    Joined:
    Oct 13, 2012
    Posts:
    1,375
    Yeah, but that absolutely doesn't mean that Secure Boot was bypassed:

    ...
    Who “Owns” The System
    Security Keys?

    • PK – Key pair is created by Platform Manufacturer

    Typically one PK pair used for a model or model Line

    • KEK – Key supplied by OS Partner,
    Optional: Include 2nd key created by OEM

    • db – OS Partner supplies Key,
    CA Partner supplies Key,
    Optional: OEM App Signing Key

    Signature Tests using db Keys Block Rogue S/W!

    ...
    UEFI Plugfest – May 2012

    www.uefi.org
     
  10. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    okay great to see the security guys on this thing ;)

    anyway i didn't post in systeminternal topic so i didn't know about this paravirtulization rootkit till now

    anyway i have a hacked router don't need to explain how it got hacked because i don't know and i don't know what to do about it i keep resetting + formatting the computer
    the problem keep getting back

    while looking around found that topic on systeminternal which blow my mind and made me freak out a little i won't lie so for that i started asking around

    anyway a simple trick that will prevent firmware rootkit is called a Pin jumber i don't know why no one considers it

    so let's say if there is a malicious code on a networkcard or something
    what to do next o_O

    thanks for everyone who posted here
     
  11. taleblou

    taleblou Registered Member

    Joined:
    Jan 9, 2010
    Posts:
    1,349
    I tried the tests. The process explorer passed according to his test.The next part process hacker test I only had 2 unknown that popped up after closing the IE and one was in sandboxie and other was a log? So according to his test I do not know if its a fail or pass?

    By the way this a clean and formatted wind 7 done yesterdayo_Oo_Oo_O

    I am confused now.
     
  12. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    There's one in the wild though not on VC but on another firmware. http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/

    Greed and selfishness, those are exactly the reasons for this web and the root cause. Carrots and stick, soft touch ops, blackmails and the perks, that's exactly how they work. Not every rank and file knows, info is compartmentalized for their plausible deniability. Just see who benefits for every false flag.

    ~ Removed Off Topic Comments ~

    A router hack is the start before the computer gets rooted eventually. Perhaps his router is bugged or indeed hacked with the many vulnerabilities that are discovered? We can just speculate if his has a mebromi variant(bios virus) or not. For a start, he can scan from a bootable disk after doing cmos(bios) reset.

    Not to mention, torrents, cracks, hacked websites, etc for the possible vectors.
     
    Last edited by a moderator: Apr 17, 2013
  13. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,427
    Location:
    U.S.A.
    Removed Off Topic Posts. We Urge All Wilders Members to Report A Bad Post to Keep Threads On Topic.
     
  14. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Even if your router was hacked, it's still a pretty big jump to infect your computer. Do you run your system as Admin? Do you have a firewall? Did you approve UAC elevation for something you didn't ask for? Etc.

    I think this could also boil down to the question whether the guy at Sysinternals bought hardware that had infected chips on it/them from factory. It has happened before afaik, and the question is do we trust our hardware? If so, do we only trust hardware from certain producers (countries!) and if so why..
     
  15. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    As Brossard says, decision makers should be more aware about this possibility. Supply chain should be thoroughly checked.

    How about this suggestion(bolded) from the other guy from sysinternals which the OP also suggested:
    FAQs - unknown GPU Hypervisor Malware... http://www.facebook.com/pages/Unknown-GPU-Hypervisor-Malware/131545397008622?sk=info&_fb_noscript=1
     
    Last edited: Apr 17, 2013
  16. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    Once infection becomes more prevalent protective measures will be taken by the hardware producers. Probably too late by then. I agree there should be a physical on/off switch /feature on cards that have flashable chips on them.
     
  17. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina
    I am the RFC Rudel from sysinternals
    IT was shame that the tread have so many bad people.
    I was forced to retired becouse I was target but many jokers or hackers.

    the router is easy, once they have your ip (provided by the malware) they modify the router so it can register your ip on dns or to provide dns redirection.

    the key to bios infection is not hard, dont let the gpu part like a hard part.

    if you look at the people that develop hackintosh, they use acpi and acpi tables to create layers of compatibility, (nothing extrange there).
    they last nvidia driver read the card bios create a modified copy acording to the hardware and thats the gpu bios the system use. (shadow bios, or another trick)
    of course thats the bios you dump, not the bios on of the gpu.

    acpi and dsdt can create buffers and storage to load phantom hardware.
    if you read the documentantion the config remains in cmos and a litle trick to get that config back and no flash is required.

    please loock at the loaders they create to emulate hardware.


    once a bug that can manipulate mbr, or hd geometry to hide data is hard to get it out. not to mention the holes in the os to get back in.


    It is hard to prove becouse it use normal emulation.......


    my first reserch was a efi loader, and old variant usa that.

    please, donwloas xen hypervisor, read how can be installed, also xen,kvm adn qemu can share some components.
    xen docs have the part of the code.....

    if you read the official docs, is not only normal emulation, ok with some tricks to reside, but the hard part is get evidence, dsdt can provide buffers,and stores.

    I can write all day, but there is no magic. more security less usability, and work the other way arroud too.

    sorry for the broken englinsh

    RGDS


    the cd infection in no hard, once bug inside it donwload more components.

    the hard part is that it use all the compatibility acpi have, for example a windows driver tha it use is a real MS driver that was created for compatibility to diferent hardware.

    it use normal tricks, to get inside.

    I have follow this bug from 2010 and at that moment was very unique, now there is out there and in many shapes.

    is very well documented how to remain acpi tables whit a store (defined in DSDT table) and the old fake hardware they emulate is becouse its low level acces to the system.

    AV cant do SH, its a plataform hole.

    it is clear that we encounter some false posives, but this is real. I am a MCSE security since 1999. I dont have all the hardware info, and I am not a linux expert, but the more you learn the more logical path to malware is.
     
    Last edited: Apr 17, 2013
  18. snort

    snort Registered Member

    Joined:
    Apr 12, 2013
    Posts:
    10
    well first of all it's a relief to see some of the guys from the main topic are here
    because as i said i don't know about it anything other than i'm hacked well i won't turn this
    on my hack thing i want to get this paravirtulization issue solved or debunked once and for all

    anyway DHRF you can take it from here wilders froum is more active and have a lot of sec guru and legends also there is Mrk the linux master ;)

    1-anyway what do you think the best way to detect this ?
    other than the two that already posted

    2 - because it infects CD/DVD we can use other media to examin the CD/DVD
    like a disc man or something ??
    how do i know for sure if i have or not o_O

    also after looking at malwarebyte getting launched while looking at process hacker i found that unknown processes tampering with malwarebyte
    and other antimalware / antivirus

    look https://www.wilderssecurity.com/showthread.php?t=345568

    and i say i have no seucrity knowledge at all i'm just a simple guy that surfs the net i would really apreciate the help guys
     
    Last edited: Apr 17, 2013
  19. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina
    Ok
    I fight several versions of this malware so that’s my experience.

    I can post bios or acpi tables but I consider all data that the os can provide as compromised, still I will do it.

    The target was a legal firm in 2010
    I detect traffic one night from 1 pc, I start capturing data and close the connection at the firewall, the next packet the pc send was a dhcp release renew, machine was inspected and besides the network traffic all look ok, after wiped, new install media, I notice that the malware not only remains but it keep files of the os that was installed earlier.
    That give me the clue of HD geometry modification, and that the bug was not nice….
    Network traffic jump from one process to another and only at night. (Not heavy traffic,)
    Story short, all network infected, AD schema was modified, and if close the traffic the pcs loose dns resolution. (Fatal for an active directory domain with exchange etc.)
    Network os where compromised by dfs bogus system restore to the clients (primary low level drivers), and fake upgrades of the antivirus server.
    No credit fraud was reported. The only objective looks to stay resident.
    I also notice heavy usage of vga frame buffer.
    Many strange things problems with bios configurations etc. fake bios screens.
    I don’t know if that variant do flash bios.
    Primary defense is the OS that reconfigure the coms/firmware/shadow config on boot.
    Those XP love to make system restore if modified (long boots, info on logs)
    One thing was clear. It work a low level, it was well designed and have many self-defenses.
    The modifications to the OS start whit a sysprep setup and it use wmi and net framework to compromise the os.
    It was not normal malware….
    If the PC is fully compromised not only a fresh installed os will have some estrange traffic. HD geometry modification allow to storage setup files that compromise the os from the first boot.
    The modifications to the OS start whit a sysprep setup and it use wmi and net framework to compromise the os.
    Nothing that was not seen in on malware before but this implementation was very unique, the os was compromised due to bad configuration. No AV detect malware, only prevex AV detect that the DC have kernel files modified.

    Now this is in the open and is more complex.

    Tips: create a folder inside c:\windows, wipe the drive reinstall and if the folder is there at least you have a geometry modified HD/hidden partition.
    Remember this thing don’t care about any standard.
    Hidden efi partition (inside another partition...) brutal use of ntfs data streams, symlinks.
    Bios upgrades run fast (1 second), all indicate that under the hood your head gasket is blow.
    That’s the fast path, it take a long time to researching your acpi tables and low level drivers.

    In my case it love my gtx480 and my lsi 9060 raid card.
    I already suspect that it hides efs setup files, more than one time my pc start to boot windows setup with no hd or cd attached (raid card cache has no battery)

    That’s my second high end machine infected and after all the research we don’t have the proper tools.

    One thing I like to do is boot whit a Linux live cd, go to package manager and uninstall all acpi, and virtual components (I now is live cd but the commands runs) turn of the pc and when I restart it do crazy things.
    One tip, when posting if is reapplying the config you will see artifacts (I have 2 gtx480, and before 2 4870)
    This is a resume ok. More data later.have tons.

    You want security, buy a nice intrusion detection firewall. Like wachguard.
     
    Last edited: Apr 17, 2013
  20. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    DHRF - interesting (and intimidating)read, thanks.

    In an earlier post you wrote :

    "the router is easy, once they have your ip (provided by the malware) they modify the router so it can register your ip on dns or to provide dns redirection.
    the key to bios infection is not hard, dont let the gpu part like a hard part."



    Ok, let's say it's easy for an attacker to compromise your router (if the firmware is buggy etc, which has happened before with certain models), and the router forced "a dns redirect" and silently, without your knowing, downloaded and executed hostile code on your computer. How were your defenses? Did you run as regular user or admin, approved strange UAC prompts etc. I doubt an infection like this, even though very sophisticated, could carry out its payload just like that - without social engineering, using a kernel vulnerability etc.
     
  21. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina
    The problem is privilege elevation, in the old days if the users where not local admins you were safe.
    Imagine if I give you a menu to configure your malware?
    How many examples we have.....

    This bug use several, the download of malware payload was not present in the 2010 version.

    Since I find this bug I run my rig whitout following extreme security, my data is secure on offline HD here and offsite. I assume I can be hacked any time.

    Security is an illusion, remember that you are looking to binary code, I kwon is like ask people to prove they are not connected to the matrix……but the more usability the more insecurity.(mobile phones rig a bell)

    A router whit extreme intrusion detection work on my networks for now.

    I will try to get the most clear exmples of logs etc, but is very dificult to get smoking gun, (all the code, from all the components).
     
  22. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina
    I actualy see fake bios screens and I was able to get to the original after some tricks.

    the network trafick, is there and only some OS firewalls will block it.

    paravirtulization allow you to have direct hardware access and no impact on performance.

    I have 15 years of work in a consulting firm and make many migration whit microsoft consulting services.

    I am a hardware fan and overcloker (since the days you have to solder bigger capacitors on the boards) I see things that are hard to prove.

    how you can confirm 100% that your PC do not have an hypervisor?

    I only say I am not crazy, a litle paranoic yes, and you have to be to be on security.


    I will try to provide more info,and I am one of the people that post on that facebook page.
     
    Last edited: Apr 18, 2013
  23. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517
    So this malware does not work in any different way compared to other "traditional" malware. You still need either a) a privilege escalation b) or user input / decision.
     
  24. new2security

    new2security Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    517

    Well unless you download your BIOS flash utilities or other hardware components' drivers etc from shady sites, I'd say the risk of you getting infected by this super malware is non-existent. Of course, the mobo producer's download servers could have been compromised, but again, it's always a risk we are taking when we download _any_ software from _any_ reputable vendors' sites.
     
  25. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina

    ok


    1 thing is the os
    2 the bios/acpi etc

    if malware can get to your pc, this can.

    if malware can use mbr this can use it too.

    and if you read a little about acpi or xen they can remain in the pc with no flash, or you flash your bios to change the boot device?

    how malware get to your pc, dns redirection/site hacked you download tampered drivers, or like any other malware period.

    the key is that the hole is in the hardware plataform and we don't have the proper tools.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.