Is this real or bogus and paranoia? GPU-based paravirtualization rootkit

Discussion in 'malware problems & news' started by snort, Apr 12, 2013.

Thread Status:
Not open for further replies.
  1. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina
    First, I have tons of work, sorry for not keeping posting.

    I will when I have time.

    The papers you provided are great, but the man has another paper:
    http://pferrie.host22.com/papers/vtrootkits.pdf


    I think the difference now is the use of ACPI/ACPI tables as a foundation.

    I will try to get more evidence.

    RGDS
     
  2. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina
    ACPI can do lots of things; it has lots of management over the hardware and can be configured from the OS. It's a standard, it has holes.
    The more I read about ACPI, the more ideas come to mind.

    How do I force a reinfection? I boot a Linux live CD, go to the package manager and remove all the ACPI/firmware packages; it is a live CD, but the commands run.
    Then when I boot Windows my graphics cards are unable to start; one more reboot, long POST artifacts etc., and all is fine.


    I have many problems with BIOS options; not only is BIOS shadow not a standard menu option today, ACPI can force it.
    Puff, I have some history with BIOS that I am afraid to post... the strange things that the machines with this bug do when you try to get it out.
     
    Last edited: May 7, 2013
  3. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Last edited: May 8, 2013
  4. DHRF

    DHRF Registered Member

    Joined:
    Apr 17, 2013
    Posts:
    18
    Location:
    Argentina

    I totally understand the lack of credibility about the malware.

    That's why I respect the professional courtesy of this forum.
     
  5. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    While I do not doubt that there could be malware capable of this, it seems as if the signs indicated here are perfectly normal.

    Explorer.exe is launched during the startup process and should not really have a parent.

    In Process Hacker, I do see Unknown Process writing to disk, but this appears to be more of an incorrect assessment. It seems as if this happens when a process runs and closes very quickly. For instance, when the Google Update process ran, it showed activity related to a Google Update process, and this can be verified under Procmon. It appears, though, that since the process is closed, when Process Hacker puts it in the list of disk access, it again tries to look up the process being used. It appears that since the process is no longer running, it comes up as Unknown Process.

    Now, I don't doubt that processes can be hidden and write to disk, but I don't think this is **necessarily** a sign of something malicious.
     
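The behaviour hpmnick describes, as an added illustration that is not code from the thread and not Process Hacker's or Procmon's own implementation: a toy process table and two monitor designs. One stores only the PID of a disk event and resolves it to an image name when the list is rendered, so a process that has already exited resolves to "Unknown Process"; if the kernel has meanwhile reused that PID, the event is silently attributed to the wrong image, which is worse than "Unknown". The other snapshots the image name at event time, which is what a kernel-side tracer can do. The image names, paths and PID numbering are constructed for the example.

```python
# Added example (not from the thread): why a monitor that resolves PIDs after
# the fact shows short-lived writers as "Unknown Process", and how PID reuse
# turns that into misattribution. All names/paths below are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

UNKNOWN = "Unknown Process"


class ProcessTable:
    """Toy process table: PIDs are handed out and may be reused after exit."""

    def __init__(self) -> None:
        self._live: Dict[int, str] = {}
        self._free: List[int] = []   # PIDs released by exited processes
        self._next = 1000            # hypothetical starting PID

    def start(self, image: str) -> int:
        if self._free:
            pid = self._free.pop(0)  # kernel hands a freed PID out again
        else:
            pid, self._next = self._next, self._next + 4
        self._live[pid] = image
        return pid

    def exit(self, pid: int) -> None:
        del self._live[pid]
        self._free.append(pid)

    def lookup(self, pid: int) -> Optional[str]:
        return self._live.get(pid)


@dataclass
class DiskEvent:
    pid: int
    image: Optional[str]   # None when the monitor did not snapshot it
    op: str
    path: str


class LateResolvingMonitor:
    """Stores only the PID and asks the process table when rendering the list."""

    def __init__(self, table: ProcessTable) -> None:
        self.table = table
        self.events: List[DiskEvent] = []

    def on_write(self, pid: int, path: str) -> None:
        self.events.append(DiskEvent(pid, None, "WriteFile", path))

    def render(self) -> List[Tuple[str, str]]:
        # Resolution happens here, possibly long after the writer exited.
        return [(self.table.lookup(e.pid) or UNKNOWN, e.path) for e in self.events]


class SnapshotMonitor(LateResolvingMonitor):
    """Captures the image name at event time, as a kernel-side tracer can."""

    def on_write(self, pid: int, path: str) -> None:
        image = self.table.lookup(pid) or UNKNOWN
        self.events.append(DiskEvent(pid, image, "WriteFile", path))

    def render(self) -> List[Tuple[str, str]]:
        return [(e.image, e.path) for e in self.events]


def scenario(monitor_cls, reuse_pid: bool) -> List[Tuple[str, str]]:
    """Long-lived explorer.exe writes; a short-lived updater writes and exits.
    With reuse_pid=True an unrelated process grabs the freed PID before the
    monitor renders its list."""
    table = ProcessTable()
    mon = monitor_cls(table)
    explorer = table.start("explorer.exe")
    mon.on_write(explorer, r"C:\Users\u\AppData\Local\IconCache.db")
    updater = table.start("GoogleUpdate.exe")
    mon.on_write(updater, r"C:\Program Files (x86)\Google\Update\GoogleUpdate.log")
    table.exit(updater)          # ran and closed very quickly
    if reuse_pid:
        reuser = table.start("notepad.exe")
        assert reuser == updater  # same PID, different image
    return mon.render()


if __name__ == "__main__":
    for cls in (LateResolvingMonitor, SnapshotMonitor):
        for reuse in (False, True):
            print(cls.__name__, "reuse" if reuse else "no reuse", scenario(cls, reuse))
```

Running the block prints the rendered list for each combination: the late resolver reports the updater's write as "Unknown Process" when nothing reused the PID and as "notepad.exe" when something did, while the snapshotting monitor reports "GoogleUpdate.exe" in both cases. The practical check when triaging an "Unknown Process" entry is therefore to correlate it with a tracer that records the image at event time, as hpmnick did with Procmon, rather than trusting a post-hoc PID lookup.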