ACPI and Malware

Discussion in 'malware problems & news' started by Searching_ _ _, Apr 6, 2009.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I had an issue I raised in this post.

    Apparently there are ACPI fan control scripts that can control temperature through fan control. I can't access the real website that contains the scripts, but I can see the cache here.
    I can't go to this original website, http://www.thinkwiki.org/wiki/How_to_control_fan_speed
    Maybe more thoughtful control.

    Is it possible for malware to utilize a fan control script, for laptops of course, as detection prevention? By executing a fan control script when it detects a scan in progress causing a thermal shutdown.
     
  2. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I dug a little deeper this time.

    What is ACPI?

    The Advanced Configuration and Power Interface (ACPI) specification is an open standard for unified operating system-centric device configuration and power management.

    What does ACPI do?

    The ACPI standard brings Power Management into operating system control (OSPM), as opposed to the previous BIOS central system, which relied on platform specific firmware to decide power management and configuration policy.

    The ACPI specification contains numerous related components, for hardware and software programming, as well as a unified standard for device power interaction and bus configuration.

    If ACPI can program hardware, how does it talk to the hardware?

    ACPI compliant systems interact with hardware through either a "Function Fixed Hardware (FFH) Interface" or a platform-independent hardware programming model which relies on platform specific AML provided by the Original Equipment Manufacturer.

    Reference 1

    And

    The major kernel-level components of the architecture include:
    • AML Interpreter
    • AML Disassembler
    • AML Debugger
    • ACPI Table Manager
    • ACPI Namespace Manager
    • ACPI Resource Manager
    • ACPI Fixed and General Purpose Event Support
    • ACPI Hardware Support
    User-space utilities built upon the kernel components include:
    • ASL Compiler & Disassembler
    • ACPI Simulator (AcpiExec)
    • ACPI Table Extractor
    Reference 2

    How would Malware leverage this access and control?

    If it could reprogram device power management firmware, which isn't needed while ACPI is functioning, then the Malware would have places to store malicious code.

    I also think that a Malware having access to ACPI on the infected system would be able to disable the OS to prevent scans by AV software.

    Annoying but not harmful.

    It could also cause overheating issues leading to component failure.

    Now they're hitting the pocket book.

    Continuous and excessive component failure could be used to incur financial pressure on cash restricted targets.

    Tailored Malware can go undetected by current scans leaving hardware issues as the only symptoms.

    Malware residing in firmware would remain until called.

    Many people use hardware failure to rule out a malware issue, stating "Sounds more like a hardware problem", refusing to look any deeper. With this perspective it would be possible for malware to persist. Most people once faced with a hardware issue will go back to using old install media or back up media from the hard drive which may be infected and causing these hardware failures.

    Excessive emphasis for those with ADHD. :D
     
  3. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    Post #2 by searching , the link problem:

    If I use Google translation, and click on link 'Reference 2' - Avira AntiVir says: 'contains recognition pattern of the HTML/Infected.WebPage.Gen HTML script virus.'

    In my case: Deny access, OK.

    This link 'Reference 2' in English original version - is OK.
    Other links, in English or with Google translation - all OK.


    P:thumb:
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I had a similar issue some days ago. Thermal shutdown, but normally impossible; I have one of the best coolers on the market. Speedfan showed 120°C, crazy. Three thermal shutdowns. I still think it is a wrong temperature that the BIOS measures; sometimes degrees switch to -20°C.

    I think secret orgs misuse ACPI by default, also those S-states.
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Last edited: Jun 4, 2009
  6. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Do you know that this technique is known already for years? It is only the peak of the iceberg.
     
    Last edited: Jun 6, 2009
  8. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    I had a condition where I had 50 GB formatted for Windows which, later, I did format the remaining space to use for data storage. Not too much after that, the second partition developed its own OS not visible from the primary partition. A Spanish Windows Starter Edition. Prevxhelp was assisting me at the time because Edge would lock up on scans and freeze the system. He recommended I start from scratch.

    That's why I've been researching ACPI stuff, because it always seems to be involved. Then I saw how ACPI has access to all hardware and stealth by design, its own components; it makes me want to stock up on P3's. :)
     
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Does it not strike you as odd that all stealth techniques converge on you? I could accept one or two, but just about any special hacking technique ever mentioned, and you seem to have been hit by it.

    So:

    1. Statistically, it does not fit.
    2. If you can detect it, it ain't stealth.
    3. All detection methods mentioned are in vivo in Windows, which makes the whole thing an absurd game, because if this "malware" was truly stealth, you would a) not be able to find anything about it b) you would require Linux live CDs and whatnot
    4. You have faulty hardware or bad cooling, which explains the multitude of hardware related problems.
    5. No need to get hysterical, simple bios flash works ...
    6. Do you know why all of this is just a nice story, because for instance you can boot Linux with kernel parameter acpi=off and oops, no more malware. And Linux is nowhere mentioned, so we have acpi-windows-dependent crap, which means live CD and it's gone. Or better yet, the hardware won't function at all ...

    Mrk
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    As I said, but it wasn't related to the topic, ACPI is only one little part of a multitude of specific undermining attacks.

    There exists nothing really undetectable, so stealth is a common term for things that are well hidden.
     
  11. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    ACPI has OS independent technologies, interfaces, code and hardware.

    The OS independent technology portion of ACPI operates before the (Phoenix) BIOS Power On Self Test. It starts before everything, including Linux and Live CD.

    Plausible deniability. "You have a hardware problem, no need to look for malware", could be a side effect of bad malware coding.
    A rough chop vs. minced, to use a cooking analogy.

    The OS independent ACPI BIOS is not flashed when flashing your (Phoenix) BIOS.
    In much of the information about ACPI BIOS on most websites, there is a misunderstanding, intentional or unintentional, that it is a part of the BIOS that everyone knows about. Award, Phoenix, AMI etc.
    But, in the ACPI specification documentation it states the ACPI has a separate BIOS.

    Awaiting your Actuarial analysis on the probability of these events.
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Exactly, always these narrow-minded Linux junkies; they don't realize that they are already subverted by default.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Subverted as in subversion ... svn commit and that sort of style?
    Mrk
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Someone tested it on one of my systems, as it seems. I double checked whether my CPU cooler was the cause: I unmounted the cooler tower and remounted it from scratch with Arctic paste, but it didn't help; then I changed some settings and the temps were normal. We talk about +/- 80 °C difference in BIOS. Usually 42 °C; with this malicious BIOS script that some insane mind plugged in, 122 °C. That leads inevitably to auto shutdown. I think this BIOS script is remotely controlled by radio or satellite; they probably use the oa in CMOS, CPU direct access or audio device as C&C transmitter.
     
  15. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    This shutdown stuff has been plaguing me when performing malware scans with various tools. They get in with no alerts or alarms, then buggy symptoms appear.
    That's why I want to determine if they are persistent or a fresh attack each time.
    A fresh system install has no problems, no overheating, no shutdowns.
    I used Radix to take base lines after every program install. Between 2 installs something appeared, patched modules that no one could explain.

    Everything that has been occurring in my system is explainable, without RF c&c.
    By attacking ACPI it may be possible to control hardware functions.
    Some checking on Winbond ACPI controller chips, I have found some newer chips with as much as 4 megabytes (32 megabits) flash storage.
    I have been looking at SMSC chips, but there is less quick info on them.
    Combining it with the HTTP smuggling/splitting from the other thread adds up to a lot of mischief potential.
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Radio, satellite I see ... How about you build a copper mesh around your house and then see how the aliens probe your hardware, eh? Damn those Maxwell equations! Oh, for radio transmission, you need an antenna! I have looked recently, did not see any antennas on a mobo ... Hmmm ...

    Maybe tachyon radiation?

    Mrk
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Bluetooth is only one example of invisible antennas but wireless transmission.
     
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I did not see your answer. Which modules did Radix show? Pay attention to all subsystem components: session manager subsystem as well as system shadow table and win32k.sys. That's their playground for years.

    It is persistent if it is bios related.
    For how long? Always a matter of time until "sub-bios-hack" comes back.

    You are one of the few who understand the truth and are dedicated to.

    That is also what was told to me by one of the archs. This BIOS thing subverts any OS, and combined with HTTP smuggling and poisoning it does its work all around the globe on nearly all systems that are connected to the internet.
     
    Last edited: Jun 17, 2009
  19. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Offhand I don't recall. I've wiped the OS, but have a backup of it. Could load it up later in a VM and check.
    Haven't decided which OS I want to install yet. Back to Windows, maybe try Linux, or go deep with BSD.

    Here is me playing around in Linux trying to dump some ACPI info.
    Can't open table.dat.

    Code:
    root@youknowho:~# acpidump >acpidump
    root@youknowho:~# acpixtract -a acpidump
    Acpi table [DSDT] - 30346 bytes written to DSDT.dat
    Acpi table [FACS] - 64 bytes written to FACS.dat
    Acpi table [FACP] - 244 bytes written to FACP1.dat
    Acpi table [SSDT] - 528 bytes written to SSDT.dat
    Acpi table [APIC] - 84 bytes written to APIC.dat
    Acpi table [SLIC] - 374 bytes written to SLIC.dat
    Acpi table [MCFG] - 60 bytes written to MCFG.dat
    Acpi table [HPET] - 56 bytes written to HPET.dat
    Acpi table [XSDT] - 84 bytes written to XSDT.dat
    Acpi table [FACP] - 116 bytes written to FACP2.dat
    Acpi table [RSDT] - 60 bytes written to RSDT.dat
    Acpi table [RSDP] - 36 bytes written to RSDP.dat
    root@youknowho:~# iasl -d TABLE.dat
    
    Intel ACPI Component Architecture
    AML Disassembler version 20061109 [May 16 2007]
    Copyright (C) 2000 - 2006 Intel Corporation
    Supports ACPI Specification Revision 3.0a
    
    Could not open input file TABLE.dat
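    The session above stops at `iasl -d TABLE.dat` because TABLE.dat is a placeholder name; the files acpixtract actually wrote are the ones listed (DSDT.dat, SSDT.dat, FACP1.dat and so on), so the disassembler wants one of those. Before disassembling, a defender can do something simpler with the same .dat files: check each table's header checksum and keep a hash baseline so that a changed DSDT or SSDT across boots or firmware updates stands out. The following is an added example, not code from this thread or from the ACPICA project; it parses the 36-byte System Description Table header defined in the ACPI specification, validates the checksum, fingerprints the tables, and diffs against a stored baseline. The sample table bytes are constructed in the script, not dumped from real firmware, and `load_dat_dir` is a hypothetical helper for reading the acpixtract output directory.

```python
"""Added example: audit ACPI tables written by `acpixtract -a` (checksum + baseline diff).
Sample tables are constructed here, not real firmware dumps."""
import glob
import hashlib
import os
import struct

# ACPI System Description Table header (36 bytes, little-endian), as in the ACPI spec:
# Signature(4) Length(4) Revision(1) Checksum(1) OEMID(6) OEMTableID(8)
# OEMRevision(4) CreatorID(4) CreatorRevision(4)
HEADER_FMT = "<4sIBB6s8sI4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 36
CHECKSUM_OFFSET = 9
# FACS and RSDP do not use this header; they are fingerprinted but not checksummed here.
NO_SDT_HEADER = {"FACS", "RSDP"}


def parse_header(blob):
    """Decode the SDT header of a raw table; raises ValueError if the blob is too short."""
    if len(blob) < HEADER_LEN:
        raise ValueError("table shorter than an SDT header")
    sig, length, rev, chk, oem, oemtab, oemrev, cid, crev = struct.unpack_from(HEADER_FMT, blob)
    return {
        "signature": sig.decode("ascii", "replace"),
        "length": length,
        "revision": rev,
        "checksum": chk,
        "oem_id": oem.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_table_id": oemtab.rstrip(b"\0 ").decode("ascii", "replace"),
        "oem_revision": oemrev,
        "creator_id": cid.decode("ascii", "replace"),
        "creator_revision": crev,
    }


def checksum_ok(blob):
    """True when all bytes covered by the Length field sum to 0 mod 256 (the spec's rule)."""
    hdr = parse_header(blob)
    if hdr["length"] > len(blob) or hdr["length"] < HEADER_LEN:
        return False  # Length points past the data we have: truncated or corrupt
    return sum(blob[:hdr["length"]]) & 0xFF == 0


def build_table(signature, payload, oem_id=b"CONSTR", oem_table_id=b"EXAMPLE1"):
    """Construct a well-formed table with a correct checksum (constructed test data)."""
    length = HEADER_LEN + len(payload)
    hdr = struct.pack(HEADER_FMT, signature, length, 1, 0, oem_id, oem_table_id, 1, b"TEST", 1)
    blob = bytearray(hdr + payload)
    blob[CHECKSUM_OFFSET] = (-sum(blob)) & 0xFF  # make the whole table sum to zero
    return bytes(blob)


def fingerprint(tables):
    """Map table name -> SHA-256 of its raw bytes; this dict is the baseline to store."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in tables.items()}


def audit(tables):
    """Return names of tables whose SDT checksum fails or whose header is malformed."""
    bad = []
    for name, blob in tables.items():
        if name.rstrip("0123456789") in NO_SDT_HEADER:  # e.g. FACS, RSDP
            continue
        try:
            if not checksum_ok(blob):
                bad.append(name)
        except ValueError:
            bad.append(name)
    return sorted(bad)


def compare_to_baseline(baseline, current):
    """Diff two fingerprint dicts; a 'changed' DSDT/SSDT is what you then open with iasl -d."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
    }


def load_dat_dir(path):
    """Hypothetical helper: read the *.dat files acpixtract -a writes (DSDT.dat, FACP1.dat, ...)."""
    tables = {}
    for fn in glob.glob(os.path.join(path, "*.dat")):
        with open(fn, "rb") as f:
            tables[os.path.splitext(os.path.basename(fn))[0]] = f.read()
    return tables


if __name__ == "__main__":
    good = {"DSDT": build_table(b"DSDT", b"\x10\x42" * 8),
            "SSDT": build_table(b"SSDT", b"\x5b\x82" * 4)}
    baseline = fingerprint(good)
    tampered = dict(good)
    tampered["SSDT"] = tampered["SSDT"][:-1] + b"\xff"  # one byte altered in the AML body
    print("checksum failures:", audit(tampered))
    print("baseline diff:", compare_to_baseline(baseline, fingerprint(tampered)))
```

A real run replaces the constructed tables with `load_dat_dir(".")` in the directory where acpixtract wrote its files, and the baseline dict is saved (for instance as JSON) after a fresh install, which is the point at which the thread's author reports a clean machine. A passing checksum only means the table is internally consistent, so the baseline diff, not the checksum, is the tamper check; the checksum mainly catches truncated or mis-extracted dumps.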
    
     
  20. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    How many layers are there on a motherboard anyway?
    One layer could contain the antenna/s, conceivably.

    I've seen antenna in US currency! Why not a motherboard?
     
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Don't expect too much insider knowledge from him; he is stuck in his Linux dimensions. ;)

    Also we shouldn´t forget the report about the manchurian chip.

    These are the temps displayed shortly after ACPI S3 wake up:
    http://i39.tinypic.com/2e151le.jpg
    Extra frost simulation.

    Some times later we see this:
    http://i44.tinypic.com/2zstdmg.jpg
    Hot as hell.

    But both values can't be anything but wrong. That's a malware trick or total failure of a company called Phoenix Award. The last possibility for who is responsible for this mess is either Intel or Gigabyte, but I bet the core problem is the Award BIOS.

    With linux the temp read out is impossible.
     
    Last edited: Jun 18, 2009
  22. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Power management isn't handled by the "Phoenix/Award" Traditional BIOS. That function has been moved out of the BIOS, beginning in 1999 and later, to have its own hardware/software infrastructure called ACPI.
    ACPI has its own BIOS which is pre-POST of the Traditional BIOS; some chips contain up to 4 Mbytes of flash.

    Traditional BIOS issue is the inclusion of a complete network stack built for hidden communication, supposedly for updating EFI.

    Leveraging ACPI gives them overall direct device access to all power management functions. At the least a harassment tool.
    Traditional BIOS may offer a hidden communication channel on an infected system, for hackers, visible only by sniffing.

    *Please keep the Anti-Moron Patrol comments out of all threads.
    *Thoughtful Counter Point is always welcome and helps us re-evaluate our ideas.
    *Logic can be valid or invalid. So it is possible to be totally logical, but invalid.
     
  23. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I know that there is a covert comm channel through bios but
    where is this acpi chip located? Is it the board vendor who placed it? I thought it is part of the cmos chip.

    Actually the bios seems to show correct temperature, only windows is right now fooling around +20 up to +30 °C.

    Two thermal shutdowns they must be induced by vista or cpu, I guess.
    Any idea how to disable this shutdown from software side?
     
    Last edited: Jun 18, 2009
  24. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    What if I told you that I know the number of layers on a mobo and what each one contains? Would that convince you to take off the tinfoil hat?
    Mrk
     
  25. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    You're silly,

    The tin foil hat only protects me from the magnetron pulse cannons, it doesn't do anything for my computer.

    Look for a chip printed with Winbond or SMSC, could be other vendors.
    See diagram here.
    Also, ACPI specification says it has its own hardware.
    If ACPI is damaged or not present OS will use APM.
     