Discussion in 'malware problems & news' started by snort, Apr 12, 2013.
By the way, all my media came from MSDN.
Well, flashing being involved or not, IMO you still need an escalation either through an approved user input/decision or a system vulnerability. I can subscribe to the idea that an unpatched system/software/plugins has lowered its guard against malware and could execute them without your knowledge, but could you explain in detail how this payload manages to tamper with your BIOS settings, write to your ROM chips, etc. from Windows user space?
Are you suggesting that Microsoft could have delivered tainted drivers?
Though not detailed until we wait for DHRF's, this I can offer. Since malware has gotten through the "rooted" system either from a) exploit/s for a remote code execution vulnerability and/with privilege escalation, or b) social engineering (user input like cracks or patched bootable installers, torrents), it is only a few steps away from getting to the BIOS or the firmware, I assume. In a Linux system with root, it is pretty straightforward, as flashing firmware from the desktop is possible or supported (any Linux guru can correct me). Windows requires a reboot (for BIOS rootkits) or a kernel driver (for SMM rootkits). Obviously, for infected bootable installers, it goes straight ahead just like DOS mode flashers. Hence, it is not done in Windows user space. For Brossard's Rakshasa, it can be done through network boot.
But some drivers that are from MS are used to manage some fake hardware.
Thanks for elaborating. I can see that the steps involved make sense. But I admit there is a mental threshold where I'm still struggling to convince myself that these hostile kits can infect your GPU chips, run virtual BIOS sessions from the GPU ROM as if it were a computer within the computer.
DHRF - I have to ask, in view of the capabilities of this supposed rootkit
a) Who do you think might be behind it
b) How do you think you became a target
c) How prevalent do you think it is ITW?
How? Please describe the scenario.
Can't give many details, but government or enterprise for the one that hit my network.
My work notebook got infected there and later my home PC.
But now this code is out, or the backdoor was found, and now it's like a downloader malware.
I don't think it will spread like fire; I want tools to protect or detect.
I will post docs later. It was about an exploit of ACPI that was part of a compatibility phantom device or bus, and it was an exploit; the OS doesn't see anything wrong because the device was supported by MS drivers.
ACPI and PnP go hand in hand; read a little about ACPI and the work of the Hackintosh people, they have tons of data on their site.
I am not an expert and I have trouble following you. Please explain as you would to a computer illiterate.
explorer.exe Already explained
The others = similar = No panic
Noted. It's definitely a false positive. I've checked 4 W7 PCs and all of them give me the non-existent error for those processes.
I never said that monitoring processes can be used as evidence.
Ok, so the particular GPU hypervisor malware you got is quite different from Brossard's Rakshasa in terms of how they were installed. I never quite read your previous posts regarding DSDT injection, ACPI exploit, Hackintosh and the like.
What I described was actually the second scenario of how Brossard's POC malware gets installed remotely, by eventually flashing the BIOS.
His first scenario is, of course, physically backdooring the hardware by using flashers on the BIOS.
I haven't yet read the GPU malware links posted on their Facebook page. So unfortunately, I can't describe how the GPU malware was able to virtualize everything, much less their DSDT hack, ACPI exploit and so on and so forth.
I was only able to read Brossard's paper, and what I elaborated was the way he gets to remotely install his Rakshasa by flashing the BIOSes with his romkit and eventually the PCI ROMs with network firmware, after getting root first.
Since the PCI devices of the various manufacturers differ, the hack was to determine the exact MAC and the make of the enumerated PCI devices of the target victim, to be sent to the remote C&C prior to downloading the appropriate flashers for those particular PCI devices. The purpose of flashing other PCI ROMs like the CD firmware with network firmware was redundancy, in case the BIOS was reflashed, removing Rakshasa. Through constant updating from the network, they can reflash Rakshasa back into the BIOS.
I personally don't think this kind of attack will develop into a full-fledged, commercialized exploit kit type that infects many. We don't have to worry that anywhere in the immediate future we Wilders forum members will have this type of malware get past our layered defences just like any other malware, unless targeted. That's the reason we are also not hearing anything from security experts like Metasploit's HD Moore sounding the alarm about that type of ubermalware being so prevalent.
And so this is more for targeted attacks, where they have done their homework first, doing reconnaissance on their juicy targets before doing the actual attack.
I am also waiting for DHRF to describe how GPU malware gets into the system through those DSDT injections, ACPI exploits (or whatever else doesn't require actually flashing the BIOS).
Interesting read. The way you describe it sounds plausible and I don't doubt most of them are feasible. The average user probably won't need to worry about these malware classes, yet, but perhaps it's already being used for industrial espionage.
How would one protect against these attacks?
That's my main concern.
In security this can't be avoided: more security, less usability.
Today you can download a Linux live CD and boot on any PC; that was a no-go in the year 2000.
The thing is that this is possible; many people I talk to have some variant and they can't get it off.
MS releases some remote code execution patch almost every month.
If AV can't protect against ring 0 malware, what's the point of AV!!!!
I don't care if government or big IT enterprises are behind this; I don't have anything to hide. MS is my food provider and I am the first to blame them when they F up.
But malware makers don't sleep; they share the holes they find, even if it was government/security related.
The malware community must be aware of Blue Pill malware.
I have worked with virtualization since VMware started. You can make a sysprep setup that makes a physical-to-virtual migration. The only secret here is they use normal compatibility to get inside.
Paravirtualization allows direct hardware access, so if you are a gamer you don't feel the difference.
OS manipulation is easy, but if our reporting tools give fake reports due to rootkit drivers, or reinstallation is no fix due to hidden setup files, that gives the bad scenario we can't get: a sensation of security.
Like I said, it was not easy and I can have some false positives, but that doesn't rule out the big hole (or compatibility layer if you prefer), and we can only find out after infection/hack/data access, etc.
Security must be proactive, not reactive.
I have tons of info but I can't post it all, not to mention that a virtual BIOS/ACPI can be used to discredit any find.
GPU virtualization is used today, GPU-accelerated apps are normal, and I said GPU because it has memory and processor capability; a nice audio or network card can be used to store data too.
I posted this before: look at rootkit malware, look at infection, hiding, drivers, intention; make a menu of the best of each category and design your own.
How do you hide from the AV?
How can you load before the OS starts?
How can you make it hard to remove?
How can you fake that it was removed?
One thing we use in security is fake data. We know that hackers can get in (OS holes, firewall holes, $ to IT personnel, etc.); a fake data server lets the hackers think they got in and stole the info, so they don't use social tactics.
They have used fake AV in the past, so malware makers are no fools.
I have tons of info and it's hard to summarize it all in a couple of posts.
Thanks for the professional courtesy; it looks normal here but it's not the rule, so I thank you.
Please look at the Facebook info, lots of links there.
Paravirtualization is not full virtualization; it allows direct hardware access to some buses or devices (gives more compatibility to the malware).
ACPI and PnP go hand in hand.
You don't need to flash the BIOS to change ACPI options; they get stored in CMOS. The only thing you need is a load of that part of the BIOS if the BIOS gets restored, replaced, or reflashed.
Tools to change VGA OC or CPU OC are not rare.... Both use low-level hardware access.
I also found that the more hardware the PC has, the more complex (or places to hide) it is.
My malware-infected Core i7 (LSI RAID card: 4 SSD RAID 0, 4 WD RG4 2TB, 2 ATI 4870x2 on an EVGA X58) was more complex than the IBM 3650; still, the VGA was used.
I think it uses all cache/memory devices as storage to get reinfected.
VGA is not optional, so the focus on that device is more understandable.
The artifacts I got after hard resets (I do overclock) made me change my two 4870x2 for two EVGA GTX 480.
Now I have an ASUS Crosshair V Formula and AMD 8120.
Of course, it is plausible and feasible. I am not making all those up. Everything I say is in Brossard's paper. See the link I have already posted earlier in this thread, which I actually got from their Facebook page.
Paravirtualization is a misnomer for this type of malware that is already residing in the hardware firmware itself. Why would this type of malware need direct access when it is already there? These malware are the HYPERVISORs or Virtual Machine Monitors, and the victim operating system is the virtualized machine, thinking it is still running directly on top of the hardware.
Or are you actually referring to the INITIAL infection or injection process? Where the malware dropper was able to write directly into the firmware or to any other writable memory in various hardware devices. But then the operating system is still not in the virtual machine stage and the malware is not yet a hypervisor during that process. Again, it would be a MISNOMER to call that paravirtualization too.
Brossard, the SubVirt guys at MS, and others like the Blue Pill guys at Invisible Things Lab never ever mentioned any paravirtualization.
The ACPI table is in the BIOS. And sometimes when people refer to CMOS, they are referring to the BIOS, or the other way around.
The bottom line is that this type of malware was able to write, flash or modify the writable memory, ROMs or firmware of the hardware. There is no magic there.
You may not call that flashing but instead refer to it as low-level hardware access, or wrongly term it paravirtual access. But as long as you write to or modify a firmware, it is still called flashing to me. It's just a matter of semantics. It is called flashing whenever you get write access to the firmware, whether it be the BIOS, CMOS, PCI ROM, SSM, EEPROM, NVRAM or any other firmware, including the ACPI table in the CMOS/BIOS.
You'd better contact the SubVirt guys, the Invisible Things Lab guys who created Blue Pill, as well as Brossard. They may actually clear everything up. Instead of making things up or inventing jargon like paravirtualization, they may actually prove your or your group's claim of CDs infecting a clean machine, Androids getting infected, etc. Everything has already been researched and done by these trailblazing guys. If the AV guys refuse to believe, these people will be receptive even if everyone is accusing your group of spreading FUD.
Hold your horses.
An OS that was compromised can infect all media inserted.
Don't jump layers, OK?
Don't put all the people that complain about the malware in the same bag. I do work with some of them, but I don't think all this is about this malware; still, an OS that has been compromised can infect, or not, any device inserted.
You think that modifying a shadow ROM is flashing? Because you can do that.
Do not modify the original ROM but load a fake one in memory.
BIOS shadow and GPU shadow are used today and can be used to allow compatibility, or for not-so-fine intentions.
GPU is targeted because it is one of the first devices that is called during POST.
Syslinux docs show how to use the GPU as a boot device....
Paravirtualization is not my invention, OK? If you do some physical-to-virtual migration on VMware you will notice some drastic changes.
I am working 18 hrs per day to get logs to post.
Please allow 72 hrs; I do work, I have 3 kids, and remaking all the logs is not easy. Your courtesy is recognized, and my effort deserves at least the benefit of the doubt.
I can grant RDP if you prefer.
But the fact is that the BIOS is shadowed, ACPI is fake firmware, the GPU is used as storage/bus, and I can't get rid of them. I wipe my drives, reflash my BIOS, and if I boot with my Linux Mint recorded today I can access the logs of the Linux Mint I booted in 2012; same for Kaspersky AV, it still shows viruses removed last year.
So it has a storage, or many, and the code I found on CPU/GPU/ACPI sent me to QEMU or Xen info on the web.
|C|27 VIRT_FIRMWARE [Y]Virtualization in the Firmware
Not to mention that ACPI tables enforce firmware virtualization.
And according to all tools the motherboard BIOS is the GPU BIOS.
All because ACPI takes control.
Please don't jump layers or conclusions; I didn't end up looking at the BIOS because I have time to spare.
And I know very well that my logs can be compromised and you end up losing your time.
Thanks to all for reading my bad English, I can speak it much better (dyslexia and epilepsy give me lots of buffer overflow).
I know that. What I meant was in particular how can an infected CD pass the malware to a clean machine where:
a) the BIOS of the computer was configured to boot first from the hard drive and not to the bootable CD
b) autorun is disabled
c) while hidden files and extensions are shown, the user will not click on suspected files.
Unless a certain vulnerability, like the one in shell32.dll, or other vulnerabilities, zero-day or not, is exploited in a vulnerable system; then those are bypassed just like in the LNK exploit for Stuxnet.
It sounds like fiction or FUDish, the way it was presented on the Facebook page. Like there's no recourse...
"Q: Well then how can I copy all my files from my infected machine to the new one?
A: That's a good question. Using a USB stick to transfer will just infect the new machine. Writing them to a DVD could infect the new machine through the DVD's filesystem being infected. I am working on a solution for myself to safely copy files but this makes this a huge problem."
Sorry, when I say YOU, it's plural as in collective as in the Group. I never wanted to make it personal. More on that later.
GPU is one of the first devices called during POST? Isn't it the hard disk, the network, and CD/DVDs? But through network booting via syslinux/PXE, any PCI ROMs (and that's where the video cards/GPU come in) become part of the possible bootable devices.
I know the malware can flash firmware like PCI ROMs, including video cards, with network firmware for redundancy in order to "network boot" from there using syslinux or PXE. But to boot from the GPU, a modification in the ACPI in the BIOS, the BIOS itself, EFI for Macs, UEFI firmware for newer hardware, or even NVRAM is needed to modify the booting sequence. All the works by the SubVirt guys, Heasman, Brossard, the lady and the guys of Blue Pill and Invisible Things Lab are all pointing there. Rarely any mention of any GPU shadow or BIOS shadow. That's a novelty those guys will be interested in. But still, using those shadows will still require modifying the boot sequence. It is quite possible, using the ACPI BIOS driver or any driver, that they can modify the boot sequence in the installation stage or flash a firmware for that purpose. Heasman talked about the ACPI/BIOS rootkit (link below) where that ACPI BIOS driver is involved. We just have some little disagreement whether it's outright flashing of firmware or on-the-fly modification of the BIOS or GPU shadow. But the result is the same: malware (bootkit or romkit) needs to boot first, before the target operating system, in order to hook the latter as a virtual machine.
Of course, there are drastic changes. The malware, according to Brossard's paper, has made many changes to the operating system, making it so porous. But that doesn't mean it's paravirtualization. There's no such thing. It's still plain and simple virtualization when you migrate to VMware. The virtual machine just got porous, and we have heard of some bypasses of virtual machines getting into the hardware. Again, it's nothing personal. When I refer to you, I refer to the whole group. You as in the plural "you". Just making a healthy criticism to clarify things. To help you convey things in a simple, comprehensible manner, not ending up lost in a gibberish haystack by which others quickly get turned off. Don't you guys realize, I am helping you?
Take your time. You can't do it alone, and that's why I make the suggestion. More on that later.
If in your case (and others in your group) the virtualization of the target OS is done under Xen or QEMU... SubVirt uses both VMware and Virtual PC for the virtualization of the target OS by the hypervisor or virtual machine monitor....
SubVirt: Implementing malware with virtual machines
ACPI BIOS rootkit is nothing new. Already demonstrated by a trailblazer by the name of John Heasman...
Also his work on PCI rootkit...
Unfortunately, for you and others, you've become victims. Other than your firms, where you people are working, being juicy targets, it's more likely an unfortunate case of being in the wrong place at the wrong time because of, maybe, too many torrents or pirated wares for some. There could be more undocumented cases that go unreported, for cyberespionage or cyberwarfare purposes, or for more infections for use in their botnets, which capitalise on the GPU's processing power for bitcoin mining or any other botnet-powered supercomputing tasks. Aside from that, this could be a spook's dream come true, because it remains undetectable with the usual AVs or IDS.
I suggested you as a group contact those guys I've mentioned, which may give you extra clout in convincing the unbelievers in the AV industry. Because these guys (the AV and the security guys) have all the tools and the resources. Among the AV guys, I think the one who will probably be sympathetic to your guys' cause will be Marco Giuliani, if I spell that correctly. The one who researched the first in-the-wild BIOS malware in this decade, the Mebromi malware.
Maybe the release of this malware in the wild was to coincide with Kaspersky's new UEFI AV and Windows 8 with its Secure Boot? He he (just kidding, because there should be a lot of fanfare in the media and in the security circles if this is true).
Don't take any criticism as personal. I just wanted to clarify everything for others. Because of somewhat of a communication problem and a somewhat FUDish way of presentation, the people at the beginning of this thread and in other forums as well are somewhat not taking every word your group is saying seriously. Some might even say it's just bogus or paranoia, as in this thread title. I think I am the one in this thread who cleared the way for everyone here in Wilders that these things are possible. And as I said, don't you realize, I am helping you clarify things. And why? That's in gratitude for broadening our horizons. I have been hearing for many months or even years of, e.g., SubVirt by Microsoft, PCI and BIOS rootkits by Heasman, Rakshasa by Brossard and Blue Pill by Invisible Things Lab, but I always took them lightly. And only through you have I seen the works concerning GPU-assisted malware. Thanks for that. We'll be waiting for more updates. BTW, I'm dyslexic too.
I'm sorry for this post, but this comes to my mind:
1- If it spreads by flash drives:
How can we see if a flash drive is infected or not??
2- Same for CD/DVD??
If we could get the binaries we could send them to AV to reverse.
In the end there is code that is spreading!!!
How can you get your hands on the code??
Okay, can anyone please help me
get on top of what's happening to my computer.
I'm probably hacked but I don't know what to do next.
The hack is coming back even after a format!!
What to do next? What should I learn/read/study in order to continue?
Should I open a new topic?
If no one here can help me, at least can you direct me to something or somewhere to get help?
Already went to the UNITE forums; they didn't detect anything.
Anyone with any tips, feel free to private message me.
It could be this or, idk, some other backdoor.
Apologies to DHRF and his group regarding Paravirtualization. Paravirtualization was mentioned here...
Same as CD/DVD: if files are unhidden and extensions shown, you can see any suspicious files unless files are appended with file infectors. Your recourse will be to scan with up-to-date scanners and/or run it in a sandbox/VM with a noisy HIPS to see unusual behaviors typical of rootkits (driver loading) or bootkits (low-level disk access).
as posted already in this thread... https://www.wilderssecurity.com/showpost.php?p=2217256&postcount=21
My suggestion would be: from a clean machine, download and burn a bootable rescue AV CD/DVD you prefer and then scan your suspected infected machine. If the infection keeps coming back, then as the first step before scanning, in case of suspected BIOS malware, short of the best solution of flashing (which however might brick your hardware), one can simply do a CMOS reset at first (esp. for older machines or certain motherboards), by temporarily removing the CMOS battery or shorting: http://www.wikihow.com/Reset-Your-BIOS . Just by the simple procedure of removing the battery of your laptop or unplugging the computer for many minutes, any incarnation of Rutkowska's Blue Pill will be removed automatically... http://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf
Then, from the BIOS, by simply disabling network booting, you will actually prevent any PCI romkit (like Brossard's Rakshasa or Heasman's PCI rootkit), if present, from booting before your operating system.
But if the CMOS reset didn't work (especially on newer hardware), and the suspected problem keeps coming back and we assume the very rare BIOS malware is still there (unlucky you), you have no choice but to flash the BIOS EEPROM.
To prevent future attacks (including BIOS malware):
a) Disable paging files; malware might hide there or attackers might use that to see paged passwords, loaded driver memory, etc.
b) From the BIOS, disable BIOS shadow, disable network booting (as explained), disable ACPI driver loading in the BIOS; booting priority should be the hard drive first, except in cases when running your bootable rescue disks or trusted clean installers (prior to booting, you can press "Escape" or the assigned key for your particular machine to manually boot to the CD/DVD). If you are afraid of Blue Pill, disable virtualization or use Secure Boot.
c) Disable autorun, disable Java if you don't need it, use Firefox, e.g., with NoScript and Adblock, try Sandboxie and/or ExploitShield, enable hardware DEP (always on) or EMET, disable unneeded services, secure your router, use HIPS or any other antimalware you prefer, etc.
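A detection-side complement to the CMOS-reset and reflash procedure above, added here as an example and not code from any poster: the ACPI tables this thread keeps coming back to (DSDT, FADT, SSDTs) share a 36-byte header whose byte-sum checksum must come out to zero, so a trusted live boot can verify each table's checksum and compare the tables' SHA-256 hashes against a baseline recorded from a known-clean boot. It reads the tables from Linux's /sys/firmware/acpi/tables; the sample tables, OEM strings and the tamper scenario in demo() are constructed for illustration.

```python
import hashlib
import os
import struct
from typing import Dict, List, Tuple

# Common ACPI table header (36 bytes, little-endian): Signature[4] Length[4]
# Revision[1] Checksum[1] OEMID[6] OEMTableID[8] OEMRev[4] CreatorID[4] CreatorRev[4]
HEADER = struct.Struct("<4sIBB6s8sI4sI")

def _text(field: bytes) -> str:
    return field.decode("ascii", "replace").strip(" \x00")

def parse_header(table: bytes) -> Dict[str, object]:
    """Decode the header and validate the spec's byte-sum checksum."""
    if len(table) < HEADER.size:
        raise ValueError("table shorter than ACPI header")
    sig, length, _rev, _chk, oem, oem_tid, *_ = HEADER.unpack_from(table)
    if length != len(table):
        raise ValueError(f"{sig!r}: header length {length} != {len(table)} bytes read")
    # Every byte of the table, checksum byte included, must sum to 0 mod 256.
    return {"signature": _text(sig), "oem_id": _text(oem), "oem_table_id": _text(oem_tid),
            "checksum_ok": sum(table) % 256 == 0, "sha256": hashlib.sha256(table).hexdigest()}

def build_table(sig: bytes, oem: bytes, oem_tid: bytes, body: bytes) -> bytes:
    """Construct a well-formed sample table (constructed test data, not a firmware dump)."""
    hdr = HEADER.pack(sig, HEADER.size + len(body), 2, 0, oem, oem_tid, 1, b"TEST", 1)
    table = bytearray(hdr + body)
    table[9] = (-sum(table)) % 256  # checksum byte lives at offset 9
    return bytes(table)

def load_sysfs(path: str = "/sys/firmware/acpi/tables") -> Dict[str, bytes]:
    """Read the tables Linux exposes (root needed); run this from a trusted live boot."""
    return {e.name: open(e.path, "rb").read() for e in os.scandir(path) if e.is_file()}

def baseline(tables: Dict[str, bytes]) -> Dict[str, str]:
    """Table name -> SHA-256, recorded from a known-clean boot and kept off-host."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in tables.items()}

def compare(base: Dict[str, str], tables: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Flag tables that appeared, vanished, changed, or fail their own checksum."""
    findings = []
    for name in sorted(set(base) | set(tables)):
        if name not in tables:
            findings.append((name, "missing since baseline"))
            continue
        if name not in base:
            findings.append((name, "new table not in baseline"))
        try:
            info = parse_header(tables[name])
        except ValueError as exc:
            findings.append((name, f"malformed header: {exc}"))
            continue
        if not info["checksum_ok"]:
            findings.append((name, "header checksum invalid"))
        if name in base and info["sha256"] != base[name]:
            findings.append((name, "content changed since baseline"))
    return findings

def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one AML byte flipped in the DSDT, one unexpected SSDT added."""
    clean = {"DSDT": build_table(b"DSDT", b"SAMPLE", b"BOARD001", b"\x10\x20\x30\x40"),
             "FACP": build_table(b"FACP", b"SAMPLE", b"BOARD001", bytes(8))}
    base = baseline(clean)
    dsdt = bytearray(clean["DSDT"])
    dsdt[-1] ^= 0xFF  # tamper without recomputing the checksum
    suspect = dict(clean, DSDT=bytes(dsdt),
                   SSDT=build_table(b"SSDT", b"SAMPLE", b"INJECTED", b"\x00"))
    return compare(base, suspect)
```

A matching hash set means only that the tables the kernel sees are unchanged; a firmware that presents different tables to a live boot than to the installed OS, or that passes a valid checksum on a modified table, is exactly why the baseline must be taken from known-clean media and kept off the suspect machine.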