Rootkits headed for BIOS

Discussion in 'malware problems & news' started by lotuseclat79, Jan 28, 2006.

Thread Status:
Not open for further replies.
  1. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hi controler,

    I don't have enough expertise in this area to answer the question. I know the BIOS is protected - how, I do not know.

    You already suggested that he contact Faronics Support.

    Otherwise, I would just format/reinstall to be sure to have a clean system.

    -rich
     
  2. controler

    controler Guest

    Hello

    Here is a quote taken from the Faronics website. Hope they do not mind.

    Only asking support would maybe get you more detail. I do not think they will give out their secrets though as to exactly what they are doing with the BIOS.
     
  3. aka:snowman

    aka:snowman Former Poster

    Joined:
    May 14, 2004
    Posts:
    152
    Have not read this entire thread, so just excuse me if this post is not in line with the discussion.

    BUT, for those concerned about their BIOS, you may want to take a look at cmos zip, which can be found at the below link, about in the middle of the web page.


    http://www.ultimatepcrepair.com/news/22.html

    As with all software you update on your computer, stop and take the time to copy or backup your BIOS. Should something go wrong while you are updating your current BIOS, you will have a backup copy on hand. Use a backup utility such as <cmos zip> to backup a copy of your BIOS or use print screen to have a written copy of your BIOS.
     
  4. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Controler, are you really sure that nothing can survive if you take out the battery?

    What about flash memory? I thought the BIOS is flash memory, then it wouldn't need a battery to survive, isn't it?

    Another thing is on my second HD, I also have installed a Windows, but actually it starts with a blue screen: STOP 0x0000007b .. check your hard disk or hard disk controller.. sometimes it works, sometimes not..

    Sometimes when starting the computer this message also appears: "Nvidia Raid IDE Rom Bios 4.84 Detecting Array..."
    You can expect this message with about every 10th reboot, it does not appear every reboot, that's the strange thing. I disabled the whole crap, like S-ATA, LAN BIOS and so on, but still this message comes about every 10th reboot, I did not count, it's an estimation..

    The new insanity starts with VICE, 3 different error messages look here, how can they vary that often?

    http://i2.tinypic.com/qzkocz.png
    in English: System can't find the mentioned path.

    http://i2.tinypic.com/qzkoro.png
    in English: access denied

    http://i1.tinypic.com/ogxbg8.png
    in English: one device attached to the system does not work

    As you all have seen I reflashed my BIOS, so only the first area hasn't been re-written, the BIOS flash always succeeded, but the first area didn't change. (the blue part, before the white)

    Then I sometimes get attack screens from Zone Alarm, always the same area, check this:
    Moscow/Russia attackers >>>
    http://i2.tinypic.com/qzlkld.png

    apt.exe Buffer Overflow =>

    http://i2.tinypic.com/qzlump.png
     
    Last edited: Mar 8, 2006
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  6. controler

    controler Guest

    System junkie

    Did you say your video card was built into the motherboard or separate?

    I did not say a rootkit could not stay in Video card memory. I say it can.

    Hardware can cause some weird things to happen. If the computer comes with all software and hardware installed it is one thing, but if someone builds their own or updates their computer you can see problems. It appears you are running an AMD 64 bit CPU. Did your computer come with this? Did you add the video card after you bought the computer? The 64 bit platform still has a lot of issues with drivers and things. In your screen shot I saw you trying to run a module that is only for an AMD 7. That is an old 500 MHz CPU. Your problem could also be a hardware problem.
    A rootkit could also make a computer appear as if it has a hardware problem, especially when working with the ACPI.
    I would start disconnecting one piece of hardware at a time. The only thing you need to watch the BIOS boot is the video card, nothing else.
    In the example of drivers and hardware, it should be understood both Windows and your BIOS need to support the hardware. That is why manufacturers release new BIOS updates.
    A bad stick of RAM can cause many different problems. One common one is freezing after or during boot up. Your computer boots up but no mouse or keys work as it freezes.
    This sort of thing can happen with a poorly written rootkit also, especially if they are going for the BIOS or NVRAM.

    It appears you reflashed your BIOS but you still had Windows installed. You did not unhook your hard drives to eliminate them as a problem.

    If it is RAM and you have more than one stick in your computer, just turn off the computer, pull the stick out and turn it on again. Older mobos made you install the stick in the number 1 slot but new ones aren't as picky anymore. Best to have the mobo documentation on hand to see if any slot will work. You won't blow anything up if you did put it in a different slot anyway.
    If you have a different video card try that. Sometimes when you reflash a BIOS to a newer version, you also need a different Windows driver to work with it. It sounds easy to me but to one that knows nothing about hardware, I am sure it can sound scary.


    controler.
     
  7. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    SystemJunkie,

    The first screenshot you posted (the EMM386 error) strongly indicates that you have a memory problem. This could also account for many of the other issues you report so the first step should be to check your memory using a program like MemTest86. Assuming a "rootkit BIOS" at this stage is highly premature.
     
  8. controler

    controler Guest

    System Junkie mentioned in another post that he-she has done a lot of research on rootkits.

    Is this he-she's way of showing us a working video rootkit that was self infected?

    scratching head here LOL

    controler
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yes, the problem is that the floppy bootloader is corrupt, no floppy works anymore, the only way to reflash a BIOS was using a special boot CD-ROM (some did not work and got exceptions) but one worked, look what happened,
    normally it does not work to flash via CD-ROM access (FreeDOS) to HD, first access to HD then flashing from HD (was the only way!)

    External McAfee scan was impossible due to an A20 error, which also occurred on another PC of mine. I don't think it is a memory problem, the computer was delivered fully configured and tested. The only thing I had to do was installing Windows XP, that's what I did.

    So the BIOS message is only the VGA card? It's a PCIe GeForce, I never changed it, actually I have no possibility to change it to test another one, because the other PC has PCI and PCIe.

    And check also this link, I asked if this is normal behaviour of ntuser.dat
    Ntuser.dat

    Another thing I noticed: I saved a PNG to an NTFS HD and to a FAT32 USB stick and guess what? The hashes are different. 1KB more on NTFS, strange isn't it?
     
    Last edited: Apr 4, 2006
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    logfile
     
    Last edited: Apr 4, 2006
  11. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Um, if you're merrily flashing your BIOS, are you using the right file from the proper manufacturer? Unless you are using one specific to your motherboard then you will screw up your system completely.
    Don't think, check. Bad memory can occur with a new system and it is unlikely that most PC vendors would take the time to run a proper test. Faulty memory can pretty much mess up everything else - including any attempts to reflash your system...
    Perfectly normal, nothing to see here...
    No, not really. FAT32 and NTFS are different filesystems and will result in different amounts of "slack space" for a file. Your mention of "1KB more" suggests that you are actually talking about file size which is nothing to do with a hash.
    No - it's VMWare. If you don't know what that is then take it off your system.
    No it doesn't - 0.0.0.0 refers to your own PC.
    I don't know enough German to be sure, but that error message seems to be reporting a CRC failure on a file. This is normally an indication of a hard disk error, not malware.

    You've been given a suggestion, have chosen to ignore it and then gone on to misinterpret several normal or minor issues as being some almighty evil malware at work. Most likely the problems are due to your messing around and installing software that you don't understand (that version of VMWare on your system is a legitimate copy, right?) and this isn't the place to be asking for comprehensive training.

    My suggestion is to do a complete memory test, letting it run overnight. If no problems are reported, then consider formatting your disk and reinstalling Windows. If there are problems, replace the faulty DIMMs before doing anything else and retest. There might have been malware on your system but you've thrown so many spanners at it that no-one is going to be able to tell what problems are due to you and what may be due to other causes.

    However your problems are absolutely nothing to do with "BIOS rootkits" and simply exemplify the problems of having such discussions here - someone not understanding the issues, getting all panicky over a few strange symptoms and immediately assuming they've been haxxored rather than trying to make a proper diagnosis. These last few posts have just been a waste of space and time from my perspective and I will not comment further on this thread.
     
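To make Paranoid2000's point concrete, here is an added illustration (not anything posted in the thread): hashing a file's bytes gives the same digest wherever the file is stored, while the space the filesystem allocates depends on its cluster size. The cluster sizes and the sample "PNG" bytes are a constructed model, not measurements from anyone's system.

```python
import hashlib
import os
import tempfile


def sha256_of_file(path, chunk_size=65536):
    """Hash only the bytes the file contains (what a tool like HashTab reports)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def on_disk_footprint(logical_size, cluster_size):
    """Model the bytes a filesystem allocates for a file and the resulting slack.

    Allocation is rounded up to whole clusters. Constructed assumption: 4 KiB
    clusters for a typical NTFS volume, 16 KiB or 32 KiB for a large FAT32 volume.
    """
    clusters = -(-logical_size // cluster_size)  # ceiling division
    allocated = clusters * cluster_size
    return {"logical": logical_size, "allocated": allocated, "slack": allocated - logical_size}


def compare_copies(data, cluster_sizes):
    """Write the same bytes to two files, hash both, and model their footprints.

    Returns (hashes_match, logical_sizes, footprints) so the outcome can be
    checked rather than only printed.
    """
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for i in range(2):
            path = os.path.join(tmp, f"copy{i}.png")
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        hashes = [sha256_of_file(p) for p in paths]
        logical_sizes = [os.stat(p).st_size for p in paths]
    footprints = {cs: on_disk_footprint(len(data), cs) for cs in cluster_sizes}
    return hashes[0] == hashes[1], logical_sizes, footprints


if __name__ == "__main__":
    # Constructed stand-in for a PNG: the PNG signature followed by filler bytes.
    sample = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 20
    match, sizes, fps = compare_copies(sample, (4096, 16384))
    print("hashes identical:", match, "logical sizes:", sizes)
    for cs, fp in fps.items():
        print(f"cluster {cs:>5}: allocated {fp['allocated']} bytes, slack {fp['slack']} bytes")
```

The "1KB more" a properties dialog shows is the allocated size differing between volumes; the content hash itself does not change.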
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    There were only two answers from you that were helpful and true. The network config of VMware 0.0.0.0 and the ntuser.dat problem, the rest was false and arrogant speech. Nevertheless thanks for the two tips which will help me.

    And I have made hashes with HashTab, don't judge too rashly, it is a sign of arrogance, which is easy to see when you say absolutely, you can never say absolutely.

    Beside: my RAM works perfectly. The hard disk controller may have some problems, but the BIOS flash was correct and accurate.

    Beside2: The words you use, the false condemnations and rash judgements you write may with high probability be a mirror of your own ego.
     
    Last edited: Apr 4, 2006
  13. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi System Junkie

    Please do not take any comment personally.
    There is no point in being aggressive, whoever started it.

    It obviously looks like you were sure you were infected.
    This thread is similar to the AppDefend forum's "smss - rootkit or not" thread
    in the sense that you were either a little "off topic" (related to GSS) or you hijacked a theoretical thread asking for (not that much related) support.

    You seem very able to learn and very curious.
    However from reading your posts, it looks like you just "discovered" rootkits and try to explain everything that works not so well by a supposed infection.


    Before saying your RAM is perfect, please take the time to test it.
    The error you have in this thread + the video corruption you had in the other thread look a lot like RAM corruption. You have tried everything else ... just test your RAM please. Even brand new RAM can be corrupted.

    Hope you'll soon get your PC right and you stay that curious (which is a good thing ;) )
     
  14. controler

    controler Guest

    sign of arrogance?

    Those that know me know I am only another PC user with a lot of hardware experience.

    I would bet $ 1000.00 that I could figure out your problem if I had access to your computer. Sometimes it is hard to relate problems on forums.

    I am but a humble soul. My purpose here is not to bicker or argue with fellow posters about theory.

    I have been known to be a great judge of character.


    Some say I can feel things.

    I don't admit it though.

    I am not sure your agenda and since I have a ton of my own problems right now I am not going to argue with you.

    I would reevaluate arrogance if I were you..
    controler with ONE L
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    true,true

    Let's suppose there is a RAM problem, but why does my computer run stable at the moment? I can do everything, benchmarks, games, multimedia, no matter. I see no problem, if there were a serious RAM problem, all these things would not be possible. Now look @ this, actually having two parallel Windows installed, for a long time apt.exe worked on the new Win, now again a BO. (this is a RAM defect?:thumbd: no)

    http://i2.tinypic.com/szx7jr.png

    Above you see the internal aspects of this phenomenon. You can see that PGbeta fails to protect apt.
    For those who don't understand this picture: I started apt.exe, it did not appear = buffer overflow (in Filemon) EraseSurface (in Procexp thread analysis) or 80% CPU for apt.exe against 20% CPU csrss.exe, caused by Antihook.exe which blocks csrss from terminating apt.exe but csrss is too strong, therefore it comes to a stalemate situation (between antihook(apt.exe) and csrss) where my system freezes in an infinite loop. (until I stop apt.exe which means losing the termination fight)
    Let's call it the win32ksys rootkit or whatever.
     
    Last edited: Apr 4, 2006
  16. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi SystemJunky

    If I'd tell you that you have a few bad sectors on your hard drive, would you answer me "NO - look, all my video and mp3, they are perfectly ok"?

    You should not, there are billions of sectors on a HD, the chance that you look at a file and say ... "aha! it's corrupted" is almost null. However this does not mean that none of your files may get corrupted.

    The same is true with RAM.
    RAM = Random access memory.

    If there is a "RAM sector" corrupted ... it means that sometimes it works, sometimes it doesn't. If you have corrupted RAM, you'll notice the impact mainly in RAM intensive actions such as video games. You'll have some random program crashes apparently for no reason and big chances are that your OS will never warn you. Windows is designed to be error tolerant. This means that if an error happens in Windows ... it tries to ignore it and continue, retry later and never warn the user .... The latest part about not warning the user for small errors is all about user-friendliness. No one wants a program that says your PC is in bad shape.



    It's perfectly possible to survive and do everyday work with corrupted RAM, however strange problems will happen. If you have a HARDWARE problem, please don't try to explain it by inventing a theoretical SOFTWARE malware that can act as a HARDWARE problem.

    It's not fun, it'll cost you 2-3 hours of your time ... but sector by sector checking is the only way to be sure you have no hardware problem.



    Now about the image you posted .. I do not understand a word of what you want. I already told you that your problem is that you have too many resident protection software ... I stand by my point. I do not say that having X software is bad. All I say is that each time you try to debug a problem ... you NEED to ISOLATE the problem. In that way you'll have a better understanding of the problem.


    If there are 10 causes of a problem with one software
    With two software you get 100 possible problem possibilities
    With three you get 1000
    Four is 10 000


    See how it grows ?
    Turn everything you do not need off.
    Do not try to ask yourself why security program XY is doing that.

    Besides, there is already a post about PG vs apt
    PG free has NO protection against apt.
    End of story.
    Whatever program you have then may or may not block apt depending on the configuration you have.

    Also you should not randomly terminate system processes.
    csrss is a critical process, terminating it will cause an error and reboot your computer. No matter if theoretical rootkit or not.
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Fact: AppDefend found a rootkit win32ksys
    Fact2: apt.exe and portexplorer.exe are terminated (BO'd) from csrss.exe that gets the tasks from a corrupt comctl32 and you talk about hardware problems, it's so silly..

    I get regular attacks from the same IP and you talk about check your hardware..

    I know exactly what happens when csrss is stopped, I did not stop it, oh my god, how many unnecessary explanations I have to do until someone really sees the problem.

    I tell you something, neither GSS, nor Antihook, nor any other software can freshen up your PC in a second if the system is compromised, this is the hard truth everyone has to learn, but in some cases the software can help. Csrss.exe is the master of Windows, if someone makes it his zombie and uses a stealth virus/rootkit you can do nothing more useful to defend the system, you can block the termination intention, in this case portexplorer and apt, but it will result in 100% CPU and will disallow working normally.

    I have to correct myself, I actually noticed that suspending the process results in free CPU power!
     
    Last edited: Apr 6, 2006
  18. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    win32k.sys is a legitimate system driver, not a rootkit. If AppDefend "found" it, then it blocked it.. the same goes for your firewall seeing the same attacks. At this point everyone with a firewall is going to see repeated attacks from the same IP, there are just so many worms out there right now that it's very widespread.

    The problem is that BIOS rootkits don't yet exist. The problems you describe are very much indicative of hardware problems. Your software isn't completely independent of hardware, it needs properly functioning hardware to work right.

    In the time spent arguing against the idea that your RAM is bad, you could have run the tests several times.. the very least that would happen is that you would have proof that they're wrong. The best that could happen is that it could actually locate the problem and have it fixed and done with. If you're not willing to take the steps to actually resolve the problem, you can always take it to a shop and let someone else deal with it.

    Everything being said by f3x, controler, Paranoid2k, etc., is all true. We're speaking from experience, this kind of problem is not uncommon.. and I've seen many RAM sticks go bad when they were still new, and at times just a few months down the road. It does happen. Think of it this way, how much time do you have left before you can't return bad memory anymore, if that is the problem?
     
  19. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Fact: I am the one who misinterpreted the data and told you it's a rootkit.
    FACT: YOU HAVE NOT READ THE ENTIRE POST THEN, GO REREAD IT, IT'S NOT A ROOTKIT.

    Fact: If you blocked a legitimate function of Win2k, considering it a rootkit, then you surely have strange things happen.


    Fact:
    Firewalls are a pain in the *ss if you blindly trust everything they say.
    This is especially true if your IP is dynamic.. or if you just disconnected from a p2p network.

    Fact2: There are some zombies out here... they do scan IP ranges and try to exploit old vulnerabilities ... it doesn't mean you have infection XYZ

    And the magic solution to your problem is ?

    If your system is compromised ... then uninstall useless things as you said it yourself .... they won't help you. But if you uninstall some redundant things .. then it's easier to figure out what happens to your PC. The only way to solve a problem .. especially


    Fact: csrss.exe will try to kill unresponsive processes. If you block it from killing unresponsive processes it's normal that the process stays unresponsive ...

    Fact: It's not been done yet to rootkit this part of csrss.


    In sum ...
    1) you are not infected by smss.exe win32k.sys
    2) If you block it, you are blocking the core of the Win2k OS.
    3) Strange things will happen
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I have the most expensive RAM on the market, Corsair xxxxxllll, it is really silly to maintain this theory about RAM problems, I paid nearly 300 bucks for the RAM. I could OC this damn RAM to the max if I wanted...

    No one of you really paid attention, nobody answered why VICE never works, why does it change its messages every time, but I have screens from VICE, a longer time ago on an old PC it worked and I could see many hooks, on my actual PCs it does not work, you want to tell me that this is usual? There is at least one rootkit out there that hooks VICE the way you see in my screens above. What is your explanation?

    Why is explorer.exe non-existent but I can see it well in the task manager?
    http://i2.tinypic.com/t69wye.png

    Explain this? Why should csrss.exe automatically stop portexplorer, probably because intruders have no problem getting noticed.. http://i2.tinypic.com/t69zdk.png

    This is normal in your opinion, okay, maybe I need more drugs, probably then I would also say that this is usual behaviour.

    How will you know? Are you the all-seeing being? If something is not on the front page of the yellow press it doesn't mean that it does not exist.
     
    Last edited: Apr 6, 2006
  21. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    You're putting in an awful lot of effort to not do the right thing. Just download memtest86+, burn it to CD, put it in the CD drive, reboot, and let it run for at least a couple of hours. It's very simple, and I'm sure you'll be happy to have eliminated the possibility. How much your RAM cost and how new it is makes absolutely no difference. There is absolutely no legitimate reason not to take this very valid step.
     
  22. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    There is absolutely no reason to do this step.

    The only importance is to get rid of too many buffer overflows.
     
  23. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi SystemJunkie,

    Those buffer overflow events in Filemon normally occur and are not a symptom of an infected system: Mark's Sysinternals Blog: Buffer Overflows.

    Nick
     
  24. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Systemjunky


    1) Smss.exe is not a rootkit, did you unblock it?
    2) If not, try doing so and test if this makes your system more stable.


    3) You keep flooding us with screenshots of program ABC
    Sometimes it's very hard to understand what you want from us
    Try to be precise and address one issue at a time.

    To post a theory that your system is compromised is a way to go,
    however always prefer a more logical explanation. You are doing an act of faith, you believe you're compromised then you find yourself signs ... it's the other way round that you need to try.

    4) It's perfectly normal for explorer ... it's the way Windows starts, you'll have this on all computers (at least on my XP machines)

    5) The only thing you are right on is that it's not so normal for csrss to try to kill random processes...

    (unless those processes are corrupted in some way that you will not want to be RAM ;) )



    6)

    a)There is absolutely no reason to do this step.
    b)The only importance is to get rid of too many buffer overflows.


    the reason you will want to do a) is because of b) ;)
    corrupted RAM is something that tends to execution errors such as buffer overflows.

    Now I understand you trust 100000% your RAM.
    However there are two possible sources for your problem
    I) RAM (or other HW problem)
    II) Rootkit.

    Right now you have an easy way to choose between the two.
    Do the memtest ... if it's negative then we can check about rootkits as we'll be sure it's not a hardware problem

    There is no reason to speculate on a theoretical malware if you can have facts about hardware



    --------------------------------------------
    Edit: as I said before, it's kinda csrss's job to kill processes

    http://support.microsoft.com/?kbid=263201

    This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.


    I'd ask myself if this has something to do with an internal command of port monitor rather than rootkit XYZ
     
    Last edited: Apr 6, 2006
  25. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Among the "other" hardware problems to consider is overheating due to OC'ing (if you do that), poor cooling capacity or poor heat transfer efficiency. It can affect any component, although the CPU is the prime candidate. Trust me on this one - it can be extremely difficult to diagnose since uncontrolled factors such as ambient room temperature and humidity can affect the problem.

    I'd add to verify all cooling measures are behaving as they should.
    The last thing, if you wish to provide some additional diagnostic information to the readers here, a complete snapshot of all running processes and list of hooked services would help. I know, a rootkit will lie. However, whether your problem is tied to a rootkit remains an unsupported conjecture, so let's ignore that possibility for now.

    Blue
     