
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.
Joined
Sep 10, 2016
Messages
805 (0.29/day)
Location
Riverwood, Skyrim
System Name Storm Wrought | Blackwood (HTPC)
Processor AMD Ryzen 9 5900x @stock | i7 2600k
Motherboard Gigabyte X570 Aorus Pro WIFI m-ITX | Some POS gigabyte board
Cooling Deepcool AK620, BQ shadow wings 3 High Spd, stock 180mm |BQ Shadow rock LP + 4x120mm Noctua redux
Memory G.Skill Ripjaws V 2x32GB 4000MHz | 2x4GB 2000MHz @1866
Video Card(s) Powercolor RX 6800XT Red Dragon | PNY a2000 6GB
Storage SX8200 Pro 1TB, 1TB KC3000, 850EVO 500GB, 2+8TB Seagate, LG Blu-ray | 120GB Sandisk SSD, 4TB WD red
Display(s) Samsung UJ590UDE 32" UHD monitor | LG CS 55" OLED
Case Silverstone TJ08B-E | Custom built wooden case (Aus native timbers)
Audio Device(s) Onboard, Sennheiser HD 599 cans / Logitech z163's | Edifier S2000 MKIII via toslink
Power Supply Corsair HX 750 | Corsair SF 450
Mouse Microsoft Pro Intellimouse| Some logitech one
Keyboard GMMK w/ Zelio V2 62g (78g for spacebar) tactile switches & Glorious black keycaps| Some logitech one
VR HMD HTC Vive
Software Win 10 Edu | Ubuntu 22.04
Benchmark Scores Look in the various benchmark threads
Joined
Aug 20, 2007
Messages
20,714 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches
Software Windows 11 Enterprise (legit), Gentoo Linux x64
Not yet. Waiting on his parts in the mail for a physical examination to conclude more.
 
Joined
Jan 4, 2017
Messages
431 (0.16/day)
Location
Ohio
Subbing to this thread out of morbid curiosity. I don't know a whole lot about Card BIOS editing, but I do know this attack vector is not easily exploited. Definitely a sophisticated actor behind this. Waiting patiently for the results of the physical examination.


@R-T-B should basically have an official CyberPolice Badge from the work that was done BTW, well done!:lovetpu:
 
Joined
Sep 25, 2012
Messages
2,074 (0.49/day)
Location
Jacksonhole Florida
System Name DEVIL'S ABYSS
Processor i7-4790K@4.6 GHz
Motherboard Asus Z97-Deluxe
Cooling Corsair H110 (2 x 140mm)(3 x 140mm case fans)
Memory 16GB Adata XPG V2 2400MHz
Video Card(s) EVGA 780 Ti Classified
Storage Intel 750 Series 400GB (AIC), Plextor M6e 256GB (M.2), 13 TB storage
Display(s) Crossover 27QW (27"@ 2560x1440)
Case Corsair Obsidian 750D Airflow
Audio Device(s) Realtek ALC1150
Power Supply Cooler Master V1000
Mouse Ttsports Talon Blu
Keyboard Logitech G510
Software Windows 10 Pro x64 version 1803
Benchmark Scores Passmark CPU score = 13080
I don't know a whole lot about Card BIOS editing, but I do know this attack vector is not easily exploited
@R-T-B stated in post #170 "I still have no definitive proof of the origin, but the gpu being flashed is not even on the list, honestly".
 
Joined
Aug 20, 2007
Messages
20,714 (3.41/day)
@R-T-B stated in post #170 "I still have no definitive proof of the origin, but the gpu being flashed is not even on the list, honestly".

Exactly. If it's infected it's certainly not the origin. The chip only has 512kb tops, and is protected by several Pascal protections.
 
Joined
Jan 4, 2017
Messages
431 (0.16/day)
Location
Ohio
Exactly. If it's infected it's certainly not the origin. The chip only has 512kb tops, and is protected by several Pascal protections.
Again showing how little I know about this sort of thing. I guess I misunderstood. If it is by chance infected, it is more of a symptom than the root i suppose. Still great work on this.
 
Joined
May 8, 2016
Messages
1,735 (0.60/day)
System Name BOX
Processor Core i7 6950X @ 4,26GHz (1,28V)
Motherboard X99 SOC Champion (BIOS F23c + bifurcation mod)
Cooling Thermalright Venomous-X + 2x Delta 38mm PWM (Push-Pull)
Memory Patriot Viper Steel 4000MHz CL16 4x8GB (@3240MHz CL12.12.12.24 CR2T @ 1,48V)
Video Card(s) Titan V (~1650MHz @ 0.77V, HBM2 1GHz, Forced P2 state [OFF])
Storage WD SN850X 2TB + Samsung EVO 2TB (SATA) + Seagate Exos X20 20TB (4Kn mode)
Display(s) LG 27GP950-B
Case Fractal Design Meshify 2 XL
Audio Device(s) Motu M4 (audio interface) + ATH-A900Z + Behringer C-1
Power Supply Seasonic X-760 (760W)
Mouse Logitech RX-250
Keyboard HP KB-9970
Software Windows 10 Pro x64
So... can this work in legacy BIOS (modified to work on it), or is it UEFI only type of thing ?
 
Joined
Aug 20, 2007
Messages
20,714 (3.41/day)
So... can this work in legacy BIOS (modified to work on it), or is it UEFI only type of thing ?

I mean technically anything is possible, but I feel this has been brought on largely by the use of large flashrom chips in motherboards. 16MB ROM chips are common now, with around 2-5MB of free space in a common image. 3 MB is enough for a micro networking-capable Linux kernel and ramdisk, technically. That makes all sorts of targeted malware possible. We aren't really at the point where the malware can be made full-blown generic I think, but I could be proven wrong when I examine the board (if so, I'll be terrified).

I think this could be a good point to do a call to action to manufacturers before they start implementing even bigger chips, and it becomes a genuine problem.
 

rugabunda

New Member
Joined
May 22, 2018
Messages
24 (0.01/day)
"The answer to your question can't be publicly posted due to concerns of the malware being reused..." The best thing you possibly could do is make this available to the public so it can be dissected by the international community, then dealt with, and mitigated against by the international community. Otherwise you're putting it in the hands of one agency or another and who knows what their motives may be. It should be public domain. Not black box, closed up, like the Intel ME, so people can't do anything about it but a few big agencies who specialize in this kind of activity more than anyone else to begin with. Once you involve the feds they might put you under a gag order. Put it out there before it's too late. Giving this to an agency that is being sued by a man who was nearly killed by ISIS members who were under the direction of the FBI, not to mention all of the false flag events they've been engaged in, as well as unlawful spying which they are currently under investigation for by the White House, another criminal gang, this is the last group on earth I'd think about giving this to. Not saying they're all bad, but giving it exclusively to the FBI is like keeping Intel ME closed source and away from the public eye. "Perhaps this was a dry run on a non-critical target(s) to test the malware by a state actor?" my thoughts as well. Then why give it exclusively to a state actor? They could have been the ones testing it for all we know. Give it to the anti-virus vendors everywhere, give it to the public, allow it to be dissected and revealed so it can be better understood and thus prevented.

Some security tips:

First and foremost, get a router capable of running dnscrypt; dnscrypt ensures you cannot be man-in-the-middled via DNS, thwarting all DNS poisoning attempts so long as the DNS server in use is not compromised or 'owned', so to speak. It would most likely have to be owned, because the gigabytes or terabytes of simple daily DNS traffic are too much to be analyzed on a compromised machine run by someone like you or I with cheap independent open DNS servers. You can also get a Windows version called Simple DNSCrypt. This alone will enhance your online security immeasurably. Dnscrypt can also disable IPv6 queries, which can be used to exfiltrate data. Disable all reverse DNS and arpa requests via dnsmasq by adding "server=/arpa/" and "bogus-priv" to dnsmasq.conf. I just bought an Asuswrt router and flashed it with Merlin, though just a few days ago, after exposing a possible Israeli false flag event on the newly moved US embassy right on Israel's own military counter-intelligence website (DEBKAfile), my firewall on the router itself was disabled that night; thankfully nothing can be persistent on this device, a re-flash cleans that up easily.

Turris Omnia is by far the fastest and safest consumer router ever made, both open source software and hardware, entirely crowd-funded by people like you and I, though their DNS resolver (knot-resolver) I'm not familiar with. I believe it is DNS over TLS exclusively, which is not something I'm familiar with, and I am not sure if it offers the same high level of security and features as dnscrypt. But all in all, the Turris is the best in the industry, possibly the world. Make sure you use an ad blocker / malware host blocker on your router; the firehol 1/2/3 lists catch all botnets and infected IPs reported around the world in real time and everything is updated every 36 minutes; you can put it on a cron job to keep it up to date.

It takes a lot of work to harden a Windows system. Use this guide, it's one of the best. You'll want to harden the system via GPO with a fine-tooth comb after running Security Compliance Manager, or Microsoft Security Compliance Toolkit 1.0.

Harden your cipher suites with IISCrypto; disable weak ciphers, anything less than TLS 1.2. Enable strict TLS 1.2 DHE 256 on IIS, Windows Update, CryptoAPI; here is my automated reg file designed for Windows 7, should be compatible with 10. Just do a restore if need be, or use this reg file that will do that for you. Or here is a cutting-edge cipher hardening PowerShell script for Windows 10, not as hardened as my file but it's still infinitely more secure than the default. Harden Kerberos ciphers: https://pastebin.com/nhMji0mE Harden Microsoft trusted root CA: https://pastebin.com/0CjP826f Harden Oracle OpenJDK Java ciphers & sandboxing via "java config". Harden and remove weak ciphers from browsers.

Update to the latest WinRM/PowerShell https://blogs.msdn.microsoft.com/po...indows-management-framework-wmf-5-1-released/ (possibly only necessary in Windows 7) and harden PowerShell: disable PowerShell remoting, enable PowerShell script auditing/logging in GPO, add environment command 'Powershell Script Execution Lockdown' https://pastebin.com/iw1ck8Z1

Run all browsers (only the latest beta for security updates) in Sandboxie with uBlock Matrix whitelisting only, & uBlock Origin as a minimum. Run ASLR & DEP with MBAM, or Anti-Exploit (or better, Windows 10 has added these features to Windows Defender; I'd use other security scanners only for maintenance). Enable ASLR in Windows Defender (Windows 10 only) and on top of that, use the most cutting-edge ASLR features available here on page 2, here. Harden the firewall; use Binisoft WFC firewall for fine-tooth control of Windows Firewall, which is the best there is. Harden the TCP/IP stack using Microsoft's best practices.
I posted a reg file to do this in one go here: https://pastebin.com/nZ7swtxJ (I left out AFD for Windows 10 compatibility; Windows 7 users, ensure you harden AFD also, as shown in the "best practices" link or in the custom lists below.) "Security Compliance Manager" updates Group Policy to the latest definitions & settings. "Microsoft Security Compliance Toolkit 1.0" has replaced SCM, which is no longer supported, but it's a great piece of software. I have not tried the latter because I'm on Windows 7. This also allows you to save your GPO settings for future installations. Disable all IPv6: https://pastebin.com/VXd1wVF0

Run 1. Ancile, 2. O&O ShutUp10, 3. Blackbird and 4. Spybot Anti-Beacon to disable all Microsoft spyware.

If you want to go all the way disabling risky Windows services and features, I've compiled a huge list here; it's very extensive and gets to the very core of all remote features in Windows 7, and a huge chunk of Windows 10 too:

Black Vipers Win7 64 SP1 safe list.reg
https://hastebin.com/hugijoholi.tex
My custom disabled services list, reg file safe to import as is.
https://pastebin.com/yKfJunfc
Reg file includes all services changes from http://hardenwindows7forsecurity.com
https://pastebin.com/nugPxTg7
My custom list Includes hardening TCPIP/AFD & much more:
https://pastebin.com/DkiKZpGv
My custom list, disable windows remote management
https://hastebin.com/lebemeziba.tex

As you can see, I disable all lan networking & Microsoft remote assistance, remote desktop, and terminal services with these. You can comb through it and apply what is useful for windows 10. I've been running with these settings in windows 7 for 4-5 months with ZERO issues; the only problem was monthly rollups require re-enabling branchcache under services.msc for the updates to install, which is a microsoft bug. Must be enabled once every month.

Disable nvidia telemetry: https://pastebin.com/ZzpDdb5B

I've also disabled Windows Update and only enable it manually once a week or so. Last week I failed to disable it for two days and Microsoft installed Windows Defender signature updates even with automatic updates confirmed disabled and set to "notify but do not download." I have brought this to the attention of Microsoft. This suggests Windows updates can be exploited remotely with a MITM and/or by Microsoft itself, and they are colluding with state actors, as you can see here: "The Microsoft Dilemma"


I suspect it was a dry run to test my incredibly hardened PC for exploitation. I have not been hacked for months now, barring what I mentioned previously, and they didn't get to my PC.

If you do not game or encode video with CUDA, don't install Nvidia CUDA drivers as these are what is currently publicly known to be used by Nvidia rootkits. AND contrary to the ignorance of those hammering on about your so-called loopy mind-state, Nvidia regularly releases security updates for their own video card drivers, so keep those up to date also. According to Microsoft, you may also consider disabling hardware acceleration and WebGL in your browsers to ensure your video card is not exploited via Flash viruses. And that was back in 2011. There are some mitigations already present for this in Chrome, for example. And in Chrome, WebGL can currently only be disabled via extension.

Disable Intel ME. If you're worried about remote control you may wish to use only wired devices and no bluetooth as these can be hijacked remotely, possibly from satellites as well. I am curious if this may have been what spread spectrum was all about in the bios;

Always make sure your windows machine is up to date for this very reason: this is a must see video, how to defend against metasploit based attacks:


Make sure you post it publicly for all. I'd personally give a copy of this malware to legit security services like Kaspersky, the RegRun / UnHackMe crew, and the security team that uncovered the Intel ME HAP bit (ptsecurity) http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

The hackers could have been the DoD, NSA, FBI, CIA, for all we know. They are governed and infiltrated by some of the greatest criminals on this planet. Not all are bad, but there are a lot of bad apples in these carts. The CIA are well known to pose as Chinese or Russian hackers, "seeding" false intelligence and blaming it on the victims or patsies. Be aware of that if you found Korean or Chinese fingerprints anywhere; that may have nothing to do with reality unless you are absolutely certain. Beware of divisive false intel. If you were targeted for your business or corporate background it could have been any number of security contractors who take the bid; this could include all aforementioned agencies, as the FBI is being investigated for now by the White House. 21 trillion has been misplaced by the DoD in the last 20 years; that's a lot of money and they are highly active in these fields, but if you're not rocking the boat like I am then that's probably not an issue for you. If this is purely driven by corporate greed and financial espionage that is a whole different thing. Or possibly a random grab on a test run for something bigger, like a war against Russia or something to that effect. (yeah, god only knows)

Can't believe the depth of ignorance in the original comments here.

If your computer was turned on after being turned off, that is called a denial-of-sleep attack. I'm curious if it was turned off or only in sleep mode. It was either #1, asleep, with magic wake packets sent to your NIC; #2, the rootkit triggers a wake-up call while the PC is in sleep mode; #3, your Intel management chip/PSP, which can turn your computer on even when it's completely powered off; #4, a hijacked Intel Proxzzzy, which can wake the computer when it's turned off as well. You may want to disable Wake-on-LAN and remote wake-up support features under Device Manager as well, including ECMA & Intel Proxzzzy if they are active, https://www.ecma-international.org/publications/files/ECMA-ST/ECMA-393.pdf as a precaution against possible Proxzzzy hijacking attempts as demonstrated in the document, or unknown exploits for these wake services. I had spoken to Intel about the threat to critical infrastructure regarding Intel ME and Proxzzzy here: https://communities.intel.com/thread/123079

They shouldn't just be signing their bios updates, oem vendors should offer security oriented motherboards with a jumper pin that enables/disables all software flashing from taking place, as Intel used to do 10 years ago with some of their chipsets; Or they should use embedded One-Time-Programmable (OTP) memory where practical; which cannot be re-flashed. There will be a growing market in that field given the nature of threats like Intel ME.

If you have a deep conscience and want this to be truly of service to humanity and even potentially save lives, I'd post it up here or somewhere for all to find, like open source software, which will benefit all of humanity. I'd give it away to the world and those protecting it, and freely. I would personally send it to Kaspersky, Greatis and ptsecurity for example. Russia could use the assistance given the fact they are being targeted by the west, and what are the chances the FBI are going to defend anything but their own corporate interests and handlers, that of the bankers and the entrenched swamp of America? Get it out to the world in case they put a gag order on you.

"Perhaps this was a dry run on a non-critical target(s) to test the malware by a state actor?"
my thoughts as well. why give it exclusively to a state actor?

Oh yeah, or just switch to Linux with AppArmor and a hardened TCP/IP stack, IPv6 disabled. :rolleyes:

Last but not least, let your love guide you not your fear.
 
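The post above lists "magic wake packets sent to your NIC" as one way a powered-down or sleeping box gets woken. If you want to know whether anyone on your segment is actually sending them, the payload is easy to recognise: a 6-byte synchronization stream of 0xFF followed by the target MAC repeated 16 times, optionally followed by a 4- or 6-byte SecureOn password, and the stream may sit anywhere inside the datagram. Below is an added detector for that format; it is not code from any post in the thread, it assumes the AMD Magic Packet layout just described, and the "captured" datagrams at the bottom are constructed for the demonstration, not a real capture. In practice you would feed it payloads pulled from a pcap.

```python
"""Detect Wake-on-LAN magic packets in UDP payloads.

Added example for this thread, not code from any poster. Assumes the
AMD Magic Packet format: 6 x 0xFF, then the target MAC x 16, then an
optional 4- or 6-byte SecureOn password. The sync stream may appear at
any offset in the payload, so the whole payload is searched.
"""
from __future__ import annotations

SYNC = b"\xff" * 6
MAC_LEN = 6
REPEATS = 16


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """Build a magic packet for `mac` (used here only to construct samples)."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != MAC_LEN:
        raise ValueError("MAC address must be 6 bytes")
    if password and len(password) not in (4, 6):
        raise ValueError("SecureOn password must be 4 or 6 bytes")
    return SYNC + mac_bytes * REPEATS + password


def parse_magic_packet(payload: bytes) -> dict | None:
    """Return {offset, mac, secureon} if `payload` carries a magic packet.

    Every occurrence of the sync stream is tried, because a sender may
    prepend arbitrary bytes. A MAC of all 0xFF (broadcast) is rejected,
    which also stops an all-0xFF payload from matching.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + len(SYNC):start + len(SYNC) + MAC_LEN * REPEATS]
        if len(body) == MAC_LEN * REPEATS:
            mac = body[:MAC_LEN]
            if mac != SYNC and body == mac * REPEATS:
                trailer = payload[start + len(SYNC) + MAC_LEN * REPEATS:]
                return {
                    "offset": start,
                    "mac": ":".join(f"{b:02x}" for b in mac),
                    "secureon": len(trailer) in (4, 6),
                }
        start = payload.find(SYNC, start + 1)
    return None


def find_wake_attempts(datagrams) -> list[dict]:
    """Run the parser over (src_ip, dst_ip, dst_port, payload) tuples."""
    hits = []
    for src, dst, dport, payload in datagrams:
        parsed = parse_magic_packet(payload)
        if parsed:
            hits.append({"src": src, "dst": dst, "dport": dport, **parsed})
    return hits


# Constructed sample traffic (not a real capture). Ports 9 and 7 are the
# usual WoL targets, but the parser looks at the payload, not the port.
SAMPLE_UDP = [
    ("192.168.1.50", "255.255.255.255", 9,
     build_magic_packet("3c:7c:3f:aa:bb:cc")),
    ("192.168.1.50", "192.168.1.255", 7,                       # padded, SecureOn
     b"\x00" * 20 + build_magic_packet("3c:7c:3f:aa:bb:cc", b"\x01\x02\x03\x04")),
    ("192.168.1.10", "192.168.1.1", 53,                        # DNS query, not WoL
     b"\x12\x34\x01\x00" + b"\x00" * 8),
    ("192.168.1.10", "255.255.255.255", 9, b"\xff" * 102),     # all-0xFF noise
]

if __name__ == "__main__":
    for hit in find_wake_attempts(SAMPLE_UDP):
        print(f"WoL from {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"target {hit['mac']} at offset {hit['offset']} secureon={hit['secureon']}")
```

The third and fourth samples show the two false-positive traps: ordinary traffic that happens to contain runs of 0xFF, and an all-0xFF payload, neither of which yields a valid (non-broadcast) target MAC. Disabling Wake-on-LAN in the NIC driver, as the post suggests, stops the first two samples from doing anything, but a detector like this is how you would confirm whether they were ever sent.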
Joined
Apr 8, 2010
Messages
991 (0.19/day)
Processor Intel Core i5 8400
Motherboard Gigabyte Z370N-Wifi
Cooling Silverstone AR05
Memory Micron Crucial 16GB DDR4-2400
Video Card(s) Gigabyte GTX1080 G1 Gaming 8G
Storage Micron Crucial MX300 275GB
Display(s) Dell U2415
Case Silverstone RVZ02B
Power Supply Silverstone SSR-SX550
Keyboard Ducky One Red Switch
Software Windows 10 Pro 1909
I have always naively presumed those motherboard chips are practically read only, and only some very very special magic from manufacturer software can update what's inside.
Ignorance is bliss LOL
 
Joined
Feb 20, 2007
Messages
372 (0.06/day)
Location
Where the beer is good
System Name Karl Arsch v. u. z. Abgewischt
Processor i5 3770K @5GHz delided
Motherboard ASRock Z77 Professional
Cooling Arctic Liquid Freezer 240
Memory 4x 4GB 1866 MHz DDR3
Video Card(s) GTX 970
Storage Samsung 830 - 512GB; 2x 2TB WD Blue
Display(s) Samsung T240 1920x1200
Case Bitfenix Shinobie XL
Audio Device(s) onboard
Power Supply Cougar G600
Mouse Logitech G500
Keyboard CMStorm Ultimate QuickFire (CherryMX Brown)
Software Win7 Pro 64bit
I have always naively presumed those motherboard chips are practically read only, and only some very very special magic from manufacturer software can update what's inside.
Ignorance is bliss LOL

BIOS update from within the OS - never heard of that shit?
 
Joined
Apr 8, 2010
Messages
991 (0.19/day)
BIOS update from within the OS - never heard of that shit?
Like I said, I thought that's some magic from the manufacturers. Come to think of it, I don't remember that last time I updated my BIOS...
 
Joined
Jan 23, 2012
Messages
361 (0.08/day)
Location
South Africa
Processor Pentium II 400 @ 516MHz
Motherboard AOpen AX6BC EZ
Cooling Stock
Memory 192MB PC-133
Video Card(s) 2x Voodoo 12MB in SLI, S3 Trio64V+
Storage Maxtor 40GB
Display(s) ViewSonic E90
Audio Device(s) Sound Blaster 16
Software Windows 98 SE
Posting here purely to sub to this thread and keep track - it's certainly very interesting.

Hats off to R-T-B for the work so far :)
 
Joined
Nov 29, 2016
Messages
667 (0.25/day)
System Name Unimatrix
Processor Intel i9-9900K @ 5.0GHz
Motherboard ASRock x390 Taichi Ultimate
Cooling Custom Loop
Memory 32GB GSkill TridentZ RGB DDR4 @ 3400MHz 14-14-14-32
Video Card(s) EVGA 2080 with Heatkiller Water Block
Storage 2x Samsung 960 Pro 512GB M.2 SSD in RAID 0, 1x WD Blue 1TB M.2 SSD
Display(s) Alienware 34" Ultrawide 3440x1440
Case CoolerMaster P500M Mesh
Power Supply Seasonic Prime Titanium 850W
Keyboard Corsair K75
Benchmark Scores Really Really High
Hi,

Thanks in advance for any help...

Fresh Windows 10 1803
Home build w/ASUS STRIX Z270F MB, ASUS GTX 1070 8GB, i7-7700K, Samsung 850 Pro / Crucial M4

I have been fighting an infection with an extremely persistent malware that (after 8 weeks of analysis) is not detectable in user space by any AV. It has been sending me around in frustrating circles. I originally thought the malware was hiding in filesystem slack space, but it appears to be using a combination of evasion techniques that rewrite the HDD HPA/DCO, GPU firmware (main infection source), SSD firmware (unable to BCDwipe certain sectors - multiple SSDs - unable to upgrade BIOS due to malware interference), and the motherboard BIOS (blocks rescue disks). The malware blocks rescue CDs from running and locks the drive into hibernation to prevent offline scans. Reflashing the MB BIOS stops this for 1 boot, then the problem returns.

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

I know, crazy, right? I believe the origin of the malware is Chinese/Korean for a number of reasons that I won't go into here. On trying to upgrade the GTX 1070 firmware with the ASUS GPUUpdateBios.exe, I get the response "You no need update GPU Vbios!". I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.

Long story short, I am unable to find any info on how to reset these parameters (or reset the card completely back to stock) and cannot find the relevant .IFR firmware mentioned in NVFlash to update this. On reboot, the malware takes the card back again and we're back to square one.

If there is a tool to completely reset all the card parameters to factory, or a hardware ninja method that provides similar results, I would very much appreciate some recommendations. If this malware resonates with anyone else, I would really like to know its name as I have been unable to determine the strain.

Cheers!


Sorry, if something really that sophisticated has attacked your computer, you'll just have to buy everything new again...
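The NVFlash comparison quoted above (mismatches in the InfoROM timestamp, OEM data and an "Unallocated Space" size difference between the card dump and the vendor .rom) and R-T-B's earlier point that a large flash image has megabytes of free space that nothing accounts for both come down to the same question: where do the images the ROM headers declare actually end, and is the space after them really empty? The script below is an added example, not NVFlash or any tool mentioned in the thread. It walks only the generic PCI option ROM chain (0x55AA signature, PCIR data structure, image length in 512-byte units, "last image" indicator bit), which every VBIOS including NVIDIA's starts with; the NVIDIA-specific InfoROM tables are not parsed. The two ROM images at the bottom are constructed in-line, and the vendor/device IDs in them (10DE / 1B81, the GP104 ID used for the GTX 1070) are only there to make the sample look plausible.

```python
"""Walk the PCI option ROM image chain in a firmware dump and report
what sits beyond the last declared image.

Added example for this thread; not NVFlash or any posted tool. Parses
only the generic PCI option ROM header (0x55AA + PCIR structure per the
PCI Firmware Spec); NVIDIA-specific tables such as the InfoROM are not
decoded. The sample ROMs at the bottom are constructed in-line.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

BLOCK = 512                 # PCIR image lengths are counted in 512-byte units
PADDING = {0x00, 0xFF}      # erased-flash / fill values treated as "empty"


@dataclass
class RomImage:
    offset: int
    length: int             # bytes, from the PCIR image-length field
    vendor_id: int
    device_id: int
    code_type: int          # 0 = x86 legacy, 3 = UEFI (per PCI Firmware Spec)
    last: bool              # PCIR indicator bit 7: last image in the chain


def parse_option_rom(blob: bytes) -> list[RomImage]:
    """Follow the chain: each 0x55AA header points (offset 0x18) at its PCIR
    structure, which gives the image length; the next image starts after it."""
    images: list[RomImage] = []
    off = 0
    while off + 0x1A <= len(blob) and blob[off:off + 2] == b"\x55\xAA":
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if blob[pcir:pcir + 4] != b"PCIR":
            break                                   # malformed chain: stop here
        vid, did = struct.unpack_from("<HH", blob, pcir + 4)
        blocks = struct.unpack_from("<H", blob, pcir + 0x10)[0]
        last = bool(blob[pcir + 0x15] & 0x80)
        images.append(RomImage(off, blocks * BLOCK, vid, did, blob[pcir + 0x14], last))
        if last or blocks == 0:
            break
        off += blocks * BLOCK
    return images


def declared_end(images: list[RomImage]) -> int:
    """Offset of the first byte after the last declared image."""
    return images[-1].offset + images[-1].length if images else 0


def non_padding_runs(blob: bytes, start: int) -> list[tuple[int, int]]:
    """(offset, length) of byte runs after `start` that are neither 0x00 nor
    0xFF, i.e. data that no ROM header accounts for."""
    runs, i = [], start
    while i < len(blob):
        if blob[i] in PADDING:
            i += 1
            continue
        j = i
        while j < len(blob) and blob[j] not in PADDING:
            j += 1
        runs.append((i, j - i))
        i = j
    return runs


def compare_roms(dump: bytes, vendor: bytes) -> dict:
    """Region-wise comparison of a card dump against the vendor image:
    per-image length/byte equality plus undeclared data in each file's tail."""
    d_imgs, v_imgs = parse_option_rom(dump), parse_option_rom(vendor)
    per_image = [
        {"index": i, "same_len": d.length == v.length,
         "same_bytes": dump[d.offset:d.offset + d.length] == vendor[v.offset:v.offset + v.length]}
        for i, (d, v) in enumerate(zip(d_imgs, v_imgs))
    ]
    return {
        "image_count_match": len(d_imgs) == len(v_imgs),
        "images": per_image,
        "trailing_dump": non_padding_runs(dump, declared_end(d_imgs)),
        "trailing_vendor": non_padding_runs(vendor, declared_end(v_imgs)),
    }


def build_image(blocks: int, code_type: int, last: bool, body: bytes) -> bytes:
    """Constructed minimal option ROM image for the demonstration
    (vendor 10DE = NVIDIA, device 1B81 = GP104 / GTX 1070)."""
    img = bytearray(blocks * BLOCK)
    img[0:2], img[2] = b"\x55\xAA", blocks
    struct.pack_into("<H", img, 0x18, 0x40)             # pointer to PCIR
    img[0x40:0x44] = b"PCIR"
    struct.pack_into("<HH", img, 0x44, 0x10DE, 0x1B81)
    struct.pack_into("<H", img, 0x4A, 0x18)             # PCIR structure length
    struct.pack_into("<H", img, 0x50, blocks)           # image length, 512-byte units
    img[0x54], img[0x55] = code_type, 0x80 if last else 0x00
    img[0x80:0x80 + len(body)] = body
    return bytes(img)


# Constructed sample: vendor ROM = x86 image + UEFI GOP image + 1 KB erased tail.
VENDOR_ROM = (build_image(2, 0, False, b"x86 init code")
              + build_image(1, 3, True, b"UEFI GOP driver")
              + b"\xFF" * 1024)
# Same declared images, but something was written into the "unallocated" tail.
TAMPERED_ROM = VENDOR_ROM[:-1024] + b"\xFF" * 200 + b"EVILBLOB" + b"\xFF" * 816

if __name__ == "__main__":
    for img in parse_option_rom(TAMPERED_ROM):
        print(img)
    print(compare_roms(TAMPERED_ROM, VENDOR_ROM))
```

On the constructed pair, every declared image compares equal and the only difference is an 8-byte run after the declared end of the dump. On a real card that is the kind of finding that justifies the next step (a hardware read of the SPI chip with a programmer, since a tool running under the suspect OS cannot be trusted to report the chip honestly); a clean tail on a dump taken by software still proves nothing on its own.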
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.61/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
BIOS update from within the OS - never heard of that shit?

Erm, there is software that does it from motherboard makers, even auto update; it is convenient for Joe Schmo to do it. It's a Catch-22, especially in this instance.
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,105 (1.31/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
Erm, there is software that does it from motherboard makers, even auto update; it is convenient for Joe Schmo to do it. It's a Catch-22, especially in this instance.
And erm

Download ATI Winflash (old) | TechPowerUp
https://www.techpowerup.com › Downloads › Tweaking › BIOS Flashing


ATI Winflash (old) Winflash 1.26.1. Latest. September 10th, 2007. 349.0 KB. winflash1261. ... Version History. N/A. May 21st, 2018 21:17 PDT change timezone.

10 Oct 2005 - 6 posts - ‎3 authors
Asus' website has umpteen revisions of the bios available, but when you go to the flashing procedure, it says "if you can't find the Winflash ...

As you can see, it's been around and available for over 10 years :) How time flies :)
 

Ahhzz

Moderator
Staff member
Joined
Feb 27, 2008
Messages
8,709 (1.48/day)
System Name OrangeHaze / Silence
Processor i7-13700KF / i5-10400 /
Motherboard ROG STRIX Z690-E / MSI Z490 A-Pro Motherboard
Cooling Corsair H75 / TT ToughAir 510
Memory 64Gb GSkill Trident Z5 / 32GB Team Dark Za 3600
Video Card(s) Palit GeForce RTX 2070 / Sapphire R9 290 Vapor-X 4Gb
Storage Hynix Plat P41 2Tb\Samsung MZVL21 1Tb / Samsung 980 Pro 1Tb
Display(s) 22" Dell Wide/24" Asus
Case Lian Li PC-101 ATX custom mod / Antec Lanboy Air Black & Blue
Audio Device(s) SB Audigy 7.1
Power Supply Corsair Enthusiast TX750
Mouse Logitech G502 Lightspeed Wireless / Logitech G502 Proteus Spectrum
Keyboard K68 RGB — CHERRY® MX Red
Software Win10 Pro \ RIP:Win 7 Ult 64 bit
Thanks for all your work on this RTB
 
Joined
Feb 2, 2015
Messages
2,707 (0.81/day)
Location
On The Highway To Hell \m/
ATI Winflash is for graphics cards. Not motherboards. There's, supposedly, an ASUS Winflash that's for flashing a motherboard's BIOS from within Windows. But for this particular motherboard the manual states that you need to use ASUS EZ Update to flash the BIOS from within Windows. There's also an ASUS Live Update Utility. That supposedly does the same thing. Anyway, supposedly you'd need highly specific software, designed to work with specific motherboards. But of course the hacker knows about all of this and took advantage of it. Interesting...
 
Joined
Feb 20, 2007
Messages
372 (0.06/day)
Location
Where the beer is good
Erm, there is software that does it from motherboard makers, even auto update; it is convenient for Joe Schmo to do it. It's a Catch-22, especially in this instance.

That shit should never have been made possible, a big risk not only from a security standpoint.
 
Joined
Aug 20, 2007
Messages
20,714 (3.41/day)
ATI Winflash is for graphics cards. Not motherboards. There's, supposedly, an ASUS Winflash that's for flashing a motherboard's BIOS from within Windows. But for this particular motherboard the manual states that you need to use ASUS EZ Update to flash the BIOS from within Windows. There's also an ASUS Live Update Utility. That supposedly does the same thing. Anyway, supposedly you'd need highly specific software, designed to work with specific motherboards. But of course the hacker knows about all of this and took advantage of it. Interesting...

You don't really need highly specific software. AFUWINFLASH works on nearly every AMI Aptio based motherboard (pretty much every DIY board on the market), and is available from AMI for free.

https://ami.com/en/products/bios-uefi-tools-and-utilities/bios-uefi-utilities/
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.61/day)
Location
Republic of Texas (True Patriot)
In DIY now, it's really just AMI.

I'm just naming them because I have encountered all 3, also MSI uses their own flash software too. It is a big exploit. This guy got hit with a hydrogen bomb.
 
Joined
Aug 20, 2007
Messages
20,714 (3.41/day)
I'm just naming them because I have encountered all 3, also MSI uses their own flash software too. It is a big exploit. This guy got hit with a hydrogen bomb.

A lot of vendors use their own customized flash software, but generic afuwinflash still works.

Yeah, Award and Phoenix are still around, but mostly in the OEM space.
 