
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.
I feel this has been brought on largely by the use of large flashrom chips in motherboards. 16MB rom chips are common now with around 2-5MB of free space in a common image.
I feel like a lot of the switch to UEFI was just form over function in order to dress up the bios similar to the transition between XP and Vista or anything Apple related. They could free up more space as well in UEFI bios removing both unneeded form and function, i.e. unneeded operable features. That would show up more readily in the bios editing tools however. At the same time if they already have someone compromised enough to install a malicious bios they might not care about remaining undetected and just want to do a quick seek and/or destroy attack. On the other hand they might want to only marginally alter it and remain unnoticed, camouflaged until the right moment to strike or a red flag was detected by the victim. The whole situation really highlights the concerning aspect of it all since there are plenty of people with malicious intentions. The likelihood of it being widespread and rampant to everyday users is probably relatively tame I'd think though, as most people with this type of intention and knowledge are going after a whale, not a minnow.
 
I feel like a lot of the switch to UEFI was just form over function in order to dress up the bios similar to the transition between XP and Vista or anything Apple related.

It has a lot of bloat certainly. Some of it needed to happen (16-bit BIOS code was hitting a lot of limits), but the "extensible" part of the UEFI acronym has been taken to quite an extreme as of late, and it's not a place that needs it, honestly. Firmware should be simple management code, nothing else...
 
Or a reason to laugh his butt off..

Frankly, a lot of the drama and flack I've gotten from this is beyond silly. Not naming names, but I won't pretend what occurred here improved my view of this community, honestly.
 
I haven't kept up with where Intel's Management Engine actually lives these days. It used to be the southbridge/Platform Hub - is it integrated into the actual processor now? If so that might make the processor itself suspect?

Another thing is to check all of the integrated peripherals on the motherboard. I know on some boards things like the Ethernet NIC and 3rd-party USB2/3 controllers actually had their own flashroms separate from the main bios/firmware. The badUSB exploit used this.

Last, for the people who kept doubting that madbrit didn't open or run that email... you do know that a virus scanner is a prime attack vector, right? When the virus scanner automatically (without user intervention) scanned his incoming email and crashed... that crash was probably the under/overflow exploit where the crafted malware pwned the scanner - AND likely had the privilege level of that scanner (which tend to be pretty high, like SYSTEM) and then dropped its beginning payload.

The days where you scold people and wag your finger saying "you obviously opened it" are way gone folks. Stop it and realize that drive by malware has been a thing for at least 10 years now.

EDIT ADD: Oh yea, any chance you can get some of madbrit's fubared SSD drives? That's insane and also scary that the malware managed to tamper with them enough to fail genuine check, but they actually still "work."

Are they SATA or NVMe? That's also pretty targeted. Trivia that might not mean anything - 850Pro also one of the few with legacy bootable support for older motherboards. Maybe additional attack surface? Tamper with legacy boot module on 850pro? I dunno... but THOSE might be seriously the "investigative prize" out of all this. Samsung at least should be mighty interested at looking at what was done to those 850pros.
 
I haven't kept up with where Intel's Management Engine actually lives these days. It used to be the southbridge/Platform Hub - is it integrated into the actual processor now? If so that might make the processor itself suspect?

Another thing is to check all of the integrated peripherals on the motherboard. I know on some boards things like the Ethernet NIC and 3rd-party USB2/3 controllers actually had their own flashroms separate from the main bios/firmware. The badUSB exploit used this.

Last, for the people who kept doubting that madbrit didn't open or run that email... you do know that a virus scanner is a prime attack vector, right? When the virus scanner automatically (without user intervention) scanned his incoming email and crashed... that crash was probably the under/overflow exploit where the crafted malware pwned the scanner - AND likely had the privilege level of that scanner (which tend to be pretty high, like SYSTEM) and then dropped its beginning payload.

The days where you scold people and wag your finger saying "you obviously opened it" are way gone folks. Stop it and realize that drive by malware has been a thing for at least 10 years now.

Heck, it's been around a lot longer than that, even before the term malware was ever coined.
 
If so that might make the processor itself suspect?

No. The Management Engine computational core is in the processor. But it loads the software it runs from a special region of the standard BIOS/UEFI chip, similar to standard CPU microcode.
 
Also I just pondered... what would the development environment/toolchain look like for the developer of this malware? Is there a way to emulate a given UEFI board to target/test against, or would the creator actually need a physical motherboard to test on?

Because if they recently bought/sold an Asus Strix Z270F Gaming using anything but cash ... I guess that would still just be circumstantial. It would only be "damning" if somehow testing on that board accidentally "watermarked" the malware madbrit's board received. But I don't know enough about UEFI to think of any way that might happen.

Or I suppose if they were really sloppy, and managed to leave the test board damaged in a way identical to madbrit's. That all jumps the gun of course, but fascinating to think about.
 
Also I just pondered... what would the development environment/toolchain look like for the developer of this malware? Is there a way to emulate a given UEFI board to target/test against, or would the creator actually need a physical motherboard to test on?

Because if they recently bought/sold an Asus Strix Z270F Gaming using anything but cash ... I guess that would still just be circumstantial.

I mean, I'm not about to write a guide, but most of the tools are freely available and if you know what you're doing, probably an image of the board bios is enough (like available from ASUS's or any other manufacturer's homepage).

There's a chance of bricking without a physical board to test on, but I doubt they'd care too much if this is a genuine "I hate your guts man" style attack.
 
Erm there is software that does it from motherboard makers, even auto update, it is convenient for Joe Schmo to do it. It's a catch 22 especially in this instance.

My most recent board has a direct connect and download option, without any third-party intervention, etc. It allows you to update from within the bios without downloading a file manually. There's even a digital assistant that connects you to support staff. Personally, I don't feel comfortable using either of those methods to update firmware; nothing involving Internet transfer would make me comfortable.
 
My most recent board has a direct connect and download option, without any third-party intervention, etc. It allows you to update from within the bios without downloading a file manually. There's even a digital assistant that connects you to support staff. Personally, I don't feel comfortable using either of those methods to update firmware; nothing involving Internet transfer would make me comfortable.

Personally, I don't think firmware needs a webstack at all except for if it's explicitly doing some type of network boot function...
 
Personally, I don't think firmware needs a webstack at all except for if it's explicitly doing some type of network boot function...

Yup limited function, no firmware updates from the web.
 
My previous job was with one of the biggest antivirus manufacturers in the world. I used to do remote sessions on customer's machines for tuneup and malware removal. I bet you I can find out what kind of infection you have. If you want your PC cleaned send me a private message if you want to do a remote session.
 
I heard that guy who opened this thread is now a permanent resident in Gotham Asylum..
 
My previous job was with one of the biggest antivirus manufacturers in the world. I used to do remote sessions on customer's machines for tuneup and malware removal. I bet you I can find out what kind of infection you have. If you want your PC cleaned send me a private message if you want to do a remote session.

I know you probably mean well, but we're well beyond that point now. His computer is literally in the mail to me for a proper bios dump.

Does that mean he is a liar and batshit crazy?

He isn't. I mean, I guess if you're an absolute pessimist in humanity, sure, he could have written a modified bios that is otherwise harmless to himself for attention. Part of the reason I had him send me the hardware was so I could verify his claims on a carefully firewalled network. Unfortunately, yes, I have to rule out such things because weirder has happened on the internet.

But he gets a gold star for so far being completely honest and forthcoming with me. I genuinely think he just has a really nasty targeted infection, and needed help.

Besides, we couldn't gain any ground on the target system either way... It did not play fair on any level even from a totally fresh live Windows installer environment. That alone has me believing him.

I heard that guy who opened this thread is now a permanent resident in Gotham Asylum..

Nope. Some of you guys did scare him good though... gratz. :banghead:
 
My previous job was with one of the biggest antivirus manufacturers in the world. I used to do remote sessions on customer's machines for tuneup and malware removal. I bet you I can find out what kind of infection you have. If you want your PC cleaned send me a private message if you want to do a remote session.
You used to work at Bitdefender huh? Don't want to get off topic, but why did you leave?

Also what this guy has, I doubt can be fixed remotely.
 
I got tired of night shifts (company is in Romania while most of the customers were in the US) after 4 years.
Worked 1 more year there as senior software tester, then went to a different company working support again.
 
Very interesting. Subbing just to see the outcome.
 
The best thing you possibly could do is make this available to the public so it can be dissected by the international community, then dealt with, and mitigated against by the international community. Otherwise you're putting it in the hands of one agency or another and who knows what their motives may be. It should be public domain.

Standard procedure is to give the manufacturer 30 days, and given these exploits aren't really patchable but more architectural design choices to implement "features", I'm debating how to best proceed honestly. Usual procedures don't really apply.

Actually, I'm open to advice on that front. I can't promise I'll follow it, but ethics advice here is appreciated if you can make a good argument for your point (even better if you can cite past cases).


It isn't going "exclusively" anywhere.
 
Actually, I'm open to advice on that front. I can't promise I'll follow it, but ethics advice here is appreciated if you can make a good argument for your point (even better if you can cite past cases).
Even if users can't do anything to block this exploit, and the manufacturers need to redesign their architecture, the public should eventually know. 30 days lead time for the manufacturer is plenty for a flaw like this (whatever it is). You are doing a good thing, and it's generating a lot of interest. Looking forward to the resolution and disclosure.
 
Security through obscurity is not security

you should be contacting ASUS directly for disclosure
 
Security through obscurity is not security

I couldn't agree more OneMoar (lol that was awesome to say).

My curiosity is more along the lines of "if it's completely unpatchable, is a 30-day lead time even needed?"

This is a design choice more than a "bug" and as such, can't really be patched. Anything that can be flashed with around a 2mb free image space is inherently vulnerable to attack vectors like this.

It's not all doom and gloom though. We all know you need admin level privileges to flash the board in the first place...

you should be contacting ASUS directly for disclosure

As soon as the board is in hand for direct dumps, I plan on contacting AV Vendors, mobo vendors, and authorities as appropriate simultaneously. That should be tomorrow.
 
as a stop gap you could try padding the image so there was less than 64kb free, by creating some dummy DXEs
 
as a stop gap you could try padding the image so there was less than 64kb free, by creating some dummy DXEs

Not a bad idea as a stopgap prevention measure, I may do that when I clean his board.
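The thread keeps coming back to two checks a responder would actually run on a dumped BIOS: how much erased space the image leaves for something to be written into, and where a dump read off the chip differs from the vendor's image. The script below is an added example (not code from anyone in the thread) that does both on constructed sample images; the byte values, offsets and the 64-byte run threshold are assumptions chosen for the demonstration.

```python
import re

# Constructed sample images standing in for a vendor BIOS image and a dump
# read back from the flash chip (real images are 8-16 MB; same code applies).
REFERENCE = bytes(range(255)) + b"\xff" * 512 + bytes(range(255))
_dump = bytearray(REFERENCE)
_dump[400:528] = b"\xaa" * 128          # 128 bytes written into erased padding
DUMP = bytes(_dump)


def free_regions(image: bytes, min_run: int = 64) -> list[tuple[int, int]]:
    """(offset, length) of every run of 0xFF at least min_run bytes long.

    Erased NOR flash reads back as 0xFF, so long runs are unused space in
    the image, the headroom the thread is worried about."""
    return [(m.start(), m.end() - m.start())
            for m in re.finditer(rb"\xff{%d,}" % min_run, image)]


def diff_regions(reference: bytes, dump: bytes) -> list[tuple[int, int]]:
    """(offset, length) of every contiguous range where dump != reference."""
    if len(reference) != len(dump):
        raise ValueError("images differ in size; compare like-for-like dumps")
    regions, start = [], None
    for off, (a, b) in enumerate(zip(reference, dump)):
        if a != b and start is None:
            start = off
        elif a == b and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(dump) - start))
    return regions


def classify_changes(reference: bytes, dump: bytes, min_run: int = 64) -> list[dict]:
    """Tag each changed range by whether it lands in space the vendor image
    left erased. Writes into former padding are the strongest signal of an
    injected module; changes inside existing content need further triage,
    since the NVRAM variable store legitimately differs between boots."""
    padding = free_regions(reference, min_run)
    report = []
    for off, length in diff_regions(reference, dump):
        in_padding = any(s <= off and off + length <= s + n for s, n in padding)
        report.append({"offset": off, "length": length,
                       "where": "former padding" if in_padding else "existing content"})
    return report


if __name__ == "__main__":
    print("free in reference:", free_regions(REFERENCE))
    print("free in dump:     ", free_regions(DUMP))
    for change in classify_changes(REFERENCE, DUMP):
        print(f"changed {change['length']} bytes at 0x{change['offset']:x} ({change['where']})")
```

Running it on real files means replacing the two constructed constants with `open(path, "rb").read()` of the vendor image and the chip dump, and expecting the NVRAM region to show up as "existing content" changes that need a closer look rather than an alarm.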
 