GTX 1070 Firmware Overwritten by Malware - Unable to Reset

So no suspicions of government actors?

Not really. What little firmware portion there is is only present to dump a HPA payload. It's very targeted to his board. And the malware is loud. Everything points to non-state origin.

How about posting a short summary of the case, a TLDR version, since it generated 300 posts. You put in some time on this, and deserve recognition.

May do so, but will need a rest first.

I spent nearly every waking moment of the past week on this, so there's certainly a writeup... will think about if it is worth it for certain.
 
Not really. What little firmware portion there is is only present to dump a HPA payload. It's very targeted to his board. And the malware is loud. Everything points to non-state origin.

May do so, but will need a rest first.

I spent nearly every waking moment of the past week on this, so there's certainly a writeup... will think about if it is worth it for certain.

Take a Break for sure, you earned it
 
Not really. What little firmware portion there is is only present to dump a HPA payload. It's very targeted to his board. And the malware is loud. Everything points to non-state origin.

May do so, but will need a rest first.

I spent nearly every waking moment of the past week on this, so there's certainly a writeup... will think about if it is worth it for certain.
I'm interested in the process to even identify what has been done, not necessarily how to fix it. Take your time on the write-up; I'd rather it be accurate than rushed.
 
I'm interested in the process to even identify what has been done, not necessarily how to fix it. Take your time on the write-up; I'd rather it be accurate than rushed.

To be super brief a lot of it is just opening certain infected files with a hex editor and knowing what strings to look for. But yeah, I'll provide more details soonish.
 
I've skipped pages 5-13 (but will continue reading)... has anyone reached out to Mikko Hypponen @ F-Secure? He/his company might be interested...
 
I've skipped pages 5-13 (but will continue reading)... has anyone reached out to Mikko Hypponen @ F-Secure? He/his company might be interested...

The last page or two of analysis are the most important, and mark it as a little less interesting than it initially appeared.
 
I've skipped pages 5-13 (but will continue reading)... has anyone reached out to Mikko Hypponen @ F-Secure? He/his company might be interested...
Yea, F-Secure would be interested in this, maybe even to add to its free scanner.
 
Yea, F-Secure would be interested in this, maybe even to add to its free scanner.

I have one drive I have left completely infected for press purposes. Issue being, it's only one drive, and imaging it isn't really possible due to how this malware works.

I'm unsure who to send it to now, especially considering it may lead to accusations of bias. May just be better to use archives of the collected malware to many parties.
 
I have one drive I have left completely infected for press purposes. Issue being, it's only one drive, and imaging it isn't really possible due to how this malware works.

I'm unsure who to send it to now, especially considering it may lead to accusations of bias. May just be better to use archives of the collected malware to many parties.

Considering the suspicion is that the AV companies, which are now anti-malware too, are the ones who created all this rubbish just to sell you a product claimed to protect you...
 
Considering the suspicion is that the AV companies, which are now anti-malware too, are the ones who created all this rubbish just to sell you a product claimed to protect you...
That is a school of thought I cannot subscribe to. For one, with few exceptions, every country in the world has criminal laws against such schemes and, two, malware of this kind is almost always about money or something else of value. Malware companies are never going to risk the criminal and public consequences of such actions.

In this instance, it would seem to be a known piece of malware being modified to suit a customized need in an act of revenge. Nothing more or less.
I've skipped pages 5-13 (but will continue reading)... has anyone reached out to Mikko Hypponen @ F-Secure? He/his company might be interested...
Why F-Secure? Not exactly a major player in the antivirus/antimalware arena.
 
Haaa well, we all got into the hype train but with a step back, it wasn't as crazy as we all thought (well, for me :p). I've been carried by the panic factor.

Still very interesting.

That is a school of thought I cannot subscribe to. For one, with few exceptions, every country in the world has criminal laws against such schemes and, two, malware of this kind is almost always about money or something else of value. Malware companies are never going to risk the criminal and public consequences of such actions.

In this instance, it would seem to be a known piece of malware being modified to suit a customized need in an act of revenge. Nothing more or less.

Haha, I heard that so often: "Antivirus companies are the ones doing the malware". Imagine if someone discovered that a malware came from an antivirus maker; they would be closed at that instant!
 
That is a school of thought I cannot subscribe to. For one, with few exceptions, every country in the world has criminal laws against such schemes and, two, malware of this kind is almost always about money or something else of value. Malware companies are never going to risk the criminal and public consequences of such actions.

In this instance, it would seem to be a known piece of malware being modified to suit a customized need in an act of revenge. Nothing more or less.

Why F-Secure? Not exactly a major player in the antivirus/antimalware arena.

As I said, suspicion.
 
Why F-Secure? Not exactly a major player in the antivirus/antimalware arena.

I was leaning towards Kaspersky Labs for the "big prize" (the super-scary-infected virgin SSD), because of their experience with malware and firmware infections in HDD/SSD things.

Open to suggestions of course. I know Kaspersky has allegations of Russian bias (which may or may not be political), but other AV vendors would get archives of viral material to hopefully support any findings.

I also wasn't too thrilled about how open Kaspersky was with the HDD Malware thing. They never really let out any tech details that I could find. Dunno.

In this instance, it would seem to be a known piece of malware being modified to suit a customized need in an act of revenge. Nothing more or less.

Yep. The only reason I see to submit it at all is he may have passed at least USB drives around and let this into the wild. We can't be certain.

I never really got screenshots of the malware, need to do that still. Until then, here are some examples from my client's best attempts to get a positive ID on it. Because of the rootkit, only some really old/obscure AV solutions seem to detect it successfully.

[attached photos: IMG_5259.JPG, IMG_5211.JPG, IMG_5206.JPG, IMG_5204.JPG]

This is how the rootkit presents itself at the BCD:

[attached photo: IMG_5227.JPG]

And in UEFI:

[attached photos: IMG_5136.JPG, IMG_5138.JPG]

It's actually an HPA region invisible to the general purpose OS.
 
I recommend RegRun as well as Kaspersky; RegRun does what no other can, for example a semi-offline scan which detects and removes viruses during the boot process; it did so effectively for me a few months ago. It also protects drives from flash viruses; it places a file on each hard drive, "lpt3.Drive_is_protected_against_flash_viruses_by_RegRun". It also has a great inbuilt system for their anti-malware team to connect to your PC and assist you in real time, even in the free version.

BTW, have you tried scanning with offline AV scanners? There is no better way to detect rootkits; once Windows is loaded, they can hide very easily. I personally recommend the Avira offline scanner, and the Bitdefender offline scanner is not bad either. I use a dedicated bootable HD with at least a dozen Linux O/S live environments and offline antivirus scanners for unbeatably fast, efficient loading and scanning; you can build an offline scanning drive with multiple scanners effortlessly with this app here, YUMI: https://www.pendrivelinux.com/yumi-multiboot-usb-creator/

Install YUMI, download the Avira offline ISO, flash it to a USB or dedicated hard drive; boot and you're good to go. I believe Avira required the option "unlisted iso GRUB partition 4"; the standard setting did not work for me. You can also try installing it to GRUB, RAM and syslinux if the others don't work; I would use all 4 at once just to save time!

As for online tools, one takes the cake above all else, and that is PC Hunter, for its ability to locate kernel hooks and completely dissect every aspect of the Windows system and kernel for you to see every juicy detail! Nothing comes even close. http://www.majorgeeks.com/files/details/pc_hunter.html

[attached screenshots: Info.png, info2.png]

"It makes extensive use of HPAs (Host Protected Areas, essentially an ATA command to hide a partition)"

PS: Have you attempted disabling AHCI and switching to IDE; is this possible? Or from RAID to another; switching any number of BIOS options relating to SATA, like compatibility mode or something like this, to see if this effectively breaks the rootkit?
 
PS: Have you attempted disabling AHCI and switching to IDE; is this possible? Or from RAID to another; switching any number of BIOS options relating to SATA, like compatibility mode or something like this, to see if this effectively breaks the rootkit?

No. I must admit, my loyalties are to my client first and he needed to get running as fast as possible (losing money), so I simply took images of the HPAs and then removed and scrubbed them with the hdparm tool in Linux and a DCO reset. I then secure erased the drives for good measure.

I kept two SSDs infected only for evidence reasons. The other ones (expensive Samsung 850 units) were actually able to be recovered as there didn't end up actually being an HDD firmware portion on them as I suspected. Sadly the most expensive SSD (an 850 pro 512GB) ended up being the primary "martyr" of infection, as well as one cheaper Crucial m4 unit. I'd never feel comfortable using those again, honestly.

I believe the mobo firmware had something up with it because this virus would persist across reinstalls in a very, very aggressive way. I never got the smoking gun I wanted in my analysis pointing to any particular party, but I'm pretty darn sure this mobo BIOS image is tampered with and the "source of all evil", so to speak.

In the end, the mobo virus was removed via an SPI reprogramming with a hardware chip programmer.

I'm sorry for the lack of updates on this front. Since the one thing I could determine indicated the virus is very tailor-made for one machine, it isn't much of an "in the wild" risk and it seems most AV firms are only mildly interested. Disappointing, but I'm still looking around. Thank you for your advice Rugabunda, I will certainly be sending them images.

BTW, have you tried scanning with offline av scanners? There is no better way to detect rootkits; Once windows is loaded, they can hide very easily

I'd never boot a viral infected drive or image, if that's what you mean. So many things could go wrong there, and you ruin everything from a computer forensics perspective.
 
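One way to make the HPA/DCO check behind R-T-B's imaging step repeatable, as an added example that is not code from the thread: a POSIX shell script that parses output saved earlier from `hdparm -N` and `hdparm --dco-identify` and reports how many sectors an HPA or a DCO hides. The sample lines are constructed; the assumption is that they follow hdparm's print format ("max sectors = current/native" and "Real max sectors: N").

```shell
#!/bin/sh
# Added example (not from the thread): classify a drive's HPA/DCO state from
# text saved earlier with "hdparm -N /dev/sdX" and "hdparm --dco-identify
# /dev/sdX", so the check runs on a workstation without re-touching the drive.

# Constructed sample in the shape "hdparm -N" prints when an HPA clips the
# accessible sector count below the native maximum.
SAMPLE_HPA='/dev/sdb:
 max sectors   = 1953000000/1953525168, HPA is enabled'
# Constructed sample for a drive with no HPA set.
SAMPLE_CLEAN='/dev/sdc:
 max sectors   = 1953525168/1953525168, HPA is disabled'
# Constructed "--dco-identify" sample: the real maximum exceeds the native
# maximum reported by -N, so a DCO hides sectors even with no HPA set.
SAMPLE_DCO='DCO Checksum verified.
Real max sectors: 1955000000'

# hpa_hidden_sectors "<hdparm -N output>": prints sectors hidden by an HPA
# (0 when none); exit 2 if no "max sectors" line is present.
hpa_hidden_sectors() {
    cur=$(printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\1/p')
    max=$(printf '%s\n' "$1" | sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*/\2/p')
    [ -n "$cur" ] && [ -n "$max" ] || { echo "no max sectors line" >&2; return 2; }
    echo $((max - cur))
}

# dco_hidden_sectors "<hdparm -N output>" "<--dco-identify output>": prints
# sectors hidden by a DCO (real maximum minus the native maximum that an
# HPA check alone would trust).
dco_hidden_sectors() {
    native=$(printf '%s\n' "$1" | sed -n 's/.*max sectors *= *[0-9]*\/\([0-9]*\).*/\1/p')
    real=$(printf '%s\n' "$2" | sed -n 's/^Real max sectors: *\([0-9]*\).*/\1/p')
    [ -n "$native" ] && [ -n "$real" ] || { echo "missing sector counts" >&2; return 2; }
    echo $((real - native))
}

# verdict "<hdparm -N output>" "<--dco-identify output>": one-line summary;
# anything hidden means image the full LBA span before any reset or erase.
verdict() {
    h=$(hpa_hidden_sectors "$1") || return 2
    d=$(dco_hidden_sectors "$1" "$2") || return 2
    if [ "$h" -gt 0 ] || [ "$d" -gt 0 ]; then
        echo "HIDDEN hpa=$h dco=$d"
    else
        echo "CLEAN"
    fi
}

verdict "$SAMPLE_HPA" "$SAMPLE_DCO"    # HIDDEN hpa=525168 dco=1474832
verdict "$SAMPLE_CLEAN" "$SAMPLE_DCO"  # HIDDEN hpa=0 dco=1474832
```

Run it against output captured from the suspect drive before any `hdparm -N` or DCO reset is issued, so the hidden span is known and imaged first.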
No. I must admit, my loyalties are to my client first and he needed to get running as fast as possible (losing money), so I simply took images of the HPAs and then removed and scrubbed them with the hdparm tool in Linux and a DCO reset. I then secure erased the drives for good measure.

I kept two SSDs infected only for evidence reasons. The other ones (expensive Samsung 850 units) were actually able to be recovered as there didn't end up actually being an HDD firmware portion on them as I suspected. Sadly the most expensive SSD (an 850 pro 512GB) ended up being the primary "martyr" of infection, as well as one cheaper Crucial m4 unit. I'd never feel comfortable using those again, honestly.

I believe the mobo firmware had something up with it because this virus would persist across reinstalls in a very, very aggressive way. I never got the smoking gun I wanted in my analysis pointing to any particular party, but I'm pretty darn sure this mobo BIOS image is tampered with and the "source of all evil", so to speak.

In the end, the mobo virus was removed via an SPI reprogramming with a hardware chip programmer.

I'm sorry for the lack of updates on this front. Since the one thing I could determine indicated the virus is very tailor-made for one machine, it isn't much of an "in the wild" risk and it seems most AV firms are only mildly interested. Disappointing, but I'm still looking around. Thank you for your advice Rugabunda, I will certainly be sending them images.

I'd never boot a viral infected drive or image, if that's what you mean. So many things could go wrong there, and you ruin everything from a computer forensics perspective.

I'd write about this and report it to board makers to disable automatic online flashing of firmware. Have a write-protection jumper too, like how floppy disks and some USB thumb drives had "switches"; it would be a physical barrier that would prevent drive-by attacks from happening, like how the Chernobyl virus was.
 
I'd write about this and report it to board makers to disable automatic online flashing of firmware. Have a write-protection jumper too, like how floppy disks and some USB thumb drives had "switches"; it would be a physical barrier that would prevent drive-by attacks from happening, like how the Chernobyl virus was.

They've already implemented some of these things as write protection software flags in Intel-land at least, but they don't seem to protect the entire image. They certainly should do that.
 
I know this is nearing necro-post but you could always send this to Brian Krebs before this gets forgotten. I'd expect if you sent the drive dumps to him with the note to respect your client's privacy he'd respect it. Also he'd be the one to know if this was just a re-use of another existing attack.

I'd just hate to see that if there was something especially unique about this attack against your client it gets missed. Or even if Krebs has seen a pattern with this attack vector because I doubt users attacked this way would report it and/or know what was happening.

I mean obviously R-T-B seems to know his stuff here, I just happened to see an old notification cleaning my inbox and had this thought. Feel free to ignore it also =D
 
I know this is nearing necro-post but you could always send this to Brian Krebs before this gets forgotten. I'd expect if you sent the drive dumps to him with the note to respect your client's privacy he'd respect it. Also he'd be the one to know if this was just a re-use of another existing attack.

I'd just hate to see that if there was something especially unique about this attack against your client it gets missed. Or even if Krebs has seen a pattern with this attack vector because I doubt users attacked this way would report it and/or know what was happening.

I mean obviously R-T-B seems to know his stuff here, I just happened to see an old notification cleaning my inbox and had this thought. Feel free to ignore it also =D

I just recently got some time to deal with this case again and no, it is not forgotten. I have a contact in Symantec who is interested but I will see about other parties as well.
 
Well now that this thread is back up there, I can say... ...this is the thread that made me want to sign up. :D

Super interesting stuff. Always want to hear more about this.
 
interesting thread!!!! thanks for the effort R-T-B!
 
OMG THE EXACT SAME THING IS CURRENTLY HAPPENING TO ME. I've been losing my mind for like two weeks. I feel the video card is even used to run vms on my computer. This thing is a nightmare.

If this is real, a hardware programmer should fix it...

But I really doubt it's real... sorry. If it is, get in touch with an AV vendor to provide samples and they'll likely buy you new hardware just to get to study / try to block this new monstrosity.

I have to admit I'm experiencing almost verbatim what he's experiencing. I'm running pro i7-7770k w/ 2 GTX 1070s. I've been losing my mind and everyone thinks I'm crazy.
 
Again, this attack was targeted and did not make it into the wild. I really doubt it's what you have but anything is possible. I'd be happy to help prove either way but need to wrap up this case first.
 