
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Partywithtom

New Member
Joined
Aug 16, 2018
Messages
7 (0.00/day)
Again, this attack was targeted and did not make it into the wild. I really doubt it's what you have but anything is possible. I'd be happy to help prove either way but need to wrap up this case first.
Believe me, I believe. For whatever their reason, I don't know, but I'm almost certain there's someone actively monitoring on the other end.

I would find a method around it and "break" it, so to speak. Then when I wasn't at my PC it would eventually reset, and the method I used to break it had then been locked down and was no longer accessible.

I think, and this is a stretch, I'm somehow connecting to fake Microsoft servers and when it updates it then turns my PC into a workstation within a BS domain. I've gone to the lengths of wiping and replacing EVERYTHING. And I have a theory on how it's returning but that's even crazier.

 
Joined
Feb 2, 2015
Messages
2,707 (0.80/day)
Location
On The Highway To Hell \m/
Why? As in why would someone be doing this to you? What would be the purpose of it? What do you have that they so desperately need?
 

Partywithtom

New Member
Joined
Aug 16, 2018
Messages
7 (0.00/day)

I have no idea. My best guess is I'm an unfortunate, unlucky test subject, or just part of a large botnet of some kind with a managed center that monitors upon certain key alerts they receive. I called Microsoft support and before they transferred me to tier 2 the lady said "and who else did you tell this to?" Which, what kind of question is that? Why does it matter if I told anyone? Either I have a severe problem that Microsoft didn't want out or they are the malicious attackers. I don't know what else that question can possibly come about.

And I swear the few supports I have called, Microsoft, LG, Nvidia, all sound exactly the same.

And maybe again this is reaching, but if it is the case they then would monitor me to make sure I am silenced.

I've sent multiple emails to multiple malware AV and security companies, all of which bounced back.
 

dorsetknob

"YOUR RMA REQUEST IS CON-REFUSED"
Joined
Mar 17, 2005
Messages
9,105 (1.30/day)
Location
Dorset where else eh? >>> Thats ENGLAND<<<
Quote within a quote and no response: NOT HELPFUL or informative.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.41/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: i5 10400
Motherboard ASUS P8P67 Pro :: ASUS Prime H570-Plus
Cooling Cryorig M9 :: Stock
Memory 4x4GB DDR3 2133 :: 2x8GB DDR4 2400
Video Card(s) PNY GTX1070 :: Integrated UHD 630
Storage Crucial MX500 1TB, 2x1TB Seagate RAID 0 :: Mushkin Enhanced 60GB SSD, 3x4TB Seagate HDD RAID5
Display(s) Onn 165hz 1080p :: Acer 1080p
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro - Bose Companion 2 Series III :: None
Power Supply FSP Hydro GE 550w :: EVGA Supernova 550
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
It looks like that was his response and he just screwed up the formatting...
 
Joined
Sep 7, 2017
Messages
3,244 (1.34/day)
System Name Grunt
Processor Ryzen 5800x
Motherboard Gigabyte x570 Gaming X
Cooling Noctua NH-U12A
Memory Corsair LPX 3600 4x8GB
Video Card(s) Gigabyte 6800 XT (reference)
Storage Samsung 980 Pro 2TB
Display(s) Samsung CFG70, Samsung NU8000 TV
Case Corsair C70
Power Supply Corsair HX750
Software Win 10 Pro
How do you even get hit like this? Damn. I've been using computers for almost 40 years. Never got infected. All errors are of my own making.

I know this is old, but I think the solution is a sledge hammer. If BIOS was screwed up on anything, I wouldn't even try.
 
Joined
Mar 10, 2010
Messages
11,878 (2.30/day)
Location
Manchester uk
System Name RyzenGtEvo/ Asus strix scar II
Processor Amd R5 5900X/ Intel 8750H
Motherboard Crosshair hero8 impact/Asus
Cooling 360EK extreme rad+ 360$EK slim all push, cpu ek suprim Gpu full cover all EK
Memory Corsair Vengeance Rgb pro 3600cas14 16Gb in four sticks./16Gb/16GB
Video Card(s) Powercolour RX7900XT Reference/Rtx 2060
Storage Silicon power 2TB nvme/8Tb external/1Tb samsung Evo nvme 2Tb sata ssd/1Tb nvme
Display(s) Samsung UAE28"850R 4k freesync.dell shiter
Case Lianli 011 dynamic/strix scar2
Audio Device(s) Xfi creative 7.1 on board ,Yamaha dts av setup, corsair void pro headset
Power Supply corsair 1200Hxi/Asus stock
Mouse Roccat Kova/ Logitech G wireless
Keyboard Roccat Aimo 120
VR HMD Oculus rift
Software Win 10 Pro
Benchmark Scores 8726 vega 3dmark timespy/ laptop Timespy 6506
For a first go at it I'd remove all drives, make a rescue USB with Linux and reflash the card as a second card, not the booted-to GPU, then BIOS flash the mobo, then insert and wipe each drive, full format style (maybe just bin them, but I'd try to save them), then fresh install with a lot of stuff crossed.
I have fixed many a family virus magnet, including many just showing FBI phone-in screens etc. etc., but I still have never seen this, thankfully.
Good luck, new guy with the issue, and still OP.
 

Partywithtom

New Member
Joined
Aug 16, 2018
Messages
7 (0.00/day)
Couple ideas.

1) My father ordered a service turning old slides into digital photos; it was based in India and sent back via USB. The problems started being very apparent a year later, near to the day.

2) Looking back it's possible it may have been around longer, but at one point when Windows 10 was still really new (within a few months of release) I needed to activate it but had lost my key. So I did the in-OS help chat and they went in through the CMD line and did some stuff I wasn't familiar with, but seemed rather fishy, to officially activate it, but it worked and I thought nothing of it.

3) I used to have a Windows 10 Enterprise key through the VLC and had set up my parents with a copy and had my account as admin, them standard. And totally forgot about it. So they were on an Enterprise copy for years without getting the proper updates via VLC distribution, since they changed how they delivered them and I no longer had access to the VLC. My father used it mostly and he's very, very tech illiterate.

4) Cryptocurrency mining.

5) All the above

I built an entirely new PC. Power supply, monitor, keyboard and mouse were the only things reused.

Like there was an old laptop that hadn't been turned on in years. Upon turning it on it obviously updated, and upon inspection and logging into my mother's account (mine had never touched this laptop) I'm going through and in HER OneDrive or Dropbox, don't remember where, some of MY FILES. LIKE WTF....
 
Joined
Mar 10, 2010
Messages
11,878 (2.30/day)
Location
Manchester uk
Kinda concerns me; some of my family and friends are less technically minded, they "make do" up to the point they can't due to 8 million web pages loading etc.
Then phone a friend. Shit knows I don't want to see this next Tuesday; sounds mental, and at personal attack stage IMHO I'd contact the police too.
 

Partywithtom

New Member
Joined
Aug 16, 2018
Messages
7 (0.00/day)
Funny thing, there was a warrant out for my arrest I wasn't aware of. Anyways, when the police came and got me I asked if they were monitoring me lol
 

RootnBoot/dev/null

New Member
Joined
Oct 25, 2018
Messages
2 (0.00/day)
Damn... Looks like you got hit with what I have nicknamed "nightmareware". It also looks like you were hit about a month before it made its way onto my home network... Once I noticed it and started trying to get rid of it... It went full on mother f***er and started chopping down my high end gear like pine trees at Christmas..

Yes it is a beastly, hardcore and sophisticated platform. I can share a little of what I learned over the past 5 or 6 months, several computers, SSDs, new retail Windows install USBs, multiple ASUS GPUs, multiple routers and multiple house-wide phone replacements...

First off this is not some BS malware made by bored kids or greedy opportunists, it's ACTUALLY the REAL version of what ESET is reporting has just been discovered in the wild for the first time... In October. Lol.

We both got that beat by about 6 months and what they describe sounds like a tree hugging hippy younger sibling of the Real MF'r we have been dealing with.

Ultimately it's a kernel mode rootkit/bootkit that has been written into SPI memory and from there it can, and will, pwn any and every OS and piece of hardware you send its way. Flashing the motherboard's BIOS and the ROM on the GPU with nvflash... Will accomplish just next to not a damn thing... It is going to take reflashing the SPI/UEFI module to start putting the pieces back together.

A programmer can be had from eBay for 30-50 bucks... But, also keep in mind:

If you have wireless in your house.. Pull the plug right now.. it uses stealth Bluetooth connects for inet access..

It's also more of a hacker's framework like Metasploit than a lonesome rootkit RAT.

Its capabilities will frighten you... Its primary objective is to turn your OS into a virtual machine that will then be hosted on your hardware, with persons unknown in the driver's seat and in control of the hypervisor.

At one point, at least, my rig was being configured autonomously with a poisoned and misappropriated version of Puppet Enterprise IT automation software.. As well as other errata based IT solutions.

This platform is in active development, is well funded and substantially staffed by skilled mechanics. I have documented numerous comments in config files and logs referring to the platform as an "experiment" and indicating it's currently in "field trials".

If you have cell phones.. Chances are they are hit.. and your router too, most likely.

I don't know who is developing this platform... But I doubt very seriously that it's bored youngsters or whatever.

This is more like the Terminator..

I have my hunches, but really, after being roflstomped for nearly 6 months in the name of research and dev.. I shudder to think what REALLY pissing them off would yield.

So best advice I have is keep a level head, buy a chip programmer.. Or send your hardware back to the manufacturer for repairs.. Replace HDs and buy a cheap GPU to use; try reflashing the 1070 on a clean rig with a clean ROM... Avoid Bluetooth and wireless like the plague... And with a little luck you'll /dev/null/ this hateful Rubik's cube of an attack vector.

Good luck.
 
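A check a defender would want alongside the chip-programmer advice in the post above (an added example, not code from this thread or any poster): once the SPI flash has been dumped with an external programmer, compare the dump against the vendor's image sector by sector and list only the sectors that differ, skipping regions that legitimately change between boots such as the UEFI variable store. The volatile region offsets and both images below are constructed for this example; the real layout comes from the board's flash descriptor.

```python
import hashlib
from typing import Iterable, List, Tuple

SECTOR = 4096  # erase-sector granularity of typical SPI NOR flash

# Regions that legitimately differ between a live dump and the vendor image
# (UEFI variable store, vendor event logs). These offsets are CONSTRUCTED for
# the example; take the real ones from the board's flash descriptor/layout.
SAMPLE_VOLATILE_REGIONS = [(0x10000, 0x20000)]  # (start, end), half-open


def sector_hashes(image: bytes) -> List[str]:
    """SHA-256 of every 4 KiB sector, so a report can name exactly which sectors changed."""
    return [hashlib.sha256(image[i:i + SECTOR]).hexdigest()
            for i in range(0, len(image), SECTOR)]


def overlaps_volatile(offset: int, regions: Iterable[Tuple[int, int]]) -> bool:
    """True if the sector starting at `offset` touches any declared volatile region."""
    end = offset + SECTOR
    return any(offset < r_end and end > r_start for r_start, r_end in regions)


def diff_sectors(dump: bytes, reference: bytes,
                 volatile: Iterable[Tuple[int, int]] = ()) -> List[int]:
    """Return offsets of sectors where the dump differs from the reference image,
    ignoring sectors inside a declared volatile region.

    A size mismatch is itself a finding (wrong image, truncated read, or a
    different chip), so it raises instead of being silently truncated by zip().
    """
    if len(dump) != len(reference):
        raise ValueError(f"size mismatch: dump={len(dump)} reference={len(reference)}")
    volatile = list(volatile)
    changed = []
    for idx, (a, b) in enumerate(zip(sector_hashes(dump), sector_hashes(reference))):
        off = idx * SECTOR
        if a != b and not overlaps_volatile(off, volatile):
            changed.append(off)
    return changed


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed 256 KiB images: a 'vendor' reference and a dump with two edits,
    one inside the volatile region (expected noise) and one in a code sector (a finding)."""
    reference = bytes((i * 7 + 3) & 0xFF for i in range(256 * 1024))
    dump = bytearray(reference)
    dump[0x10800:0x10810] = b"\x00" * 16        # inside volatile region: ignored
    dump[0x30100:0x30110] = b"\xEB\xFE" * 8      # unexpected change in a code sector
    return bytes(dump), reference


if __name__ == "__main__":
    sample_dump, sample_ref = build_sample()
    for off in diff_sectors(sample_dump, sample_ref, SAMPLE_VOLATILE_REGIONS):
        print(f"sector differs at 0x{off:06X}")
```

Any sector reported outside the volatile regions is worth extracting and inspecting before the chip is reflashed, since it is the only evidence that survives the reflash.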
Joined
Jun 5, 2017
Messages
303 (0.12/day)
Location
SoCal
System Name unnamed currently :*(
Processor Intel Core i7-5960x
Motherboard ASUS ROG RAMPAGE V EDITION 10
Cooling EKWB/Bitspower CPU, motherboard & GPU WB
Memory Corsair Dominator Platinum 4x4gb ddr4 2666
Video Card(s) nVidia GTX 1080 Ti FE 11GB
Storage Samsung 960 Evo 1 TB M.2 SSD & WD Black 5TB HDD
Display(s) Asus SwiftROG PG278Q & Asus PB277Q
Case Corsair 900D
Audio Device(s) Sound Blaster Zx
Power Supply Corsair Axi1200
Mouse Steel Series Sensei RAW
Keyboard Corsair K70
Benchmark Scores 4.8 ghz @ 1.37 - 5930k - old cpu 4.6 GHZ @ 1.3 - 5960X - current cpu
I love all these new accounts posting in this thread.

TL;DR

Op seems to be some covert super secret spy that has been targeted by some govt entity and comes to Techpowerup to solve the problems and rescue the day. Def speaks very highly of TPU and I guess terrible from his own govt IT guys. IDK bored on a Wednesday night and saw the post above and was a new user. :peace::lovetpu:
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.41/day)
Location
Ohio
I've got a few questions...

Why would we need a hardware flasher to get rid of this thing? Surely the SPI memory/whatever infected chips were infected by software in the first place, so there must also be some kind of software solution?

Why is WiFi/Bluetooth dangerous? For that to be an attack vector, wouldn't the attack have to come from somewhere physically close by?

How does the initial attack happen in the first place? It seems like there must be some glaring security hole somewhere to allow memory modules like this to be overwritten without the user's consent, or even knowledge.
 

OneMoar

There is Always Moar
Joined
Apr 9, 2010
Messages
8,746 (1.70/day)
Location
Rochester area
System Name RPC MK2.5
Processor Ryzen 5800x
Motherboard Gigabyte Aorus Pro V2
Cooling Enermax ETX-T50RGB
Memory CL16 BL2K16G36C16U4RL 3600 1:1 micron e-die
Video Card(s) GIGABYTE RTX 3070 Ti GAMING OC
Storage ADATA SX8200PRO NVME 512GB, Intel 545s 500GBSSD, ADATA SU800 SSD, 3TB Spinner
Display(s) LG Ultra Gear 32 1440p 165hz Dell 1440p 75hz
Case Phanteks P300 /w 300A front panel conversion
Audio Device(s) onboard
Power Supply SeaSonic Focus+ Platinum 750W
Mouse Kone burst Pro
Keyboard EVGA Z15
Software Windows 11 +startisallback
this has been the single greatest comment in this thread
I tip my hat to you sir who ever you are
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
What he says is possible. I would not be so quick to dismiss it.

The malware I dealt with could've been an embryo form of something bigger in development. I do know after my mobo reflash, my client was good for maybe no more than one month before being hit with an attack well above my ability to defend against. It was very sophisticated, net based, and absolutely scary/terrifying. We replaced routers, bluetooth devices, everything. At one point we suspected his fricking smart beds (no I am not kidding, they were those fancy smart kind with net access for some kind of media function so...)
I finally gave in and could not take his money in good faith. I encouraged him to contact both the FBI (since as I mentioned earlier it seemed targeted) and someone more skilled in network defense. I was at my wits end.

No, I'd not rule anything out. Unfortunately my client has gone silent at the moment (disturbing in and of itself) so I do not have permission to share more.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.41/day)
Location
Ohio
Here be dragons.

Would you be willing to expand on that, if your client allows? As if the first strike wasn't unsettling enough, and then it got worse? Right now most of us know little else than "bad things can happen to flash memory (or worse?)". To be clear, I'm not asking for details on the circumstances surrounding the attacks, just the technical details.
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
I would love to expand. All I can say without his permission is that the second attack was a sophisticated network based attack, using his modem as the bridge. And no matter what modem we replaced it with, it would happen again. It would then proceed to infect home devices. (We know this from a firewall netlog showing them contacting malware ips).

He basically shoveled money at this problem with no end in sight. I don't think he'd disagree with that statement. It's part of why I couldn't work for him anymore: I couldn't take his money and guarantee success; he needed someone better skilled at network issues and able to "do the job right." I'm a firmware guy, it left that turf.

It was almost as if his home was cursed. I could remove devices from the premises, cure them via a hardware flash, and they'd remain fine. Put them back in his home and they'd not last 2 nights. Of course it wasn't cursed, it was just a repeatedly infected modem/router. I almost wonder if the cable end was compromised at the ISP's side... that's basically why I told him "call the FBI."

I haven't heard from him in over a month, which sucks because I want to send things of his to Symantec/other AV groups/the FBI but don't know if I have his permission. Some of the evidence consists of complete, untampered with drives, so I don't feel comfortable sending them without client permission since they contain a lot of his personal stuff surely.

Advice there appreciated, actually.

Plus, it's odd having a box of SSDs and thumb drives on the mantle labeled "INFECTED - DO NOT USE." It's not a good conversation piece when you can't say much: I'd be glad to be rid of it.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
21,731 (3.41/day)
Location
Ohio
Can't say I'd be the best one to give you advice on that... other than try contacting him again about it. All I can say is it seems pretty clear that he's being targeted, repeatedly. That's a problem, and I wouldn't know where to begin defending against that kind of attack. It's also a problem if these types of attacks are happening to others (a few others have chimed in saying something similar happened to them).

At this point, though, it's still his stuff and it probably shouldn't be sent anywhere without his consent...
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
Yep, and that's where I am. Not a lawyer and did not charge enough to afford one, but certainly seems the safe bet.

Already contacted him. The silence bothers me, frankly. But my hands are tied as of now.

I can say I had a HDD crash recently and lost a lot of my reports on the malware. The delay in remaking them may have shaken his confidence in me, but our last email was friendly and you'd think he'd claim his hardware... dunno.

I will say technically speaking, this is all way over my head now. I can BIOS flash. I can tell you your board is infected. I can even tell what modules are infected. But I can't fix it. Not at this level. Not when every device becomes a vector repeatedly and the origin can't be cleaned without going ISP side. I'd need either ISP cooperation or the fricking source code to whatever this thing is and I'd probably be lost then.

I can even UNDERSTAND why they targeted him (though I can't tell you guys, I will say it's nothing bad on his part). But then we have other infections and I don't know if this isn't part of something bigger.

Wish I could help more but them damn ethics lol.
 
Joined
Oct 8, 2014
Messages
120 (0.03/day)
Thought I might add 2c to the thread. Having recently had our home network hacked heavily, I had a terrible time trying to isolate and reload without reinfection.

I learnt a lot, but in the end I had to just segregate off all my own devices into a subnet of our home network. It was literally too hard to get _everyone_ to reload every operating system, at the same time. Eventually I just gave up on the rest, and carved off a subnet, as I knew I was/am the main target. Since then, I had to reload my own network of devices about 3 times, each time tightening down everything on both the router, and my devices. Now I'm infection free device wise, but the others in the house aren't. And I have no way of telling them they are because, 'there is nothing wrong with my computer/phone' is how it is. This is even with a file named hax.log (for example) sitting in the root directory of a c drive on one person's pc... urgh.

Anyway, my 2c. Never underestimate the use of wifi as an attack vector via mobile devices, either on a rogue network nearby that the device connects to silently, or on the user's own already compromised network.

Once a mobile device is infected, you cannot clean it unless you wrap it several times in aluminum foil, or use a high quality faraday bag, and then reload the rom via a secure offsite hardline networked computer.

If you try to reload without isolating it from both wifi and phone networks, via the alfoil/faraday bag method, it will reload the infected rom from a hidden partition on the device.

Turning off wifi, and reloading it via the 'phone companies' network does not work. It may 'say' wifi is off, but it isn't. Wifi is still on, even if it says it's off.

And even though the rom reload will appear to be working, it's really just reloading the hacked rom upon boot again.

Clean installing a rom is still difficult if you don't have the proper low level tools. Mobile devices are terribly hard to clean install and know it worked, too. It's not always obvious you got it right 'til you figure out the method of the hack.

Then finally, to really stop an attack, you need to buy a quality router that specifically makes it basically impossible to brute force attack. I use one of the Draytek 2860 range. It's expensive as f, but can really lock down any attack vectors. It would take a hacker about 30 years to brute force the password.

I also do not use wifi now, even with the draytek (although I probably could, given how much defense the draytek has built in).

But wifi just has too many attack vectors these days, and it isn't worth the risk for me atm. I go via hardline, or for a phone, the phone network's wireless network.

Also public wifi is not secure at all. Never ever ever ever use it. As soon as you connect, your device can be compromised within a minute or 2 by an experienced hacker on the same network. And once compromised, always compromised... as almost nobody alfoils/faraday bags on a mobile device reload...

And a mobile device is the main attack vector these days for hackers, because soooo many people use them on public wifi, get compromised within 5 minutes, go home, connect to home wifi network, now also compromised, and every device on the network compromised.

Anyway, food for thought :)

Cheers,
Ian
Let me guess, Android? Oh, and let me guess that your phones didn't receive any recent security patches as well. I'm not at all surprised; it's one of the reasons why I'll never touch an Android.

There was talk about WiFi chipsets being able to be exploited without anyone knowing; Broadpwn was one such exploit found back in 2017. A user's device can be exploited and they would be none the wiser.

https://arstechnica.com/information...illion-phones-to-a-wi-fi-hopping-worm-attack/

I'm sure that a lot of devices haven't been patched yet. Apple iOS devices have been patched for months.
Again...why? What's the point? Nobody ever seems to know why. It's just too many unanswered questions for me. Why not try to make some sense of it all? It's like you people thrive on insanity. :kookoo:

Man...if I could just do that...I'd have no problems at all! :roll:
hat
Older iPhones are also regularly left out of the loop. I'm not sure what all gets updated unless they move on to a new iOS version. I don't hear about individual Android components being updated without a move to an entirely new Android version (e.g. 7.0 > 7.1). There are probably a lot more Android devices out there than iOS, but with that comes the risk of lots of cheap phones that rarely receive updates, if at all, and even flagship phones that eventually fall out of the update cycle. TextNow, as a quick example, sells plenty of cheap phones, and even some not so cheap phones (they have a Galaxy S7, I believe, which ships with Android 7.0) which are running, well, less than the latest version of Android.

So, while the Android ecosystem is indeed messier, older Apple devices are left out as well.

Again...why? What's the point? Nobody ever seems to know why. It's just too many unanswered questions for me. Why not try to make some sense of it all? It's like you people thrive on insanity. :kookoo:

Man...if I could just do that...I'd have no problems at all! :roll:

Why what? I mean, if these attacks are happening, and indeed are happening more frequently, it's definitely something to be concerned about.