
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Joined Aug 20, 2007
Messages 20,759 (3.41/day)
It's just too many unanswered questions for me

Meh. I'll drop this hint since I doubt it matters, and it's generic enough.

The motive (at least in my clients case) is most likely financial. I really can't say more though. I'm sorry.

The whole thing is insane and I wish I'd never found this case, frankly. It's bad shit. The malware scene is getting a lot of resources it should not have. I'm curious from whom.
 
Joined Mar 6, 2017
Messages 3,208 (1.23/day)
Location North East Ohio, USA
So, while the Android ecosystem is indeed messier, older Apple devices are left out as well.
Most iOS devices get a good five years of updates which is absolutely amazing considering that most carrier branded Android devices in the US barely get any. About the only Android devices that get guaranteed updates are the Google branded devices and even those only get updates for two to three years.
 
Joined Aug 20, 2007
Messages 20,759 (3.41/day)
How does the initial attack happen in the first place?

Missed this. If I had to fathom a guess, I'd say they compromise ISP hardware on the ISP side, as the modem is repeatedly the origin foothold. But that's just a stab in the dark. I'm guessing small scale where a target lives, like a local ISP substation or something.

Frickin' CSI level shit (except no enhance).

My present advice to people believing they are affected:

Talk to your neighbors. Ask if they have been experiencing similar issues. It may lead us to a trend. For all I know, you all live in the same block.

If you have multiple affected parties, contact your ISP as a group. They will certainly look into a multiple person claim, and they may contact police as well if need be.
 

hat
Enthusiast
Joined Nov 20, 2006
Messages 21,731 (3.42/day)
Location Ohio
Missed this. If I had to fathom a guess, I'd say they compromise ISP hardware on the ISP side, as the modem is repeatedly the origin foothold. But that's just a stab in the dark. I'm guessing small scale where a target lives, like a local ISP substation or something.

Frickin' CSI level shit (except no enhance).

My present advice to people believing they are affected:

Talk to your neighbors. Ask if they have been experiencing similar issues. It may lead us to a trend. For all I know, you all live in the same block.

If you have multiple affected parties, contact your ISP as a group. They will certainly look into a multiple person claim, and they may contact police as well if need be.

That's scary for a whole mess of reasons, if that is indeed the case. I'm assuming you didn't overlook something simple, such as his IP still being the same every time, or a service like DynDNS in play? Would it be possible to attack a device via the MAC address?
 
Joined Mar 6, 2017
Messages 3,208 (1.23/day)
Location North East Ohio, USA
Usually the MAC address isn't exposed past the first router in the chain.
 

hat
Enthusiast
Joined Nov 20, 2006
Messages 21,731 (3.42/day)
Location Ohio
Maybe cyber ninjas can see better? Or maybe they're hitting the MAC of the router, and then the attack goes down the line?

Totally talking out of my ass here, I know next to nothing of this stuff... just presenting scenarios I think might be possible to my betters to see their answers so I can expand my own knowledge. :toast:
 
Joined Feb 21, 2014
Messages 1,383 (0.37/day)
Location Alabama, USA
Man, as someone that only does hardware and software as a hobby, no matter how much better I may be than your average non-techie, this stuff is light years from what I understand. I get the basic how of it, but the steps to get that framework in place, and then to actually act on it, still sound like science fiction to me.

Whack
 

Frick
Fishfaced Nincompoop
Joined Feb 27, 2006
Messages 18,924 (2.86/day)
Location Piteå
Next level stuff this. How soon will it be fully automated and sold to script kiddies?

Anyway, one point.

I haven't heard from him in over a month, which sucks because I want to send things of his to Symantec/other AV groups/the FBI but don't know if I have his permission. Some of the evidence consists of complete, untampered with drives, so I don't feel comfortable sending them without client permission since they contain a lot of his personal stuff surely.

Advice there appreciated, actually.

Do you know at all what's on these drives? I'd be uncomfortable as well keeping others people data in my home ... considering what some people store on their drives. That is what I'd be worried about. If anyone finds anything truly bad, will you be an accomplice?
 
Joined Sep 10, 2016
Messages 807 (0.29/day)
Location Riverwood, Skyrim
@R-T-B I'm going to say this has to be one of the most interesting threads I've been in on a tech website, and it says a lot about how much skill some people out there have if they are able to achieve these kinds of attacks and keep managing to reinfect a device after it has been cleaned. In his case I think I would be saying that's enough internet for me and just pull the plug and not consider plugging it in again (with 100% new hardware) for a long time, and probably consider moving at the same time.
 
Joined Sep 28, 2005
Messages 3,160 (0.47/day)
Location Canada
Loved this thread. It scared me; now when I go home, I will have to do a thorough check on my computer and the network.

Anyway, please keep us updated if you get anything new come up.
 

qubit
Overclocked quantum bit
Joined Dec 6, 2007
Messages 17,865 (2.99/day)
Location Quantum Well UK
Yep, and that's where I am. Not a lawyer and did not charge enough to afford one, but certainly seems the safe bet.

Already contacted him. The silence bothers me, frankly. But my hands are tied as of now.

I can say I had a HDD crash recently and lost a lot of my reports on the malware. The delay in remaking them may have shaken his confidence in me, but our last email was friendly and you'd think he'd claim his hardware... dunno.

I will say technically speaking, this is all way over my head now. I can bios flash. I can tell you your board is infected. I can even tell what modules are infected. But I can't fix it. Not at this level. Not when every device becomes a vector repeatedly and the origin can't be cleaned without going ISP side. I'd need either ISP cooperation or the fricking source code to whatever this thing is and I'd probably be lost then.

I can even UNDERSTAND why they targeted him (though I can't tell you guys, I will say it's nothing bad on his part). But then we have other infections and I don't know if this isn't part of something bigger.

Wish I could help more but them damn ethics lol.
I think you're right to be concerned about having that stuff in your possession, especially if there's potentially illegal stuff on there. It's suspicious and really quite ungrateful if he's now leaving you high and dry by not responding to you.

I see that he hasn't logged onto TPU since May 30, so maybe send him a message to collect his stuff within the next couple of weeks or so, or you'll dispose of the items in a secure manner (to avoid his data getting into anyone else's hands). One way or another, you don't wanna hang on to it.
 
Joined Oct 25, 2018
Messages 278 (0.14/day)
First time post; just joined today. This has got to be the most interesting thread I've read!!!! Crazy stuff!!!
I'm no software guy; just a 25+ year hardware nerd. The first two things that came to mind when I read this were:
1. It's fake.
2. These people somehow got infected with a military cyberwarfare-level worm of some sort.

Either targeted specifically or they happened to be the unlucky "test targets" before the malware gets injected into the real intended hosts. Or in other words "went live".

Take time to consider this; if this thing is real it could basically infect every device that was connected to a "specific or local network". So you could essentially take down a huge portion of (let's say) a government network or a large company pretty quick.

If it can intrude a mobile phone as well? That's crazy. So any person's phone that has been infected could "jump" to any WIFI network. In turn now that network is infected and the worm spreads. This is starting to sound like a movie ...lol

But if this thing is real; that's just nuts. It kind of makes me think of all the accusations of China placing backdoor chips in computer hardware and phones. To me; that seems the only way something like this could be real to gain such low level access to firmwares and such.

There is no way in my mind that a "1 size fits all" worm would fit in this category. There are thousands of different firmware chips with a thousand types of code. I don't think that this "super worm" could identify how to intrude and identify each device unless there was something common between all the devices.
If it's real; it would have to "phone home" to a large database for a specific firmware for each independent device.
If that's not the case; then I don't think this thing is real. The size would be too big to distribute effectively.
 
Joined Oct 6, 2018
Messages 220 (0.11/day)
This has to be the most interesting thread I have ever read and I'm only on page 6 :D

Mainly because I read about UEFI malware or the theory of it a while back. It's also sad to see how the OP was jumped on at the very start without even being given time to post up people's demands; too much of that happens too quickly.

I have played around with Kali Linux off and on and only know the extreme basics or less lol. Decided not to mess around with it after a while because I prob's could get myself in trouble with the things I was learning, albeit basic stuff but could lead to more. Hey, everyone starts somewhere when they're learning something new..

It looked to me that lots is possible when it comes to hacking, if you understand coding (which I don't BTW). Kali Linux has quite a few prebuilt tools for testing but I'm guessing they can be altered to whatever you need if you know how to code.
 
Joined Mar 6, 2017
Messages 3,208 (1.23/day)
Location North East Ohio, USA
If it can intrude mobile phone as well? That's crazy.
I mentioned Broadpwn a couple of posts back.
So any person's phone that has been infected could "jump" to any WIFI network.
It is possible.

Nitay Artenstein, the security researcher who discovered Broadpwn had this to say...
Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim's phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.

...

He eventually spotted one crucial bug in particular, hidden in Broadcom's "association" process, which allows phones to search for familiar Wi-Fi networks before they connect to one. One part of the beginning of that handshake process didn't properly constrict a piece of data sent to it by the Wi-Fi access point back to the chip, a bug known as a "heap overflow." With a carefully crafted response, the access point could send data that corrupts the module's memory, overflowing into other parts of the memory to run as commands.

"You malform it in a special way that gives you the power to write anywhere in memory," Artenstein explains. That sort of overflow is vastly harder to exploit when a hacker is remotely attacking randomized, protected memory of modern operating systems, but worked perfectly in the memory of Broadcom's Wi-Fi module on smartphones. "It’s a pretty special bug," Artenstein says.
So yes, it is very much possible.

You see, much like how GPU memory is shared and is part of what looks like the memory pool of your typical PC, the Broadcom WiFi chip is similar in nature. One exploit there and you've got full root access to just about anything you want stored in memory of the smart phone device. This is some seriously scary stuff here. If devices aren't patched, and you best believe that many Android devices still aren't patched, God knows how many people are walking around with a device that's completely open to be hacked without them even knowing it happened to them.
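
The heap-overflow pattern quoted above (a length the access point supplies and the chip copies without constraining it), shown from the defender's side as an added example that is not from this post, the Wired article or Broadcom's code: a bounds-checked walk over 802.11 information elements that rejects any element whose length exceeds either the frame bytes that are left or the fixed SSID buffer. The element layout (ID, length, value) and the 32-byte SSID limit are from the 802.11 standard; the sample frames are constructed and the function names are my own.

```c
/* Hardened walk over 802.11 information elements (IEs), the kind an access
 * point hands back during the association handshake.  Each IE is
 * ID (1 byte), length (1 byte), value (length bytes).  The bug class the
 * quoted Broadpwn write-up describes is a length field trusted without
 * checking it against the frame that is left or the destination buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IE_SSID  0    /* element ID of the SSID element (802.11) */
#define SSID_MAX 32   /* 802.11 caps an SSID at 32 bytes */

typedef struct {
    uint8_t ssid[SSID_MAX + 1];  /* NUL-terminated copy of the SSID */
    size_t  ssid_len;
    size_t  ie_count;            /* elements walked without error */
} assoc_info_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Walk the IE list in frame[0..len).  Returns PARSE_OK or a negative error.
 * Every read stays inside `len`; every write stays inside out->ssid. */
int parse_ies_checked(const uint8_t *frame, size_t len, assoc_info_t *out)
{
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    while (pos < len) {
        if (len - pos < 2)            /* header (ID + length) must be present */
            return PARSE_TRUNCATED;
        uint8_t id     = frame[pos];
        uint8_t ie_len = frame[pos + 1];
        pos += 2;
        if (ie_len > len - pos)       /* value must fit the remaining frame */
            return PARSE_TRUNCATED;
        if (id == IE_SSID) {
            /* ...and the fixed-size destination.  Skipping this one test
             * is what turns a peer-supplied length into a heap overflow. */
            if (ie_len > SSID_MAX)
                return PARSE_TOO_LONG;
            memcpy(out->ssid, frame + pos, ie_len);
            out->ssid[ie_len] = '\0';
            out->ssid_len = ie_len;
        }
        pos += ie_len;                /* other IDs are skipped by length */
        out->ie_count++;
    }
    return PARSE_OK;
}

/* Convenience wrappers so results can be checked without touching the struct. */
static assoc_info_t g_last;

int check_frame(const uint8_t *frame, size_t len)
{
    return parse_ies_checked(frame, len, &g_last);
}

const char *last_ssid(void)           /* valid after a PARSE_OK check_frame */
{
    return (const char *)g_last.ssid;
}

size_t last_ie_count(void) { return g_last.ie_count; }

/* Constructed sample frames (not captured traffic). */
const uint8_t good_frame[] = {
    0x00, 0x07, 'H', 'o', 'm', 'e', 'N', 'e', 't',   /* SSID "HomeNet"  */
    0x01, 0x04, 0x82, 0x84, 0x8b, 0x96               /* supported rates */
};
/* SSID element whose length byte (200) exceeds the bytes actually present. */
const uint8_t truncated_frame[] = { 0x00, 0xC8, 'A', 'B', 'C' };

/* SSID element of 40 bytes: fits the frame, does not fit a 32-byte buffer. */
int check_overlong_ssid(void)
{
    uint8_t frame[2 + 40];
    frame[0] = IE_SSID;
    frame[1] = 40;
    memset(frame + 2, 'x', 40);
    return check_frame(frame, sizeof frame);
}

int main(void)
{
    int rc = check_frame(good_frame, sizeof good_frame);
    printf("good frame: rc=%d ssid=%s ies=%zu\n", rc, last_ssid(), last_ie_count());
    printf("truncated frame: rc=%d\n",
           check_frame(truncated_frame, sizeof truncated_frame));
    printf("overlong ssid: rc=%d\n", check_overlong_ssid());
    return 0;
}
```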
 
Joined Aug 20, 2007
Messages 20,759 (3.41/day)
Do you know at all what's on these drives? I'd be uncomfortable as well keeping others people data in my home ... considering what some people store on their drives. That is what I'd be worried about. If anyone finds anything truly bad, will you be an accomplice?

I've thought about this. Fortunately I saw no signs of anything strange / iffy / illegal on the other drives, which I actually went through pretty thoroughly to investigate the malware. I assume innocence based on that, hope that's enough and that I am correct.

He was also very eager to go to the FBI last I talked which works in his favor.

I see that he hasn't logged onto TPU since May 30, so maybe send him a message to collect his stuff within the next couple of weeks or so, or you'll dispose of the items in a secure manner (to avoid his data getting into anyone else's hands). One way or another, you don't wanna hang on to it.

I think this is what I will do... I like this plan the most. I will give him a "30 days notice" in case it's just a vacation or slow email or something. After that data-bearing devices will be disposed of properly.

Appreciate all the advice.
 
Joined Oct 18, 2007
Messages 1,288 (0.21/day)
If you didn't find anything on there that you felt was not illegal, I'd just put them away somewhere and still have them in case you find more issues of a similar kind cropping up. I mean there must be a "someone" in the cyber security system that would be willing to use the item(s) to help further track and decipher from where you have got to. After all you have done most all the leg work in narrowing it down.
Also, want to say a huge kudos for what you have done! :toast: Completely respect just how far you have gone in this issue.
 
Joined Oct 25, 2018
Messages 278 (0.14/day)
What blows my mind is that the first targeted individual seems to be some sort of "ransomware" or such. But then the next report seems to describe the same type of behavior. Makes me wonder how people get the tools to make these worms. The whole process of how it jumps around to different firmwares within the computer seems like a well thought out process. I picture a team of malware creators in front of a big white board discussing how to make the infection spread with 100% success.

I'm no security expert by any means; but I still don't know how this malware jumps the devices' firmwares. The VBIOS, SSDs, and the actual computer BIOS itself are all different types of firmware with different programming, correct? Then the talk about infecting the phones also? I'm going to take a highly uneducated guess and say this would only be possible if root access was gained first through a network intrusion; then the malware phoned home to its master which downloaded, then embedded itself in the different areas in the system. If not; this file size would have to be huge to catalog all the needed code to do what these folks are claiming. Not impossible to affect a large number of (let's say Windows computers and Android phones) but doesn't seem possible to also infect iPhones, Linux computers, and the hundreds of other types of network devices that we use every day....
 
Joined Aug 20, 2007
Messages 20,759 (3.41/day)
I'm no security expert by any means; but I still don't know how this malware jumps the devices' firmwares. The VBIOS, SSDs, and the actual computer BIOS itself are all different types of firmware with different programming, correct?

Yep. And that's what makes it both hard to believe (I wouldn't have believed it had I not seen it myself) and also terrifying.

They probably needed firmware source code to do this IMO. That means... either there is a big leak somewhere in many companies, or this is state level stuff. I don't know and can only theorize.
 
Joined Oct 8, 2018
Messages 54 (0.03/day)
Location UpNorth-UK
Yep. And that's what makes it both hard to believe (I wouldn't have believed it had I not seen it myself) and also terrifying.

They probably needed firmware source code to do this IMO. That means... either there is a big leak somewhere in many companies, or this is state level stuff. I don't know and can only theorize.

If your customer doesn't respond, have you considered giving the card to the authorities?
 
Joined Aug 20, 2007
Messages 20,759 (3.41/day)
If your customer doesn't respond, have you considered giving the card to the authorities?

It wasn't the GPU that was infected in the end. It was his mobo and various other components. But not his GPU, ironically. It always was clean.

I no longer possess the hardware and my software samples were lost in my HDD crash. The only evidence I have remaining is sadly, one complete virgin SSD and several virgin USB sticks, which I assume to be infected (they were taken from a very "sick" system). I could hand those over sure but there are all sorts of ethical reasons that make it tricky. As such, I probably won't be.

I may examine them prior to destruction though (if we get there) and try to rebuild my malware sample collection. The only issue with that is the samples aren't valuable to a criminal investigation if you tampered with the drive in pretty much any way. But if he's not contacting me anyways, we can't exactly press any charges either way, so... that might not be a bad idea.

Then at least antimalware companies would get something new to look at, and I could filter out anything personal.
 
Joined Oct 25, 2018
Messages 278 (0.14/day)
It's kind of weird that the anti-malware companies are not more interested in this. They are all trying to one-up each other all the time. I would think they would jump on the opportunity to be the first to discover this "super worm" so to speak. I should not be calling it a "worm" anymore; it's effectively a worm, Trojan, rootkit, and almost adware because it's not hiding itself .....it's like this thing wants to be found and let the user know it's there but they can't do anything about it...lol.....WTF?????
 
Joined Oct 8, 2018
Messages 54 (0.03/day)
Location UpNorth-UK
It wasn't the GPU that was infected in the end. It was his mobo and various other components. But not his GPU, ironically. It always was clean.

I no longer possess the hardware and my software samples were lost in my HDD crash. The only evidence I have remaining is sadly, one complete virgin SSD and several virgin USB sticks, which I assume to be infected (they were taken from a very "sick" system). I could hand those over sure but there are all sorts of ethical reasons that make it tricky. As such, I probably won't be.

I may examine them prior to destruction though (if we get there) and try to rebuild my malware sample collection. The only issue with that is the samples aren't valuable to a criminal investigation if you tampered with the drive in pretty much any way. But if he's not contacting me anyways, we can't exactly press any charges either way, so... that might not be a bad idea.

Then at least antimalware companies would get something new to look at, and I could filter out anything personal.

I assume you destroyed the motherboard and the other bits?

This is frightening stuff alright. I never thought someone could end up having a machine filled with such an infectious disease. And in all my years I've never seen anyone visit a forum and ask for help on this level. Kudos to you for taking it on.

Sorry to hear your HDD crashed, typical I guess.
I was reading earlier that he said he had reported this to the FBI, did you ever check that out?

If the malware has never been seen before and foreign, I would guess this would fall into the National Security category?

Since he hasn't contacted you I can only assume he's shitting himself....somewhere.
Apologies for all the questions. I'm really fascinated by this and what you're dealing with.

Perhaps he's been messing with things he shouldn't have been messing with.
 
Joined Aug 20, 2007
Messages 20,759 (3.41/day)
Perhaps he's been messing with things he shouldn't have been messing with.

I saw no evidence of that, but after what I have seen anything is possible.

His mobo was reflashed and returned to him. Worked well for about 1 month until the second, more vicious attack. I have no idea of its status now.
 
Joined Oct 8, 2018
Messages 54 (0.03/day)
Location UpNorth-UK
I saw no evidence of that, but after what I have seen anything is possible.

His mobo was reflashed and returned to him. Worked well for about 1 month until the second, more vicious attack. I have no idea of its status now.

Sounds like the OP has been targeted as others have suggested. And perhaps pissed someone or some entity off.
Personally, if I had that kind of news I would have put the hardware through an industrial mincing machine.....Then quickly put the house up for sale.
 
Joined Aug 20, 2007
Messages 20,759 (3.41/day)
Sounds like the OP has been targeted as others have suggested. And perhaps pissed someone or some entity off.
Personally, if I had that kind of news I would have put the hardware through an industrial mincing machine.....Then quickly put the house up for sale.

I don't seem to be on anyone dangerous's radar right now at least. But it certainly hasn't been my favorite case either.
 