
BIOS rootkit?

Status
Not open for further replies.

jpeg666 (New Member, joined Apr 30, 2024)
I recently dealt with a network breach and a full hack of my phone and my PC. I lost access to all my e-mail accounts and my password manager. I have since recovered my e-mail accounts and nuked my password manager account. I suspected a BIOS rootkit, but I couldn't find definitive evidence at the time. I have since bought a CH341A programmer and reflashed the board I bricked while trying to flash the entire chip with AMI tools. I unfortunately lost the dump of my first mobo, so I can't compare it. I do, however, have the mobo I was using prior to switching and getting hacked. I have dumped the BIOS and did a diff check against a freshly downloaded BIOS file.

Can anyone with knowledge of bios structure take a look and see if anything looks fishy.


If you don't want to view it on the site, I can download some software to make a text file; I just don't have any at the moment. Thanks.
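For anyone attempting the same comparison: a whole-file diff of a dump from a used board against a fresh vendor download is always noisy, because the NVRAM volume carries the Secure Boot db/dbx, boot entries and setup values, which legitimately differ. The script below is an added example (not from this thread, and not a vendor or AMI tool) that locates every UEFI firmware volume by its `_FVH` header, pairs volumes between the two files by content hash, and flags only unmatched code volumes for a closer look. It assumes both inputs already contain just the BIOS region (cut the descriptor, ME and GbE regions out of a full SPI dump, and strip any capsule header from the download, e.g. with UEFITool); the three images at the bottom are constructed test data, not real firmware.

```python
"""Compare an SPI dump with a vendor BIOS image one firmware volume at a time.

Constructed sample data only; the structures follow the EDK2 EFI_FIRMWARE_VOLUME_HEADER layout.
"""
import hashlib
import struct
import uuid
from collections import defaultdict
from dataclasses import dataclass

FV_SIGNATURE = b"_FVH"   # EFI_FIRMWARE_VOLUME_HEADER.Signature, 40 bytes into the header
SIG_OFFSET = 40
MIN_HEADER = 56          # fixed header fields; a real header also carries the block map

# FileSystemGuid values that tell code volumes and the variable store apart.
CODE_FS = {
    uuid.UUID("8c8ce578-8a3d-4f1c-9935-896185c32dd3"): "FFSv2 code volume",
    uuid.UUID("5473c07a-3dcb-4dca-bd6f-1e9689e7349a"): "FFSv3 code volume",
}
NVRAM_FS = {uuid.UUID("fff12b8d-7696-4c8b-a985-2747075b4f50"): "NVRAM variable store"}


@dataclass(frozen=True)
class Volume:
    offset: int
    length: int
    fs_guid: uuid.UUID
    sha256: str

    @property
    def kind(self) -> str:
        return CODE_FS.get(self.fs_guid) or NVRAM_FS.get(self.fs_guid) or "unknown filesystem"


def find_volumes(image: bytes) -> list:
    """Return every firmware volume whose header passes the length and checksum sanity checks."""
    vols, pos = [], 0
    while (idx := image.find(FV_SIGNATURE, pos)) >= 0:
        pos = idx + len(FV_SIGNATURE)
        start = idx - SIG_OFFSET
        if start < 0 or start + MIN_HEADER > len(image):
            continue
        fv_len = struct.unpack_from("<Q", image, start + 32)[0]
        hdr_len = struct.unpack_from("<H", image, start + 48)[0]
        if hdr_len < MIN_HEADER or hdr_len % 2 or fv_len < hdr_len or start + fv_len > len(image):
            continue  # implausible sizes: the signature bytes were a false hit
        if sum(struct.unpack_from("<%dH" % (hdr_len // 2), image, start)) & 0xFFFF:
            continue  # the header's 16-bit words must sum to zero
        fs_guid = uuid.UUID(bytes_le=image[start + 16:start + 32])
        digest = hashlib.sha256(image[start:start + fv_len]).hexdigest()
        vols.append(Volume(start, fv_len, fs_guid, digest))
        pos = start + fv_len  # nested volumes are covered by their parent's hash
    return vols


def diff_images(dump: bytes, vendor: bytes) -> dict:
    """Pair volumes by content hash; whatever is left unpaired is what really differs."""
    unmatched = defaultdict(list)
    for v in find_volumes(vendor):
        unmatched[v.sha256].append(v)
    result = {"identical": [], "dump_only": [], "vendor_only": []}
    for v in find_volumes(dump):
        if unmatched[v.sha256]:
            unmatched[v.sha256].pop()
            result["identical"].append(v)
        else:
            result["dump_only"].append(v)
    result["vendor_only"] = [v for left in unmatched.values() for v in left]
    return result


def needs_review(diff: dict) -> list:
    """A changed variable store is expected on a used board; a changed code volume is not."""
    return [v for v in diff["dump_only"] if v.fs_guid not in NVRAM_FS]


def build_volume(fs_guid: uuid.UUID, payload: bytes, block_size: int = 0x1000) -> bytes:
    """Constructed test data: one minimal, checksum-valid firmware volume (not vendor firmware)."""
    hdr_len = MIN_HEADER + 16   # fixed fields + one block-map entry + terminator
    fv_len = -(-(hdr_len + len(payload)) // block_size) * block_size
    hdr = bytearray(b"\x00" * 16 + fs_guid.bytes_le)
    hdr += struct.pack("<Q4sIHHHBB", fv_len, FV_SIGNATURE, 0x0004FEFF, hdr_len, 0, 0, 0, 2)
    hdr += struct.pack("<IIII", fv_len // block_size, block_size, 0, 0)
    checksum = (-sum(struct.unpack("<%dH" % (hdr_len // 2), hdr))) & 0xFFFF
    struct.pack_into("<H", hdr, 50, checksum)
    body = bytes(hdr) + payload
    return body + b"\xff" * (fv_len - len(body))


FFS2, NVRAM = next(iter(CODE_FS)), next(iter(NVRAM_FS))
VENDOR_IMAGE = build_volume(FFS2, b"DXE drivers (constructed)") + build_volume(NVRAM, b"factory defaults")
CLEAN_DUMP = build_volume(FFS2, b"DXE drivers (constructed)") + build_volume(NVRAM, b"db/dbx, boot order, setup")
TAMPERED_DUMP = build_volume(FFS2, b"DXE drivers (constructed) + extra module") + build_volume(NVRAM, b"setup")

if __name__ == "__main__":
    for name, dump in (("clean board", CLEAN_DUMP), ("modified code volume", TAMPERED_DUMP)):
        d = diff_images(dump, VENDOR_IMAGE)
        print(name, "| identical:", len(d["identical"]), "| dump-only:", [v.kind for v in d["dump_only"]],
              "| needs review at:", [hex(v.offset) for v in needs_review(d)])
```

For real files, replace the constructed constants with the bytes read from the dump and the download. A matched hash only says that volume is byte-identical to the download; an unmatched code volume is a lead, not proof, and the next step is opening it in UEFITool to see which file inside it changed. Keep in mind that a board whose BIOS was updated by Q-Flash or a vendor tool after the download was taken will show code differences for that reason alone.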
 
Sorry you got hacked. This is like a Mission Impossible movie script. I have never come across BIOS rootkits.
 
Nothing in that indicates compromise.

Some Microsoft entries, normal UEFI databases and otherwise configuration.

I have to ask why it even matters if it's been replaced.

At literally anyone else. Is there some tech tuber or something that read some documentary? These threads and the lack of any actual infection seem to be getting more prominent and the only thing I can assume is some jack ass is drumming up hype somewhere on Reddit or YouTube.

For anyone else interested: the amount of technology and skill that needs to go into this to be undetected, successful in infecting, and usable enough to extract data costs money. Lots of it. And also risks the method being shut down when it’s discovered.

Unless you:

Control a nation
Control large amounts of money
Control state secrets
Control industry secrets
Control a large industrial complex

No one cares and no one will waste these infection vectors on you.
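For anyone who wants to see what those "Microsoft entries" in a BIOS diff actually are: the Secure Boot databases (db, dbx, KEK) are stored as chains of EFI_SIGNATURE_LIST structures, and on a retail board most of their contents are Microsoft-owned certificates and revoked hashes. The parser below is an added example, not from this thread and not a vendor tool. The sample variable at the bottom is constructed (the "certificate" is a placeholder, not real DER), and the efivarfs handling assumes the Linux /sys/firmware/efi/efivars layout, where each file starts with a 4-byte attributes word.

```python
"""Enumerate the entries of a Secure Boot variable (db, dbx, KEK) stored as EFI_SIGNATURE_LISTs.

Constructed sample data only; structure per the UEFI specification's EFI_SIGNATURE_LIST.
"""
import struct
import uuid

EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
MICROSOFT_OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
TYPE_NAMES = {EFI_CERT_SHA256: "sha256", EFI_CERT_X509: "x509"}
LIST_HEADER = 28   # SignatureType(16) + SignatureListSize(4) + SignatureHeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob: bytes) -> list:
    """Walk consecutive EFI_SIGNATURE_LIST records and return one dict per EFI_SIGNATURE_DATA."""
    entries, pos = [], 0
    while pos < len(blob):
        if pos + LIST_HEADER > len(blob):
            raise ValueError("truncated list header at offset 0x%x" % pos)
        sig_type = uuid.UUID(bytes_le=blob[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, pos + 16)
        data_len = list_size - LIST_HEADER - hdr_size
        # Every signature in a list has the same size and starts with a 16-byte SignatureOwner GUID.
        if data_len < 0 or pos + list_size > len(blob) or sig_size <= 16 or data_len % sig_size:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset 0x%x" % pos)
        data_start = pos + LIST_HEADER + hdr_size
        for off in range(data_start, data_start + data_len, sig_size):
            owner = uuid.UUID(bytes_le=blob[off:off + 16])
            entries.append({
                "type": TYPE_NAMES.get(sig_type, str(sig_type)),
                "owner": owner,
                "microsoft": owner == MICROSOFT_OWNER,
                "data": blob[off + 16:off + sig_size],
            })
        pos += list_size
    return entries


def parse_efivars_file(raw: bytes) -> list:
    """Linux efivarfs files carry a 4-byte attributes word before the variable body."""
    return parse_signature_lists(raw[4:])


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, items: list) -> bytes:
    """Constructed test data: one EFI_SIGNATURE_LIST with no signature header."""
    if any(len(i) != len(items[0]) for i in items):
        raise ValueError("all signatures in one list must have the same size")
    sig_size = 16 + len(items[0])
    body = b"".join(owner.bytes_le + item for item in items)
    header = sig_type.bytes_le + struct.pack("<III", LIST_HEADER + len(body), 0, sig_size)
    return header + body


# Constructed sample: two revoked-hash entries owned by Microsoft plus one placeholder
# "certificate" (not real DER) owned by a made-up OEM GUID.
OEM_OWNER = uuid.UUID("00000000-1111-2222-3333-444444444444")
SAMPLE_DB = (
    build_signature_list(EFI_CERT_SHA256, MICROSOFT_OWNER, [bytes([0xAA]) * 32, bytes([0xBB]) * 32])
    + build_signature_list(EFI_CERT_X509, OEM_OWNER, [b"placeholder DER certificate bytes"])
)
SAMPLE_EFIVARS = struct.pack("<I", 0x27) + SAMPLE_DB   # NV | BS | RT | TIME_BASED_AUTH attributes

if __name__ == "__main__":
    for e in parse_efivars_file(SAMPLE_EFIVARS):
        print(e["type"], e["owner"], "microsoft" if e["microsoft"] else "other", len(e["data"]), "bytes")
```

On a running Linux system the db variable is the file /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f; from an SPI dump you first have to extract the variable body out of the NVRAM volume (UEFITool can do this). An entry whose SignatureOwner is neither Microsoft's GUID nor the board vendor's is worth a second look, but the owner GUID is only a label written by whoever enrolled the entry, so it proves nothing on its own.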
 
Nothing in that indicates compromise.

Some Microsoft entries, normal UEFI databases and otherwise configuration.

I have to ask why it even matters if it's been replaced.

At literally anyone else. Is there some tech tuber or something that read some documentary? These threads and the lack of any actual infection seem to be getting more prominent and the only thing I can assume is some jack ass is drumming up hype somewhere on Reddit or YouTube.
I'm not sure, but me being hacked is very real. I don't know the attack vector, but my phone was added to a workspace and was being remotely accessed. I had to get a new phone; they had access to my new phone too through Samsung's dumb multi-control stuff and added an additional eSIM to it. I have since got all that locked down and taken care of.

I wish I had the original dump of my mobo from when I was hacked, but I lost it.

At one point I booted into safe mode and my password was autofilling until windows bruteforce protection kicked in.

Unless you:

Control a nation
Control large amounts of money
Control state secrets
Control industry secrets
Control a large industrial complex

No one cares and no one will waste these infection vectors on you.
I am aware of this. Which is why I am so confused about the effort put forth.
 
ASRock X370?
I don't see anything out of the ordinary here. Console customization, a bunch of ACPI stacks that look normal and some EDK2 inserts which are completely over my head. I see some PE stacks to something that looks like an Android related file explorer tool. Do you have some kind of file explorer in your EFI? Other than for flashing data?
 
samsungs dumb multi-control stuff
Right... dumb multi-control "stuff". I have every reason to believe what you're saying is true. If I am honest, though, cross-device infection methods are even more rare.

I will be brutally honest. Most infections stem from users doing things they shouldn’t.

You will never by accident come across advanced malware trying to pirate some video game or going to dodgy websites.


I don't know the attack vector
So you just jumped straight to assuming it was a bios infection.

Well this post satisfies all of my curiosity.

Do you have some kind of file explorer in your EFI?
Flash tool to explore drives for the new bios file; as well as the subroutine for flashing it.
 
At literally anyone else. Is there some tech tuber or something that read some documentary? These threads and the lack of any actual infection seem to be getting more prominent and the only thing I can assume is some jack ass is drumming up hype somewhere on Reddit or YouTube.
Nah, I think we just have a garden variety user who clicked something risky and their PC got pwned as a result. But instead of accepting their mistake and learning from it, for whatever reason they decided that there has to be an alternative explanation.

Could also be the long con, a threat actor trying to convince people to help them by ultimately downloading and running something that will compromise the helper's machine.

Or it could just be a troll spreading FUD because that's what some trolls do.

Any way you look at it though, there's zero evidence presented to entertain the claim being made, so I move that this thread be locked.
 
It is not an ASRock X370. The board in question is an Aorus X570. I personally have not edited this BIOS. I tried to repackage a BIOS on my other board before I got my programmer so I could read it, and fully bricked it; I couldn't even flashback.

Every week the bluetooth drivers would become corrupt and I would have to SFC to repair them. I was very suspect of that and even more so when my phone became compromised.

Nah, I think we just have a garden variety user who clicked something risky and their PC got pwned as a result. But instead of accepting their mistake and learning from it, for whatever reason they decided that there has to be an alternative explanation.

Could also be the long con, a threat actor trying to convince people to help them by ultimately downloading and running something that will compromise the helper's machine.

Or it could just be a troll spreading FUD because that's what some trolls do.

Any way you look at it though, there's zero evidence presented to entertain the claim being made, so I move that this thread be locked.
I could very well have clicked something I shouldn't have. I am just asking for help... this response is insane. I wanted to try and fix it myself because the threat seemed pretty persistent. That is why I went and got a programmer and taught myself enough to at least erase and flash the damn board.
 
If I am honest though cross device infection methods are even more rare.
They are for now and I would hope they stay that way. This really isn't going to age well when Type 3 HV hits the scene. At which point I'm out. Done with this nerd junk forever.

Corruption is real, no doubt about that but there's also infection through ??? means. You ever see those stupid gamer packages that ship from the mobo EFI stack? When I reset cmos on this X570 TUF board I forget that AsusUpdateCheck auto-installs without my consent. The way stuff gets downloaded could either be packaged in the ROM or could open a TCP connection to a hacked service and drop payload directly into RAM and elsewhere. I haven't been BIOS compromised before but I would say polymorphic self-executing trojans are nasty enough. Then there's junk like this to scare tf out of you.

Keep your snifferers safe.
 
Aren’t UEFI files nowadays digitally signed and unless said private keys get leaked (and I don’t remember that happening to Gigabyte for their X570 boards), then infecting and rewriting firmware code is impossible?
 
Flash tool to explore drives for the new bios file; as well as the subroutine for flashing it.
The BIOS that was dumped wasn't flashed with the programmer. It was flashed with Q-Flash on the mobo with a fresh BIOS. I am talking about two different boards here. My Aorus I never flashed with a programmer or software; that is the BIOS in the diff checker. My X570 MEG Unify is the one I flashed using the programmer after I bricked it after getting hacked.

So you just jumped straight to assuming it was a bios infection.
I also didn't jump straight to a BIOS infection. I have been dealing with this since May 10th: burrowing through Event Viewer, sniffing for suspicious network activity, clearing out drives in Linux with zero writes, all before actually losing access to my stuff.
 
I suspected a bios rootkit I couldn't find definitive evidence at the time.
Why do you suspect a BIOS rootkit?

I am not surprised you can find no evidence. (1) BIOS rootkits are extremely sophisticated and therefore, tend to be in the arsenals of those listed by Solaris17, and by those with equally deep pockets conducting cyberwarfare against those enemies. In other words, they are designed to leave no evidence. It also means (2) while they do exist, it is very rare, in fact difficult to become infected by one. And, even more rare for the same person to have their phone and their Windows based computers to become infected. The hardware and the OS are just too different.

Aren’t UEFI files nowadays digitally signed and unless said private keys get leaked (and I don’t remember that happening to Gigabyte for their X570 boards), then infecting and rewriting firmware code is impossible?
I would not say "impossible" - but extremely difficult. This is why Microsoft pushed to make UEFI a requirement - despite the fact they knew the MS haters would bash them for it - as they have, relentlessly. But that's a different discussion.

In fact, it actually is pretty hard for even Windows 10/11 to become infected at all these days. "IF" the user (ALWAYS the weakest link in security) simply keeps Windows and their security software current, and they avoid being "click-happy" on unsolicited links, downloads, attachments, and popups, the odds of being compromised are very slim.

Now if the user invites the bad guy in by failing to keep their OS and security current, by participating in illegal activities or visiting illegal porn and gambling sites, and by carelessly clicking on every link they see, then compromise is possible, maybe even inevitable. But cross-platform infection? I doubt that.

I don't think it fair to accuse anyone, at this point, of trolling. There's enough misinformation, FUD, etc. out there, some sophisticated enough to trick even the most seasoned professional.

Just today I got an extremely realistic notice from Chase Manhattan Bank informing me of a problem with my account, and to "click here" to contact a representative to get it resolved. It had perfect spelling and perfect grammar, formerly where signs of scams were easily detected. It had 2 problems, however. My name is not "Customer", and "Chase Manhattan Bank" does not exist. It changed its name to just "Chase Bank" several years ago. Still, my point is, it was so well done otherwise that it could have tricked the naïve.

What is needed is better education to make the naïve aware of these threats, how to recognize them, and how to mitigate/negate them by keeping their systems current, and avoid being "click-happy" - regardless how legitimate that "unsolicited" email, text, phone call or whatever may appear.

For that reason, unless it degrades into a cesspool of $h!t and nonsense, I think this thread should remain open - for now.
 
Why do you suspect a BIOS rootkit?

I am not surprised you can find no evidence. (1) BIOS rootkits are extremely sophisticated and therefore, tend to be in the arsenals of those listed by Solaris17, and by those with equally deep pockets conducting cyberwarfare against those enemies. In other words, they are designed to leave no evidence. It also means (2) while they do exist, it is very rare, in fact difficult to become infected by one. And, even more rare for the same person to have their phone and their Windows based computers to become infected. The hardware and the OS are just too different.
There were a lot of weird things happening in Windows, like my PC being enrolled into MDM and Autopilot, along with a long list of other things I saw while digging through the Event Viewer. I would securely erase my NVMes, nwipe my USB drives, and do this all in Linux. As time went on after fresh installs, new things like the MDM and SMB servers would crop up on my PC without me doing anything. I went to every means of securely wiping my stuff. That's when I started thinking about more sophisticated routes.

Look, I'm not saying it was uefi related, I was reaching out for help and information. I also never denied the possibility of me infecting it by clicking on something.
 
Did you access the web of darkness by any chance?

I've watched many videos on how unimaginable (hack-related) things happen to some peeps for being curious.
 
Is there some tech tuber or something that read some documentary? These threads and the lack of any actual infection seem to be getting more prominent and the only thing I can assume is some jack ass is drumming up hype somewhere on Reddit or YouTube.
As far as I can tell it all stems from that one case I dealt with. That was a real infection, yes, but the guy in question was also, for lack of a better term and without giving away too much, a very high value target.

I'm certainly not drumming this up. This stuff is as rare as hen's teeth and OP, you are not infected in this way.

Look, I'm not saying it was uefi related, I was reaching out for help and information. I also never denied the possibility of me infecting it by clicking on something.
If you want generic malware removal/reinstall advice, that is more in line with what probably happened and we can help.
 
As far as I can tell it all stems from that one case I dealt with. That was a real infection, yes, but the guy in question was also, for lack of a better term and without giving away too much, a very high value target.

I'm certainly not drumming this up. This stuff is as rare as hen's teeth and OP, you are not infected in this way.


If you want generic malware removal/reinstall advice, that is more in line with what probably happened and we can help.
I'm open to any advice. Ever since the incident I'm just freaked out about persistence. I am going to be getting new hardware but I also don't want to sell my old hardware to someone that could cause them problems if there is some kind of persistent malware. What can I do that would show you the all clear on my hardware?
 
I'm open to any advice. Ever since the incident I'm just freaked out about persistence. I am going to be getting new hardware but I also don't want to sell my old hardware to someone that could cause them problems if there is some kind of persistent malware. What can I do that would show you the all clear on my hardware?
Since it's not a BIOS rootkit you'd be safe to just reflash the BIOS and full overwrite the drive if you want to be super certain. That should clear whatever (if anything) might be present.
 
Since it's not a BIOS rootkit you'd be safe to just reflash the BIOS and full overwrite the drive if you want to be super certain. That should clear whatever (if anything) might be present.
I agree.

Just remember a common mistake some make when trying to rid their systems of malware is, after wiping their drives, resetting and flashing their BIOS they restore their data from backups, only to reinstall the infected files and malware all over again. :( So make sure any backup file or image you have is clean before using it.
 
Are MDM and Autopilot Event Viewer entries normal for a clean install of Windows 11 23H2? Maybe I can supply my Event Viewer log after a clean install off a brand new USB made on a clean PC.
 
Are MDM and Autopilot Event Viewer entries normal for a clean install of Windows 11 23H2? Maybe I can supply my Event Viewer log after a clean install off a brand new USB made on a clean PC.
My man, you are way, way, way overthinking this. You're fine, there is no rootkit, you don't need to scrutinize the logs, the machine will be clean after a reflash and an overwrite format/reinstall. If there was some hyper-sophisticated malware present on the system, it sure as hell wouldn't allow its actions to show up in Event Viewer.
 
Every week the bluetooth drivers would become corrupt and I would have to SFC to repair them.
This appears to be an MS bug since the August, 2022 patch-Tuesday. But I didn't run into the problem between the May, 2024 patch-Tuesday and the June, 2024 patch-Tuesday.

It's known to happen randomly, often between patch-Tuesdays, in a random amount of time. I didn't have this issue in the early-21H2 days. I first installed 11, which was 21H2, of course, first in April, 2022 and didn't have the issue until August. The 22H2 and 23H2 ISOs, have this bug, out-of-the-box. I found out that the bug is still there, in 23H2, after I wiped the SSD and installed 23H2 in early-February, 2024.
 
This appears to be an MS bug since the August, 2022 patch-Tuesday.

It's known to happen randomly, often between patch-Tuesdays, in a random amount of time.
Where are you getting this information? Please show us a white paper, a study, a Microsoft KB that says one of their updates broke BT and that it is still broken meaning MS hasn't bothered to do anything about it.

You are implying this is a MS bug. From what my friend Google Bing tells me, it is not. You are implying this same bug has been in existence since Aug, 2022. It has not.

"Random" problems with Bluetooth does not imply it is a MS problem.

I have been running BT devices on all 5 machines here, including this PC since W10 first came out, and on 2 of those machines that has since been updated to W11. My BT devices have consistently worked just fine. Does that mean all BT devices everywhere work fine? Of course not, just as you having an issue on one of your machines does not mean the problem is everywhere, as you imply.

Just because Windows loses connection to a BT device, it is flawed logic to assume Windows is automatically at fault. It could easily be, and often is the computer's BT interface (a hardware issue). It could easily be the BT device itself (a hardware issue). It could easily be the device's BT driver (the hardware maker's issue). It could easily be a USB issue, again a hardware issue.

It must be noted that bugs in Windows Update that break common devices typically affect millions and millions of people. I don't see it.
 
Where are you getting this information? Please show us a white paper, a study, a Microsoft KB that says one of their updates broke BT and that it is still broken meaning MS hasn't bothered to do anything about it.
It hasn't broken BT, it breaks sfc verification of it and yes it is quite well known.
 
OP you already know what happened.

Your third party password manager was the vector, you're not important enough for anything else being mentioned here.

This thread has gone off the rails as per usual for this topic.
 
OP you already know what happened.

Your third party password manager was the vector, you're not important enough for anything else being mentioned here.

This thread has gone off the rails as per usual for this topic.
Jesus, lock it then. The rudeness is next level. Help and advice is all I came for.

I appreciate the people who tried to help, gave advice, and weren't condescending. I'll seek information elsewhere.
 