
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.

MadBrit (New Member, joined May 17, 2018)
System "HomeBuild": Intel i7-7700K, ASUS Z270F, Corsair H55 Hydro Series, 32GB G.Skill Ripjaws V (PC4 25600), ASUS STRIX-GTX 1070 8G Gaming, Samsung 850 Pro x 3 + Crucial M4 (spare boot), LG 34UC79-G, Thermaltake View 31, Thermaltake Toughpower 850W, Logitech mouse and keyboard, Win 10 1803. Benchmark scores: "With or without malware infection?"
Hi,

Thanks in advance for any help...

Fresh Windows 10 1803
Home build w/ASUS STRIX Z270F MB, ASUS GTX 1070 8GB, i7-7700K, Samsung 850 Pro / Crucial M4

I have been fighting an infection with an extremely persistent malware that (after 8 weeks of analysis) is not detectable in user space by any AV. It has been sending me around in frustrating circles. I originally thought the malware was hiding in filesystem slack space, but it appears to be using a combination of evasion techniques that rewrite the HDD HPA/DCO, GPU firmware (main infection source), SSD firmware (unable to BCDwipe certain sectors - multiple SSDs - unable to upgrade BIOS due to malware interference), and the motherboard BIOS (blocks rescue disks). The malware blocks rescue CDs from running and locks the drive into hibernation to prevent offline scans. Reflashing the MB BIOS stops this for 1 boot, then the problem returns.

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

I know, crazy, right? I believe the origin of the malware is Chinese/Korean for a number of reasons that I won't go into here. On trying to upgrade the GTX 1070 firmware with the ASUS GPUUpdateBios.exe, I get a response "You no need update GPU Vbios!". I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.

Long story short, I am unable to find any info on how to reset these parameters (or reset the card completely back to stock) and cannot find the relevant .IFR firmware mentioned in NVFlash to update this. On reboot, the malware takes the card back again and we're back to square one.

If there is a tool to completely reset all the card parameters to factory, or a hardware ninja method that provides similar results, I would very much appreciate some recommendations. If this malware resonates with anyone else, I would really like to know its name, as I have been unable to determine the strain.

Cheers!
 
The tool I think you're looking for is called a hammer, followed up with a can of gas and a lighter, as that's some seriously bad crap you have going on there.
 
How does one get malware of this level on their PC? Were you looking at something you shouldn't have been? :p
 
Isn't OP just explaining the Windows 10 update process?

If not...

Destroy all the drives. That is honestly what I would do if I were experiencing this.
 
Why not just do a fresh install of the OS to the HD, or get a new HD?
 
If this is real, a hardware programmer should fix it...

But I really doubt it's real... sorry. If it is, get in touch with an AV vendor to provide samples and they'll likely buy you new hardware just to get to study / try to block this new monstrosity.
 
If this is legit, get in contact with a proper security company and get them to analyse this monster, as it sounds pretty insidious
 
To be believed, I think some would like to see this in a screenshot. What you have sounds too extreme for an ordinary PC, and the very odd message from your gfx firmware doesn't sound believable at all. But a screenshot of this flash process would help.
 
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.
 
Those errors frankly sound more like a counterfeit 1070 gpu you are trying to flash with the wrong bios than a GPU that's "infected."

Post a GPU-Z.

There's a liar here, trying to hide what he is doing.

He needs to secure erase or format his hdd and reinstall the os for starters.
 
There's a liar here, trying to hide what he is doing.

Agree with you.

Maybe he was flashing the card, things went wrong, and now he is trying to tell us something different?
 
I ran NVFlash with the latest firmware rev., but when I compare the BIOS to the .rom file, I get a number of mismatch inconsistencies in the InfoROM settings (InfoROM, Static (InfoROM Header - Timestamp), User Setting (OEM Information - Data), and Unallocated Space (size difference)). Unallocated space is the source of the malware, I believe.
Please post the BIOS you saved from your card and the one you are comparing to
 
you caught an STD from the dark web?

Wireshark it and look for anything mucky.
 
Subbed for the Streisand troll lookalike.
This sounds totally like smelling the female troll knickers (fishy as hell, do I smell rock cod).
Please provide screenshots and
Please post the BIOS you saved from your card and the one you are comparing to
If you have what you say you have, contact your AV vendor and Microsoft.
:) They might even send a specialist for a site visit, as what you describe is ... unbelievable.
 
Somebody set us up the bomb.
 
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
 
One troll or deluded fuck making fun with all people here :)
 
In theory such a thing is not impossible. In practice there are an army of problems for someone who wants to write such a type of malware/virus, like how on earth it can target each possible MB BIOS, GPU BIOS, HDD/SSD firmware, because I doubt all of them share a similar structure; then you have the limitations from the size of the MB BIOS, GPU BIOS, HDD/SSD firmware, because you need to still have that PC working (it's just easier to write garbage on the MB BIOS, GPU BIOS, HDD/SSD firmware because you just don't care about having that PC still running), and then after you somehow managed to use the little free space you also need to actually have running code there. A random hacker won't have the resources to actually code something like this; you need proper funding for such a thing, and even with the money I doubt it can be done. Now if this was targeting only a particular platform, yes, that has happened in the past.
It will sound rude, what I will write in the following line, but it's a fact: if you are so important that someone will actually spend the money to make a malware/virus targeting you, then you won't be asking for help here, because due to the nature of your job you would be informing someone else about the situation.
Don't get me wrong, but you kinda need access to the source code for an army of BIOSes/firmwares to have a chance to even write something like this, else it's just impossible, and there are very few agencies that can actually have such a chance (even they would need to steal some source code in some cases or reverse engineer it, but this last case is not that easy, to the point it might not even be viable).

If you assume your SSD/HDD is infected with something that no antivirus is capable of dealing with, just use another PC, download a Linux distro that allows you to run a live session (Ubuntu and derivatives, for example), write it on a CD/DVD/USB stick on the other PC (NOT on the infected one), boot from that USB stick (you put the USB stick in the infected PC with the PC powered off, and the first time you start the PC you boot from the USB stick, else you can compromise the USB stick (like the malware/virus writing crap on the USB stick and making it not boot, or running crap from the bootloader)) and write zeros/random stuff on the HDD using dd:
if you have only one HDD/SSD
sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
if you have 2 HDD/SSD
sudo dd if=/dev/zero of=/dev/sda bs=4096 status=progress
and then after it's done
sudo dd if=/dev/zero of=/dev/sdb bs=4096 status=progress
if you have multiple HDD/SSD
sudo dd if=/dev/zero of=/dev/sdX bs=4096 status=progress
replace X with letters a, b, c, and so on
you can read more here: https://wiki.archlinux.org/index.php/Securely_wipe_disk
Sure, after zeroing the HDD/SSD you lose all the data, but the HDD/SSD should be clean. I wouldn't fully write an SSD with zeros; I would write zeros only on the section where the partition table is located (that should be enough; you didn't say if it's MBR or GPT).

Regarding the differences between the GPU BIOS (the one in the file and the dump after you flash it): how did you flash the GPU BIOS? Did you do it in Windows (doing it in the infected Windows is asking for trouble because that Windows can happily freeze in the middle of the flashing process... and this can happen in a clean Windows also; I know some AMD drivers that will just mess up the GPU flashing process)? If yes, then there is no surprise for me that the one in the file and the dump after you flash it are not identical; I've done it several times in Windows and I didn't really get a match (usually I was getting 1-5 differences but I saw no real problem). If I do it using a DOS USB stick I always get a 100% match.

Trying to clean it by booting into the infected Windows connected to the internet can easily prove a waste of time... There are several antiviruses that will just make a bootable CD/DVD/USB stick, and you will boot directly into that and try to clean it from a clean environment:
https://www.bitdefender.com/support/how-to-set-up-a-bitdefender-rescue-cd-1249.html
https://www.avira.com/en/download/product/avira-rescue-system (I had issues with Avira when I tried to use it, like it just froze at some %)
https://support.kaspersky.com/viruses/rescuedisk
just to give some examples. Again, you will need to write those things on a CD/DVD/USB stick on another PC (trying to do it on the infected PC can easily go wrong).

L.E.:

Once established, the malware silently downloads and replaces security-related .EXEs (MBAM, Glasswire, Win Def, etc.), then starts on the system files. One by one, every 5-10 minutes, from multiple CDNs that are not legit. All files are signed and pass VirusTotal. They are, however, WinPE versions of the files. The system then reboots and virtualizes itself, repartitioning a drive with free space to replicate and hide itself. It is *almost* invisible. Using MBR Filter helps and delays it enough to do some analysis, but then it starts imposing Group Policies to lock you out / flag legitimate apps as malware / change hardware parameters (downgrades 7th Gen CPU to 6th Gen, etc.).

Post the VirusTotal links to the files you think are infected and you checked with VirusTotal. I'm asking for this because there are several checksums used by VirusTotal (SHA-256, MD5 and SHA-1) and I find it hard to believe that you can find a way to modify a file and fix all 3 checksums to look like the original file; you can probably fix one of them, but all 3....

Windows 10 in normal conditions will happily update when it wants. So the fact that you see some Windows files getting changed is actually the normal way of Windows 10 doing the updates... If you want to change this behaviour you can happily google for the solution.

L.E. 2:

I don't really believe you are dealing with a malware/virus that has actually replaced the MB BIOS, GPU BIOS, HDD/SSD firmware.
Make a USB stick with a Linux distro that can run a live session on another PC (if you don't have 2 PCs, just ask a friend), disconnect the HDD/SSD (all of them, just unplug the power or SATA cable) and boot from the Linux USB stick. If at first boot things look OK, reboot it; if at second boot things are again OK, then you probably don't have any problems with the BIOSes (you might have messed them up when you flashed them...). If you have no problems while using the live Linux session, then reconnect the HDD/SSD cables, boot again from the Linux USB stick and write zeros on each of the HDD/SSD. Reboot and reinstall Windows without being connected to the internet.
If what you are describing is correct (the behaviour of the malware/virus (looks like a joke to me, to be honest; I wouldn't make it do anything like that) and the fact that nothing detects it), then well, your only way is to fully wipe the SSD/HDD, because else you will never know what is affected and what not (well, you will first need something that detects it, then something that cleans it).

And sometimes a reinstall on a zeroed HDD is just faster than trying to clean an infected HDD. I wasted 18 h on the laptop of a client because the client refused to understand that he needs a new HDD/SSD: 6 bad sectors reported by SMART and growing (was 5 when the laptop got to me, increased to 6 while I tried to fix it); 90+ logical bad sectors on the OS partition, got fixed after I zeroed it; I also had to back up the data from that OS partition because ofc the client wanted me to save his photos and silly cooking recipes (not to mention that the client failed to point to the directories where he had those things; I actually failed to find a single cooking recipe...), because I really had a working machine when the laptop ended up with me, it was taking 60 minutes to even finish the boot process, and ofc the client didn't even want to pay how much I asked for my 18 hours of work... Next time he comes to me I will just say I want the money before I even look at his laptop, else he can happily find someone else to fix his laptop.
 
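One way to put numbers on the dump-vs-.rom mismatch and on the three VirusTotal hashes discussed in the post above, as an added shell example (not code from the thread, from NVFlash or from GPU-Z); the file names and the sample images are constructed, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from NVFlash/GPU-Z: compare a
# VBIOS dump saved by a flash tool with the .rom image it was flashed from,
# and print the three hashes VirusTotal lists (MD5, SHA-1, SHA-256) so two
# people can confirm they are looking at the same file.

# fw_hashes FILE -> "md5 sha1 sha256" on one line
fw_hashes() {
    printf '%s %s %s\n' \
        "$(md5sum "$1" | cut -d' ' -f1)" \
        "$(sha1sum "$1" | cut -d' ' -f1)" \
        "$(sha256sum "$1" | cut -d' ' -f1)"
}

# fw_diff_count DUMP ROM -> number of byte positions that differ over the
# common length (cmp -l prints one line per mismatching offset)
fw_diff_count() {
    cmp -l "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}

# fw_size_delta DUMP ROM -> size(DUMP) - size(ROM) in bytes; a non-zero
# value is the "size difference" a flash tool reports in its comparison
fw_size_delta() {
    d=$(wc -c < "$1"); r=$(wc -c < "$2")
    echo $((d - r))
}

# fw_report DUMP ROM -> "MATCH" when identical, else a one-line summary
fw_report() {
    if cmp -s "$1" "$2"; then
        echo "MATCH"
    else
        echo "MISMATCH: $(fw_diff_count "$1" "$2") byte(s) differ, size delta $(fw_size_delta "$1" "$2")"
    fi
}

# Constructed sample images (NOT real firmware): a 64-byte "stock" image
# starting with the 0x55 0xAA option ROM signature, and a "dump" that
# differs in 3 bytes and carries 8 extra trailing bytes.
WORK=$(mktemp -d)
ROM="$WORK/stock.rom"
DUMP="$WORK/saved_dump.rom"
{ printf '\125\252'; head -c 62 /dev/zero | tr '\0' 'A'; } > "$ROM"
{ head -c 10 "$ROM"; printf 'BCD'; tail -c +14 "$ROM"; printf 'PADDING!'; } > "$DUMP"

echo "stock.rom : $(fw_hashes "$ROM")"
echo "saved dump: $(fw_hashes "$DUMP")"
fw_report "$DUMP" "$ROM"   # MISMATCH: 3 byte(s) differ, size delta 8
fw_report "$ROM" "$ROM"    # MATCH
```

Run it against a real dump and .rom pair by replacing the two constructed paths; a handful of differing offsets with zero size delta is the kind of result the poster describes for Windows flashes.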
Is this a stolen computer that is protected by passwords or/and by encryption?
Notice he mentioned takeover policies and that he is looking at the mysterious unallocated space.
 
I've seen some pretty nifty viruses at my last job go through some stores. Some sophisticated ones that stole credit card data to ones that simply renamed .exe to another file extension name or just designed to eat up hard drive space by filling out a .txt file with basic information it pulled from the computer - it would just write the info over and over and over again.

One of my more favorite ones took myself and another senior tech to track down the issues. Store called in, having a slew of issues on the server computer. A quick remote into the system made it painfully clear they somehow infected the computer with a virus. We pulled the server from the network and had the store set up one of their registers to work as a temporary server to store sales and clock in/out data. We shipped out a new server computer and it would arrive NDA. The store was working, but they called in a few hours later saying their registers are having issues now. It seems the virus went through the network and infected the registers.....now the store was pretty much SOL. They had to close down for the rest of the day. We set up new HDDs for the registers to ship out NDA as well.

Next morning the store calls in and I get them all setup and working on new hardware. They're off and running now. They call back later that day with the same issues as before. Everything was infected again. In the end, it appears that the 512MB flash card on the cook display control boxes had just enough free space to allow this virus to install and infect them - once the new devices showed up on the network the virus would move to them. What a cluster....

As for the credit card stealing virus, we got to work with the FBI to help try and clean out the system and pinpoint where the virus was hiding and how it was constantly opening new ports to allow data in/out. They needed the ins/outs of the company's software and how everything talked and what ports it made use of. Once they figured they couldn't pinpoint the issue in a timely fashion and clean out the store without a proper new set of hardware, they pretty much took everything with them when they left and we don't know what ever happened after that. The poor lady that ran the franchise had 8 different stores and 6 out of 8 had this virus. She had to order new equipment for 6 stores - that's 6 server computers, at least 18-24 registers (3-4 registers per store) and 18 cook display control boxes (3 per store). She spent almost $30k on brand new hardware because of this virus.

Some folks out there can certainly design crazy ass viruses and malware - I wouldn't be surprised if there was a hint of truth to the OP's post. Then again, it sounds rather far fetched.
 
This doesn't quite sound for real. All this BIOS and VBIOS infection and flashing... really?

Anyway, the only way to be sure of getting rid of malware is to reformat and install Windows fresh. I'm talking about having only the system drive connected, then booting off a W10 DVD that was prepared on a different computer, formatting the drive and reinstalling it from scratch. Try that and I bet the infection goes away.

It's quite possible that any data drives are also infected, but that's another story.
It's also possible the BIOS can be infected, as well as GPU VRAM or memory DRAM, but that is a bit high tech for hacking a home system.
 
IDK, I would need to see some samples before I believed any of this.
 
It's also possible the BIOS can be infected, as well as GPU VRAM or memory DRAM, but that is a bit high tech for hacking a home system.
Yeah, possible, but unlikely, hence my skepticism. You can see from the incredulous responses from some of the others in this thread that I'm not the only one.
 