
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

My previous account was banned without warning in response to your question, under the pretext of "spam". If you care about your own technological freedoms and the truth, back this up and save it. Here is my previous comment on security hardening which received many likes by the community. https://pastebin.com/c6jXZjtS And this very comment which was also censored https://pastebin.com/diZ0QGNC



OEM manufacturers must begin shipping motherboards with jumper pins to disable flashing. OTP flash memory, where practical, is another solution. These are the simplest and most comprehensive solutions available to the public, without adding extra unnecessary bulkware with its own potential security issues down the road. Other than that, software capable of dumping and scanning firmware for rootkits will be an important advancement for antivirus companies; signature checks via security software on firmware is another mitigation. The only issue here is if these are state-backed, state-financed weapons being used illegally for espionage against American citizens and corporations, then what are the odds that any US antivirus agency, operating under the jurisdiction of the FISA courts, will have the legal means at their disposal, never mind the moral backbone, to actually do what is right and make their findings public?

Your infection does not look unlike Stuxnet. Greatis was the first antivirus firm who came out with a free cleaner for the state-backed joint NSA-Israeli [1] [2] Stuxnet virus, which was found in the wild all throughout Japan just prior to the Fukushima incident; it was reported some Stuxnet modules were designed to infect Siemens SCADA controllers, to be used in particular against Iran's nuclear enrichment facilities. Siemens SCADA controllers are widely used in critical infrastructure all over the globe; it was reported from Japanese sources that the Siemens controllers at the Daiichi nuclear site were infected with the Stuxnet virus, which caused the water cooling systems to malfunction and the resulting catastrophe.

Quoting this website: https://richardedmondson.net/2017/01/02/the-stuxnet-connection-to-fukushima/


The original sources have since been taken offline from both:
http://www.yomiuri.co.jp/dy/national/T101004003493.htm
and https://web.archive.org/web/*/http://www.yomiuri.co.jp/dy/national/T101004003493.htm
leaving only these semi-official alternative news sites with copies of the original documentation.

If you don't think certain elements within the US and Israeli govt wouldn't do such a thing, then you're not up to speed on current events [2]; and seeing that the US govt and all of its agencies have been completely infiltrated by Israeli spies, at the very least, the world would be much better off if these were given to the general public so one state cannot get the upper hand over another and security firms will actually offer the public protections. Common sense has it no one with an ounce of brain power and courage would give this exclusively to the very nation fomenting regime change and illegal wars of aggression, and which has single-handedly brought the world to the edge of global thermonuclear war. Kaspersky was previously under fire from the US government over the Russiagate scandal, whereas now the CIA and FBI are the ones being blamed and investigated for these very allegations at the behest of Donald J. Trump. Yes, the CIA and FBI are now under investigation for illegal spying and initiating the Russiagate conspiracy theory. [2] Mueller has already publicly come clean on who colluded with the Trump administration during his campaign, and it wasn't Russia. As has been the case since the assassination of John F. Kennedy, Mueller admits it was Israel [2] [3] who colluded with the US administration. Israel has had the US by the balls since they bombed the twin towers on 9/11 and long before then, given the revelations of the USS Liberty. And that was on June 8th, 1967. A US House intelligence report last month had already officially cleared Trump of any charges of collusion with Russia. Yet the charade goes on in the JMSM.
Now there is massive infighting taking place within the swamp otherwise known as the US government, that will soon lead to revelations of Israel's direct involvement behind all of these atrocities, and the resulting wars, quote "I estimated that about 2.4 million Iraqis have been killed as a result of the illegal invasion of their country by the United States and the United Kingdom in 2003." From the article How Many People Has the U.S. Killed in its Post-9/11 Wars?



Here is one for your ethics, made by a dear friend of mine:
And this documentary that I had made on 911

Doesn't look to me like the Federal Bureau of Investigation, nor the Criminal Intelligence Agency, two entities that should have been at the forefront of investigations into the greatest terrorist attack in the history of the United States, have come anywhere near providing the public with the truth of this event; in fact, they were directly involved in covering up these crimes. But that may change very soon. As for current events, a massive internal purge is going on:

House Republicans Press Conference Demanding Second Special Counsel 5/22/18 [FBI currently under investigation for criminal activity]
Why?: Mindblowing Corruption At FBI - NSA Whistleblower Reveals

Here is my previous comment on hardening which received many likes by the community: https://pastebin.com/c6jXZjtS And my latest comment which was also deleted: https://pastebin.com/diZ0QGNC
So much nonsense...
This post should have its own thread in the lounge...
 
So let me understand, my Intel DZ77GA "has" a jumper for the BIOS; it has to be positioned to even allow any changes, AND a position to actually "update" the BIOS. Is this current issue able to get around the jumper lock for a BIOS update?

What chipset is that? I thought that died out with Core 2s. Cool to hear they are still around, just under-implemented.

No, this can't get around that.
 
Don't tell me what to do!
When did I do that? :confused: Not sure when you became so important that me expressing my opinion on a subject became telling you what to do... :kookoo: This is a public forum and I am free to express my opinion here as long as I remain within the rules, which I am.

:lovetpu:


:shadedshu:


Oh. I get it. I used the 2nd person "you", and you think I actually meant you personally, rather than referring to myself. Sorry, but you misread what I said. I could care less about what you personally are doing... I'm not a sociopath that thinks everything must be done as I demand it or that my way is the only right way. ROFL.
 
When did I do that? :confused: Not sure when you became so important that me expressing my opinion on a subject became telling you what to do... :kookoo: This is a public forum and I am free to express my opinion here as long as I remain within the rules, which I am.

:lovetpu:


:shadedshu:


Oh. I get it. I used the 2nd person "you", and you think I actually meant you personally, rather than referring to myself. Sorry, but you misread what I said. I could care less about what you personally are doing... I'm not a sociopath that thinks everything must be done as I demand it or that my way is the only right way. ROFL.

It was an intentionally sarcastic, childish response. Meant to be humorous actually, and it seems a few here picked up on that.

It was meant in quasi-meme form, the same way " YOLO!" is used non-seriously before doing something incredibly stupid.

No worries, I didn't make it clear.
 
A TPM module may have prevented any of this.
TPM's can be bypassed. They are not fool-proof.
And supposedly, protect them, which they have historically done horribly. It's a google away how to dump one with a simple serial port.
Exactly..
I have very little faith in vendor implementations of secureboot in regards to firmware.
Agreed. Secureboot is often more hassle than it's worth, which isn't much.

What are the chances of jumpers becoming a super duper new security feature of next generations of motherboards? Probably the coolest thing since solid capacitors?
While I suspect that might be sarcasm, taking a step into the past is an effective way to render a certain level of effective security.
 
It was an intentionally sarcastic, childish response. Meant to be humorous actually, and it seems a few here picked up on that.

It was meant in quasi-meme form, the same way " YOLO!" is used non-seriously before doing something incredibly stupid.

No worries, I didn't make it clear.

:kookoo:

Yes, dry humour can be mis-interpreted. o_O I AM a sociopath. ROFL.


TPM's can be bypassed. They are not fool-proof.

Anything can be bypassed, really. It's just a matter of motivation. That doesn't preclude the fact that if all of these "features" are used in the way they were meant to be, it'd be far more difficult to run into potential problems such as this. I mean, I wear clothes, but they don't always cover a lot either... doesn't mean it's acceptable to NOT wear clothes... no matter how uncomfortable.

I actually use a TPM and BitLocker and Intel Secure Boot and many other things... just to see what they offer and if they have any impact on performance. I also somehow tend to have fewer hardware problems than average, though, and because I am sure that most hardware I get is pre-tested, that usually leaves most problems as software. BIOS is software, an operating system in fact, and most do not treat it as such, nor do they tend to even think about it needing any sort of security.
 
What chipset is that?
1155 Panther Point, Z77. I've got my 2600K on it atm, but it's not as easy to hit 5.0 on, and for some odd reason it will NOT OC that Samsung RAM AT ALL, just a BCLK bump but still 16xx. The Visual BIOS is really excellent, but that's about it tho.
I'm going back to the DZ68BC, Z68, since it's already been over 5.2 and 19xx, but it doesn't have a BIOS lock soooo ........ oh well
BTW Excellent job on this adventure RTB, it's an amazing .. thread Yes thread.
 
The only true way to protect a BIOS is move to a removable device. Plug it in, boot the computer and unplug it. If things were only that simple...

Side Note: @R-T-B, patiently waiting the outcome.
 
The only true way to protect a BIOS is move to a removable device
Well, seems that Intel already implemented that with a jumper, and yeah, "if someone gained direct access to the PC" is the same as "if they gained the removable device".
 
While I suspect that might be sarcasm, taking a step into the past is an effective way to render a certain level of effective security.

To expand on that a little: I realized from this thread that the UEFI chip is insecure AF; motherboard makers really love to jump on bandwagons of tiny little new features and advertise them with neon lights; and like every other industry, manufacturers like to advertise previous stuff as "new" as soon as the general public has (almost) forgotten about them.
 
The only true way to protect a BIOS is move to a removable device. Plug it in, boot the computer and unplug it. If things were only that simple...
Been there, done that.
[Image: Elitegroup 761GX-M754 board, AMIBIOS (American Megatrends) in a socketed Winbond W39V040APZ flash chip]

Well seems that Intel already implemented that with a jumper...
Which came first? The socketed/removable BIOS chip or the write protect jumper? And was either idea Intel's? Serious questions I don't know the answers to...
I realized from this thread that the UEFI chip is insecure AF; motherboard makers really love to jump on bandwagons of tiny little new features and advertise them with neon lights; and like every other industry, manufacturers like to advertise previous stuff as "new" as soon as the general public has (almost) forgotten about them.
Realize this. UEFI is the future. It's a good thing. And it is not intrinsically any more, or any less, secure than a BIOS.
 
Side Note: @R-T-B, patiently waiting the outcome

Yeah, me too. Brand new programmer arrives tomorrow.

Interesting outcomes I've noticed in the meantime: I've been toying with the userland malware on an isolated machine. It makes extensive use of HPAs (Host Protected Areas, essentially an ATA command to hide a partition) to spread itself across media. From this payload it installs a general purpose rootkit by acting as the boot partition on whatever media device. From there, malware hell naturally ensues. It doesn't really attempt to hide itself.

It seems to try to spread via media (disks, usb) this way like old sneakernet viruses. But other than the userland payload, it makes no attempt to mess with the hardware on any system. The userland malware does not appear to contain a firmware infecting payload as I would have expected.

This leads me to the fairly benign conclusion I have been hinting at all week, but refused to confirm or deny until I was far more certain. As of now, I am nearly certain. This virus was installed or flashed in firmware by a bad actor as a point of resiliency, but it is only there as an "anchor" for the malware. It makes no attempt to spread or replicate to other firmwares (possibly because the malware is tailored to only this desktop system), only attempting to spread to other userlands.

Frankly, this all points to an "evil maid" style attack. But I still have no idea what the motive is because the malware is not sneaky. It is loud. It does not monitor, it is present and obvious. (It attempts to get you to buy fake AV programs, etc).

Sadly, this is the kind of thing any skilled actor with physical access to a machine can accomplish, and reeks of some kind of petty revenge attack. With those clues, I think we can conclude this is more a criminal matter than an FBI/government one, and move in that direction with our suspects (whom I obviously won't name, but we have some).

tl;dr: My client/OP pissed someone off who knew how to fuck up his machine royally. Not really newsworthy after all and we should probably drop the hype there. Still interesting as a discussion though! And we'll certainly look at criminal charges as/if appropriate.

This is all pending a true programmer dump rather than behavioral analysis, but I think that will only support my findings, frankly.
 
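The post above describes the userland payload hiding itself in Host Protected Areas. The usual defender's check for that is to compare the sector count the OS sees with the drive's native maximum, which `hdparm -N` prints on Linux. The following is an added example, not code from the thread or from any poster: it parses constructed `hdparm -N` output for three hypothetical drives and flags any drive with a capacity gap or an HPA flag set. The `hdparm` summary-line format and the 512-byte logical sector size used for the size estimate are assumptions.

```python
"""Flag drives whose `hdparm -N` output shows a Host Protected Area (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Summary line printed by `hdparm -N /dev/sdX` (format assumed), e.g.
#   max sectors   = 976773168/976773168, HPA is disabled
# First number: sectors the OS can address. Second: the drive's native capacity.
HPA_LINE = re.compile(
    r"max sectors\s*=\s*(?P<visible>\d+)/(?P<native>\d+),\s*HPA is (?P<state>enabled|disabled)"
)

SECTOR_BYTES = 512  # assumed logical sector size, only used for the MiB estimate


@dataclass
class HpaReport:
    device: str
    visible_sectors: int
    native_sectors: int
    enabled: bool

    @property
    def hidden_sectors(self) -> int:
        return self.native_sectors - self.visible_sectors

    @property
    def hidden_mib(self) -> float:
        return self.hidden_sectors * SECTOR_BYTES / (1024 * 1024)

    @property
    def suspicious(self) -> bool:
        # Either signal alone deserves a look: a capacity gap is a hidden region
        # regardless of the flag, and a set flag with equal numbers is still odd.
        return self.enabled or self.hidden_sectors > 0


def parse_hdparm_n(device: str, output: str) -> Optional[HpaReport]:
    """Parse one device's `hdparm -N` output.

    Returns None when no summary line is present (hdparm prints an error instead
    for drives or controllers that do not answer the ATA identify/native-max commands).
    """
    for line in output.splitlines():
        m = HPA_LINE.search(line)
        if m:
            return HpaReport(device, int(m["visible"]), int(m["native"]),
                             m["state"] == "enabled")
    return None


def find_hidden_areas(outputs: Dict[str, str]) -> List[HpaReport]:
    """Return a report for every device whose output indicates a hidden area."""
    reports: List[HpaReport] = []
    for device, output in outputs.items():
        report = parse_hdparm_n(device, output)
        if report is not None and report.suspicious:
            reports.append(report)
    return reports


# Constructed sample output for three hypothetical drives (not from the thread's hardware):
# sda is clean, sdb has ~7.5 GiB hidden, sdc sits behind a bridge that rejects the command.
SAMPLE_OUTPUTS = {
    "/dev/sda": "/dev/sda:\n max sectors   = 976773168/976773168, HPA is disabled\n",
    "/dev/sdb": "/dev/sdb:\n max sectors   = 234441648/250069680, HPA is enabled\n",
    "/dev/sdc": "/dev/sdc:\n HDIO_DRIVE_CMD(identify) failed: Inappropriate ioctl for device\n",
}

if __name__ == "__main__":
    for r in find_hidden_areas(SAMPLE_OUTPUTS):
        flag = "set" if r.enabled else "clear"
        print(f"{r.device}: {r.hidden_sectors} sectors (~{r.hidden_mib:.0f} MiB) hidden, HPA flag {flag}")
```

Run against real output by substituting the result of `hdparm -N /dev/sdX` for each entry in `SAMPLE_OUTPUTS`. A drive like `/dev/sdc` that returns no summary line is reported as unknown rather than clean, which is the right default when a USB bridge hides the ATA layer.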
Yeah, me too. Brand new programmer arrives tomorrow.

Interesting outcomes I've noticed in the meantime: I've been toying with the userland malware on an isolated machine. It makes extensive use of HPAs (Host Protected Areas, essentially an ATA command to hide a partition) to spread itself across media. From this payload it installs a general purpose rootkit by acting as the boot partition on whatever media device. From there, malware hell naturally ensues. It doesn't really attempt to hide itself.

It seems to try to spread via media (disks, usb) this way like old sneakernet viruses. But other than the userland payload, it makes no attempt to mess with the hardware on any system. The userland malware does not appear to contain a firmware infecting payload as I would have expected.

This leads me to the fairly benign conclusion I have been hinting at all week, but refused to confirm or deny until I was far more certain. As of now, I am nearly certain. This virus was installed or flashed in malware by a bad actor as a point of resiliency, but it is only there as an "anchor" for the malware. It makes no attempt to spread or replicate to other firmwares (possibly because the malware is tailored to only this desktop system), only attempting to spread to other userlands.

Frankly, this all points to an "evil maid" style attack. But I still have no idea what the motive is because the malware is not sneaky. It is loud. It does not monitor, it is present and obvious. (It attempts to get you to buy fake AV programs, etc).

Sadly, this is the kind of thing any skilled actor with physical access to a machine can accomplish, and reeks of some kind of petty revenge attack. With those clues, I think we can conclude this is more a criminal matter than an FBI/government one, and move in that direction with our suspects (whom I obviously won't name, but we have some).

tl;dr: My client pissed someone off who knew how to fuck up his machine royally. Not really newsworthy after all and we should probably drop the hype there. Still interesting as a discussion though! And we'll certainly look at criminal charges as/if appropriate.

This is all pending a true programmer dump rather than behavioral analysis, but I think that will only support my findings, frankly.

Called it earlier. He should still definitely check to ensure he is not an ID theft victim. Perhaps he was prying where he shouldn't have been?
 
Realize this. UEFI is the future. It's a good thing. And it is not intrinsically any more, or any less, secure than a BIOS.

Its ability to run "extensions" might beg to differ. But I mean, BIOS had that too, as option ROMs.
Called it earlier. He should still definitely check to ensure he is not an ID theft victim. Perhaps he was prying where he shouldn't have been?

Think more disgruntled employee. That's as close as I can get without going into legally iffy terrain.

I advised him of ID theft concerns earlier.
 
Its ability to run "extensions" might beg to differ. But I mean, BIOS had that too, as option ROMs.


Think more disgruntled employee. That's as close as I can get without going into legally iffy terrain.

Could have been deployed remotely or through a USB drive...
 
Could have been deployed remotely or through a USB drive...

Yeah, knowing ASMedia's issues, a thumbdrive or USB device is my bet, which is why I had him "bag" every USB device in his home and buy new.

I'd say "bag and tag" but we aren't that cool. :laugh:
 
By far the largest security holes have been due to lack of proper documentation or misunderstanding of unclear documentation provided by a certain processor manufacturer. Known issue, still a problem. :)
You have it backwards, documentation has little to do with actual security holes. In fact GPZ worked their magic due to a certain processor maker's lengthy documentation; what the given company didn't do, however, is assess the consequences of some of their haughty decisions in pursuit of vaporware* gains in IPC.
After Michael Schwarz made some interesting observations, we started
looking into variants other than the three already-known ones.

I noticed that Intel's Optimization Manual says in
section 2.4.4.5 ("Memory Disambiguation"):


A load instruction micro-op may depend on a preceding store. Many
microarchitectures block loads until all preceding store addresses
are known.

The memory disambiguator predicts which loads will not depend on
any previous stores. When the disambiguator predicts that a load
does not have such a dependency, the load takes its data from the
L1 data cache.

Eventually, the prediction is verified. If an actual conflict is
detected, the load and all succeeding instructions are re-executed.

According to my experiments, this effect can be used to cause
speculative execution to continue far enough to execute a
Spectre-style gadget on a pointer read from a memory slot to which a
store has been speculatively ignored.

GPZ
Jann Horn
Source

*because those gains are reversed or severely reduced today, not to mention the many (security) holes in their uarch atm.
 
Yeah, knowing ASMedia's issues, a thumbdrive or USB device is my bet, which is why I had him "bag" every USB device in his home and buy new.

I'd say "bag and tag" but we aren't that cool. :laugh:
Bag-em and Tag-em. Been there done that from 2005-2010 (Avatar)
 
Realize this. UEFI is the future. It's a good thing. And it is not intrinsically any more, or any less, secure than a BIOS.
And I've grown way too comfortable with the pretty GUI :D
 
Been there, done that.
[Image: Elitegroup 761GX-M754 board, AMIBIOS (American Megatrends) in a socketed Winbond W39V040APZ flash chip]

Which came first? The socketed/removable BIOS chip or the write protect jumper? And was either idea Intel's? Serious questions I don't know the answers to...
Realize this. UEFI is the future. It's a good thing. And it is not intrinsically any more, or any less, secure than a BIOS.
And I've grown way too comfortable with the pretty GUI :D

Made it too mainstream, the kb interface with blue/black screen was better to keep those who should just turn the rig on and off out of it.
 
Well, seems that Intel already implemented that with a jumper, and yeah, "if someone gained direct access to the PC" is the same as "if they gained the removable device".
if you read the thread, the jumper....

Physically removing the BIOS chip, as I said, would be more effective.

@MrGenius epoxied a stud to one of those to make removing it a bit easier.
 
Got the programmer, dumps only confirm my suspicions.

This represents the end of this saga I think. Board and hardware will all be reflashed over the next 3 days, and then hardware returned. I won't be reporting much more here, but take what lessons from it you can. It was certainly an interesting case.
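The earlier hardening post called for software that dumps firmware and checks it against signatures, and the post above closes the case with a programmer dump that confirmed the modification. The piece that connects the two is a comparison of the dumped image against the vendor's known-good image. This is an added example, not code from the thread or from any poster: it hashes both images, lists every differing byte range (merging nearby runs so one patched routine shows as one finding), and attributes each range to a named flash region. The 4 KiB images and the `descriptor`/`nvram`/`boot_block` layout are constructed stand-ins; a real SPI image is megabytes and its layout comes from the flash descriptor, not from this table.

```python
"""Compare a programmer dump of a flash chip against a known-good image (added example)."""
import hashlib
from typing import Dict, List, Optional, Tuple

Region = Tuple[int, int]  # half-open byte range [start, end)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes, merge_gap: int = 16) -> List[Region]:
    """Byte ranges where `dump` differs from `reference`.

    Runs separated by `merge_gap` bytes or fewer are merged, so a patched
    routine with a few untouched bytes inside it is reported once.
    """
    if len(reference) != len(dump):
        raise ValueError(f"size mismatch: reference {len(reference)} B, dump {len(dump)} B")
    runs: List[Region] = []
    start: Optional[int] = None
    for i, (a, b) in enumerate(zip(reference, dump)):
        if a != b and start is None:
            start = i                      # a differing run begins
        elif a == b and start is not None:
            runs.append((start, i))        # the run ended just before i
            start = None
    if start is not None:
        runs.append((start, len(dump)))    # run reaches the end of the image
    merged: List[Region] = []
    for s, e in runs:
        if merged and s - merged[-1][1] <= merge_gap:
            merged[-1] = (merged[-1][0], e)
        else:
            merged.append((s, e))
    return merged


def region_name(offset: int, layout: Dict[str, Region]) -> str:
    """Name of the layout region containing `offset`, or 'unmapped'."""
    for name, (s, e) in layout.items():
        if s <= offset < e:
            return name
    return "unmapped"


def analyze_dump(reference: bytes, dump: bytes, layout: Dict[str, Region]) -> dict:
    """Hash both images and attribute every differing range to a layout region."""
    diffs = diff_regions(reference, dump)
    return {
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "identical": not diffs,
        "findings": [
            {"start": s, "end": e, "bytes": e - s, "region": region_name(s, layout)}
            for s, e in diffs
        ],
    }


# Constructed 4 KiB stand-in for a vendor image, plus a hypothetical region map.
REFERENCE = bytes((i * 7) & 0xFF for i in range(0x1000))
LAYOUT: Dict[str, Region] = {
    "descriptor": (0x000, 0x400),
    "nvram": (0x400, 0x800),
    "boot_block": (0x800, 0x1000),
}


def tampered_dump() -> bytes:
    """Constructed dump: a 16-byte patch in NVRAM and one flipped byte in the boot block."""
    d = bytearray(REFERENCE)
    d[0x500:0x510] = b"\x90" * 16
    d[0x900] ^= 0xFF
    return bytes(d)


if __name__ == "__main__":
    report = analyze_dump(REFERENCE, tampered_dump(), LAYOUT)
    print("dump sha256:", report["dump_sha256"])
    print("identical to reference:", report["identical"])
    for f in report["findings"]:
        print(f"  {f['region']}: 0x{f['start']:X}-0x{f['end']:X} ({f['bytes']} bytes)")
```

For a real board, read the reference from the vendor's update package and the dump from the programmer, and expect legitimate differences in NVRAM and the settings store; differences in code regions are what the hash alone cannot point you to, and they are the ones worth disassembling.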
 
Got the programmer, dumps only confirm my suspicions. This represents the end of this saga I think. Board and hardware will all be reflashed over the next 3 days, and then hardware returned. I won't be reporting much more here, but take what lessons from it you can. It was certainly an interesting case.
So no suspicions of government actors?
 
Got the programmer, dumps only confirm my suspicions.

This represents the end of this saga I think. Board and hardware will all be reflashed over the next 3 days, and then hardware returned. I won't be reporting much more here, but take what lessons from it you can. It was certainly an interesting case.
How about posting a short summary of the case, a TLDR version, since it generated 300 posts. You put in some time on this, and deserve recognition.
 