
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
System Name Pioneer
Processor Intel i9 9900k
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ 14-14-14-34-2T
Video Card(s) AMD RX 5700 XT (XFX THICC Ultra III)
Storage Mushkin Pilot-E 2TB NVMe SSD w/ EKWB M.2 Heatsink
Display(s) 32" 1440p LG 32GK850F Freesync 2 Monitor based on an AU Optronics true 8-bit AMVA Panel
Case Thermaltake Core X31
Audio Device(s) VGA HDMI->Panasonic SC-HTB20/Schiit Modi MB/Asgard 2 DAC/Amp to AKG Pro K7712 Headphones
Power Supply SeaSonic Prime 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 Enterprise (yes, it's legit.)
It's just too many unanswered questions for me
Meh. I'll drop this hint since I doubt it matters, and it's generic enough.

The motive (at least in my client's case) is most likely financial. I really can't say more though. I'm sorry.

The whole thing is insane and I wish I'd never found this case, frankly. It's bad shit. The malware scene is getting a lot of resources it should not have. I'm curious from whom.
 
Joined
Mar 6, 2017
Messages
1,828 (1.63/day)
Location
North East Ohio, USA
System Name My Super Computer
Processor Intel Core i7 8700K
Motherboard Gigabyte Z370 AORUS Ultra Gaming
Cooling Corsair H55 AIO
Memory 2x8GB Crucial/Micron Ballistix Sport DDR4-2400
Video Card(s) ASUS GeForce GTX1060 6GB
Storage Samsung 970 EVO 500 GB NVMe SSD (System Drive), Samsung 860 EVO 500 GB SATA SSD (Game Drive)
Display(s) HP 2311x and Acer G206HQL
Case CoolerMaster MasterBox Lite 5 RGB
Audio Device(s) On-Board Sound
Power Supply EVGA Supernova 650 G3 Gold
Mouse Logitech M705
Keyboard Logitech Wave K350
Software Windows 10 Pro 64-bit
Benchmark Scores https://valid.x86.fr/liwjs3
So, while the Android ecosystem is indeed messier, older Apple devices are left out as well.
Most iOS devices get a good five years of updates, which is absolutely amazing considering that most carrier-branded Android devices in the US barely get any. About the only Android devices that get guaranteed updates are the Google-branded devices, and even those only get updates for two to three years.
 
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
How does the initial attack happen in the first place?
Missed this. If I had to fathom a guess, I'd say they compromise ISP hardware on the ISP side, as the modem is repeatedly the origin foothold. But that's just a stab in the dark. I'm guessing small scale where a target lives, like a local ISP substation or something.

Frickin' CSI level shit (except no enhance).

My present advice to people believing they are affected:

Talk to your neighbors. Ask if they have been experiencing similar issues. It may lead us to a trend. For all I know, you all live in the same block.

If you have multiple affected parties, contact your ISP as a group. They will certainly look into a multiple person claim, and they may contact police as well if need be.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
20,920 (4.28/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: Athlon II x4 630 3.5GHz
Motherboard ASUS P8P67 Pro :: GIgabyte GA-770T-USB3
Cooling Corsair H70 :: Thermaltake Big Typhoon
Memory 2x4GB DDR3 1866 :: 2x1GB DDR3 1333
Video Card(s) 2x PNY GTX1070 :: none
Storage Plextor M5s 128GB, WDC Black 500GB :: Mushkin Enhanced 60GB SSD, WD RE3 1TB
Display(s) Acer P216HL HDMI :: None
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Creative X-Fi Titanium Fatal1ty Pro - iLive IT153B Soundbar (optical) :: None
Power Supply FSP Hydro GE 550w :: something
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
Missed this. If I had to fathom a guess, I'd say they compromise ISP hardware on the ISP side, as the modem is repeatedly the origin foothold. But that's just a stab in the dark. I'm guessing small scale where a target lives, like a local ISP substation or something.

Frickin' CSI level shit (except no enhance).

My present advice to people believing they are affected:

Talk to your neighbors. Ask if they have been experiencing similar issues. It may lead us to a trend. For all I know, you all live in the same block.

If you have multiple affected parties, contact your ISP as a group. They will certainly look into a multiple person claim, and they may contact police as well if need be.
That's scary for a whole mess of reasons, if that is indeed the case. I'm assuming you didn't overlook something simple, such as his IP still being the same every time, or a service like DynDNS in play? Would it be possible to attack a device via the MAC address?
 
Joined
Mar 6, 2017
Messages
1,828 (1.63/day)
Location
North East Ohio, USA
Usually the MAC address isn't exposed past the first router in the chain.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
20,920 (4.28/day)
Location
Ohio
Maybe cyber ninjas can see better? Or maybe they're hitting the MAC of the router, and then the attack goes down the line?

Totally talking out of my ass here, I know next to nothing of this stuff... just presenting scenarios I think might be possible to my betters to see their answers so I can expand my own knowledge. :toast:
 
Joined
Feb 21, 2014
Messages
1,144 (0.51/day)
Location
Alabama, USA
System Name Desktop || XPS 15 9560
Processor i5 4670k || i5 7300HQ
Motherboard MSI Z87-G41 || OEM
Cooling NZXT Respire T40 || OEM
Memory 16GB 1866Mhz DDR3 || 16GB DDR4
Video Card(s) EVGA GTX 1070 FTW || GTX 1050
Storage Ultra 2 480GB + WD Black 2TB || 1TB Crucial SSD
Display(s) ASUS VS228 1080p || Dell InfinityEdge 4k
Case NZXT Source 210 White || OEM
Power Supply Corsair CXm 750w || OEM
Mouse Corsair SABRE RGB || Logitech 720 Triathlon
Keyboard Steelseries APEX RGB || OEM
Man, as someone who only does hardware and software as a hobby, no matter how much better I may be than your average non-techie, this stuff is light years from what I understand. I get the basic how of it, but the steps to get that framework in place, and then to actually act on it, still sound like science fiction to me.

Whack
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
16,146 (3.14/day)
Location
Piteå
System Name Black MC in Tokyo
Processor Ryzen 5 2600x
Motherboard Asrock B450M-HDV
Cooling AMD Wraith Spire I think
Memory 2 x 8GB G-skill Aegis 3000 or somesuch
Video Card(s) Asus GTX 760 DCU2OC 2GB
Storage Kingston A400 240GB | WD Blue 1TB x 2
Display(s) BenQ GL2450HT
Case Some old Antec
Audio Device(s) Line6 UX1 + slightly modded Sony DR-ZX302
Power Supply Fractal Design Effekt 400W
Mouse Logitech G602
Keyboard Cherry MX-Board 3.0
Software Windows 10 Pro
Benchmark Scores I once had +100 dorfs in DF, so yeah pretty great
Next level stuff this. How soon will it be fully automated and sold to script kiddies?

Anyway, one point.

I haven't heard from him in over a month, which sucks because I want to send things of his to Symantec/other AV groups/the FBI but don't know if I have his permission. Some of the evidence consists of complete, untampered-with drives, so I don't feel comfortable sending them without client permission since they surely contain a lot of his personal stuff.

Advice there appreciated, actually.
Do you know at all what's on these drives? I'd be uncomfortable as well keeping other people's data in my home ... considering what some people store on their drives. That is what I'd be worried about. If anyone finds anything truly bad, will you be an accomplice?
 
Joined
Sep 10, 2016
Messages
549 (0.42/day)
Location
Riverwood, Skyrim
System Name Storm Wrought
Processor AMD Ryzen 7 3700x @stock
Motherboard Gigabyte X570 Aorus Pro WIFI m-ITX
Cooling Be Quiet! Dark Rock Slim, CM MasterFan Pro 120 Air Balance, stock 200mm fan
Memory G.Skill Trident 2x8GB 3600MHz 16-15-15-35
Video Card(s) Gigabyte GTX 1080ti Aorus Xtreme Edition
Storage Adata XPG SX8200 Pro 1TB, Samsung 850EVO 500GB, 2TB Seagate Barracuda, LG Blu-ray drive
Display(s) Samsung UJ590UDE 32" UHD monitor
Case Silverstone TJ08B-E
Audio Device(s) Onboard, HD 599 cans
Power Supply Corsair RMx 550
Mouse Rapoo (can't remember the model number)
Keyboard Rapoo v56
Benchmark Scores Look in the various benchmark threads
@R-T-B I'm going to say this has to be one of the most interesting threads I've been in on a tech website, and it says a lot about how much skill some people out there have if they are able to achieve these kinds of attacks and keep managing to reinfect a device after it has been cleaned. In his case I think I would be saying that's enough internet for me and just pull the plug and not consider plugging it in again (with 100% new hardware) for a long time, and probably consider moving at the same time.
 
Joined
Sep 28, 2005
Messages
1,085 (0.20/day)
Location
Calgary Alberta, Canada
System Name PussySlayer
Processor Intel Core i7 4770
Motherboard Asrock Z87E-ITX
Cooling Some crappy Silverstone ITX Cooler
Memory 2x8GB Gskill RipjawsX 1600
Video Card(s) GTX 1070
Storage 1x500gb Crucial SSD
Display(s) BenQ 24" 1080P
Case Couger QBX
Audio Device(s) Onboard
Power Supply 650W EVGA BR - Coil Whine Issue
Software Windows 10 64bit Pro
Loved this thread. It scared me; now when I go home, I will have to do a thorough check on my computer and the network.

Anyway, please keep us updated if you get anything new come up.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
15,925 (3.54/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K at stock (hits 5 gees+ easily)
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (4 x 4GB Corsair Vengeance DDR3 PC3-12800 C9 1600MHz)
Video Card(s) Zotac GTX 1080 AMP! Extreme Edition
Storage Samsung 850 Pro 256GB | WD Green 4TB
Display(s) BenQ XL2720Z | Asus VG278HE (both 27", 144Hz, 3D Vision 2, 1080p)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair HX 850W v1
Software Windows 10 Pro 64-bit
Yep, and that's where I am. Not a lawyer and did not charge enough to afford one, but certainly seems the safe bet.

Already contacted him. The silence bothers me, frankly. But my hands are tied as of now.

I can say I had a HDD crash recently and lost a lot of my reports on the malware. The delay in remaking them may have shaken his confidence in me, but our last email was friendly and you'd think he'd claim his hardware... dunno.

I will say technically speaking, this is all way over my head now. I can BIOS flash. I can tell you your board is infected. I can even tell what modules are infected. But I can't fix it. Not at this level. Not when every device becomes a vector repeatedly and the origin can't be cleaned without going ISP side. I'd need either ISP cooperation or the fricking source code to whatever this thing is, and I'd probably be lost then.

I can even UNDERSTAND why they targeted him (though I can't tell you guys, I will say it's nothing bad on his part). But then we have other infections and I don't know if this isn't part of something bigger.

Wish I could help more but them damn ethics lol.
I think you're right to be concerned about having that stuff in your possession, especially if there's potentially illegal stuff on there. It's suspicious and really quite ungrateful if he's now leaving you high and dry by not responding to you.

I see that he hasn't logged onto TPU since May 30, so maybe send him a message to collect his stuff within the next couple of weeks or so, or you'll dispose of the items in a secure manner (to avoid his data getting into anyone else's hands). One way or another, you don't wanna hang on to it.
 
Joined
Oct 25, 2018
Messages
264 (0.50/day)
First time post; just joined today. This has got to be the most interesting thread I've read!!!! Crazy stuff!!!
I'm no software guy; just a 25+ year hardware nerd. The first 2 things that came to mind when I read this are:
1. It's fake.
2. These people somehow got infected with a military cyberwarfare-level worm of some sort.

Either targeted specifically, or they happened to be the unlucky "test targets" before the malware gets injected into the real intended hosts. Or in other words "went live".

Take time to consider this: if this thing is real it could basically infect every device that was connected to a "specific or local network". So you could essentially take down a huge portion of (let's say) a government network or a large company pretty quick.

If it can intrude on mobile phones as well? That's crazy. So any person's phone that has been infected could "jump" to any WIFI network. In turn now that network is infected and the worm spreads. This is starting to sound like a movie ...lol

But if this thing is real, that's just nuts. It kind of makes me think of all the accusations of China placing backdoor chips in computer hardware and phones. To me, that seems the only way something like this could be real, to gain such low-level access to firmwares and such.

There is no way in my mind that a "1 size fits all" worm would fit in this category. There are thousands of different firmware chips with a thousand types of code. I don't think that this "super worm" could identify how to intrude and identify each device unless there was something common between all the devices.
If it's real, it would have to "phone home" to a large database for a specific firmware for each independent device.
If that's not the case, then I don't think this thing is real. The size would be too big to distribute effectively.
 
Joined
Oct 6, 2018
Messages
220 (0.40/day)
System Name SALTY
Processor A10-5800K
Motherboard A75
Cooling Air
Memory 10Gig DDR133
Video Card(s) HD 7660D
Storage HDD
Display(s) 4k HDR TV
Power Supply 320 Watt
This has to be the most interesting thread I have ever read and I'm only on page 6 :D

Mainly because I read about UEFI malware, or the theory of it, a while back. It's also sad to see how the OP was jumped on at the very start without even being given time to post up what people demanded; too much of that happens too quickly.

I have played around with Kali Linux off and on and only know the extreme basics or less lol. I decided not to mess around with it after a while because I probably could get myself in trouble with the things I was learning, albeit basic stuff, but it could lead to more. Hey, everyone starts somewhere when they're learning something new..

It looked to me that lots is possible when it comes to hacking if you understand coding, which I don't BTW. Kali Linux has quite a few prebuilt tools for testing, but I'm guessing they can be altered to whatever you need if you know how to code.
 
Joined
Mar 6, 2017
Messages
1,828 (1.63/day)
Location
North East Ohio, USA
If it can intrude on mobile phones as well? That's crazy.
I mentioned Broadpwn a couple of posts back.
So any person's phone that has been infected could "jump" to any WIFI network.
It is possible.

Nitay Artenstein, the security researcher who discovered Broadpwn, had this to say...
Without that fix, it would have allowed a hacker who comes within Wi-Fi range of a target not only to hack a victim's phone, but even to turn it into a rogue access point that would in turn infect nearby phones, quickly spreading from one device to the next in what Artenstein describes as the first Wi-Fi worm.

...

He eventually spotted one crucial bug in particular, hidden in Broadcom's "association" process, which allows phones to search for familiar Wi-Fi networks before they connect to one. One part of the beginning of that handshake process didn't properly constrict a piece of data sent to it by the Wi-Fi access point back to the chip, a bug known as a "heap overflow." With a carefully crafted response, the access point could send data that corrupts the module's memory, overflowing into other parts of the memory to run as commands.

"You malform it in a special way that gives you the power to write anywhere in memory," Artenstein explains. That sort of overflow is vastly harder to exploit when a hacker is remotely attacking randomized, protected memory of modern operating systems, but worked perfectly in the memory of Broadcom's Wi-Fi module on smartphones. "It’s a pretty special bug," Artenstein says.
So yes, it is very much possible.

You see, much like how GPU memory is shared and is part of what looks like the memory pool of your typical PC, the Broadcom WiFi chip is similar in nature. One exploit there and you've got full root access to just about anything you want stored in memory of the smartphone device. This is some seriously scary stuff here. If devices aren't patched, and you best believe that many Android devices still aren't patched, God knows how many people are walking around with a device that's completely open to be hacked without them even knowing it happened to them.
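The bug class in the Wired passage quoted above (an element received during association whose length the chip trusts, so an over-long element overflows a fixed heap buffer into whatever the allocator placed next to it), as an added example in C. This is not part of the thread and is not Broadcom's code: the firmware "heap" is a flat array, the 32-byte destination buffer, the neighbouring 4-byte tagged slot, the element sizes and every function name are assumptions made for illustration. Only the information-element layout (1-byte element ID, 1-byte length, payload) and element ID 221 being the vendor-specific ID come from 802.11. The vulnerable parser sits beside the hardened one so the missing check is visible.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed "firmware heap" (an assumption, not real chip layout): a
 * fixed-capacity buffer for the copied element, with the next allocation
 * (a 4-byte tagged slot standing in for a neighbouring object) right after it. */
#define IE_BUF_CAP     32u
#define HEAP_SIZE      64u
#define BUF_OFF        0u
#define NEIGHBOUR_OFF  (BUF_OFF + IE_BUF_CAP)
#define NEIGHBOUR_TAG  0xC0FFEE00u

typedef struct { uint8_t mem[HEAP_SIZE]; } fw_heap_t;

static void heap_init(fw_heap_t *h) {
    uint32_t tag = NEIGHBOUR_TAG;
    memset(h->mem, 0, sizeof h->mem);
    memcpy(&h->mem[NEIGHBOUR_OFF], &tag, sizeof tag);
}

static uint32_t neighbour_value(const fw_heap_t *h) {
    uint32_t v;
    memcpy(&v, &h->mem[NEIGHBOUR_OFF], sizeof v);
    return v;
}

/* 802.11 information element: 1-byte element ID, 1-byte length, payload.
 * Vulnerable parser: trusts the peer-supplied length when copying into the
 * fixed buffer. The arena-edge guard only keeps this simulation defined. */
static int parse_ie_vulnerable(fw_heap_t *h, const uint8_t *ie, size_t ie_len) {
    if (ie_len < 2) return -1;
    size_t len = ie[1];
    if (len + 2 > ie_len) return -1;              /* frame-level check exists */
    /* BUG: no check that len <= IE_BUF_CAP, so bytes spill into the neighbour */
    for (size_t i = 0; i < len && BUF_OFF + i < HEAP_SIZE; i++)
        h->mem[BUF_OFF + i] = ie[2 + i];
    return 0;
}

/* Hardened parser: bounds the copy by the destination's capacity. */
static int parse_ie_hardened(fw_heap_t *h, const uint8_t *ie, size_t ie_len) {
    if (ie_len < 2) return -1;
    size_t len = ie[1];
    if (len + 2 > ie_len) return -1;
    if (len > IE_BUF_CAP) return -2;              /* FIX: reject oversized element */
    memcpy(&h->mem[BUF_OFF], ie + 2, len);
    return 0;
}

/* Constructed malicious element: ID 221 (vendor-specific), length 40:
 * 32 bytes fill the buffer, the next 8 land on the neighbouring allocation. */
static size_t build_evil_ie(uint8_t *out, size_t cap) {
    const size_t payload = IE_BUF_CAP + 8;
    if (cap < payload + 2 || payload > 255) return 0;
    out[0] = 221;
    out[1] = (uint8_t)payload;
    memset(out + 2, 'A', IE_BUF_CAP);
    memset(out + 2 + IE_BUF_CAP, 'B', 8);         /* neighbour becomes 0x42424242 */
    return payload + 2;
}

/* Neighbour's value after feeding the element to the vulnerable parser. */
static uint32_t vulnerable_neighbour_after(void) {
    fw_heap_t h; uint8_t ie[64];
    heap_init(&h);
    parse_ie_vulnerable(&h, ie, build_evil_ie(ie, sizeof ie));
    return neighbour_value(&h);
}

/* Return code of the hardened parser on the same element. */
static int hardened_rc(void) {
    fw_heap_t h; uint8_t ie[64];
    heap_init(&h);
    return parse_ie_hardened(&h, ie, build_evil_ie(ie, sizeof ie));
}

/* Neighbour's value after the hardened parser rejected the element. */
static uint32_t hardened_neighbour_after(void) {
    fw_heap_t h; uint8_t ie[64];
    heap_init(&h);
    parse_ie_hardened(&h, ie, build_evil_ie(ie, sizeof ie));
    return neighbour_value(&h);
}

int main(void) {
    printf("vulnerable: neighbour = 0x%08x\n", (unsigned)vulnerable_neighbour_after());
    printf("hardened:   rc = %d, neighbour = 0x%08x\n", hardened_rc(),
           (unsigned)hardened_neighbour_after());
    return 0;
}
```

The vulnerable path leaves the neighbouring slot reading 0x42424242; the hardened path returns -2 and leaves it at its original tag. What the quote calls "the power to write anywhere in memory" starts exactly here: a length byte from the air used as a copy bound with no comparison against the destination's size, on a chip that, as the article notes, had none of the memory protections a modern OS would put in the way. When reviewing firmware, that comparison (or its absence) is the thing to look for at every copy whose length comes from a received frame.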
 
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
Do you know at all what's on these drives? I'd be uncomfortable as well keeping others people data in my home ... considering what some people store on their drives. That is what I'd be worried about. If anyone finds anything truly bad, will you be an accomplice?
I've thought about this. Fortunately I saw no signs of anything strange / iffy / illegal on the other drives, which I actually went through pretty thoroughly to investigate the malware. I assume innocence based on that; hope that's enough and that I am correct.

He was also very eager to go to the FBI last I talked which works in his favor.

I see that he hasn't logged onto TPU since May 30, so maybe send him a message to collect his stuff within the next couple of weeks or so, or you'll dispose of the items in a secure manner (to avoid his data getting into anyone else's hands). One way or another, you don't wanna hang on to it.
I think this is what I will do... I like this plan the most. I will give him a "30 days notice" in case it's just a vacation or slow email or something. After that, data-bearing devices will be disposed of properly.

Appreciate all the advice.
 
Joined
Oct 18, 2007
Messages
1,248 (0.27/day)
System Name Firebird
Processor Intel i7 2600K @5.0'ish 24/7 stock core Voltage {5.2 w/102 bCLK}
Motherboard Intel Extreme DZ68BC SkullTrail Z68 Cougerpoint, Excellent MCH !
Cooling Scythe NINJA PLUS Rev.B[skt478] Modded to 1155 Scythe SH12 fan
Memory Samsung 32nm 16Gb 4x4 (@19xxmhz} low profile[ better than 2133 banwidth]
Video Card(s) MSI GTX980Ti Gaming / EVGA Titan SC
Storage Intel 512 SSD, Toshiba 3Tbx2,Hitachi 320,1TBx2,'Cuda 400 7200.10, WD1TBUSB,moved to SATA
Display(s) Acer K272HUL 1440 27" WQHD, Samsung 226W, Vizio M60C3 4K 60",Vizio XVT3D554SV
Case CoolerMaster HAF 932
Audio Device(s) Intel 10ch[9+1] HD Audio X540> Pioneer VSX39TX[copper chasis,Rosewood sides 5x6LCD remote
Power Supply Seasonic X750 @ 24/7
Mouse Logictech G300s
Keyboard Saitek Cyborg v7
Software Windows 7 ROG E3 X64 by Neuropass/tweakscene
Benchmark Scores 4642@665/1600 220/GAT F1 4544 220/667strap 2.5/3/2/6 Bliss 650/1500 6490 Q6700 Bliss 690/1500
If you didn't find anything on there that you felt was not illegal, I'd just put them away somewhere and still have them in case you find more issues of a similar kind cropping up. I mean there must be a "someone" in the cyber security system that would be willing to use the item(s) to help further track and decipher from where you have got to. After all, you have done most all the leg work in narrowing it down.
Also, want to say a huge kudos for what you have done ! :toast: Completely respect just how far you have gone in this issue.
 
Joined
Oct 25, 2018
Messages
264 (0.50/day)
What blows my mind is that the first targeted individual seems to be some sort of "ransomware" or such. But then the next report seems to describe the same type of behavior. Makes me wonder how people get the tools to make these worms. The whole process of how it jumps around to different firmwares within the computer seems like a well thought out process. I picture a team of malware creators in front of a big whiteboard discussing how to make the infection spread with 100% success.

I'm no security expert by any means, but I still don't know how this malware jumps the devices' firmwares. The VBIOS, SSDs, and the actual computer BIOS itself are all different types of firmware with different programming, correct? Then the talk about infecting the phones also? I'm going to take a highly uneducated guess and say this would only be possible if root access was gained first through a network intrusion; then the malware phoned home to its master, which downloaded, then embedded itself in the different areas of the system. If not, this file size would have to be huge to catalog all the needed code to do what these folks are claiming. Not impossible to affect a large number of (let's say) Windows computers and Android phones, but it doesn't seem possible to also infect iPhones, Linux computers, and the hundreds of other types of network devices that we use every day....
 
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
I'm no security expert by any means, but I still don't know how this malware jumps the devices' firmwares. The VBIOS, SSDs, and the actual computer BIOS itself are all different types of firmware with different programming, correct?
Yep. And that's what makes it both hard to believe (I wouldn't have believed it had I not seen it myself) and also terrifying.

They probably needed firmware source code to do this IMO. That means... either there is a big leak somewhere in many companies, or this is state level stuff. I don't know and can only theorize.
 
Joined
Oct 8, 2018
Messages
54 (0.10/day)
Location
UpNorth-UK
System Name Overkill!
Processor i7-8700k
Motherboard Asus Prime Z370-A
Cooling Corsair H100i v2
Memory 32GB DDR4@2400Mhz
Video Card(s) Evga 980ti FTW
Storage Samsung Evo 500GB
Power Supply Evga 1000W G2
Software Win 10 Pro
Yep. And that's what makes it both hard to believe (I wouldn't have believed it had I not seen it myself) and also terrifying.

They probably needed firmware source code to do this IMO. That means... either there is a big leak somewhere in many companies, or this is state level stuff. I don't know and can only theorize.
If your customer doesn't respond, have you considered giving the card to the authorities?
 
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
If your customer doesn't respond, have you considered giving the card to the authorities?
It wasn't the GPU that was infected in the end. It was his mobo and various other components. But not his GPU, ironically. It always was clean.

I no longer possess the hardware and my software samples were lost in my HDD crash. The only evidence I have remaining is sadly, one complete virgin SSD and several virgin USB sticks, which I assume to be infected (they were taken from a very "sick" system). I could hand those over sure but there are all sorts of ethical reasons that make it tricky. As such, I probably won't be.

I may examine them prior to destruction though (if we get there) and try to rebuild my malware sample collection. The only issue with that is the samples aren't valuable to a criminal investigation if you tampered with the drive in pretty much any way. But if he's not contacting me anyways, we can't exactly press any charges either way, so... that might not be a bad idea.

Then at least antimalware companies would get something new to look at, and I could filter out anything personal.
 
Joined
Oct 25, 2018
Messages
264 (0.50/day)
It's kind of weird that the anti-malware companies are not more interested in this. They are all trying to one-up each other all the time. I would think they would jump on the opportunity to be the first to discover this "super worm", so to speak. I should not be calling it a "worm" anymore; it's effectively a worm, Trojan, rootkit, and almost adware because it's not hiding itself .....it's like this thing wants to be found and let the user know it's there but they can't do anything about it...lol.....WTF?????
 
Joined
Oct 8, 2018
Messages
54 (0.10/day)
Location
UpNorth-UK
It wasn't the GPU that was infected in the end. It was his mobo and various other components. But not his GPU, ironically. It always was clean.

I no longer possess the hardware and my software samples were lost in my HDD crash. The only evidence I have remaining is sadly, one complete virgin SSD and several virgin USB sticks, which I assume to be infected (they were taken from a very "sick" system). I could hand those over sure but there are all sorts of ethical reasons that make it tricky. As such, I probably won't be.

I may examine them prior to destruction though (if we get there) and try to rebuild my malware sample collection. The only issue with that is the samples aren't valuable to a criminal investigation if you tampered with the drive in pretty much any way. But if he's not contacting me anyways, we can't exactly press any charges either way, so... that might not be a bad idea.

Then at least antimalware companies would get something new to look at, and I could filter out anything personal.
I assume you destroyed the motherboard and the other bits?

This is frightening stuff alright. I never thought someone could end up having a machine filled with such an infectious disease. And in all my years I've never seen anyone visit a forum and ask for help on this level. Kudos to you for taking it on.

Sorry to hear your HDD crashed, typical I guess.
I was reading earlier that he said he had reported this to the FBI, did you ever check that out?

If the malware has never been seen before and foreign, I would guess this would fall into the National Security category?

Since he hasn't contacted you I can only assume he's shitting himself....somewhere.
Apologies for all the questions. I'm really fascinated by this and what you're dealing with.

Perhaps he's been messing with things he shouldn't have been messing with.
 
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
Perhaps he's been messing with things he shouldn't have been messing with.
I saw no evidence of that, but after what I have seen anything is possible.

His mobo was reflashed and returned to him. Worked well for about 1 month until the second, more vicious attack. I have no idea of its status now.
 
Joined
Oct 8, 2018
Messages
54 (0.10/day)
Location
UpNorth-UK
I saw no evidence of that, but after what I have seen anything is possible.

His mobo was reflashed and returned to him. Worked well for about 1 month until the second, more vicious attack. I have no idea of its status now.
Sounds like the OP has been targeted as others have suggested. And perhaps pissed someone or some entity off.
Personally, if I had that kind of news I would have put the hardware through an industrial mincing machine.....Then quickly put the house up for sale.
 
Joined
Aug 20, 2007
Messages
12,690 (2.75/day)
Sounds like the OP has been targeted as others have suggested. And perhaps pissed someone or some entity off.
Personally, if I had that kind of news I would have put the hardware through an industrial mincing machine.....Then quickly put the house up for sale.
I don't seem to be on anyone dangerous's radar right now at least. But it certainly hasn't been my favorite case either.
 