• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Joined
Oct 25, 2018
Messages
234 (0.64/day)
Sounds like this guy went dark after the 2nd attack. I think I would do the same. Sounds like he reached out to have a "paper trail" of events too protect himself and his family. It looks like he had noticed this issues around or before March 2018; based on his post he shared at the beginning of this thread. I'll take a guess; but I don't think he will make contact again. I know I would not. I wouldn't have an issue moving too a remote location in the mountains or nice beach with white sand Beach, clear water and say f#%/ computers and modern conveniences. ...sounds great IMOP.....
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
20,636 (4.37/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: Athlon II x4 630 3.5GHz
Motherboard ASUS P8P67 Pro :: GIgabyte GA-770T-USB3
Cooling Corsair H70 :: Thermaltake Big Typhoon
Memory 2x4GB DDR3 1866 :: 2x1GB DDR3 1333
Video Card(s) 2x PNY GTX1070 :: none
Storage Plextor M5s 128GB, WDC Black 500GB :: Mushkin Enhanced 60GB SSD, WD RE3 1TB
Display(s) Acer P216HL HDMI :: None
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Onboard - iLive IT153B Soundbar (optical) :: None
Power Supply EVGA 500w 80 Plus :: Wounded Corsair CX600
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
At this point it sounds like he needs a new identity. Physically move, get new hardware, new ISP, and return to the internet as someone else. If it were me, "hat" might disappear, and later return as someone else, of course never alluding to the fact that I used to be hat. With no common identifiers to my old identity, might be safe from such targeted attacks.
 
Joined
Jan 11, 2018
Messages
193 (0.30/day)
Location
HSV and SFO
Unreal! Makes me want to rip the cable modem out of the wall, cut my power and light a fire in the living room and throw everything electronic in it!

This is seriously the next level, and it's on purpose. People will take the power and money because there's connections to the outside world that allow them to.

I wonder how much just cutting (literally) the internet and removing all batteries/not charging cell phones would really defend in such an attack?
 
Joined
Aug 20, 2007
Messages
11,673 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
Sounds like this guy went dark after the 2nd attack. I think I would do the same. Sounds like he reached out to have a "paper trail" of events too protect himself and his family. It looks like he had noticed this issues around or before March 2018; based on his post he shared at the beginning of this thread. I'll take a guess; but I don't think he will make contact again. I know I would not. I wouldn't have an issue moving too a remote location in the mountains or nice beach with white sand Beach, clear water and say f#%/ computers and modern conveniences. ...sounds great IMOP.....
This is actually what I suspect happened. Maybe not full out "go to a remote place somewhere" but at least he cut of his digital device life completely. I wouldn't blame him frankly.

The thing is, if it was targeted, they may not stop at network attacks. I wish him the best and hope things don't get ugly for him. He seemed like a nice guy from my interactions with him who just had a lot of frustration.
 
Joined
May 30, 2018
Messages
744 (1.46/day)
Location
Cusp Of Mania, FL
System Name humble reentry to pc-building after too many years
Processor Ryzen 5 2600 [4.0GHz @ 1.1v]
Motherboard Asus ROG Strix X370-F
Cooling Dark Rock 4 [CPU] 2x 140mm Corsair ML140's [front intake]
Memory 2x8GB TridentZ RGB [3200Mhz 14-14-14-28-42 @ 1.37vCore/.98vSoc]
Video Card(s) Asus ROG Strix RTX 2060 OC
Storage 970 EVO 500GB nvme, 860 EVO 250GB SATA, Seagate Barracuda 1GB HDD
Display(s) 32" Samsung F395 [1080/60]
Case NZXT S340 Elite
Audio Device(s) Schiit Modi 2 Uber, Sys, Vali 2, Scarlett 2i2 gen2 - LSR 305's, DT-990 Pro's, HD600's
Power Supply Corsair RM650x v2
Mouse iunno whatever cheap crap logitech *clutches Xbox 360 controller security blanket*
Keyboard HyperX Alloy Pro
Software Windows 10 Pro
Benchmark Scores Nothing too impressive, but it serves me well. Good to be fully back in it with a decent build!
Yeah... this all gives me the creeps, especially as I help my parents tighten down after their recent savings account breach. Money is safe - still looking into the status of my mom's identity, though. Bank isn't giving details about how the breach occurred other than "Your computer was hacked." My non-technically-inclined parents picture some master hacker typing away as he scours their hard drive and instantaneously plucks every bit of sensitive info from betwixt all of the ones and zeros - just like that, as though he is literally on their PC watching every single thing they do, while I kind of laugh to myself at how ridiculous that image is, knowing what I do about how security generally works and what likely actually happened - I can look at her habits and see where she had low-hanging fruit. I like to think I know well enough how these things tend to go in reality, so the idea of the aforementioned scenario and what's shown in this thread just sounds so far beyond out there. You instinctively dismiss it as something that only happens in b-list sci-fi and look to a more "realistic" approach. "Haha, what? Oh no, it's nothing like that..."

But then... seeing that stuff like this is even possible at all (like, not just as a demonstrable theory but in the wild) really makes you think about how little you actually know and how much you may be taking for granted. I guess sometimes it really is like in the movies o_O The precedent stuff like this sets is actually kind of staggering. It shouldn't be possible, but then you start thinking about it and you realize it's merely improbable...

Usually, you think you just carry out the best practices you can in the most effective/practical way, consider the possibilities, adopt proper measures, and that's "enough." Maybe it doesn't cover everything but the chances are slim enough not to worry, for you, anyway. Your bases are covered - your level of protection is limited only by how far you are willing to go. You assume it is generally possible to go further than would be worth going for someone who wants what you have. Or at least it would be so impractical as to be unattainable by anyone other than a mad genius.

And if there is a breach, you figure it will at least be containable once identified, even if data is lost/surrendered before you regain control. Sometimes it gets involved, but you whittle it down and find it. You then pick up the pieces, re-adapt, and move on. Who could ever expect to be held captive by it indefinitely? That's not supposed to be possible. I feel like you could present this story on paper as a potential scenario, describing it clearly and logically, step by step, in painstakingly minute detail, as a renowned expert, and even people who really understand this stuff would laugh and say you have a great imagination. Next you're gonna tell me it's following him around the world, or maybe into space!

It's just... like, in the general populous' general conception of tech there exists the concept of this magic key that someone with enough know-how can acquire and use to get total access or control. A doomsday virus. It dodges every counter-measure through undetectable means and wreaks havoc on major systems. It quickly takes hardware and makes junk out of it through unseen vectors. But the thing is, it's supposed to be symbolic!


The suspense is killing me. And chances are we may never know what really happened. What if it was something stupid or there's another side to the story? That almost seems less likely at this point, but not knowing how this has really been possible is a friggin gut-twister, man! Just... ...the requisites for pulling this off are pretty astronomical in my tiny head. And yet, here we have a pretty compelling story. I don't wanna say I don't believe it because I honestly don't know what to think. I think I don't want to believe it.

I guess if there's anything to this, we'll hear all about it eventually. Or maybe if things like this really are happening, that's precisely why we'll never know. On one hand, some things... one is better off not knowing, but sometimes seeing something terrible happen to someone else is the only way to prevent yourself from sharing their fate. Tough to know where the line is between being a cautious observer and an unwilling participant.

Regardless, it's a fascinating story. Deep down inside I really hope you hear from that guy again, R-T-B, though I understand very well why you would want to wash your hands of something like this. Much respect for actually delving in as much as you have and maintaining a good sense of ethics and personal responsibility. I think you've handled it better than the rest of us would have, if we'd even have touched it at all. I really appreciate you sharing your side of the story and doing all of the work you've done, and I'm sure I'm not alone there.

Just getting the thought out there makes a difference, yanno? I've been inspired to rethink my own security practices because of it, even knowing I will likely never be a target for anything even remotely like this. Maybe I'm being a little dramatic here... ...it's a craaazy story though! I'm sure the reality isn't quite as mysterious as it seems to us. But it really does make you wonder how things like this happen.
 
Last edited:

hat

Enthusiast
Joined
Nov 20, 2006
Messages
20,636 (4.37/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: Athlon II x4 630 3.5GHz
Motherboard ASUS P8P67 Pro :: GIgabyte GA-770T-USB3
Cooling Corsair H70 :: Thermaltake Big Typhoon
Memory 2x4GB DDR3 1866 :: 2x1GB DDR3 1333
Video Card(s) 2x PNY GTX1070 :: none
Storage Plextor M5s 128GB, WDC Black 500GB :: Mushkin Enhanced 60GB SSD, WD RE3 1TB
Display(s) Acer P216HL HDMI :: None
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Onboard - iLive IT153B Soundbar (optical) :: None
Power Supply EVGA 500w 80 Plus :: Wounded Corsair CX600
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
I'll admit it has me wondering as well, what I can do to tighten things down. It'd be nice if there was some sort of guide somewhere... but anything I can find usually falls basics like changing your default router password and putting a password on your wifi, to doing more, less effective things like a mac filter, hiding the SSID, etc... all of which are easily sidestepped by anyone who would be trying to hack you, anyway.
 
Joined
Oct 8, 2018
Messages
54 (0.14/day)
Location
UpNorth-UK
System Name Overkill!
Processor i7-8700k
Motherboard Asus Prime Z370-A
Cooling Corsair H100i v2
Memory 32GB DDR4@2400Mhz
Video Card(s) Evga 980ti FTW
Storage Samsung Evo 500GB
Power Supply Evga 1000W G2
Software Win 10 Pro
I don't seem to be on anyone dangerous's radar right now at least. But it certainly hasn't been my favorite case either.
It just goes to show how easily malware can spread. I'm sure we'd all like to know how it ended up in his machine.
After your research has concluded will you be issuing a white paper regarding this by any chance?
(Or a book ;))

I'll admit it has me wondering as well, what I can do to tighten things down. It'd be nice if there was some sort of guide somewhere... but anything I can find usually falls basics like changing your default router password and putting a password on your wifi, to doing more, less effective things like a mac filter, hiding the SSID, etc... all of which are easily sidestepped by anyone who would be trying to hack you, anyway.
I've only had my personal details stolen once. That was when an online store here in the UK had their systems breached. Cheeky SOB's spent 2k on my credit card making purchases from that very store, then exchanged currencies that incurred a fee. No apologies from the store. The CC company quickly refunded me and that was that.
Now I do all I can security wise, from changing the router password regularly and making it as difficult as possible (This annoys my wife BTW) to breach, to changing my banking and other online account passwords on a regular basis. I'm not paranoid. It's all in the media. Some ignore it at their own peril then complain when they are hacked.
 
Joined
Oct 25, 2018
Messages
234 (0.64/day)
Remember a few years back with all the Snowden leaks? the whole XKeyscore system? It was only 5 years ago but people are quick to forget....
https://www.reddit.com/r/news/comments/1jfcf8 What is funny is the few leaks that he released was data from 2008!!! 10 years ago!!!! I can only imagine what they are using now....lol....

That's when I finally realized that internet security is pretty much a joke. it really only keeps 75% of the population from
hacking your stuff or stealing your ID. I view that like simple door locks on your car. it keeps the average guy from breaking into your car basically as a "deterrent".

For example the professional thief; he knows several different ways to gets what he wants.
If there is something of value inside the car (or the maybe the car itself) those door locks are pretty laughable really.
Remember this; If someone wants something bad enough they will usually get it.

That's how I view so called "security" of online activity. You have to change your mindset too "everything I do may or may not be viewed or logged by a 3rd party"
Think of it as someone "could" have a keylogger installed when you login to your online bank account, or someone
"could" remote into your computer and see all that cracked software or porn from torrent sites....ect....
Any online activity should be assumed viewable or traceable by a 3rd party.

Think of this also, Google and many other search sites (Facebook included now) track your searches and which sites you visited so they can send you relative ads.
This has been going on probably 10 years (at least from my memory anyhow.)
Ironically, all of the sudden you get "relevant Ad's from Windows 10 pop up on your computer from sites you visited, online purchases...ect..
That is the very same thing a place of buisness selling your info to another company. Is that not supposed to be against the law?
 
Joined
Oct 8, 2018
Messages
54 (0.14/day)
Location
UpNorth-UK
System Name Overkill!
Processor i7-8700k
Motherboard Asus Prime Z370-A
Cooling Corsair H100i v2
Memory 32GB DDR4@2400Mhz
Video Card(s) Evga 980ti FTW
Storage Samsung Evo 500GB
Power Supply Evga 1000W G2
Software Win 10 Pro
Well said, I couldn't agree more. Until people are taught the security dangers this stuff will continue. Perhaps it should be taught in schools.

As for adverts popping up. Nope, non here. Not if you have a decent browser and ad blocking apps.
Windows 10 can be tamed a little. Not clearing cookies will allow you to be followed around unless you delete then as soon as your browser is closed.
But then again all efforts to keep safe can be broken with updates, then you're back to square one.
The list is endless.

I don't think there is a law against selling users data unfortunately. Perhaps we are all being profiled in one way or another.
From shopping habits, what movies you watch, to who you know. Information that was scarce before the PC's were introduced into the home.
 
Last edited:
Joined
Oct 25, 2018
Messages
234 (0.64/day)
Yes, of course your'e correct; Windows can be tamed, and Ad blocks can be installed. I should have stated that by defuult alot of programs
and OS's have to be tweaked. The user has to go out of his way to remove cookies, empty browser cache, turn off reletive ads in windows setting
(Of which seems to change all the time, and I still can't remember where stuff is!!!!) and install a good 3rd party adblocker/remover.

https://www.businessinsider.com/facebook-gets-top-fine-ico-cambridge-analytica-data-breach-2018-10

lol...this is good. I have never liked Facebook anyways.

But its probably only a spank on the hand; they have DEEEP pockets; I have always thought that have ties to GOV.

I mean, think about it; what a concept. Millions of people voluntarily post everything about their lives with 100's of pictures and locations for almost everyone
to see. then share who thier family members are, where they live, where their from, who they hang around currently (and previously)where they go to school, where they hang out...ect...
As far as the "average Joe"; I doubt the NSA has to collect anything on us. We submit it for them.
 
Joined
Jan 11, 2018
Messages
193 (0.30/day)
Location
HSV and SFO
I mean, think about it; what a concept. Millions of people voluntarily post everything about their lives with 100's of pictures and locations for almost everyone
to see. then share who thier family members are, where they live, where their from, who they hang around currently (and previously)where they go to school, where they hang out...ect...
As far as the "average Joe"; I doubt the NSA has to collect anything on us. We submit it for them.
Yep, and at a resume and job seminar the head of HR of a company said to make sure you don't post anything you don't want anyone to see, even if it's private because ALL companies HR have back doors to see EVERYTHING. And this is just HR depts--your friendly gov will have much more ability to see stuff.

But it's funny because I don't think anyone could have developed such a brilliant system to spy on their citizens down to every minute detail--it's deviously genius.
 
Joined
Oct 25, 2018
Messages
234 (0.64/day)
I know right??...Does anyone remember Myspace? was myspace first? or facebook first? I dont remember....that was like 14 years ago...lol.
I always liked Myspace better. It was more of like and ad for yourself to hook up with girls and such.
Good ol' times.....I remember my flip phone back then...:rockout::rockout:
people make fun of those phones but the fact that they we not connected to the internet 5 different ways was sweet. simple 2 band phone 900Mhz/1900Mhz that
was it. you could get data on your black and white screen; but it was worse than dial up speeds..lol. but you could disable it.
The only way they could trace you was the good old "keep em on the phone for 45 sec so we can triangulate him by pinging off of 3 cell towers"

I was thinking about this; every new smart phone has Wi-Fi, Bluetooth, 4GLTE, Built-in GPS, and the regular Talk bands (CDMA or GSM)
That is 5 ways for anyone to track you down or find out what your doing. All of those protocols can be hacked!
We are all walking transmitters....
 
Joined
Jan 11, 2018
Messages
193 (0.30/day)
Location
HSV and SFO
Friendster and Myspace were the leaders in the time before fb, and once someone figures out that all they need is to be able to change the front end dynamically for any ui, there will only be one network that can look like any of the others--fb, yt, ig, blah, blah. All the data is in a database, and a lot of times it's the same data across different networks. If one network could look and function like any network--existing or not even made yet--it would be the only social network. If I knew how to program I would have already built this and killed fb and all the others with my site that looks like any one you want it to, all at a click. You'd never leave my site but basically would have your fb, yt, myspace, everything in one site, one place, one owner of ALL the data...mwahahahaha! :eek:

The early days of cell phones were definitely simpler, and they also worked better as phones. You didn't have to tap, press, swipe 10 different times just to dial a single number. :shadedshu:
 
Joined
Oct 8, 2018
Messages
54 (0.14/day)
Location
UpNorth-UK
System Name Overkill!
Processor i7-8700k
Motherboard Asus Prime Z370-A
Cooling Corsair H100i v2
Memory 32GB DDR4@2400Mhz
Video Card(s) Evga 980ti FTW
Storage Samsung Evo 500GB
Power Supply Evga 1000W G2
Software Win 10 Pro
Yes, of course your'e correct; Windows can be tamed, and Ad blocks can be installed. I should have stated that by defuult alot of programs
and OS's have to be tweaked. The user has to go out of his way to remove cookies, empty browser cache, turn off reletive ads in windows setting
(Of which seems to change all the time, and I still can't remember where stuff is!!!!) and install a good 3rd party adblocker/remover.
I do the same. Lesson learned from using a PC in the early days of the internet.

I'm surprised people were shocked by this. Didn't Snowden tell the world about this type of activity a few years ago?
Yep, I think he did. But then some have short memories and don't really care.

But its probably only a spank on the hand; they have DEEEP pockets; I have always thought that have ties to GOV.
I mean, think about it; what a concept. Millions of people voluntarily post everything about their lives with 100's of pictures and locations for almost everyone
to see. then share who thier family members are, where they live, where their from, who they hang around currently (and previously)where they go to school, where they hang out...ect...
As far as the "average Joe"; I doubt the NSA has to collect anything on us. We submit it for them
Agreed.
I've seen people air dirty laundry on Facebook many times as if others outside their circle aren't watching. Must make great entertainment for those who do.
 
Joined
Aug 20, 2007
Messages
11,673 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
I'm not really following this thread right now but I thought everyone would like to know my client is alive and well. He got in touch with me just tonight after setting up a honeypot of sorts with a wireshark monitor. He's hoping the net capture trafic will help his case with the FBI. I'm probably going to be sending him his things soon for said case. But at any rate, he wasn't eliminated or anything horrible, he just was taking some time letting his system do a "userfree run" for which to capture a lot of what this malware is doing.

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Hopefully it works out for him, but I'm largely uninvolved now. Thank you for everyones advice and lets hope something good comes of this whole saga.
 

hat

Enthusiast
Joined
Nov 20, 2006
Messages
20,636 (4.37/day)
Location
Ohio
System Name Starlifter :: Dragonfly
Processor i7 2600k 4.4GHz :: Athlon II x4 630 3.5GHz
Motherboard ASUS P8P67 Pro :: GIgabyte GA-770T-USB3
Cooling Corsair H70 :: Thermaltake Big Typhoon
Memory 2x4GB DDR3 1866 :: 2x1GB DDR3 1333
Video Card(s) 2x PNY GTX1070 :: none
Storage Plextor M5s 128GB, WDC Black 500GB :: Mushkin Enhanced 60GB SSD, WD RE3 1TB
Display(s) Acer P216HL HDMI :: None
Case Antec SOHO 1030B :: Old White Full Tower
Audio Device(s) Onboard - iLive IT153B Soundbar (optical) :: None
Power Supply EVGA 500w 80 Plus :: Wounded Corsair CX600
Software Windows 10 Pro - Plex Server on Dragonfly
Benchmark Scores >9000
I'm not really following this thread right now but I thought everyone would like to know my client is alive and well. He got in touch with me just tonight after setting up a honeypot of sorts with a wireshark monitor. He's hoping the net capture trafic will help his case with the FBI. I'm probably going to be sending him his things soon for said case. But at any rate, he wasn't eliminated or anything horrible, he just was taking some time letting his system do a "userfree run" for which to capture a lot of what this malware is doing.

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Hopefully it works out for him, but I'm largely uninvolved now. Thank you for everyones advice and lets hope something good comes of this whole saga.
Thanks, let us know any updates when/if you hear... :toast:
 
Joined
May 30, 2018
Messages
744 (1.46/day)
Location
Cusp Of Mania, FL
System Name humble reentry to pc-building after too many years
Processor Ryzen 5 2600 [4.0GHz @ 1.1v]
Motherboard Asus ROG Strix X370-F
Cooling Dark Rock 4 [CPU] 2x 140mm Corsair ML140's [front intake]
Memory 2x8GB TridentZ RGB [3200Mhz 14-14-14-28-42 @ 1.37vCore/.98vSoc]
Video Card(s) Asus ROG Strix RTX 2060 OC
Storage 970 EVO 500GB nvme, 860 EVO 250GB SATA, Seagate Barracuda 1GB HDD
Display(s) 32" Samsung F395 [1080/60]
Case NZXT S340 Elite
Audio Device(s) Schiit Modi 2 Uber, Sys, Vali 2, Scarlett 2i2 gen2 - LSR 305's, DT-990 Pro's, HD600's
Power Supply Corsair RM650x v2
Mouse iunno whatever cheap crap logitech *clutches Xbox 360 controller security blanket*
Keyboard HyperX Alloy Pro
Software Windows 10 Pro
Benchmark Scores Nothing too impressive, but it serves me well. Good to be fully back in it with a decent build!
As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.
Honestly, given his situation... ...that's just a generally prudent way to operate. When this all started he had to know something was distinctly unusual, but he probably didn't anticipate the FBI investigation and everything else that has followed. I know if I had crap like that to deal with, I wouldn't even be talking to too many people I actually know about it, let alone strangers on the internet. Why expose yourself if you can avoid it? I mean... ...blabbing to people you don't know about a big problem with an unknown source is just... ...for me it wouldn't be a matter of paranoia or necessarily trust, just principle. It's not about whether anyone here even could have anything to do with anything. That would be a little silly. It's the idea of it. Not the best time to go putting yourself out there for no reason... ...not when you're already in a vulnerable position.

Seems like he's in good hands, and they seem to have given him good advice. I'm sure they'll get it figured out. And what a story that would be. Or maybe it wouldn't, hah. Crazy stuff. Here's hoping they've collected something good.
 

RootnBoot/dev/null

New Member
Joined
Oct 25, 2018
Messages
2 (0.01/day)
Sorry, if something really that sophisticated has attacked your computer, you'll just have to buy everything new again...
I have been dealing with a similar malware infection for several months... While i can actually flash the vbios and mb bios, or atleast i can go through the process which reports success.. But it does zero good. Ultimately what we are seeeing is not a piece of malware but a framework like metasploit for kali linux, only this is pieced together using many legitimate tools and files that have been repurposed. My extensive reading of logs, config files as well as plain text data located in many of the corrupt .dlls indicate something that is actively being developed, i wont go into the entire craziness that i have witnessed as this basically ate a brand new highend desktop and laptop as well as a handfull of old junk boxes i used to research and study. At the end of the day the reason it seems undefeatable is because it has corrupted the spi flash memory.. And therefore is god. The uefi bios is most likely being loaded from a repository thats been created in reported bad clusters on the hdds.. Which gives it space that isnt even looked at by anything, beyond that it runs a fuse file system on the hdds ensuring you will likely never access the real root directory... And in my case my os installs. are basically being virtualized... Turning my systwm into a vm ...

It was creating virtual raid array and utilizing gpu memory as a virtual hd in the array.

The motherboard will need to be rma'd and the spi reflashed along with the uefi bios, thwn fresh hd fresh install media and periphrials. The card SHOULD BE OK AT THAT POINT so says asus. Good luck.
 
Joined
May 8, 2016
Messages
853 (0.67/day)
System Name BOX
Processor Xeon E5-1680 v2 @ 4,3GHz
Motherboard Sabertooth X79 (BIOS 4801 + NVMe mod + uCode update)
Cooling Thermalright Venomous-X (w/LGA 2011 kit) + 2x Delta PWM Push-Pull
Memory 8x A-Data Xtreme 2000X 2GB (1868MHz CL8.9.8.24 CR2T @ 1,65V)
Video Card(s) ASUS GTX 1080 (FE)
Storage Samsung SM961 256GB NVMe, RAID0 2x WD10EZEX (1TB), HGST HUS726060ALE610 (6TB)
Display(s) Samsung T240
Case NZXT Tempest (Nanoflux/PWM fans only, some w/LEDs)
Audio Device(s) ASUS Essence ST Deluxe 7.1
Power Supply Seasonic X-760 (760W)
Mouse Roccat Savu
Keyboard Logitech UltraXPremium
Software Windows 10 Pro x64
Benchmark Scores https://www.passmark.com/baselines/V9/display.php?id=108080818886
Side question : Can this malware work on PC that doesn't support virtualisation or/and has non-UEFI MB (ie. Pentium 4 Prescott-1M [E0] or 1-st gen Core i7 with legacy BIOS) ?
 
Last edited:
Joined
Aug 20, 2007
Messages
11,673 (2.62/day)
System Name Pioneer
Processor Intel i9 9900k @ Stock
Motherboard ASRock Z390 Taichi
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory G.SKILL TridentZ Series 32GB (4 x 8GB) DDR4-3200 @ DDR4-3400 14-14-14-34-2T
Video Card(s) EVGA GTX 1080 FTW2
Storage HGST UltraStar 7K6000 3.5" HDD 2TB 7200 RPM (w/128MBs of Cache)
Display(s) LG 32GK850G-B 1440p 32" AMVA Panel G-Sync 144hz Display
Case Thermaltake Core X31
Audio Device(s) USB Schiit Modi Multibit to Asgard 2 Amp to AKG K7XX Ruby Red Massdrop Headphones
Power Supply Seasonic PRIME 750W 80Plus Titanium
Mouse ROCCAT Kone EMP
Keyboard WASD CODE 104-Key w/ Cherry MX Green Keyswitches, Doubleshot Vortex PBT White Transluscent Keycaps
Software Windows 10 x64 Enterprise... yes, it's legit.
Side question : Can this malware work on PC that doesn't support virtualisation or/and has non-UEFI MB (ie. Pentium 4 Prescott-1M [E0] or 1-st gen Core i7 with legacy BIOS) ?
Probably not this variant. But there are probably variants that can, if I were to guess.
 
Joined
Oct 25, 2018
Messages
234 (0.64/day)
I have been dealing with a similar malware infection for several months... While i can actually flash the vbios and mb bios, or atleast i can go through the process which reports success.. But it does zero good. Ultimately what we are seeeing is not a piece of malware but a framework like metasploit for kali linux, only this is pieced together using many legitimate tools and files that have been repurposed. My extensive reading of logs, config files as well as plain text data located in many of the corrupt .dlls indicate something that is actively being developed, i wont go into the entire craziness that i have witnessed as this basically ate a brand new highend desktop and laptop as well as a handfull of old junk boxes i used to research and study. At the end of the day the reason it seems undefeatable is because it has corrupted the spi flash memory.. And therefore is god. The uefi bios is most likely being loaded from a repository thats been created in reported bad clusters on the hdds.. Which gives it space that isnt even looked at by anything, beyond that it runs a fuse file system on the hdds ensuring you will likely never access the real root directory... And in my case my os installs. are basically being virtualized... Turning my systwm into a vm ...

It was creating virtual raid array and utilizing gpu memory as a virtual hd in the array.

The motherboard will need to be rma'd and the spi reflashed along with the uefi bios, thwn fresh hd fresh install media and periphrials. The card SHOULD BE OK AT THAT POINT so says asus. Good luck.
WTF?? This is insane.

If what you are saying is true; this is some high level stuff.
I'm only saying that becuse of the time involved in making that type of "super" malware. Sounds like years too me.
And how would somwone get all the needed "spoof" firmwares? thats beyond my understanding.
It dosn't strike me as being created by a guy in his basement. It sounds pretty well thought out to me....

crazy stuff,
 
Joined
Apr 12, 2013
Messages
2,586 (1.08/day)
I would love to expand. All I can say without his permission is that the second attack was a sophisticated network based attack, using his modem as the bridge. And no matter what modem we replaced it with, it would happen again. It would then proceed to infect home devices. (We know this from a firewall netlog showing them contacting malware ips).

He basically shoveled money at this problem with no end in site. I don't think he'd disagree with that statement. It's part of why I couldn't work for him anymore: I couldn't take his money and gurantee success; he needed someone better skilled at network issues and able to "do the job right." I'm a firmware guy, it left that turf.

It was almost as if his home was cursed. I could remove devices from the premise, cure them via a hardware flash, and they'd remain fine. Put them back in his home and they'd not last 2 nights. Of course it wasn't cursed, it was just a repeatedly infected modem/router. I almost wonder if the cable end was compromised at the ISP's side... that's basically why I told him "call the FBI."

I haven't heard from him in over a month, which sucks because I want to send things of his to Symantec/other AV groups/the FBI but don't know if I have his permission. Some of the evidence consists of complete, untampered with drives, so I don't feel comfortable sending them without client permission since they contain a lot of his personal stuff surely.

Advice there appreciated, actually.

Plus, it's odd having a box of SSDs and thumb drives on the mantle labeled "INFECTED - DO NOT USE." It's not a good conversation piece when you can't say much: I'd be glad to be rid of it.
Alright, not to sound alarmist but do these guys also know about you ~ identity or existence? Was this a life threatening situation? I know you may not be in a situation to judge that but if it is, shouldn't you contact law enforcement or at least someone who can get closer to the truth?

Again, from the outside it seems a fair bit OTT for an avg Joe (your client) to deal with, but if it's indeed that deep down the rabbit hole it (the events) & you could be a part of our invaluable history.

edit ~ saw your last few comments, glad the situation's controlled atm.
 
Last edited:
Low quality post by Atreides

FreedomEclipse

~Technological Technocrat~
Joined
Apr 20, 2007
Messages
19,780 (4.33/day)
Location
London,UK
System Name Codename: Icarus Mk.V
Processor Intel 8600k@4.8Ghz
Motherboard Asus ROG Strixx Z370-F
Cooling Be Quiet! Dark Rock Pro 4
Memory 16 Corsair Vengeance White LED DDR4 3200Mhz
Video Card(s) Gigabyte 1080Ti Gaming OC|Accelero Xtreme IV
Storage Samsung 970Evo 512GB SSD (Boot)|WD Blue 1TB SSD|2x 3TB Toshiba DT01ACA300
Display(s) Asus PB278Q 27"
Case Corsair 760T (White) {1x140mm NF-P14s|1xCorsair ML120 Pro|4xML140 Pro}
Audio Device(s) Creative SB Z {AVR:Yamaha RX-V573|Speakers: JBL Control One|Auna 300-CN|Wharfedale Diamond SW150}
Power Supply Corsair AX760
Mouse Logitech G900/G502
Keyboard Duckyshine Dead LED(s) III
Software Windows 10 Pro
Benchmark Scores (ノಠ益ಠ)ノ彡┻━┻
I'm not really following this thread right now but I thought everyone would like to know my client is alive and well. He got in touch with me just tonight after setting up a honeypot of sorts with a wireshark monitor. He's hoping the net capture trafic will help his case with the FBI. I'm probably going to be sending him his things soon for said case. But at any rate, he wasn't eliminated or anything horrible, he just was taking some time letting his system do a "userfree run" for which to capture a lot of what this malware is doing.

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Hopefully it works out for him, but I'm largely uninvolved now. Thank you for everyones advice and lets hope something good comes of this whole saga.
I thought he might of found himself a Will Smith and become an Enemy Of The State.

In a few years time after this has cleared im sure he could write a book or a movie about it
 
Top