Ok boys, another paranoid lunatic here o/. I'm posting mainly because I feel sorry for the guy that got paranoid and disappeared.

Short introduction: I'm 28, I've been doing electronics/electrics since I was a kid, I can fix basically everything that you can plug into electricity, that's kind of a family trade, and I just love poking around computers, kind of autistic about it.

I've seen some stuff through the years, but this that I've been fighting for the past three weeks, oh boy, this is next level. Basically the guy was on point, there is a malware that deploys through Nvidia GPUs. I've formatted my drives multiple times, used KillDisk, tried through Linux, tried through bootable wipers; after, let's say, a week I concluded it is not on the drives. And all these wipes are going to kill my SSDs. Next step was all the above plus BIOS flash, vBIOS. Of course no luck. Tried again, no luck. Next step was nvidia-smi, and there it got a bit interesting: persistence mode was blanked out, accounting disabled with an accounting mode buffer size of 4000. Driver model indicates that it's OK, WDDM mode running when I look at it from Windows, cannot switch to TCC, then serial number blank. GPU ID seems genuine Gigabyte and I have no doubt that I have a genuine card. And then when I get to BAR1 memory it gets really interesting: the memory is full, but I cannot dump it, read it, kill it, nothing. Then most of the readings further in the query are just blank, like the card is unloaded. Oh, power limit is 40 W more than it should be, both max and enforced. Under processes there are always a few; when in Windows, the "usual" ones that Microsoft puts there to make Windows "faster", but 2 of them blanked out, with one showing a PID of dwm when compared to Task Manager and one that is rogue, no info. All of them are unkillable, memory cannot be released. Oh, it's eating an additional 4 GB of shared memory out of Windows, but I guess that is from accounting mode, which is disabled; can't do any of the device modification options. Basically someone loaded 260 MB of something into its memory and locked it.
Oh yes, when I noticed a funky file on my PC that points to my GPU and started this ghost chase, first I checked the vBIOS naturally, and it was a mining vBIOS for my card that is located here on the forums. Now I'm getting excited because the last time I encountered something this wicked I had fun for a month, some 6-7 years ago. And then it hits me, it's the same user string in Windows that I am seeing, just like years ago, so fu*k yeah, we are having fun again. So far I concluded it deploys when you install Windows, on the first reboot during the install; the GPU loads before setup does after the restart and just hijacks the setup, and after that you don't own the installation any more. It does it with custom WDF and UMDF drivers that the GPU spits onto the drive just before the reboot. Can't find the INF for the driver files because of course they burn on the install, but I can see through the INF, BT and Panther logs what they were doing, to some degree at least. They make reg hives that I can't find in regedit, a looooot of file migration, they edit the INF for Task Manager, Resource Manager etc. The PC seems to idle but it's actually running like mad; I was measuring temps around 80-85 with a laser and an NTC probe on my CPU cooler, the GPU was peaking around 80 with fans off. Amp draw on the main cable with clamps is 1.4-1.6 A, I run 220 V, so go figure the power draw. So basically no Western AV gets it, no Russian AV finds it (usually they detect a lot more than the s*it that we get here in Europe); none of these files or registry keys are suspicious to AVs, well, why would they be, they are in the right folders, that's all that AV cares about for the most part, and beeping false positives to take your money. They don't even respond to the firewall being packed with rules with no users, or users that do not exist in the user registry, or even completely open rules to anyone.
People on the MS forum say this is all OK; I did not ask directly but I googled most of these "edits". Then again, back in the days on my Win 7 when I got these user strings, people on msd were saying that the folders and files affected can be repaired and that they are not intrusions but Windows Update corruptions xD. The thing is adaptive, evasive, it doesn't get picked up by any logging software used for diagnostics. I got some on Wireshark but I can't get anywhere with the addresses I get. What does it do? Well, it mines. What it mines? Better question: for whom it mines. These are no little script kiddies; this stuff that they are doing I'm finding in books from 2017+ about computing and things that are yet to have a proof of concept. Oh yeah, it also uses telnet when it has an inbound connection from its master, and to use telnet on my ISP and my router you need the ISP info, like service user and pass. I understand most of these things, how and why it is doing it, but how it got through the telnet port beats me; the port is completely stealth and under supervision from the ISP. Guys, this thing is not new, I've seen it before, and as I search through the net I see people ignore it. I have no doubt I will fix it, in a week probably; I work 8-4 but often I go out of town, get home late, so sometimes I have just 2-3 hours of playtime. When I get this, guys, I'm going to share the info and the material I gathered, but until then I can't, it will just make it harder to do it; people like that read forums. All I can say: check your Windows firewalls, check your credential managers, check your GPUs through the Nvidia System Management Interface and your AMDs with ROCm; if you see something strange, don't hesitate to change your passwords for important things, not from the infected machine of course. Oh yeah, I almost forgot, it uploads a system image through BITS. So yeah, change your passwords and accept that your homemade porn is out there. I just need to find a way to get it out of the GPU, and that's it, I guess.
And if I don't, I guess we are going to get a fix for it after the next big ransomware attack wave, but like I care, nothing important was on my PC.

cheers!
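As an added example (not material from the poster), here is a small Python helper for the "check your GPUs through nvidia-smi" step: it parses the indented "Key : Value" tree that `nvidia-smi -q` prints and reports the fields the post singles out (persistence mode, serial number, BAR1 usage, enforced vs. default power limit) against a known-good capture of the same card. The sample query output and the `BASELINE` values are constructed for this example; the section names (`Power Readings`, `BAR1 Memory Usage`) follow that sample and can differ between driver versions, so compare against a capture from your own machine rather than against these placeholders.

```python
"""Triage helper for `nvidia-smi -q` output (added example, not the post's own tooling).

Parses the indented "Key : Value" tree nvidia-smi -q prints, then reports fields
that differ from a trusted baseline capture plus two numeric sanity checks.
All sample text and baseline values below are CONSTRUCTED placeholders.
"""
import re
import subprocess

# Constructed sample of `nvidia-smi -q` output; not a real capture.
SAMPLE_QUERY = """\
==============NVSMI LOG==============

Timestamp                                 : Mon Jan  1 00:00:00 2024
Driver Version                            : 000.00

Attached GPUs                             : 1
GPU 00000000:01:00.0
    Product Name                          : EXAMPLE GPU (constructed)
    Persistence Mode                      : N/A
    Accounting Mode                       : Disabled
    Accounting Mode Buffer Size           : 4000
    Driver Model
        Current                           : WDDM
        Pending                           : WDDM
    Serial Number                         : N/A
    BAR1 Memory Usage
        Total                             : 256 MiB
        Used                              : 256 MiB
        Free                              : 0 MiB
    Power Readings
        Power Draw                        : 150.00 W
        Default Power Limit               : 320.00 W
        Enforced Power Limit              : 360.00 W
        Max Power Limit                   : 360.00 W
"""

# Constructed baseline: values a previous, trusted capture of the SAME card
# reported. Replace with your own known-good capture; these are placeholders.
BASELINE = {
    "Persistence Mode": "Disabled",
    "Serial Number": "EXAMPLE-SERIAL-0000",
    "Power Readings/Enforced Power Limit": "320.00 W",
    "Power Readings/Max Power Limit": "320.00 W",
}


def parse_nvsmi_query(text):
    """Turn the indented nvidia-smi -q listing into nested dicts keyed by label."""
    root = {}
    stack = [(-1, root)]  # (indent width, dict for that section)
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("="):
            continue  # blank lines and the banner carry no fields
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        while indent <= stack[-1][0]:
            stack.pop()  # dedent closes the deeper sections
        parent = stack[-1][1]
        if " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            parent[key] = value
        else:
            child = {}  # a label without a value opens a sub-section
            parent[line] = child
            stack.append((indent, child))
    return root


def flatten(tree, prefix=""):
    """Collapse the nested dicts into 'Section/Key' -> value pairs."""
    flat = {}
    for key, val in tree.items():
        path = f"{prefix}/{key}" if prefix else key
        if isinstance(val, dict):
            flat.update(flatten(val, path))
        else:
            flat[path] = val
    return flat


def parse_quantity(value):
    """'256 MiB' -> 256.0, '4000' -> 4000.0, 'N/A' -> None."""
    match = re.match(r"^(-?\d+(?:\.\d+)?)\s*[A-Za-z%]*$", value)
    return float(match.group(1)) if match else None


def first_gpu(tree):
    """Return (section label, dict) of the first 'GPU <bus id>' section."""
    for key, val in tree.items():
        if key.startswith("GPU ") and isinstance(val, dict):
            return key, val
    raise ValueError("no GPU section found in nvidia-smi output")


def triage(text, baseline=BASELINE, bar1_full_ratio=0.95):
    """Return (gpu label, [(field, observed, note), ...]) for a human to review."""
    gpu_name, gpu = first_gpu(parse_nvsmi_query(text))
    flat = flatten(gpu)
    findings = []
    # 1. Field-by-field comparison against the trusted baseline capture.
    for path, expected in baseline.items():
        observed = flat.get(path, "<missing>")
        if observed != expected:
            findings.append((path, observed, f"baseline says {expected}"))
    # 2. Enforced power limit raised above the driver's own default.
    default = parse_quantity(flat.get("Power Readings/Default Power Limit", "N/A"))
    enforced = parse_quantity(flat.get("Power Readings/Enforced Power Limit", "N/A"))
    if default is not None and enforced is not None and enforced > default:
        findings.append(("Power Readings/Enforced Power Limit", enforced,
                         f"{enforced - default:.0f} W above default {default:.0f} W"))
    # 3. BAR1 aperture (almost) fully in use.
    used = parse_quantity(flat.get("BAR1 Memory Usage/Used", "N/A"))
    total = parse_quantity(flat.get("BAR1 Memory Usage/Total", "N/A"))
    if used is not None and total and used / total >= bar1_full_ratio:
        findings.append(("BAR1 Memory Usage/Used", used,
                         f"{used / total:.0%} of {total:.0f} MiB in use"))
    return gpu_name, findings


def capture_live():
    """Run the real tool; only meaningful on a host with the Nvidia driver installed."""
    return subprocess.run(["nvidia-smi", "-q"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    name, found = triage(SAMPLE_QUERY)  # swap in capture_live() on a real host
    print(name)
    for field, observed, note in found:
        print(f"  {field}: {observed} ({note})")
```

The output is a review list, not a verdict: a blank serial number or an `N/A` persistence mode means different things on different cards and drivers, which is exactly why the comparison is against a capture of the same card rather than a fixed rule.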