
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

My situation is sad, but true. I have attached requested evidence / screenshots below. Please be very, very careful with the .rom file though. I do not want to be responsible for spreading whatever *that* is any further.

GPU-Z was blank when I first ran it - and I thought it was a bug. I have flashed MB BIOSes for years - this is my second or third GPU flash ever.

Background: My first post many weeks ago before Symantec got involved.

<Bleeping Computer Link>
https://www.bleepingcomputer.com/forums/t/673759/chinese-malware-infecting-bios-hidden-on-hdd/

After a few weeks of trying to fix this myself, I got Symantec involved. Symantec couldn't find anything (paid for their cleaning service) with their forensic tool and gave up after a few days. I offered to personally drive one of the SSDs down to Mountain View and put it in the hands of a virus researcher, but the support people were in India / the Philippines and probably don't know where MV is. Their level 3 support was atrocious and they believed *something was there* but couldn't say what. Friend at Cylance's response was the same. They are too busy...however, many of these GPU findings were made today - as were the SSD firmware mods - but I had my suspicions.

The GPU screenshots are after the first flash. Luckily, I saved the rom before flashing.

I believe it may have used Spectre or Meltdown for the initial infiltration / exploit. The main payload came in via email. It was a spear phishing email. EaseUS is involved in this somehow. I saw the email notification and Norton jumped into Heuristics mode then died. Also had Malwarebytes installed...nada. Nothing else (other than a 2012 version of SuperAntiSpyware I had on an old USB stick) could detect anything. SAS detected Rouge.Agent.Gen Nullo (BIN) but I think it was a false positive. Dr. Web caught some obscure userblocker and Winlogon was modified in the reg.

"Why not just do a fresh install of the OS to the HD or get a new HD.??"

You didn't read the post properly. It is embedded in the system GPU / SSD / MB firmware BIOS. Not making this up. It is not detectable in user space. I have reinstalled / LL formatted over 20 times in the last few months. Same thing every time.

My wife told me to go get a new laptop so that I can continue my business, but I objected as I couldn't find the infection source. I lost that fight and I now have a bricked ASUS laptop sitting here as a doorstop. Right now, I don't trust anything on the network.

For all you naysayers out there - rather than taking pot shots at my request for help and accusing me of *whatever*, please try and make a positive suggestion that does not involve torching the box...although, it may just come to that.

Cheers!

Here are the supporting files. Have other screens to substantiate my claims....

Rom Files / IFR Dump
 

Attachments

  • NVFlash Screen Output.txt (5.1 KB)
  • CPU-Z CPU.PNG (45.8 KB)
  • CPU-Z GPU.PNG (29.3 KB)
  • Crucial_SSD_BIOS.PNG (90.2 KB)
  • GPU-Z Sensors Results.gif (14.8 KB)
  • GPU-Z Advanced Results.gif (12.7 KB)
  • GPU-Z Results.gif (28.7 KB)
  • BIOS_Update_ErrorMsg.PNG (111.4 KB)
  • Asus.GTX1070.Malware.infoRom.txt (880 bytes)
  • Asus.GTX1070.malware.Rom.txt (258.5 KB)
Well, my solution would most certainly be to torch this machine, or sell it off to someone you REALLY hate.

At the very least get some fun out of it. And remember: time is money, too.

I'm not even joking, I would be at a complete loss if you cannot localize this AND it keeps replicating across firmwares and BIOS.

Or: take it apart entirely, and power drain every component - remove CMOS battery, unplug, let it sit there for a week, hold power button and then disassemble > reassemble. When you reassemble only use single stick of RAM, no GPU, and a new storage medium starting from scratch.
 
> please try and make a positive suggestion that does not involve torching the box.

If true, I apologize for my skepticism. A hardware programmer is indeed the answer then. Is this a desktop? If so, please send a quick photo of the GPU PCB. I may be able to advise what you need to order.

Alternatively, I would be willing to flash it for you with my hardware programmer. It would cost about $30.00. I would recommend sending the mobo as well, and replacing the HDD(s) and any other drives entirely (no easy way to hardware flash them).
 
Nope. Still not buying it. HUGE gaping holes to be filled with REAL evidence. Of which none has yet been provided(nor ever will be). Just the pseudo-intelligent ramblings of some poor fellow in dire need of psychiatric help. Oh it's true alright. And sad as well. Best wishes my friend.

PS, I'm mentally ill myself. I've been hospitalized for it on numerous occasions in the last 25 years. And been through years and years of psychotherapy. Many of my family members are crazy too, with all manner of differing mental disorders(everybody on my mom's side has something or another, or a bunch of things). I've seen more than enough crazy in my life to know it when I see/hear it. I know it front/back, top/bottom, inside/out. I've seen things you wouldn't even believe if I told you. Experience has taught me...if there's one thing I know...it's crazy.
 
> Nope. Still not buying it. HUGE gaping holes to be filled with REAL evidence. Of which none has yet been provided(nor ever will be). Just the pseudo-intelligent ramblings of some poor fellow in dire need of psychiatric help. Oh it's true alright. And sad as well. Best wishes my friend.

When I get home, I'll analyze his bios dump and know for certain.

There were some anonymous groups working on this in 2015, and if true, the code is almost certainly similar:

https://arstechnica.com/information...r-offer-superior-stealth-and-computing-power/

> Experience has taught me...if there's one thing I know...it's crazy.

You know then you can be crazy and still be correct at times. ;)

EDIT: All I can say right now is that is certainly an odd bios.

I will report more when I get home, Android hex editors suck, but, sir, you have my interest... Can we get your likely infected motherboard BIOS as well?
 
@R-T-B ; I would appreciate any feedback or response you have. Thanks for taking the time. It is a desktop. Image attached...

@Mr Genius; What other proof would you like? I can provide anything (logs, screenshots). Either that, or you're deliberately distracting and probably a malware guy yourself. If not, perhaps you should read up on malware research as I have done. All of the techniques used in this infection have been researched in the past and have validated proof of concepts - from many years ago (BHat 2012 for GPU malware, etc.). But I agree it's redic to see it in the wild - however, I am not the only one...these guys have something similar.

https://forums.malwarebytes.com/top...s-disk-wipes-and-hijacks-any-new-os-installs/

@Vayra86; Agree with you 100%. At this point, pouring gas on it and lighting a match may provide a lot of satisfaction - if nothing else. However, if I'm not crazy and this thing is real, we are all in a world of hurt. Hate for anyone else to go through what I am going through. If I didn't see Norton barf, I would never have known that I was infected. I rarely look at the hardware specs of a system other than during the build, but this may be a good way of profiling the malware - analyzing hardware specs, expected performance, and comparing .ROM dumps to known good versions.

I had another thought...it may not be infecting the MB BIOS - but if the GPU is the culprit, it can affect screen output in some way. For example, on using a boot disk for BCWipe to clean the HPA / DCO, the GPU restarts and the screen goes blank when searching for drives...then nothing. There's nothing else to do but reboot. When I used the onboard (MB) HDMI port, it works fine (as I just found out). This has been an ongoing battle with rescue disks either dropping to GRUB or just not loading at all - making it appear like a MB UEFI infection when it's probably only the GPU and SSD firmware infected.

At this point I am willing to drop ship this bloody system to any AV company that wants it if they pay for the cost of the hardware.

Any other suggestions?
 

Attachments

  • System.JPG (109.2 KB)
> When I get home, I'll analyze his bios dump and know for certain.
>
> There were some anonymous groups working on this in 2015, and if true, the code is almost certainly similar:
>
> https://arstechnica.com/information...r-offer-superior-stealth-and-computing-power/
>
> You know then you can be crazy and still be correct at times. ;)
>
> EDIT: All I can say right now is that is certainly an odd bios.
>
> I will report more when I get home, Android hex editors suck, but, sir, you have my interest... Can we get your likely infected motherboard BIOS as well?

Same
 
Worse yet is his malware bios seems to have a valid signature as best I can tell via his nvflash logs... meaning it's flashable and is perhaps even factory signed. So either it's not a malware bios and I'm barking up the wrong tree, or they found a way to fool falcon inside the firmware image, or a factory actually fricking signed a malware bios.

I think it goes without saying that you SHOULD NOT flash that BIOS. There are at least 8 KB of code inserted in it that I have no idea what they do vs the one on the database.
 
So I looked at your BIOS and compared against https://www.techpowerup.com/vgabios/187068/asus-gtx1070-8192-161020-1 which is for the same card, nearly identical BIOS version.

The BIOSes are pretty much identical. The differences are just some serial numbers and the associated housekeeping stuff like different checksums due to slightly different contents.

[attached image: mnty8kzx71.jpg, hex comparison of the two BIOS files]
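The comparison described in this post (and the "comparing .ROM dumps to known good versions" idea the OP floated earlier) can be done reproducibly rather than by eyeballing a hex editor. The script below is an added example and is not code from this thread or from TechPowerUp: it builds two constructed 1 KiB option-ROM images that differ only in a serial-number field and the resulting checksum byte, hashes both, lists every contiguous run of differing bytes with its offset, and checks the legacy PCI option ROM rule (0x55AA signature, length at byte 2 in 512-byte units, byte sum over that length congruent to 0 mod 256). The helper names and the sample images are assumptions for the demonstration; point `compare_roms` at real dumps to get the same report.

```python
import hashlib
from itertools import groupby


def _build_rom(serial: bytes) -> bytes:
    """Constructed 1 KiB legacy option-ROM image (not a real VBIOS dump)."""
    size = 1024
    rom = bytearray(size)
    rom[0:2] = b"\x55\xAA"            # PCI option ROM signature
    rom[2] = size // 512              # image length in 512-byte units
    rom[3:6] = b"\xEB\x00\x00"        # entry-point stub (placeholder bytes)
    body = b"VBIOS TEST IMAGE " * 20  # filler standing in for code/data
    rom[0x20:0x20 + len(body)] = body
    rom[0x200:0x200 + len(serial)] = serial   # board serial / info field
    rom[-1] = (-sum(rom[:-1])) & 0xFF         # checksum byte: sum % 256 == 0
    return bytes(rom)


# Constructed sample pair: a "database" reference and a "dump" from the card.
REFERENCE_ROM = _build_rom(b"SN-REF-00000001")
DUMPED_ROM = _build_rom(b"SN-DMP-00000002")


def option_rom_checksum_ok(rom: bytes) -> bool:
    """Legacy PCI option ROM check: header signature present and the byte
    sum over the declared image length is 0 modulo 256."""
    if len(rom) < 3 or rom[0:2] != b"\x55\xAA":
        return False
    length = rom[2] * 512
    if length == 0 or length > len(rom):
        return False
    return sum(rom[:length]) % 256 == 0


def diff_regions(a: bytes, b: bytes):
    """Return (offset, length) for every contiguous run of differing bytes;
    a trailing region covers any length mismatch."""
    n = min(len(a), len(b))
    flags = [(i, a[i] != b[i]) for i in range(n)]
    regions = []
    for is_diff, run in groupby(flags, key=lambda t: t[1]):
        run = list(run)
        if is_diff:
            regions.append((run[0][0], len(run)))
    if len(a) != len(b):
        regions.append((n, abs(len(a) - len(b))))
    return regions


def compare_roms(reference: bytes, dump: bytes) -> dict:
    """Report hashes, checksum validity and where the two images differ."""
    regions = diff_regions(reference, dump)
    return {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "dump_sha256": hashlib.sha256(dump).hexdigest(),
        "same_length": len(reference) == len(dump),
        "reference_checksum_ok": option_rom_checksum_ok(reference),
        "dump_checksum_ok": option_rom_checksum_ok(dump),
        "diff_regions": regions,
        "bytes_differing": sum(length for _, length in regions),
    }


if __name__ == "__main__":
    report = compare_roms(REFERENCE_ROM, DUMPED_ROM)
    for key, value in report.items():
        if key == "diff_regions":
            value = ", ".join(f"0x{off:X}+{ln}" for off, ln in value)
        print(f"{key}: {value}")
```

On the constructed pair the report shows three small regions (three bytes and one byte inside the serial field, plus the single checksum byte at the end), which is the "serial numbers and housekeeping" pattern the post describes; a dump that adds code shows a large region instead, and a dump whose declared length or checksum no longer validates is worth treating with suspicion before any flashing tool is allowed near it.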
 
> So I looked at your BIOS and compared against https://www.techpowerup.com/vgabios/187068/asus-gtx1070-8192-161020-1 which is for the same card, nearly identical BIOS version.
>
> The BIOSes are pretty much identical. The differences are just some serial numbers and the associated housekeeping stuff like different checksums due to slightly different contents.
>
> [attached image: mnty8kzx71.jpg, hex comparison of the two BIOS files]

OH! I downloaded the nearly identical one without the -1 on the end. That explains the massive differences.

Yeah, this looks like just InfoROM differences honestly. I still would like to look at your mobo BIOS though.
 
Thing is, GPU-Z will not read the card info fully under the basic default standard VGA driver (the safe-mode driver built in to Windows). Once you install the full NVIDIA driver for the card, all that info will be displayed correctly and fully.

From his GPU-Z results screenshot he posted [Windows Basic Display Adapter], not a full NVIDIA driver. Install the driver from NVIDIA.
 
@MadBrit It does look like maybe you're really unlucky with this and have been nailed with a BIOS level malware. I'm still not completely convinced that it's not something else, but I'll go with it for now since you've said that you've done clean Windows installs several times now.

Since the others on here reckon that your graphics card BIOS isn't infected after the hex dump comparison, I suggest flashing your mobo BIOS from a command line level flasher if you can. In other words, boot from USB or CD, not the Windows installation. I would then do that fresh install (yes, this again sorry! :) ) with that clean W10 DVD and hope that the problem has gone away. Before doing so, save that current mobo BIOS.

Is it possible that there's another infected computer on your network that keeps nailing this one?
 
What's the URLs? Who's digital signature is used?

Working with him to get his mobo BIOS now in a private chat. His mobo BIOS is a 16MB ROM with a lot of free space. If this is really a firmware infection, it's living there, not in his GPU, I think. I'll search it for strings and see if I can't get him to tell us more details about the CDN part too.
 
> Working with him to get his mobo BIOS now in a private chat. His mobo BIOS is a 16MB ROM with a lot of free space. If this is really a firmware infection, it's living there, not in his GPU, I think. I'll search it for strings and see if I can't get him to tell us more details about the CDN part too.
You da man for going the extra mile. Respect. :cool:
 
The certs I think are a false root authority (they identify as "Microsoft" and such but are clearly infected). Asking him about IPs for the cdns now. I'm afraid to remote into the "rancid" machine myself, despite his offer to let me. ;)
 
I think no one is doubting the possibility of an invasive piece of software installing itself in BIOS memory, or anywhere writable storage exists. IMO, what seems far more likely to be the reason people question this OP's post is the level of sophistication in something like this, simply to access some dude's computer. This is some definite high-level malicious software (if it is indeed what's happening), and I just can't see someone pulling an "Ocean's Eleven" just to steal eight dollars out of a nine-year-old's piggy bank, so to speak. That is what I feel the questionable part is. Not the existence, rather the likeliness. Certainly no offense intended to OP.
 
It's so interesting. I'm here just to see the updates about this story. I can't believe there's some malware like that in the wild.
 
His BIOS is chock full of extra modules from stock:

[attached image: 1526590785721.png, module listing of the motherboard BIOS]
 
> His BIOS is chock full of extra modules from stock:
>
> [attached image: 1526590785721.png, module listing of the motherboard BIOS]

So from your analysis he needs to just go ahead and buy a new BIOS EEPROM, right? Or do you think an SPI or FlashCat might be able to completely erase his existing EEPROM to replace it with the correct stock BIOS?
 
> It's so interesting. I'm here just to see the updates about this story. I can't believe there's some malware like that in the wild.

There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.
 
> So from your analysis he needs to just go ahead and buy a new BIOS EEPROM, right? Or do you think an SPI or FlashCat might be able to completely erase his existing EEPROM to replace it with the correct stock BIOS?

I'm trying to scrub the BIOS now of malware and force flash it with a DOS tool in hopes it won't reload itself.

All his storage devices are infected, like Kaspersky Labs reports. His SSD doesn't even identify as genuine anymore. I told him to flash in DOS, chuck them, and see if he can boot a clean USB.

> There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.

It's targeted, we don't know why. These modules in the BIOS? A lot of them are tailored to his setup as far as I can tell (ASUS Fanboy malware package, basically).
 
> There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.

That or he ticked someone off

> I'm trying to scrub the BIOS now of malware and force flash it with a DOS tool in hopes it won't reload itself.
>
> All his storage devices are infected, like Kaspersky Labs reports. His SSD doesn't even identify as genuine anymore. I told him to flash in DOS, chuck them, and see if he can boot a clean USB.
>
> It's targeted, we don't know why. These modules in the BIOS? A lot of them are tailored to his setup as far as I can tell (ASUS Fanboy malware package, basically).

For that kind of infection it sounds like he pissed someone off.
 
I kind of gleaned why someone would want to target him in discussions, I won't say more than that. I will say it's a legit job he works, and not something sketchy or weird, but lucrative to infect.
 
> I kind of gleaned why someone would want to target him in discussions, I won't say more than that. I will say it's a legit job he works, and not something sketchy or weird, but lucrative to infect.

If you say squirrel I understand lol

He might want to check for ID theft too.
 