
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.00/day)
System Name HomeBuild
Processor Intel i7-7700K
Motherboard ASUS Z270F
Cooling Corsair H55 Hydro Series
Memory 32GB G.Skill Ripjaws V (PC4 25600)
Video Card(s) ASUS STRIX-GTX 1070 8G Gaming
Storage Samsung 850 Pro x 3, Crucial M4 (spare boot)
Display(s) LG 34UC79-G
Case Thermaltake View 31
Audio Device(s) N/A
Power Supply Thermaltake Toughpower 850W
Mouse Logitec
Keyboard Logitec
Software Win 10 1803
Benchmark Scores With or without malware infection?
My situation is sad, but true. I have attached the requested evidence / screenshots below. Please be very, very careful with the .rom file though. I do not want to be responsible for spreading whatever *that* is any further.

GPU-Z was blank when I first ran it, and I thought it was a bug. I have flashed MB BIOSes for years; this is my second or third GPU flash ever.

Background: My first post many weeks ago before Symantec got involved.

<Bleeping Computer Link>
https://www.bleepingcomputer.com/forums/t/673759/chinese-malware-infecting-bios-hidden-on-hdd/

After a few weeks of trying to fix this myself, I got Symantec involved. Symantec couldn't find anything (I paid for their cleaning service) with their forensic tool and gave up after a few days. I offered to personally drive one of the SSDs down to Mountain View and put it in the hands of a virus researcher, but the support people were in India / the Philippines and probably don't know where MV is. Their level 3 support was atrocious; they believed *something was there* but couldn't say what. A friend at Cylance's response was the same. They are too busy... however, many of these GPU findings were made today, as were the SSD firmware mods, but I had my suspicions.

The GPU screenshots are after the first flash. Luckily, I saved the rom before flashing.

I believe it may have used Spectre or Meltdown for the initial infiltration / exploit. The main payload came in via email. It was a spear phishing email. EaseUS is involved in this somehow. I saw the email notification and Norton jumped into heuristics mode, then died. I also had Malwarebytes installed... nada. Nothing else (other than a 2012 version of SUPERAntiSpyware I had on an old USB stick) could detect anything. SAS detected Rogue.Agent.Gen Nullo (BIN) but I think it was a false positive. Dr. Web caught some obscure userblocker, and Winlogon was modified in the registry.

"Why not just do a fresh install of the OS to the HD or get a new HD.??"

You didn't read the post properly. It is embedded in the system GPU / SSD / MB firmware BIOS. I am not making this up. It is not detectable in user space. I have reinstalled / low-level formatted over 20 times in the last few months. Same thing every time.

My wife told me to go get a new laptop so that I can continue my business, but I objected as I couldn't find the infection source. I lost that fight and I now have a bricked ASUS laptop sitting here as a doorstop. Right now, I don't trust anything on the network.

For all you naysayers out there: rather than taking potshots at my request for help and accusing me of *whatever*, please try and make a positive suggestion that does not involve torching the box... although it may just come to that.

Cheers!

Here are the supporting files. I have other screens to substantiate my claims.

ROM files / IFR dump
 

Attachments

  • NVFlash Screen Output.txt
    5.1 KB · Views: 679
  • CPU-Z CPU.PNG
    45.8 KB · Views: 775
  • CPU-Z GPU.PNG
    29.3 KB · Views: 755
  • Crucial_SSD_BIOS.PNG
    90.2 KB · Views: 761
  • GPU-Z Results.gif
    28.7 KB · Views: 731
  • GPU-Z Advanced Results.gif
    12.7 KB · Views: 692
  • GPU-Z Sensors Results.gif
    14.8 KB · Views: 683
  • BIOS_Update_ErrorMsg.PNG
    111.4 KB · Views: 706
  • Asus.GTX1070.Malware.infoRom.txt
    880 bytes · Views: 419
  • Asus.GTX1070.malware.Rom.txt
    258.5 KB · Views: 235
Joined
Sep 17, 2014
Messages
20,776 (5.97/day)
Location
The Washing Machine
Processor i7 8700k 4.6Ghz @ 1.24V
Motherboard AsRock Fatal1ty K6 Z370
Cooling beQuiet! Dark Rock Pro 3
Memory 16GB Corsair Vengeance LPX 3200/C16
Video Card(s) ASRock RX7900XT Phantom Gaming
Storage Samsung 850 EVO 1TB + Samsung 830 256GB + Crucial BX100 250GB + Toshiba 1TB HDD
Display(s) Gigabyte G34QWC (3440x1440)
Case Fractal Design Define R5
Audio Device(s) Harman Kardon AVR137 + 2.1
Power Supply EVGA Supernova G2 750W
Mouse XTRFY M42
Keyboard Lenovo Thinkpad Trackpoint II
Software W10 x64
Well, my solution would most certainly be to torch this machine, or sell it off to someone you REALLY hate.

At the very least get some fun out of it. And remember: time is money, too.

I'm not even joking. I would be at a complete loss if you cannot localize this AND it keeps replicating across firmware and BIOS.

Or: take it apart entirely, and power-drain every component: remove the CMOS battery, unplug it, let it sit there for a week, hold the power button, and then disassemble and reassemble. When you reassemble, only use a single stick of RAM, no GPU, and a new storage medium, starting from scratch.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches
Software Windows 11 Enterprise (legit), Gentoo Linux x64
please try and make a positive suggestion that does not involve torching the box.

If true, I apologize for my skepticism. A hardware programmer is indeed the answer, then. Is this a desktop? If so, please send a quick photo of the GPU PCB. I may be able to advise what you need to order.

Alternatively, I would be willing to flash it for you with my hardware programmer. It would cost about $30.00. I would recommend sending the mobo as well, and replacing the HDD(s) and any other drives entirely (no easy way to hardware-flash them).
 
Joined
Feb 2, 2015
Messages
2,707 (0.81/day)
Location
On The Highway To Hell \m/
Nope. Still not buying it. HUGE gaping holes to be filled with REAL evidence. Of which none has yet been provided (nor ever will be). Just the pseudo-intelligent ramblings of some poor fellow in dire need of psychiatric help. Oh, it's true alright. And sad as well. Best wishes, my friend.

PS, I'm mentally ill myself. I've been hospitalized for it on numerous occasions in the last 25 years. And been through years and years of psychotherapy. Many of my family members are crazy too, with all manner of differing mental disorders (everybody on my mom's side has something or another, or a bunch of things). I've seen more than enough crazy in my life to know it when I see/hear it. I know it front/back, top/bottom, inside/out. I've seen things you wouldn't even believe if I told you. Experience has taught me... if there's one thing I know... it's crazy.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Nope. Still not buying it. HUGE gaping holes to be filled with REAL evidence. Of which none has yet been provided (nor ever will be). Just the pseudo-intelligent ramblings of some poor fellow in dire need of psychiatric help. Oh, it's true alright. And sad as well. Best wishes, my friend.

When I get home, I'll analyze his BIOS dump and know for certain.

There were some anonymous groups working on this in 2015, and if true, the code is almost certainly similar:

https://arstechnica.com/information...r-offer-superior-stealth-and-computing-power/

Experience has taught me... if there's one thing I know... it's crazy.

You know, then, that you can be crazy and still be correct at times. ;)

EDIT: All I can say right now is that it is certainly an odd BIOS.

I will report more when I get home. Android hex editors suck, but, sir, you have my interest... Can we get your likely infected motherboard BIOS as well?
 

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.00/day)
@R-T-B ; I would appreciate any feedback or response you have. Thanks for taking the time. It is a desktop. Image attached...

@Mr Genius ; What other proof would you like? I can provide anything (logs, screenshots). Either that, or you're deliberately distracting and probably a malware guy yourself. If not, perhaps you should read up on malware research as I have done. All of the techniques used in this infection have been researched in the past and have validated proofs of concept from many years ago (BHat 2012 for GPU malware, etc.). But I agree it's ridiculous to see it in the wild; however, I am not the only one... these guys have something similar.

https://forums.malwarebytes.com/top...s-disk-wipes-and-hijacks-any-new-os-installs/

@Vayra86; I agree with you 100%. At this point, pouring gas on it and lighting a match may provide a lot of satisfaction, if nothing else. However, if I'm not crazy and this thing is real, we are all in a world of hurt. I'd hate for anyone else to go through what I am going through. If I hadn't seen Norton barf, I would never have known that I was infected. I rarely look at the hardware specs of a system other than during the build, but this may be a good way of profiling the malware: analyzing hardware specs and expected performance, and comparing .ROM dumps to known good versions.

I had another thought... it may not be infecting the MB BIOS, but if the GPU is the culprit, it can affect screen output in some way. For example, when using a boot disk for BCDWipe to clean the HPA / DCO, the GPU restarts and the screen goes blank when searching for drives... then nothing. There's nothing else to do but reboot. When I used the onboard (MB) HDMI port, it worked fine (as I just found out). This has been an ongoing battle with rescue disks either dropping to GRUB or just not loading at all, making it appear like an MB UEFI infection when it's probably only the GPU and SSD firmware that are infected.

At this point I am willing to drop-ship this bloody system to any AV company that wants it, if they pay for the cost of the hardware.

Any other suggestions?
 

Attachments

  • System.JPG
    109.2 KB · Views: 426

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,774 (3.79/day)
Location
Alabama
System Name Rocinante
Processor I9 14900KS
Motherboard EVGA z690 Dark KINGPIN (modded BIOS)
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
When I get home, I'll analyze his BIOS dump and know for certain.

There were some anonymous groups working on this in 2015, and if true, the code is almost certainly similar:

https://arstechnica.com/information...r-offer-superior-stealth-and-computing-power/

You know, then, that you can be crazy and still be correct at times. ;)

EDIT: All I can say right now is that it is certainly an odd BIOS.

I will report more when I get home. Android hex editors suck, but, sir, you have my interest... Can we get your likely infected motherboard BIOS as well?

Same
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
Worse yet, his malware BIOS seems to have a valid signature, as best I can tell via his nvflash logs... meaning it's flashable and is perhaps even factory-signed. So either it's not a malware BIOS and I'm barking up the wrong tree, or they found a way to fool Falcon inside the firmware image, or a factory actually fricking signed a malware BIOS.

I think it goes without saying that you SHOULD NOT flash that BIOS. There are at least 8 KB of code inserted in it that I have no idea what they do vs the one on the database.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
26,956 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
So I looked at your BIOS and compared it against https://www.techpowerup.com/vgabios/187068/asus-gtx1070-8192-161020-1 which is for the same card, with a nearly identical BIOS version.

The BIOSes are pretty much identical. The differences are just some serial numbers and the associated housekeeping stuff, like different checksums due to slightly different contents.
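The comparison described in this post (a dumped ROM against a reference image of the same card from the database, where serial numbers and the checksum bytes they drag along are the only expected differences) can be made mechanical. The script below is an added example written for this thread, not code from TechPowerUp, GPU-Z or nvflash. It parses the legacy PCI option ROM header that video BIOS images carry (bytes 0x55 0xAA, image size in 512-byte units at offset 2, and a byte-sum checksum over the declared size that must come out to zero), lists the byte ranges where two images differ, and flags any differing run longer than a few dozen bytes for manual review. The two images it compares are constructed inline; the 16-byte serial field at offset 0x40 and the 64-byte run threshold are assumptions made for the toy layout, not the real ASUS image layout.

```python
"""Compare a dumped video BIOS image with a known-good reference image.

Added example for this thread; not code from TechPowerUp, GPU-Z or nvflash.
Checked here is the legacy PCI option ROM header: bytes 0-1 are 0x55 0xAA,
byte 2 is the image size in 512-byte units, and the bytes of the declared
image must sum to zero modulo 256. Any edit to the image therefore forces
a checksum fixup, which is the "housekeeping" difference a serial-number
change produces; a long run of differing bytes is not.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SMALL_RUN = 64  # assumed threshold: longer differing runs need a human look


@dataclass
class RomInfo:
    valid_signature: bool
    declared_size: int   # bytes: header byte 2 * 512 (0 if header invalid)
    checksum_ok: bool    # sum(image[:declared_size]) % 256 == 0


def inspect_option_rom(image: bytes) -> RomInfo:
    """Parse the legacy option ROM header and verify the byte-sum checksum."""
    valid = len(image) >= 3 and image[0] == 0x55 and image[1] == 0xAA
    size = image[2] * 512 if valid else 0
    ok = valid and size <= len(image) and sum(image[:size]) % 256 == 0
    return RomInfo(valid, size, ok)


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Half-open [start, end) ranges where a and b differ; a length mismatch
    is reported as one extra range covering the longer image's tail."""
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    start: Optional[int] = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def classify(ranges: List[Tuple[int, int]], small: int = SMALL_RUN) -> str:
    """'housekeeping' when every differing run is short (serial numbers,
    checksum bytes); otherwise name the longest run so it gets reviewed."""
    if not ranges:
        return "identical"
    longest = max(end - start for start, end in ranges)
    if longest <= small:
        return "housekeeping"
    return f"suspect: {longest}-byte run"


def build_sample_rom(serial: bytes, blocks: int = 2, inserted: bytes = b"") -> bytes:
    """Construct a toy option ROM for the demo (assumed layout, not ASUS's):
    header, zero-filled fields up to 0x40, a 16-byte serial field at 0x40,
    optional inserted bytes at 0x50, zero padding, checksum byte last."""
    total = blocks * 512
    body = bytearray(b"\x55\xAA" + bytes([blocks]))
    body += b"\x00" * (0x40 - len(body))
    body += serial.ljust(16, b"\x00")[:16]
    body += inserted
    if len(body) >= total:
        raise ValueError("payload does not fit the declared ROM size")
    body += b"\x00" * (total - len(body) - 1)
    body.append((-sum(body)) % 256)  # fixup so the whole image sums to 0
    return bytes(body)


def compare_dump(reference: bytes, dump: bytes):
    """The three things a reviewer wants: both headers/checksums, the
    differing ranges, and a verdict on those ranges."""
    ranges = diff_ranges(reference, dump)
    return inspect_option_rom(reference), inspect_option_rom(dump), ranges, classify(ranges)


if __name__ == "__main__":
    # Constructed images: same card, different serial number only.
    reference = build_sample_rom(b"SN-REF-0001")
    dump = build_sample_rom(b"SN-REF-0002")
    ref_info, dump_info, ranges, verdict = compare_dump(reference, dump)
    print(ref_info, dump_info)
    print("differing ranges:", [(hex(s), hex(e)) for s, e in ranges], "->", verdict)

    # Constructed image with 1 KB of extra bytes and a larger declared size.
    blob = bytes((i % 255) + 1 for i in range(1024))
    modified = build_sample_rom(b"SN-REF-0001", blocks=4, inserted=blob)
    _, mod_info, ranges, verdict = compare_dump(reference, modified)
    print(mod_info, "->", verdict)
```

For the serial-only pair the report is two one-byte ranges (the last serial digit and the checksum byte) and the verdict "housekeeping"; for the image with inserted bytes the header size byte, the inserted region and the longer tail all differ, and the verdict names the longest run. A valid checksum on its own says nothing about whether an image is genuine, since whoever edits the image also fixes the checksum, which is why the diff against a trusted reference is the part that carries weight.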

 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
So I looked at your BIOS and compared it against https://www.techpowerup.com/vgabios/187068/asus-gtx1070-8192-161020-1 which is for the same card, with a nearly identical BIOS version.

The BIOSes are pretty much identical. The differences are just some serial numbers and the associated housekeeping stuff, like different checksums due to slightly different contents.

OH! I downloaded the nearly identical one without the -1 on the end. That explains the massive differences.

Yeah, this looks like just InfoROM differences, honestly. I still would like to look at your mobo BIOS though.
 

Joined
Mar 29, 2018
Messages
590 (0.27/day)
Thing is, GPU-Z will not read the card info fully under the basic default standard VGA driver, the safe mode driver built into Windows. Once you install the full NVIDIA driver for the card, all that info will be displayed correctly and fully.

From the GPU-Z results screenshot he posted [Windows Basic Display Adapter], it is not a full NVIDIA driver. Install the driver from NVIDIA.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,866 (3.00/day)
Location
Quantum Well UK
System Name Quantumville™
Processor Intel Core i7-2700K @ 4GHz
Motherboard Asus P8Z68-V PRO/GEN3
Cooling Noctua NH-D14
Memory 16GB (2 x 8GB Corsair Vengeance Black DDR3 PC3-12800 C9 1600MHz)
Video Card(s) MSI RTX 2080 SUPER Gaming X Trio
Storage Samsung 850 Pro 256GB | WD Black 4TB | WD Blue 6TB
Display(s) ASUS ROG Strix XG27UQR (4K, 144Hz, G-SYNC compatible) | Asus MG28UQ (4K, 60Hz, FreeSync compatible)
Case Cooler Master HAF 922
Audio Device(s) Creative Sound Blaster X-Fi Fatal1ty PCIe
Power Supply Corsair AX1600i
Mouse Microsoft Intellimouse Pro - Black Shadow
Keyboard Yes
Software Windows 10 Pro 64-bit
@MadBrit It does look like maybe you're really unlucky with this and have been nailed with BIOS-level malware. I'm still not completely convinced that it's not something else, but I'll go with it for now, since you've said that you've done clean Windows installs several times now.

Since the others on here reckon that your graphics card BIOS isn't infected after the hex dump comparison, I suggest flashing your mobo BIOS from a command-line-level flasher if you can. In other words, boot from USB or CD, not the Windows installation. I would then do that fresh install (yes, this again, sorry! :) ) with that clean W10 DVD and hope that the problem has gone away. Before doing so, save that current mobo BIOS.

Is it possible that there's another infected computer on your network that keeps nailing this one?
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
What are the URLs? Whose digital signature is used?

Working with him to get his mobo BIOS now in a private chat. His mobo BIOS is a 16MB ROM with a lot of free space. If this is really a firmware infection, it's living there, not in his GPU, I think. I'll search it for strings and see if I can't get him to tell us more details about the CDN part too.
 

qubit

Overclocked quantum bit
Joined
Dec 6, 2007
Messages
17,866 (3.00/day)
Working with him to get his mobo BIOS now in a private chat. His mobo BIOS is a 16MB ROM with a lot of free space. If this is really a firmware infection, it's living there, not in his GPU, I think. I'll search it for strings and see if I can't get him to tell us more details about the CDN part too.
You da man for going the extra mile. Respect. :cool:
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
The certs, I think, are a false root authority (they identify as "Microsoft" and such but are clearly infected). Asking him about IPs for the CDNs now. I'm afraid to remote into the "rancid" machine myself, despite his offer to let me. ;)
 
Joined
Oct 17, 2012
Messages
9,781 (2.34/day)
Location
Massachusetts
System Name Americas cure is the death of Social Justice & Political Correctness
Processor i7-11700K
Motherboard Asrock Z590 Extreme wifi 6E
Cooling Noctua NH-U12A
Memory 32GB Corsair RGB fancy boi 5000
Video Card(s) RTX 3090 Reference
Storage Samsung 970 Evo 1Tb + Samsung 970 Evo 500Gb
Display(s) Dell - 27" LED QHD G-SYNC x2
Case Fractal Design Meshify-C
Audio Device(s) on board
Power Supply Seasonic Focus+ Gold 1000 Watt
Mouse Logitech G502 spectrum
Keyboard AZIO MGK-1 RGB (Kaith Blue)
Software Win 10 Professional 64 bit
Benchmark Scores the MLGeesiest
I think no one is doubting the possibility of an invasive piece of software installing itself in BIOS memory, or anywhere writable storage exists. IMO, what seems far more likely to be the reason people question this OP's post is the level of sophistication in something like this, simply to access some dude's computer. This is some definite high-level malicious software (if it is indeed what's happening), and I just can't see someone pulling an "Ocean's Eleven" just to steal eight dollars out of a nine-year-old's piggy bank, so to speak. That is what I feel the questionable part is. Not the existence, rather the likeliness. Certainly no offense intended to OP.
 
Joined
Nov 1, 2017
Messages
521 (0.22/day)
It's so interesting. I'm here just to see the updates about this story. I can't believe there's some malware like that in the wild.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
His bios is chock full of extra modules from stock:

1526590785721.png
 
Last edited by a moderator:

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.61/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
His bios is chock full of extra modules from stock:

View attachment 101178

So from your analysis he needs to just go ahead and buy a new BIOS EEPROM, right? Or do you think an SPI or FlashCat programmer might be able to completely erase his existing EEPROM to replace it with the correct stock BIOS?
 

FireFox

The Power Of Intel
Joined
Feb 19, 2014
Messages
7,507 (2.03/day)
Location
Germany
Processor Intel i7 10700K
Motherboard Asus ROG Maximus XII Hero
Cooling 2x Black Ice Nemesis GTX 480 - 1x Black Ice Nemesis GTX 420 - D5 VPP655P - 13x Corsair LL120 - LL140
Memory 32GB G.SKILL Trident Z RGB 3600Hz
Video Card(s) EVGA GEFORCE RTX 3080 XC3 Ultra
Storage Samsung 970 EVO PLUS 500GB/1TB - WD Blue SN550 1TB - 2 X WD Blue 1TB - 3 X WD Black 1TB
Display(s) Asus ROG PG278QR 2560x1440 144Hz (Overclocked 165Hz )/ Samsung
Case Corsair Obsidian 1000D
Audio Device(s) I prefer Gaming-Headset
Power Supply Enermax MaxTytan 1250W 80+ Titanium
Mouse Logitech G502 spectrum
Keyboard Virtuis Advanced Gaming Keyboard ( Batboard )
Software Windows 10 Enterprise/Windows 10 Pro/Windows 11 Pro
Benchmark Scores My PC runs FiFA
It's so interesting. I'm here just to see the updates about this story. I can't believe there's some malware like that in the wild.

There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
So from your analysis he needs to just go ahead and buy a new BIOS EEPROM, right? Or do you think an SPI or FlashCat programmer might be able to completely erase his existing EEPROM to replace it with the correct stock BIOS?

I'm trying to scrub the BIOS of malware now and force-flash it with a DOS tool, in hopes it won't reload itself.

All his storage devices are infected, like Kaspersky Labs reports. His SSD doesn't even identify as genuine anymore. I told him to flash in DOS, chuck them, and see if he can boot a clean USB.

There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.

It's targeted; we don't know why. These modules in the BIOS? A lot of them are tailored to his setup as far as I can tell (ASUS Fanboy malware package, basically).
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.61/day)
There is even worse. What I don't understand is why the target is a single person; those kinds of viruses/malware, or however you want to call it, you just get/find in places/websites where you have nothing to do.

That or he ticked someone off.

I'm trying to scrub the BIOS of malware now and force-flash it with a DOS tool, in hopes it won't reload itself.

All his storage devices are infected, like Kaspersky Labs reports. His SSD doesn't even identify as genuine anymore. I told him to flash in DOS, chuck them, and see if he can boot a clean USB.

It's targeted; we don't know why. These modules in the BIOS? A lot of them are tailored to his setup as far as I can tell (ASUS Fanboy malware package, basically).

For that kind of infection, it sounds like he pissed someone off.
 
Joined
Aug 20, 2007
Messages
20,709 (3.41/day)
I kind of gleaned why someone would want to target him in discussions; I won't say more than that. I will say it's a legit job he works, and not something sketchy or weird, but lucrative to infect.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.61/day)
I kind of gleaned why someone would want to target him in discussions; I won't say more than that. I will say it's a legit job he works, and not something sketchy or weird, but lucrative to infect.

If you say squirrel, I understand lol

He might want to check for ID theft too.
 