
GTX 1070 Firmware Overwritten by Malware - Unable to Reset

Status
Not open for further replies.
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64
UEFI malware isn't so common but it's a real thing.

Yep, I knew of it but only as demonstration proof of concept kits initially. This is really my first in the wild sighting.
 
Joined
Nov 1, 2017
Messages
521 (0.22/day)
After reading all of this story, I booked myself a weekend of maintenance to update everything I have on the network. I had a nightmare last night and it wasn't cool at all.

R-T-B's professionalism is exemplary. I want to become as cool as you.

Let's all hope this story will have a good ending for MadBrit. I'd like to help but this situation seems over my field of expertise. If you have issues with malware over the network or packets to examine I'm glad to help you guys.

Cheers!
 

TheMailMan78

Big Member
Joined
Jun 3, 2007
Messages
22,599 (3.66/day)
Location
'Merica. The Great SOUTH!
System Name TheMailbox 5.0 / The Mailbox 4.5
Processor RYZEN 1700X / Intel i7 2600k @ 4.2GHz
Motherboard Fatal1ty X370 Gaming K4 / Gigabyte Z77X-UP5 TH Intel LGA 1155
Cooling MasterLiquid PRO 280 / Scythe Katana 4
Memory ADATA RGB 16GB DDR4 2666 16-16-16-39 / G.SKILL Sniper Series 16GB DDR3 1866: 9-9-9-24
Video Card(s) MSI 1080 "Duke" with 8Gb of RAM. Boost Clock 1847 MHz / ASUS 780ti
Storage 256Gb M4 SSD / 128Gb Agelity 4 SSD , 500Gb WD (7200)
Display(s) LG 29" Class 21:9 UltraWide® IPS LED Monitor 2560 x 1080 / Dell 27"
Case Cooler Master MASTERBOX 5t / Cooler Master 922 HAF
Audio Device(s) Realtek ALC1220 Audio Codec / SupremeFX X-Fi with Bose Companion 2 speakers.
Power Supply Seasonic FOCUS Plus Series SSR-750PX 750W Platinum / SeaSonic X Series X650 Gold
Mouse SteelSeries Sensei (RAW) / Logitech G5
Keyboard Razer BlackWidow / Logitech (Unknown)
Software Windows 10 Pro (64-bit)
Benchmark Scores Benching is for bitches.
Hardware level infection is as old as computers. You guys just came up in an era of modern OS's. Ask guys like @95Viper or some of the reviewers on this site and they will tell you this isn't all that uncommon when dealing with particular kinds of people. Pedophiles and terrorists.

NOW I AM NOT ACCUSING ANYONE OF THAT! I'm just saying this kind of thing isn't as uncommon as you suspect and it's really a very old way of infecting systems reserved for people on the dark web and state actors.

RTB has a big heart and I myself love to help people. With that being said I wouldn't give a jump start to someone with a ski mask outside of a bank. Sure maybe he just came off the slopes, but why risk it.

@MadBrit I want to be clear. I'm not accusing you of any of that. I don't know you and I don't assume this of you. With that being said, if you come into the TPU forums with a hardware level infection people are going to be suspicious. Trust me it's nothing personal. This is just a community watching out for each other. I wish you the best if what you say is true AND I hope you catch who is responsible.
 

the54thvoid

Intoxicated Moderator
Staff member
Joined
Dec 14, 2009
Messages
12,458 (2.38/day)
Location
Glasgow - home of formal profanity
Processor Ryzen 7800X3D
Motherboard MSI MAG Mortar B650 (wifi)
Cooling be quiet! Dark Rock Pro 4
Memory 32GB Kingston Fury
Video Card(s) Gainward RTX4070ti
Storage Seagate FireCuda 530 M.2 1TB / Samsumg 960 Pro M.2 512Gb
Display(s) LG 32" 165Hz 1440p GSYNC
Case Asus Prime AP201
Audio Device(s) On Board
Power Supply be quiet! Pure POwer M12 850w Gold (ATX3.0)
Software W10
Thankfully @R-T-B pulled the truth out of this. I was skeptical but few of us knew enough background to the initial post.
As for helping, I support R-T-B and what he's doing. This is what the forum is for. Real problems sometimes hit walls but @MadBrit persevered and that got him the help he wanted.
If we weren't Samaritans occasionally, we may as well just wall our borders, turn on our allies and eat burgers in bed. Altruism makes us better, paranoia might keep you alive, but it also keeps you alone.
Pay it back.
 

MadBrit

New Member
Joined
May 17, 2018
Messages
6 (0.00/day)
System Name HomeBuild
Processor Intel i7-7700K
Motherboard ASUS Z270F
Cooling Corsair H55 Hydro Series
Memory 32GB G.Skill Ripjaws V (PC4 25600)
Video Card(s) ASUS STRIX-GTX 1070 8G Gaming
Storage Samsung 850 Pro x 3, Crucial M4 (spare boot)
Display(s) LG 34UC79-G
Case Thermaltake View 31
Audio Device(s) N/A
Power Supply Thermaltake Toughpower 850W
Mouse Logitec
Keyboard Logitec
Software Win 10 1803
Benchmark Scores With or without malware infection?
@TheMailMan78 ; I understand your hesitancy and no offence intended. Lots of trolls out there. It has just been 8 weeks of hell and I am stoked that R-T-B was willing to listen when no one else was. Kinda overwhelmed by all of this actually. Not every day you get something like this show up - and I am asking "Why me?". Perhaps I pissed off the wrong person (only one person I know could do the job to this level and they are very vindictive). Perhaps this was a dry run on a non-critical target(s) to test the malware by a state actor? Who knows...but with $3K of infected hardware and 8+ weeks of lost work (plus 5 months of lost project work), I want to nail this malware and stop it before it does some real damage. That's where you guys come in.
 

TheMailMan78

Big Member
Joined
Jun 3, 2007
Messages
22,599 (3.66/day)
Location
'Merica. The Great SOUTH!
Thankfully @R-T-B pulled the truth out of this. I was skeptical but few of us knew enough background to the initial post.
As for helping, I support R-T-B and what he's doing. This is what the forum is for. Real problems sometimes hit walls but @MadBrit persevered and that got him the help he wanted.
If we weren't Samaritans occasionally, we may as well just wall our borders, turn on our allies and eat burgers in bed. Altruism makes us better, paranoia might keep you alive, but it also keeps you alone.
Pay it back.
You say eating burgers in bed like its a bad thing.
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
@TheMailMan78 ; I understand your hesitancy and no offence intended. Lots of trolls out there. It has just been 8 weeks of hell and I am stoked that R-T-B was willing to listen when no one else was. Kinda overwhelmed by all of this actually. Not every day you get something like this show up - and I am asking "Why me?". Perhaps I pissed off the wrong person (only one person I know could do the job to this level and they are very vindictive). Perhaps this was a dry run on a non-critical target(s) to test the malware by a state actor? Who knows...but with $3K of infected hardware and 8+ weeks of lost work (plus 5 months of lost project work), I want to nail this malware and stop it before it does some real damage. That's where you guys come in.

The amount of dead sweet ssd you went through alone makes me want to cry...
 

cadaveca

My name is Dave
Joined
Apr 10, 2006
Messages
17,232 (2.62/day)
@TheMailMan78 ; I understand your hesitancy and no offence intended. Lots of trolls out there. It has just been 8 weeks of hell and I am stoked that R-T-B was willing to listen when no one else was. Kinda overwhelmed by all of this actually. Not every day you get something like this show up - and I am asking "Why me?". Perhaps I pissed off the wrong person (only one person I know could do the job to this level and they are very vindictive). Perhaps this was a dry run on a non-critical target(s) to test the malware by a state actor? Who knows...but with $3K of infected hardware and 8+ weeks of lost work (plus 5 months of lost project work), I want to nail this malware and stop it before it does some real damage. That's where you guys come in.
It's super odd, because people that usually would be a vector for this would simply just buy new hardware and be done with it. I mean, that's how you really fix stuff like this. There is no real defense from an active attack once your system is known, and the minor costs you have raised are just that... minor. Change your MAC ID, and you're golden. They don't toss out phones in movies when being tracked for no reason.

You know, privacy doesn't really exist any more these days, so why don't you fill in the blanks that people seem to be asking for? There's no reason to hide anything.


Because to me, this just looks like social engineering. Catfishing, some would call it.

The amount of dead sweet ssd you went through alone makes me want to cry...
Comments like this merely affirm my thinking. You're alluding to a private conversation in public. Why, exactly? Doesn't seem to be any other reason other than a lack of testosterone if you're being honest.
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
You're alluding to a private conversation in public. Why, exactly? Doesn't seem to be any other reason other than a lack of testosterone if you're being honest.

Because dead 850 pros make baby jesus cry.

That said, I'll really let my client be the judge of if I have said a little or a lot, thanks.

I've also been collecting viral samples and have absolutely no doubt that he is infected.
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
ROFL. Triggered. I really wondered if you'd take that tack, but you did, and I'm happy.

Conspiracy confirmed.

So have fun.

Helping a client with computer malware issues is a conspiracy now?

I mean, yeah, he pays me when I fix it we agreed on that. Is that a conspiracy? I don't think it's much of one. If it is...

...

I guess I love me a conspiracy. But I tend to refer to them as "jobs."
 
Joined
Feb 19, 2006
Messages
6,270 (0.94/day)
Location
New York
Processor INTEL CORE I9-9900K @ 5Ghz all core 4.7Ghz Cache @1.305 volts
Motherboard ASUS PRIME Z390-P ATX
Cooling CORSAIR HYDRO H150I PRO RGB 360MM 6x120mm fans push pull
Memory CRUCIAL BALLISTIX 3000Mhz 4x8 32gb @ 4000Mhz
Video Card(s) EVGA GEFORECE RTX 2080 SUPER XC HYBRID GAMING
Storage ADATA XPG SX8200 Pro 1TB 3D NAND NVMe,Intel 660p 1TB m.2 ,1TB WD Blue 3D NAND,500GB WD Blue 3D NAND,
Display(s) 50" Sharp Roku TV 8ms responce time and Philips 75Hz 328E9QJAB 32" curved
Case BLACK LIAN LI O11 DYNAMIC XL FULL-TOWER GAMING CASE,
Power Supply 1600 Watt
Software Windows 10
the direction the thread is going is starting to turn sour....bummer!
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
the direction the thread is going is starting to turn sour....bummer!

I'm sorry for that. I'm keeping it to technical posts from here. Update likely this evening.

EDIT: Furthermore, sorry for biting your head off Dave. I let my pride here get the better of me.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.58/day)
Location
Republic of Texas (True Patriot)
System Name PCGOD
Processor AMD FX 8350@ 5.0GHz
Motherboard Asus TUF 990FX Sabertooth R2 2901 Bios
Cooling Scythe Ashura, 2×BitFenix 230mm Spectre Pro LED (Blue,Green), 2x BitFenix 140mm Spectre Pro LED
Memory 16 GB Gskill Ripjaws X 2133 (2400 OC, 10-10-12-20-20, 1T, 1.65V)
Video Card(s) AMD Radeon 290 Sapphire Vapor-X
Storage Samsung 840 Pro 256GB, WD Velociraptor 1TB
Display(s) NEC Multisync LCD 1700V (Display Port Adapter)
Case AeroCool Xpredator Evil Blue Edition
Audio Device(s) Creative Labs Sound Blaster ZxR
Power Supply Seasonic 1250 XM2 Series (XP3)
Mouse Roccat Kone XTD
Keyboard Roccat Ryos MK Pro
Software Windows 7 Pro 64
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
The management engine held on to the bitter end refusing downgrades or removal... but my claims of infection there were seemingly unfounded (was an odd version but the firmware is signed by Intel so infection is kinda hard to do, probably legit). It seems we have cleansed the machine. MadBrit is reinstalling now. So far, so good.

EDIT:

Ok, we're infected again. It took a long long time to come up to full speed but there you have it.

I'm going to have him send me the board for a hardware dump and reflash via SPI. I don't think we can get on fair footing with a malware UEFI calling the shots like this.
 
Joined
Mar 23, 2016
Messages
4,839 (1.64/day)
Processor Ryzen 9 5900X
Motherboard MSI B450 Tomahawk ATX
Cooling Cooler Master Hyper 212 Black Edition
Memory VENGEANCE LPX 2 x 16GB DDR4-3600 C18 OCed 3800
Video Card(s) XFX Speedster SWFT309 AMD Radeon RX 6700 XT CORE Gaming
Storage 970 EVO NVMe M.2 500 GB, 870 QVO 1 TB
Display(s) Samsung 28” 4K monitor
Case Phantek Eclipse P400S (PH-EC416PS)
Audio Device(s) EVGA NU Audio
Power Supply EVGA 850 BQ
Mouse SteelSeries Rival 310
Keyboard Logitech G G413 Silver
Software Windows 10 Professional 64-bit v22H2
Did you at least manage to disable ME other than what's needed on POST?
 
Joined
Sep 10, 2016
Messages
809 (0.29/day)
Location
Riverwood, Skyrim
System Name Storm Wrought | Blackwood (HTPC)
Processor AMD Ryzen 9 5900x @stock | i7 2600k
Motherboard Gigabyte X570 Aorus Pro WIFI m-ITX | Some POS gigabyte board
Cooling Deepcool AK620, BQ shadow wings 3 High Spd, stock 180mm |BQ Shadow rock LP + 4x120mm Noctua redux
Memory G.Skill Ripjaws V 2x32GB 4000MHz | 2x4GB 2000MHz @1866
Video Card(s) Powercolor RX 6800XT Red Dragon | PNY a2000 6GB
Storage SX8200 Pro 1TB, 1TB KC3000, 850EVO 500GB, 2+8TB Seagate, LG Blu-ray | 120GB Sandisk SSD, 4TB WD red
Display(s) Samsung UJ590UDE 32" UHD monitor | LG CS 55" OLED
Case Silverstone TJ08B-E | Custom built wooden case (Aus native timbers)
Audio Device(s) Onboard, Sennheiser HD 599 cans / Logitech z163's | Edifier S2000 MKIII via toslink
Power Supply Corsair HX 750 | Corsair SF 450
Mouse Microsoft Pro Intellimouse| Some logitech one
Keyboard GMMK w/ Zelio V2 62g (78g for spacebar) tactile switches & Glorious black keycaps| Some logitech one
VR HMD HTC Vive
Software Win 10 Edu | Ubuntu 22.04
Benchmark Scores Look in the various benchmark threads
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
Did you at least manage to disable ME other than what's needed on POST?

Nope.

And given it's come back, it is again a suspect area.

This shit is unreal, frankly. It does not play fair on any level. Short of an external programmer, there can be no victory.
 
Joined
Mar 23, 2016
Messages
4,839 (1.64/day)
Ah ok, didn't see the edit you appended to your one post even though I scrolled up earlier.
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
Ah ok, didn't see the edit you appended to your one post even though I scrolled up earlier.

If @W1zzard is ok I can start posting technical evidence of the malware here in the form of infected UEFI DXEs, PEIs and such. I just don't know if it's a good idea seeing as it's relatively easy to inject BIOS modules and many of them can/could be abused, possibly even on other boards.

If anyone wants to help me on something that could really prove something, I need a stock, known uninfected Intel Management Firmware region file version 11.8.50.3399 to compare to his.

There appears to be one from Lenovo but it is completely locked down by a device specific exe and unextractable.

https://support.lenovo.com/us/en/downloads/ds501133

EDIT: Found one from a Gigabyte board, the Z370 Aorus Gaming 7, BIOS F4. Extracted the stock region version 11.8.50.3399 and working on a comparison now.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.58/day)
If @W1zzard is ok I can start posting technical evidence of the malware here in the form of infected UEFI DXEs, PEIs and such. I just don't know if it's a good idea seeing as it's relatively easy to inject BIOS modules and many of them can/could be abused, possibly even on other boards.

If anyone wants to help me on something that could really prove something, I need a stock, known uninfected Intel Management Firmware region file version 11.8.50.3399 to compare to his.

There appears to be one from Lenovo but it is completely locked down by a device specific exe and unextractable.

https://support.lenovo.com/us/en/downloads/ds501133

He needs to do security hardening then, purge all other systems off the network, replace his modem and router, request a new IP address, update firmware of modem and router, add a hardware firewall if possible.

If @W1zzard is ok I can start posting technical evidence of the malware here in the form of infected UEFI DXEs, PEIs and such. I just don't know if it's a good idea seeing as it's relatively easy to inject BIOS modules and many of them can/could be abused, possibly even on other boards.

If anyone wants to help me on something that could really prove something, I need a stock, known uninfected Intel Management Firmware region file version 11.8.50.3399 to compare to his.

There appears to be one from Lenovo but it is completely locked down by a device specific exe and unextractable.

https://support.lenovo.com/us/en/downloads/ds501133

EDIT: Found one from a Gigabyte board, the Z370 Aorus Gaming 7, BIOS F4. Extracted the stock region version 11.8.50.3399 and working on a comparison now.

Here's some info that might help.

https://hothardware.com/news/resear...-off-intel-management-engine-11-thanks-to-nsa

https://www.csoonline.com/article/3...able-intel-me-backdoor-thanks-to-the-nsa.html

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
He needs to do security hardening then, purge all other systems off the network, replace his modem and router, request a new IP address, update firmware of modem and router, add a hardware firewall if possible.

Here's some info that might help.

https://hothardware.com/news/resear...-off-intel-management-engine-11-thanks-to-nsa

https://www.csoonline.com/article/3...able-intel-me-backdoor-thanks-to-the-nsa.html

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html?m=1

I've tried all the me_cleaner based techniques already. It's using an Intel anti-downgrade feature to refuse all flashes to the ME region from UEFI.
 

eidairaman1

The Exiled Airman
Joined
Jul 2, 2007
Messages
40,435 (6.58/day)
I've tried all the me_cleaner based techniques already. It's using an Intel anti-downgrade feature to refuse all flashes to the ME region from UEFI.

I heard the IME is built into the CPU/PCH. If it was a separate chip on the board, too bad there is no way of tricking the CPU/PCH into thinking it is there when it is not...
 
Joined
Aug 20, 2007
Messages
20,787 (3.41/day)
I heard the IME is built into the CPU/PCH. If it was a separate chip on the board, too bad there is no way of tricking the CPU/PCH into thinking it is there when it is not...

Built into the CPU die in latest revisions.

Anyhow, attaching a me-tools layout analysis of clean stock firmware vs his. Both identify as version 11.8.50.3399. Inside they are quite different. Note the versions.

[Attachment: versions.png]

The infected one is really 11.6.0.1126 inside, horrifically outdated, and most likely has sig level exploits that let them run code.

I'm going to start dumping and attempting to read the individual partitions. Need to compile MINIX's filesystem into my Linux server's kernel first I bet.

But bottom line: I think short of hardware killing the management engine, we'll never defeat this thing. So yeah, he needs to send it in.
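The two steps R-T-B describes above, pulling a known-good stock ME region of the same declared version and comparing it against the dump, then finding that the manifests inside carry a different version than the one the outside reports, can be reproduced as a first-pass triage script. The block below is an added example written for this thread; it is not R-T-B's tooling, not ME Analyzer, and not Intel code. It assumes the `$MN2` manifest layout used by public ME-analysis tools (the tag at header offset 0x1C, then major/minor/hotfix/build as four little-endian u16 at header offset 0x24); treat that offset as an assumption and confirm it against a real analyzer before relying on the numbers. The sample images are constructed in the block itself so it runs offline: a "stock" image whose manifests all say 11.8.50.3399 and a "suspect" image whose first manifest says 11.8.50.3399 but whose second says 11.6.0.1126, mirroring the mismatch in the post.

```python
"""Triage two Intel ME region dumps: chunk-level diff plus $MN2 manifest versions.

Added example for this thread, not the poster's tool. The $MN2 offsets below are
an assumption taken from public ME-analysis tooling; verify before trusting them.
"""
import hashlib
import struct

MN2_TAG = b"$MN2"
MN2_TAG_OFFSET = 0x1C       # assumed: tag position inside the manifest header
MN2_VERSION_OFFSET = 0x24   # assumed: major, minor, hotfix, build (4 x u16 LE)


def manifest_versions(image: bytes):
    """Return [(header_offset, 'major.minor.hotfix.build'), ...] for every $MN2 tag."""
    found = []
    pos = image.find(MN2_TAG)
    while pos != -1:
        hdr = pos - MN2_TAG_OFFSET
        if hdr >= 0 and hdr + MN2_VERSION_OFFSET + 8 <= len(image):
            major, minor, hotfix, build = struct.unpack_from(
                "<4H", image, hdr + MN2_VERSION_OFFSET)
            found.append((hdr, f"{major}.{minor}.{hotfix}.{build}"))
        pos = image.find(MN2_TAG, pos + 1)
    return found


def distinct_versions(image: bytes):
    """A consistent image yields one version; a mixed image yields several."""
    return sorted({v for _, v in manifest_versions(image)})


def chunk_diff(stock: bytes, suspect: bytes, chunk: int = 4096):
    """Return [(offset, sha256(stock chunk)[:16], sha256(suspect chunk)[:16])]
    for every chunk that differs, so the analyst knows where to look first."""
    diffs = []
    for off in range(0, max(len(stock), len(suspect)), chunk):
        a, b = stock[off:off + chunk], suspect[off:off + chunk]
        if a != b:
            diffs.append((off,
                          hashlib.sha256(a).hexdigest()[:16],
                          hashlib.sha256(b).hexdigest()[:16]))
    return diffs


def compare(stock: bytes, suspect: bytes, chunk: int = 4096):
    """Bundle both checks: declared versions inside each image and the differing chunks."""
    return {
        "stock_versions": distinct_versions(stock),
        "suspect_versions": distinct_versions(suspect),
        "differing_chunks": chunk_diff(stock, suspect, chunk),
    }


def build_sample(manifests, size: int = 0x8000) -> bytes:
    """Constructed sample image (not a real dump): 0xFF fill with a minimal
    $MN2 header placed at each (header_offset, (major, minor, hotfix, build))."""
    img = bytearray(b"\xff" * size)
    for hdr, version in manifests:
        img[hdr + MN2_TAG_OFFSET:hdr + MN2_TAG_OFFSET + 4] = MN2_TAG
        struct.pack_into("<4H", img, hdr + MN2_VERSION_OFFSET, *version)
    return bytes(img)


if __name__ == "__main__":
    # Constructed: stock region consistently 11.8.50.3399; suspect region
    # advertises 11.8.50.3399 up front but carries 11.6.0.1126 deeper inside.
    stock = build_sample([(0x1000, (11, 8, 50, 3399)), (0x3000, (11, 8, 50, 3399))])
    suspect = build_sample([(0x1000, (11, 8, 50, 3399)), (0x3000, (11, 6, 0, 1126))])
    report = compare(stock, suspect)
    print("stock versions:  ", report["stock_versions"])
    print("suspect versions:", report["suspect_versions"])
    for off, ha, hb in report["differing_chunks"]:
        print(f"chunk @0x{off:06x} differs: stock {ha} vs suspect {hb}")
```

On a real dump, feed `compare()` the vendor-extracted stock region and the SPI dump (read with an external programmer, as the thread ends up doing, not through the running UEFI). A clean board should give one distinct version in both images and few or no differing chunks beyond data partitions that legitimately change; a suspect region that lists more than one version, or differs in the code partitions, is the evidence to hand to a full ME analyzer rather than proof on its own.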
 