GTX 1070 Firmware Overwritten by Malware - Unable to Reset

[lexluthermiester]

But it certainly hasn't been my favorite case either.

Easily understood.

 

[juiseman]

Sounds like this guy went dark after the 2nd attack. I think I would do the same. Sounds like he reached out to have a "paper trail" of events too protect himself and his family. It looks like he had noticed this issues around or before March 2018; based on his post he shared at the beginning of this thread. I'll take a guess; but I don't think he will make contact again. I know I would not. I wouldn't have an issue moving too a remote location in the mountains or nice beach with white sand Beach, clear water and say f#%/ computers and modern conveniences. ...sounds great IMOP.....

 

[hat]

At this point it sounds like he needs a new identity. Physically move, get new hardware, new ISP, and return to the internet as someone else. If it were me, "hat" might disappear, and later return as someone else, of course never alluding to the fact that I used to be hat. With no common identifiers to my old identity, might be safe from such targeted attacks.

 

[SamirD]

Unreal! Makes me want to rip the cable modem out of the wall, cut my power and light a fire in the living room and throw everything electronic in it!

This is seriously the next level, and it's on purpose. People will take the power and money because there's connections to the outside world that allow them to.

I wonder how much just cutting (literally) the internet and removing all batteries/not charging cell phones would really defend in such an attack?

 

[R-T-B]

Sounds like this guy went dark after the 2nd attack. I think I would do the same. Sounds like he reached out to have a "paper trail" of events too protect himself and his family. It looks like he had noticed this issues around or before March 2018; based on his post he shared at the beginning of this thread. I'll take a guess; but I don't think he will make contact again. I know I would not. I wouldn't have an issue moving too a remote location in the mountains or nice beach with white sand Beach, clear water and say f#%/ computers and modern conveniences. ...sounds great IMOP.....

This is actually what I suspect happened. Maybe not full out "go to a remote place somewhere" but at least he cut of his digital device life completely. I wouldn't blame him frankly.

The thing is, if it was targeted, they may not stop at network attacks. I wish him the best and hope things don't get ugly for him. He seemed like a nice guy from my interactions with him who just had a lot of frustration.

 

[robot zombie]

Yeah... this all gives me the creeps, especially as I help my parents tighten down after their recent savings account breach. Money is safe - still looking into the status of my mom's identity, though. Bank isn't giving details about how the breach occurred other than "Your computer was hacked." My non-technically-inclined parents picture some master hacker typing away as he scours their hard drive and instantaneously plucks every bit of sensitive info from betwixt all of the ones and zeros - just like that, as though he is literally on their PC watching every single thing they do, while I kind of laugh to myself at how ridiculous that image is, knowing what I do about how security generally works and what likely actually happened - I can look at her habits and see where she had low-hanging fruit. I like to think I know well enough how these things tend to go in reality, so the idea of the aforementioned scenario and what's shown in this thread just sounds so far beyond out there. You instinctively dismiss it as something that only happens in b-list sci-fi and look to a more "realistic" approach. "Haha, what? Oh no, it's nothing like that..."

But then... seeing that stuff like this is even possible at all (like, not just as a demonstrable theory but in the wild) really makes you think about how little you actually know and how much you may be taking for granted. I guess sometimes it really is like in the movies The precedent stuff like this sets is actually kind of staggering. It shouldn't be possible, but then you start thinking about it and you realize it's merely improbable...

Usually, you think you just carry out the best practices you can in the most effective/practical way, consider the possibilities, adopt proper measures, and that's "enough." Maybe it doesn't cover everything but the chances are slim enough not to worry, for you, anyway. Your bases are covered - your level of protection is limited only by how far you are willing to go. You assume it is generally possible to go further than would be worth going for someone who wants what you have. Or at least it would be so impractical as to be unattainable by anyone other than a mad genius.

And if there is a breach, you figure it will at least be containable once identified, even if data is lost/surrendered before you regain control. Sometimes it gets involved, but you whittle it down and find it. You then pick up the pieces, re-adapt, and move on. Who could ever expect to be held captive by it indefinitely? That's not supposed to be possible. I feel like you could present this story on paper as a potential scenario, describing it clearly and logically, step by step, in painstakingly minute detail, as a renowned expert, and even people who really understand this stuff would laugh and say you have a great imagination. Next you're gonna tell me it's following him around the world, or maybe into space!

It's just... like, in the general populous' general conception of tech there exists the concept of this magic key that someone with enough know-how can acquire and use to get total access or control. A doomsday virus. It dodges every counter-measure through undetectable means and wreaks havoc on major systems. It quickly takes hardware and makes junk out of it through unseen vectors. But the thing is, it's supposed to be symbolic!


The suspense is killing me. And chances are we may never know what really happened. What if it was something stupid or there's another side to the story? That almost seems less likely at this point, but not knowing how this has really been possible is a friggin gut-twister, man! Just... ...the requisites for pulling this off are pretty astronomical in my tiny head. And yet, here we have a pretty compelling story. I don't wanna say I don't believe it because I honestly don't know what to think. I think I don't want to believe it.

I guess if there's anything to this, we'll hear all about it eventually. Or maybe if things like this really are happening, that's precisely why we'll never know. On one hand, some things... one is better off not knowing, but sometimes seeing something terrible happen to someone else is the only way to prevent yourself from sharing their fate. Tough to know where the line is between being a cautious observer and an unwilling participant.

Regardless, it's a fascinating story. Deep down inside I really hope you hear from that guy again, R-T-B, though I understand very well why you would want to wash your hands of something like this. Much respect for actually delving in as much as you have and maintaining a good sense of ethics and personal responsibility. I think you've handled it better than the rest of us would have, if we'd even have touched it at all. I really appreciate you sharing your side of the story and doing all of the work you've done, and I'm sure I'm not alone there.

Just getting the thought out there makes a difference, yanno? I've been inspired to rethink my own security practices because of it, even knowing I will likely never be a target for anything even remotely like this. Maybe I'm being a little dramatic here... ...it's a craaazy story though! I'm sure the reality isn't quite as mysterious as it seems to us. But it really does make you wonder how things like this happen.

 

[hat]

I'll admit it has me wondering as well, what I can do to tighten things down. It'd be nice if there was some sort of guide somewhere... but anything I can find usually falls basics like changing your default router password and putting a password on your wifi, to doing more, less effective things like a mac filter, hiding the SSID, etc... all of which are easily sidestepped by anyone who would be trying to hack you, anyway.

 

[OutThereSomewhere]

I don't seem to be on anyone dangerous's radar right now at least. But it certainly hasn't been my favorite case either.

It just goes to show how easily malware can spread. I'm sure we'd all like to know how it ended up in his machine.
After your research has concluded will you be issuing a white paper regarding this by any chance?
(Or a book )

I'll admit it has me wondering as well, what I can do to tighten things down. It'd be nice if there was some sort of guide somewhere... but anything I can find usually falls basics like changing your default router password and putting a password on your wifi, to doing more, less effective things like a mac filter, hiding the SSID, etc... all of which are easily sidestepped by anyone who would be trying to hack you, anyway.

I've only had my personal details stolen once. That was when an online store here in the UK had their systems breached. Cheeky SOB's spent 2k on my credit card making purchases from that very store, then exchanged currencies that incurred a fee. No apologies from the store. The CC company quickly refunded me and that was that.
Now I do all I can security wise, from changing the router password regularly and making it as difficult as possible (This annoys my wife BTW) to breach, to changing my banking and other online account passwords on a regular basis. I'm not paranoid. It's all in the media. Some ignore it at their own peril then complain when they are hacked.

 

[juiseman]

Remember a few years back with all the Snowden leaks? the whole XKeyscore system? It was only 5 years ago but people are quick to forget....

https://www.reddit.com/r/news/comments/1jfcf8

What is funny is the few leaks that he released was data from 2008!!! 10 years ago!!!! I can only imagine what they are using now....lol....

That's when I finally realized that internet security is pretty much a joke. it really only keeps 75% of the population from
hacking your stuff or stealing your ID. I view that like simple door locks on your car. it keeps the average guy from breaking into your car basically as a "deterrent".

For example the professional thief; he knows several different ways to gets what he wants.
If there is something of value inside the car (or the maybe the car itself) those door locks are pretty laughable really.
Remember this; If someone wants something bad enough they will usually get it.

That's how I view so called "security" of online activity. You have to change your mindset too "everything I do may or may not be viewed or logged by a 3rd party"
Think of it as someone "could" have a keylogger installed when you login to your online bank account, or someone
"could" remote into your computer and see all that cracked software or porn from torrent sites....ect....
Any online activity should be assumed viewable or traceable by a 3rd party.

Think of this also, Google and many other search sites (Facebook included now) track your searches and which sites you visited so they can send you relative ads.
This has been going on probably 10 years (at least from my memory anyhow.)
Ironically, all of the sudden you get "relevant Ad's from Windows 10 pop up on your computer from sites you visited, online purchases...ect..
That is the very same thing a place of buisness selling your info to another company. Is that not supposed to be against the law?

 

[OutThereSomewhere]

Well said, I couldn't agree more. Until people are taught the security dangers this stuff will continue. Perhaps it should be taught in schools.

As for adverts popping up. Nope, non here. Not if you have a decent browser and ad blocking apps.
Windows 10 can be tamed a little. Not clearing cookies will allow you to be followed around unless you delete then as soon as your browser is closed.
But then again all efforts to keep safe can be broken with updates, then you're back to square one.
The list is endless.

I don't think there is a law against selling users data unfortunately. Perhaps we are all being profiled in one way or another.
From shopping habits, what movies you watch, to who you know. Information that was scarce before the PC's were introduced into the home.

 

[juiseman]

Yes, of course your'e correct; Windows can be tamed, and Ad blocks can be installed. I should have stated that by defuult alot of programs
and OS's have to be tweaked. The user has to go out of his way to remove cookies, empty browser cache, turn off reletive ads in windows setting
(Of which seems to change all the time, and I still can't remember where stuff is!!!!) and install a good 3rd party adblocker/remover.

https://www.businessinsider.com/facebook-gets-top-fine-ico-cambridge-analytica-data-breach-2018-10

lol...this is good. I have never liked Facebook anyways.

But its probably only a spank on the hand; they have DEEEP pockets; I have always thought that have ties to GOV.

I mean, think about it; what a concept. Millions of people voluntarily post everything about their lives with 100's of pictures and locations for almost everyone
to see. then share who thier family members are, where they live, where their from, who they hang around currently (and previously)where they go to school, where they hang out...ect...
As far as the "average Joe"; I doubt the NSA has to collect anything on us. We submit it for them.

 

[SamirD]

I mean, think about it; what a concept. Millions of people voluntarily post everything about their lives with 100's of pictures and locations for almost everyone
to see. then share who thier family members are, where they live, where their from, who they hang around currently (and previously)where they go to school, where they hang out...ect...
As far as the "average Joe"; I doubt the NSA has to collect anything on us. We submit it for them.

Yep, and at a resume and job seminar the head of HR of a company said to make sure you don't post anything you don't want anyone to see, even if it's private because ALL companies HR have back doors to see EVERYTHING. And this is just HR depts--your friendly gov will have much more ability to see stuff.

But it's funny because I don't think anyone could have developed such a brilliant system to spy on their citizens down to every minute detail--it's deviously genius.

 

[juiseman]

I know right??...Does anyone remember Myspace? was myspace first? or facebook first? I dont remember....that was like 14 years ago...lol.
I always liked Myspace better. It was more of like and ad for yourself to hook up with girls and such.
Good ol' times.....I remember my flip phone back then...
people make fun of those phones but the fact that they we not connected to the internet 5 different ways was sweet. simple 2 band phone 900Mhz/1900Mhz that
was it. you could get data on your black and white screen; but it was worse than dial up speeds..lol. but you could disable it.
The only way they could trace you was the good old "keep em on the phone for 45 sec so we can triangulate him by pinging off of 3 cell towers"

I was thinking about this; every new smart phone has Wi-Fi, Bluetooth, 4GLTE, Built-in GPS, and the regular Talk bands (CDMA or GSM)
That is 5 ways for anyone to track you down or find out what your doing. All of those protocols can be hacked!
We are all walking transmitters....

 

[SamirD]

Friendster and Myspace were the leaders in the time before fb, and once someone figures out that all they need is to be able to change the front end dynamically for any ui, there will only be one network that can look like any of the others--fb, yt, ig, blah, blah. All the data is in a database, and a lot of times it's the same data across different networks. If one network could look and function like any network--existing or not even made yet--it would be the only social network. If I knew how to program I would have already built this and killed fb and all the others with my site that looks like any one you want it to, all at a click. You'd never leave my site but basically would have your fb, yt, myspace, everything in one site, one place, one owner of ALL the data...mwahahahaha!

The early days of cell phones were definitely simpler, and they also worked better as phones. You didn't have to tap, press, swipe 10 different times just to dial a single number.

 

[OutThereSomewhere]

Yes, of course your'e correct; Windows can be tamed, and Ad blocks can be installed. I should have stated that by defuult alot of programs
and OS's have to be tweaked. The user has to go out of his way to remove cookies, empty browser cache, turn off reletive ads in windows setting
(Of which seems to change all the time, and I still can't remember where stuff is!!!!) and install a good 3rd party adblocker/remover.

I do the same. Lesson learned from using a PC in the early days of the internet.

https://www.businessinsider.com/facebook-gets-top-fine-ico-cambridge-analytica-data-breach-2018-10
lol...this is good. I have never liked Facebook anyways.

I'm surprised people were shocked by this. Didn't Snowden tell the world about this type of activity a few years ago?
Yep, I think he did. But then some have short memories and don't really care.

But its probably only a spank on the hand; they have DEEEP pockets; I have always thought that have ties to GOV.
I mean, think about it; what a concept. Millions of people voluntarily post everything about their lives with 100's of pictures and locations for almost everyone
to see. then share who thier family members are, where they live, where their from, who they hang around currently (and previously)where they go to school, where they hang out...ect...
As far as the "average Joe"; I doubt the NSA has to collect anything on us. We submit it for them

Agreed.
I've seen people air dirty laundry on Facebook many times as if others outside their circle aren't watching. Must make great entertainment for those who do.

 

[R-T-B]

I'm not really following this thread right now but I thought everyone would like to know my client is alive and well. He got in touch with me just tonight after setting up a honeypot of sorts with a wireshark monitor. He's hoping the net capture trafic will help his case with the FBI. I'm probably going to be sending him his things soon for said case. But at any rate, he wasn't eliminated or anything horrible, he just was taking some time letting his system do a "userfree run" for which to capture a lot of what this malware is doing.

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Hopefully it works out for him, but I'm largely uninvolved now. Thank you for everyones advice and lets hope something good comes of this whole saga.

 

[hat]

I'm not really following this thread right now but I thought everyone would like to know my client is alive and well. He got in touch with me just tonight after setting up a honeypot of sorts with a wireshark monitor. He's hoping the net capture trafic will help his case with the FBI. I'm probably going to be sending him his things soon for said case. But at any rate, he wasn't eliminated or anything horrible, he just was taking some time letting his system do a "userfree run" for which to capture a lot of what this malware is doing.

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Hopefully it works out for him, but I'm largely uninvolved now. Thank you for everyones advice and lets hope something good comes of this whole saga.

Thanks, let us know any updates when/if you hear...

 

[robot zombie]

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Honestly, given his situation... ...that's just a generally prudent way to operate. When this all started he had to know something was distinctly unusual, but he probably didn't anticipate the FBI investigation and everything else that has followed. I know if I had crap like that to deal with, I wouldn't even be talking to too many people I actually know about it, let alone strangers on the internet. Why expose yourself if you can avoid it? I mean... ...blabbing to people you don't know about a big problem with an unknown source is just... ...for me it wouldn't be a matter of paranoia or necessarily trust, just principle. It's not about whether anyone here even could have anything to do with anything. That would be a little silly. It's the idea of it. Not the best time to go putting yourself out there for no reason... ...not when you're already in a vulnerable position.

Seems like he's in good hands, and they seem to have given him good advice. I'm sure they'll get it figured out. And what a story that would be. Or maybe it wouldn't, hah. Crazy stuff. Here's hoping they've collected something good.

 

[RootnBoot/dev/null]

Sorry, if something really that sophisticated has attacked your computer, you'll just have to buy everything new again...

I have been dealing with a similar malware infection for several months... While i can actually flash the vbios and mb bios, or atleast i can go through the process which reports success.. But it does zero good. Ultimately what we are seeeing is not a piece of malware but a framework like metasploit for kali linux, only this is pieced together using many legitimate tools and files that have been repurposed. My extensive reading of logs, config files as well as plain text data located in many of the corrupt .dlls indicate something that is actively being developed, i wont go into the entire craziness that i have witnessed as this basically ate a brand new highend desktop and laptop as well as a handfull of old junk boxes i used to research and study. At the end of the day the reason it seems undefeatable is because it has corrupted the spi flash memory.. And therefore is god. The uefi bios is most likely being loaded from a repository thats been created in reported bad clusters on the hdds.. Which gives it space that isnt even looked at by anything, beyond that it runs a fuse file system on the hdds ensuring you will likely never access the real root directory... And in my case my os installs. are basically being virtualized... Turning my systwm into a vm ...

It was creating virtual raid array and utilizing gpu memory as a virtual hd in the array.

The motherboard will need to be rma'd and the spi reflashed along with the uefi bios, thwn fresh hd fresh install media and periphrials. The card SHOULD BE OK AT THAT POINT so says asus. Good luck.

 

[agent_x007]

Side question : Can this malware work on PC that doesn't support virtualisation or/and has non-UEFI MB (ie. Pentium 4 Prescott-1M [E0] or 1-st gen Core i7 with legacy BIOS) ?

 

[R-T-B]

Side question : Can this malware work on PC that doesn't support virtualisation or/and has non-UEFI MB (ie. Pentium 4 Prescott-1M [E0] or 1-st gen Core i7 with legacy BIOS) ?

Probably not this variant. But there are probably variants that can, if I were to guess.

 

[juiseman]

I have been dealing with a similar malware infection for several months... While i can actually flash the vbios and mb bios, or atleast i can go through the process which reports success.. But it does zero good. Ultimately what we are seeeing is not a piece of malware but a framework like metasploit for kali linux, only this is pieced together using many legitimate tools and files that have been repurposed. My extensive reading of logs, config files as well as plain text data located in many of the corrupt .dlls indicate something that is actively being developed, i wont go into the entire craziness that i have witnessed as this basically ate a brand new highend desktop and laptop as well as a handfull of old junk boxes i used to research and study. At the end of the day the reason it seems undefeatable is because it has corrupted the spi flash memory.. And therefore is god. The uefi bios is most likely being loaded from a repository thats been created in reported bad clusters on the hdds.. Which gives it space that isnt even looked at by anything, beyond that it runs a fuse file system on the hdds ensuring you will likely never access the real root directory... And in my case my os installs. are basically being virtualized... Turning my systwm into a vm ...

It was creating virtual raid array and utilizing gpu memory as a virtual hd in the array.

The motherboard will need to be rma'd and the spi reflashed along with the uefi bios, thwn fresh hd fresh install media and periphrials. The card SHOULD BE OK AT THAT POINT so says asus. Good luck.

WTF?? This is insane.

If what you are saying is true; this is some high level stuff.
I'm only saying that becuse of the time involved in making that type of "super" malware. Sounds like years too me.
And how would somwone get all the needed "spoof" firmwares? thats beyond my understanding.
It dosn't strike me as being created by a guy in his basement. It sounds pretty well thought out to me....

crazy stuff,

 

[R0H1T]

I would love to expand. All I can say without his permission is that the second attack was a sophisticated network based attack, using his modem as the bridge. And no matter what modem we replaced it with, it would happen again. It would then proceed to infect home devices. (We know this from a firewall netlog showing them contacting malware ips).

He basically shoveled money at this problem with no end in site. I don't think he'd disagree with that statement. It's part of why I couldn't work for him anymore: I couldn't take his money and gurantee success; he needed someone better skilled at network issues and able to "do the job right." I'm a firmware guy, it left that turf.

It was almost as if his home was cursed. I could remove devices from the premise, cure them via a hardware flash, and they'd remain fine. Put them back in his home and they'd not last 2 nights. Of course it wasn't cursed, it was just a repeatedly infected modem/router. I almost wonder if the cable end was compromised at the ISP's side... that's basically why I told him "call the FBI."

I haven't heard from him in over a month, which sucks because I want to send things of his to Symantec/other AV groups/the FBI but don't know if I have his permission. Some of the evidence consists of complete, untampered with drives, so I don't feel comfortable sending them without client permission since they contain a lot of his personal stuff surely.

Advice there appreciated, actually.

Plus, it's odd having a box of SSDs and thumb drives on the mantle labeled "INFECTED - DO NOT USE." It's not a good conversation piece when you can't say much: I'd be glad to be rid of it.

Alright, not to sound alarmist but do these guys also know about you ~ identity or existence? Was this a life threatening situation? I know you may not be in a situation to judge that but if it is, shouldn't you contact law enforcement or at least someone who can get closer to the truth?

Again, from the outside it seems a fair bit OTT for an avg Joe (your client) to deal with, but if it's indeed that deep down the rabbit hole it (the events) & you could be a part of our invaluable history.

edit ~ saw your last few comments, glad the situation's controlled atm.

 

[Atreides]

I'm just glad I was stoned when I started reading.

 

[FreedomEclipse]

I'm not really following this thread right now but I thought everyone would like to know my client is alive and well. He got in touch with me just tonight after setting up a honeypot of sorts with a wireshark monitor. He's hoping the net capture trafic will help his case with the FBI. I'm probably going to be sending him his things soon for said case. But at any rate, he wasn't eliminated or anything horrible, he just was taking some time letting his system do a "userfree run" for which to capture a lot of what this malware is doing.

As for him not logging in since whenever May, he told me that a few of you here scare him frankly and he doesn't trust the place as a whole. I'd hope he's humorously referring to mailman with that comment, but keep in mind he's understandably a little paranoid given his situation.

Hopefully it works out for him, but I'm largely uninvolved now. Thank you for everyones advice and lets hope something good comes of this whole saga.

I thought he might of found himself a Will Smith and become an Enemy Of The State.

In a few years time after this has cleared im sure he could write a book or a movie about it