Digitalis Posted November 16, 2014

I have found 2 other people with the same type of persistent infection: https://forum.truecrypt.ch/t/truecrypt-helped-me-catch-nsa-firmware-backdoor/421/8

As the infection is at the firmware level, below the OS layer, it works with all OSes, and is not necessarily detectable by file scanning. Also, if the malware code resides in the CD-ROM firmware, the hard disk firmware, and the BIOS, it's difficult to flash without reinfection from the still-infected parts. Those who believe this is not possible should jump straight to the reference section and read those. I believe this can soon be a huge problem, thus we should seek to solve it.

These are the main symptoms of this infection:
Booting the PC now takes 3 to 10x longer, probably caused by malware in the BIOS.
Windows 7 disc install on a wiped hard disk: acts weird and hangs for a long time during install, and ends up saying the disk is not bootable and that Windows can't be installed on this disc (even though it is recognized by Windows and in the BIOS).
When trying a fresh install of Linux Mint, the disk is reported as faulty by Linux.
The disk is reported to be healthy when scanning the disk for errors and using SMART.

Here is what I believe happened to my system: My Win 7 64 install became infected by a game trainer that used an exploit to gain root/admin privileges; it rewrote the bootloader code and/or hard disk firmware, so that at the next boot it could infect the BIOS by reflashing it with hostile code. So far neither flashing the BIOS with a fresh image from MSI, nor wiping the disk including the MBR, has had any effect; the infection still persists. I also ran a full memory test on the RAM and it's healthy.

Anyone have ideas on how to fix this? Anyone else with this problem?

Here is what I will try:

BIOS: Test if the BIOS is compromised with Copernicus.
Computerzz helper: Copernicus MITRE BIOS Security
See if repeated BIOS flashing from a CD can clean it. If it gets clean and then gets infected after booting a RAM boot OS, then some other device firmware is infected, like the CD-ROM; if not, then it's clean.

Hard disk: Use Hitachi's disk erase tool on the MBR and disk. The "Secure erase", a function built into modern ATA hard drives. https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
Send the disc back to Hitachi for firmware flashing.

This is the only known solution I've heard of: "The only way to get rid of the malware is to shut down the computer and manually reflash every peripheral, a method that is impractical for most users because it requires specialized equipment and advanced knowledge." Researcher creates proof-of-concept malware that infects BIOS, network cards | Computerworld

References; Persistent infections:
Hard disk firmware malware: http://s3.eurecom.fr/~zaddach/docs/Recon14_HDD.pdf
USB firmware malware: Ironkey | Blog : Standing Room Only: BadUSB at Black Hat
BIOS firmware malware: http://www.coresecurity.com/files/attachments/Persistent_BIOS_Infection_CanSecWest09.pdf
Meet incident response - Malware that can survive BIOS re-flashing - Information Security Stack Exchange
#badBIOS | Security Art Work
PCI firmware: Proof-of-concept BIOS malware can hide in PCI firmware - FierceCIO:TechWatch
http://www.toucan-system.com/research/blackhat2012_brossard_hardware_backdooring.pdf
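A check to go with the "flash the BIOS, then re-test" plan in the post above (added example code, not from the thread, from Copernicus or from MSI): once you can read the flash contents back (Copernicus dumps the BIOS; flashrom is another tool that does) and have the vendor's image file for the board, compare the two byte by byte and group the differences into clusters. A small cluster in one spot is what a board's settings/NVRAM area normally produces; differences scattered through the rest of the image are what you would have to explain. The two sample images below are constructed inline so the script runs as-is; no file names are assumed.

```python
"""Compare a dumped BIOS image against the vendor's image, region by region.

Added example, not the thread's or any tool's own code. Constructed sample
images stand in for a real dump and a real vendor file.
"""
from __future__ import annotations


def diff_regions(dump: bytes, vendor: bytes) -> list[tuple[int, int]]:
    """Return half-open byte ranges [(start, end), ...] where the images differ.

    A size mismatch raises: a dump that is not the same size as the vendor
    image cannot be compared offset-for-offset and needs explaining first.
    """
    if len(dump) != len(vendor):
        raise ValueError(f"size mismatch: dump={len(dump)} vendor={len(vendor)}")
    regions: list[tuple[int, int]] = []
    start: int | None = None
    for i, (a, b) in enumerate(zip(dump, vendor)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(dump)))
    return regions


def summarize(dump: bytes, vendor: bytes, cluster_gap: int = 64) -> dict:
    """Merge regions closer than cluster_gap bytes and report totals."""
    regions = diff_regions(dump, vendor)
    clusters: list[tuple[int, int]] = []
    for s, e in regions:
        if clusters and s - clusters[-1][1] <= cluster_gap:
            clusters[-1] = (clusters[-1][0], e)
        else:
            clusters.append((s, e))
    return {"differing_bytes": sum(e - s for s, e in regions),
            "clusters": clusters, "identical": not regions}


# Constructed sample: a 1 KiB "vendor" image and a "dump" with one small
# cluster of changes near the start and one lone changed byte further in.
SAMPLE_VENDOR = bytes(range(256)) * 4
_d = bytearray(SAMPLE_VENDOR)
for _off in (10, 11, 12, 20, 900):
    _d[_off] ^= 0xFF
SAMPLE_DUMP = bytes(_d)

if __name__ == "__main__":
    print(summarize(SAMPLE_DUMP, SAMPLE_VENDOR))
```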
svl7 Posted November 16, 2014

While persistent BIOS malware is technically possible, it is for many reasons highly unlikely that this is what happened to your system (e.g. the attack would have to be written especially for your hardware). A slow boot is much more likely to be caused by hardware failure, or messed-up firmware settings; e.g. if you previously used a UEFI installation combined with optimized fast boot settings vs a legacy installation now, a 3 - 10x longer boot time would be perfectly normal. What's your hardware setup at the moment?
Digitalis Posted November 17, 2014

Thank you for taking an interest in this case svl7, I know you are one of the brightest minds around, that's comforting. My setup is:
Win: MSI Global B85-G41 PC Mate
CPU: Intel i5-4670 3.7GHz
16GB RAM
CD-ROM
Titan GPU

I was finally able to install Windows on one of the "infected" drives after wiping it (both MBR and disk) with the manufacturer's (HGST) special software. I thought everything might be back to normal, but I soon discovered that it was still infected, as the Windows install took ages, and the reboot time into Win 7 Professional takes 15 minutes (that's probably 12 minutes extra), and when Windows finally has started up, the virus has cleverly disabled the services needed to run as administrator. This is on a totally clean install on a thoroughly wiped disc, so I conclude that these symptoms suggest a persistent infection, most likely in the BIOS, but also possibly in the hard-disk firmware, or CD-ROM firmware. I have a PhD in AI programming on the GPU, so I'm not a total novice, but this case makes me feel like a noob, thus I really appreciate any ideas / help. I know that a persistent firmware infection is highly unlikely and very rare, but it is the only explanation I have for why my brand new hardware, that used to work great, is now slow as hell with strange bugs and behaviour; the newly installed Win 7 Professional 64 is too slow and buggy to use, it barely boots up.
svl7 Posted November 22, 2014

A slow Windows installation does not hint at infected firmware, neither does a slow boot time. I don't know why, but for some reason you seem to be convinced that your system is infected by one of the most complex malware types that could possibly exist, even though other explanations exist and are much more likely. Before I can continue discussing your system being infected by such a kind of malware you need to deliver some proof, else it's all a big waste of time. Just stating or assuming things as one likes is simply not constructive; keyword here is also Russell's teapot.
cancerman Posted December 2, 2014

Sounds more like a rootkit infecting the 100MB System Reserved partition. Those will try to get in under a new OS install. You should run Diskpart from your Windows 7 CD. Figure out which disk your HD is and clean it:

list disk
select disk #
clean

Then you can reboot from the DVD and reinstall. If you're still infected after that, tell us what adult sites you visit so we can all stay away from them.
mw86 Posted December 4, 2014

As Cancerman states:

To clean a partition while booted to Windows (not the boot drive) (for a boot drive you will need the Windows 7 install disk or Windows disk etc. for your edition of Windows, and after cleaning will need a clean installation of Windows):

Open Command Prompt as Admin.
Type "diskpart", hit enter.
Type "list disk", hit enter.
Read the disks and numbers; based on capacity and how they show in Computer Management you should know which the target disk is. Note the #.
Type "select disk X" and hit enter, where X is the numeral of the disk.
Type "clean", hit enter, and accept if prompted.
Type "exit" and hit enter after it said cleaning was successful.
Close Command Prompt with the X or type "exit", hit enter.
Helios747 Posted February 25, 2015

I can probably tell you right now, you don't have BIOS malware. BIOS malware is such a PITA to write and only affects ONE board with probably ONE BIOS revision; it's not worth it for any hacker to do unless they're targeting somebody specifically. If they were, they're probably not targeting Joe Smith's home PC.