Recent Posts

1
Hi linuxc128,

You are welcome.
Good luck with the investigations.

Regards.
2
Quote
Hi linuxc128,

KernelMode and Windows Sysinternals forums are more technical but less populated than BleepingComputer.
You can give them a chance.

Regards.

Thanks, this might be an advisable try indeed. I analyzed that the ACPI code's execution also compromises any Linux system, but I'd need to spend a considerable amount of time on doing kernel debugging to analyze how it does so in detail.

Actually I think that this technology / 'spyware' would be interesting for blackhat.com as well.


Kind regards
3
Hi linuxc128,

KernelMode and Windows Sysinternals forums are more technical but less populated than BleepingComputer.
You can give them a chance.

Regards.
4
Hi linuxc128,
Quote
As you stated, RogueKiller is not designed to take care of such threats as firmware rootkits.
If you think Microsoft Community Forum won't help you, you can give BleepingComputer Security forum a try: https://www.bleepingcomputer.com/forums/f/79/security/

Regards.

I doubt that the people at BleepingComputer Security have the knowledge/skill to analyze or even give advice on how to remove or prevent the system's manipulation performed through an internet connection in this case.


Anyway, kind regards
5
Hi linuxc128,
Quote
As you stated, RogueKiller is not designed to take care of such threats as firmware rootkits.
If you think Microsoft Community Forum won't help you, you can give BleepingComputer Security forum a try: https://www.bleepingcomputer.com/forums/f/79/security/

Regards.
6
What would be a good place to ask about this kind of (obviously quite sophisticated) 'malware' then?

Since you referred to the support ticket (which I won't quote without permission of course), I will just quote my reply on it as a reference:

Quote
Hello,

the GMER report does not include false positives (I know how GMER works, by the way). I analyzed all the files found by GMER using IDA Pro (you can find the according files in my shared Dropbox folder) to verify this by looking up the suspicious thread start addresses shown by GMER.

An alteration of firmware can be easily (and in a more difficult way, if you spend more time on doing so) detected: 1) The results of FirmwareTestSuiteLive (see attachment) should speak for themselves. 2) I extracted and disassembled the ACPI code of different systems I am / was using (based on totally different hardware), and the execution of this ACPI code on a Cuckoo Sandbox running a Windows guest always led to exactly the same result which it shows for the system I'm currently using, and which also speaks for itself:
https://malwr.com/analysis/ZTQ4YjNmZDVlZWY0NGQ1YmEzZjZlYmFmMjk3MjljZjY/

By "speaking for themselves" I mean e. g. (only mentioning one example for each section, other entries could be used as examples demonstrating this as well):
1) Deployment of "C:\WINDOWS\system32\xpsp3res.dll" (you may Google for this entry, which you will find on various malware and on some Russian hacker sites)
2) Creation of registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESPECT_OBJECTSAFETY_POLICY_KB905547" (Google finds only malware entries for this)
3) Creation of the mutex "Global\Groove.Mutex.SystemServices.GlobalLock" (Google finds two links referring to malwr.com and one link referring to https://github.com/cryptostorm-dev/cstorm_httpeeek.vuln.party/blob/master/agorahighway/malwr_scan/mutex.txt)

Yes, I don't think that RogueKiller would be able to remove this firmware-based rootkit. I don't think that opening a thread on the Microsoft Community Forum would lead to anything, also since I already verified (e. g. by using the Volatility Framework) that the execution of this ACPI code compromises any Linux system as well (e. g. showing kernel hooks and a manipulation of the internal networking structure).
7
Hi linuxc128,

Welcome to Adlice.com Forum.
It's not really the right place for this kind of malware, please follow the instruction on your support ticket.

Regards.
8
[Update]
Extracted and disassembled ACPI code of my system:
https://www.dropbox.com/sh/qlhft889t6qek35/AAB7yVwNRY4p3sAeVlNDZxrAa?dl=0

Result of FirmwareTestSuiteLive: 154 firmware-related errors, including numerous ACPI code errors
https://pastebin.com/5yKTnepL

ACPI code errors also visible in dmesg output:
Code:
[   10.195355] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)
[   10.195496] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.195703] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.195944] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)
[   10.196243] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.200280] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.200591] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)
[   10.200723] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.200932] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.201253] input: HP WMI hotkeys as /devices/virtual/input/input7
[   10.201467] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)
[   10.201588] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.201769] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.201981] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)
[   10.202108] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
[   10.202302] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)
https://pastebin.com/uhhPU31v


... hopefully this will help to analyze this rootkit, since the ACPI code's execution is obviously the start of it all.
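As an added example (not part of the post above or of any Adlice tool), the following script parses dmesg lines of the kind quoted above and groups each "Field ... exceeds Buffer" error with the "Method parse/execution failed" lines that follow it into one failure chain (outermost ACPI method first, with the ACPICA status code), so repeated bursts can be counted instead of read one by one. The sample lines are a constructed subset of the quoted dmesg output; the chain/burst grouping is a heuristic of this example, not something the post describes.

```python
import re
from collections import Counter

# Constructed sample: a subset of the dmesg lines quoted in the post above.
SAMPLE_DMESG = [
    r"[   10.195355] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)",
    r"[   10.195496] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)",
    r"[   10.195703] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)",
    r"[   10.201253] input: HP WMI hotkeys as /devices/virtual/input/input7",
    r"[   10.201467] ACPI Error: Field [D128] at 1152 exceeds Buffer [NULL] size 160 (bits) (20160831/dsopcode-236)",
    r"[   10.201588] ACPI Error: Method parse/execution failed [\HWMC] (Node ffff8b77768baeb0), AE_AML_BUFFER_LIMIT (20160831/psparse-543)",
    r"[   10.201769] ACPI Error: Method parse/execution failed [\_SB.WMID.WMAA] (Node ffff8b77768bc050), AE_AML_BUFFER_LIMIT (20160831/psparse-543)",
]

# Outer shape of an ACPICA error line: timestamp, message, "(date/sourcefile-line)".
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+ACPI Error:\s+(?P<msg>.*?)\s+\((?P<src>\d+/[\w-]+)\)$")
# The two message kinds seen in the quoted output.
METHOD_RE = re.compile(r"^Method parse/execution failed \[(?P<method>[^\]]+)\] \(Node (?P<node>[0-9a-f]+)\), (?P<status>AE_\w+)$")
FIELD_RE = re.compile(r"^Field \[(?P<field>\w+)\] at (?P<bit>\d+) exceeds Buffer \[(?P<buf>\w+)\] size (?P<size>\d+) \(bits\)$")


def parse_acpi_error(line):
    """Return a dict for an 'ACPI Error' line, or None for any other dmesg line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "src": m["src"]}
    mm = METHOD_RE.match(m["msg"])
    if mm:
        rec.update(kind="method", method=mm["method"], node=mm["node"], status=mm["status"])
        return rec
    fm = FIELD_RE.match(m["msg"])
    if fm:
        rec.update(kind="field", field=fm["field"], bit=int(fm["bit"]), size=int(fm["size"]), buffer=fm["buf"])
        return rec
    rec.update(kind="other", message=m["msg"])
    return rec


def group_bursts(lines):
    """Split the log into bursts: a field error plus the method failures unwinding from it."""
    bursts, current = [], None
    for line in lines:
        rec = parse_acpi_error(line)
        if rec is None or rec["kind"] == "field":   # unrelated line or a new root error ends the burst
            if current:
                bursts.append(current)
            current = [rec] if rec else None
            continue
        current = (current or []) + [rec]
    if current:
        bursts.append(current)
    return bursts


def summarize(bursts):
    """Count identical chains keyed by (outermost->innermost methods, status, root field error)."""
    counts = Counter()
    for b in bursts:
        chain = [r["method"] for r in b if r["kind"] == "method"]          # innermost is logged first
        root = next((f"{r['field']}@{r['bit']}>{r['size']}" for r in b if r["kind"] == "field"), "?")
        status = next((r["status"] for r in b if r["kind"] == "method"), "?")
        counts[(" -> ".join(reversed(chain)), status, root)] += 1
    return counts


if __name__ == "__main__":
    for (chain, status, root), n in summarize(group_bursts(SAMPLE_DMESG)).items():
        print(f"{n}x {chain} [{status}] root={root}")
```

Run it on the full `dmesg` output to see which AML methods and field accesses account for the errors; `journalctl -k` yields the same lines on systemd systems.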
9
Hello,

I bought a license for RogueKiller premium, so I contacted the Adlice support (who quickly answered me, thanks for this) regarding the spyware / rootkit on my system, which can't be removed by any software due to its design / implementation (see below) - I already spent a considerable amount of time on explaining this issue and reporting about the analysis I performed by myself so far within this correspondence, so I will just paste it (slightly modified) here, as it contains all relevant information.

As I wrote in my mail, any help with analyzing this obviously highly-advanced spyware / rootkit would be very appreciated.


Thanks in advance and kind regards

David


-----------------

Hello,

RogueKiller (Premium) found the attached rootkit activities, but it's unable to remove this rootkit. This quite sophisticated rootkit (I performed a lot of analysis by myself so far) also infected my system's ACPI code: I extracted the ACPI code and submitted it to malwr.com, where it gets executed on a Cuckoo Sandbox and then displays self-explaining results regarding the files, registry keys and mutexes which are created through this code's execution:
https://malwr.com/analysis/ZTQ4YjNmZDVlZWY0NGQ1YmEzZjZlYmFmMjk3MjljZjY/

Moreover GMER found specific compromised processes and self-explaining registry entries (which are not visible when using regedit).

I have already spent months of performing analysis work on this rootkit, which already compromised / manipulated five systems used by myself in exactly the same way - Also referring to the fact that the ACPI code extracted from these other systems used by me previously (which totally differ from each other, e. g. one of those systems is a Lenovo notebook, another one is an MSI PCI Mate Z97 mainboard, and the system I'm currently using is an HP desktop computer) led to the same results when executed in a Cuckoo Sandbox (a virtualized environment).

This technology also compromised every Linux system I installed so far (which I was able to notice by various facts: analyzing the traffic, performing an analysis using the Volatility Framework, running FirmwareTestSuiteLive, simply watching which files are being created after having installed the system and the next start before establishing any online connection, etc.), and I could honestly imagine that this is the most sophisticated rootkit / spyware you may have seen so far.

Please feel free to take a look at some excerpts of the analysis I performed on Windows (including GMER results and disassemblings you can import using IDA Pro - maybe it would be particularly interesting to perform a further analysis of the files deployed by the execution of the ACPI code (see my last mail), since this is the starting point of it all):
https://www.dropbox.com/sh/rt1jghrvsbchqxd/AAAOjLeMEQrCldYlogWZZoJea?dl=0

I did an analysis using the Volatility Framework for Windows before as well, which also showed numerous kernel hooks etc.


Of course I tried to get rid of this by flashing the BIOS, but this can't work for at least three reasons: 1) It would be ridiculous to assume that a sophisticated rootkit like this one won't prevent its own removal by infecting other firmware components as well (e. g., I found out that the graphics card's firmware is corrupted as well - FirmwareTestSuiteLive found almost 150 firmware errors, which is pretty amazing) 2) For the same reason it will at least try to prevent that the part of the BIOS where the ACPI code is stored gets overwritten, which is trivial if the BIOS update can only be started from Windows 3) [I talked about this topic with a developer working on the LibreBoot project, before that I was not aware of this fact] Certain regions of the BIOS won't get overwritten when flashing it anyway, depending on the BIOS.

Therefore, since this technology ensures its persistence through its multi-redundant firmware-based approach, it will be absolutely impossible to remove it.


Another interesting aspect is the fact that any new system I bought so far immediately got compromised / manipulated as soon as I established an online connection, so I guess that my systems immediately get compromising software / software updates via spoofing. Assuming that only my router would be compromised, I might be able to solve this by finding a place where I could ensure that I could get non-compromised OpenWrt firmware, and then hoping that it would be possible to configure an absolutely secured OpenWrt router (which would be pretty difficult considering the fact that the same happens when using Linux systems, where software updates are GPG-signed) - But if it's not my router but the upstream device, then only going via TOR might prevent spoofing (I once discussed this issue with another IT security expert and we both came to the conclusion that even VPN connections can get spoofed, but TOR connections 'probably' not due to the design of the network structure).


I would really appreciate it if you could support me in analyzing this technology. I assume that I'm not the only individual being affected by this, and I must admit that despite my deep frustration about not being able to get rid of this, I'm - being an IT guy since my early youth - quite amazed by the professionalism of this technology. And although many disassembled symbol names etc. speak for themselves (despite the traffic I see when running Wireshark or tcpdump), I wonder how the interaction of all this works in detail.
10
Hi lairdof,

Welcome to Adlice.com Forum.
Could you please attach the RogueKiller full report with your next reply?

Regards.