Topic: Persistent malware, survives disk/SSD wipes

monisteren
« on: June 13, 2017, 01:08:14 pm »
Hey guys!

I have for a while been struggling with some persistent malware. I have been getting weird entries in the Rootkit/Malware tab in Gmer.

My Windows Update is affected: I'm limited in updates and am not able to fully update.
A lot of processes are hidden and it seems like the PC is giving false results regarding system usage, especially disk and memory usage.

I'm getting a lot of hard page faults and DPC spikes, especially if my mouse and keyboard have input (movement) simultaneously.

I have been using DBAN to wipe all disks, formatted them and reinstalled, but I keep getting infected. I have also used a live Linux CD to boot and used the dd command in the terminal to remove all MBR data.
My installation media is 100% legit. I have been testing on Windows 8.1 and Windows 10. All of the above-mentioned returns.

I have used every security tool out there without any luck!

If you look further into the system with tools like Autoruns, Process Hacker, Process Explorer, Process Monitor, you can see that something is wrong.

It seems like legitimate Windows services have been injected, and I have used x64dbg to debug some executables. I tried to attach to Explorer.exe and it seems to be hacked. But I don't know what to do from here.

At the moment I'm trying to study Windows internals and USB protocol so I can dig deeper.

I have been thinking that either my keyboard or my mouse is hiding a bootkit/rootkit via a BadUSB exploit.

If anyone wants to help me debug I can provide all information and I don't care if I lose any data or have to reformat, since I'm becoming quite desperate!

Any feedback would be awesome!
« Last Edit: June 13, 2017, 01:14:19 pm by monisteren »
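As an added example (not from this thread), a POSIX shell script that checks whether a DBAN/dd wipe like the one described above actually left a disk's boot structures zeroed. It inspects both ends of the disk, because a dd over the MBR alone leaves any GPT backup header in the last sectors untouched. The sample 4 MiB image it builds is constructed for the demonstration; `blockdev` is assumed to be available when the argument is a real block device.

```shell
#!/bin/sh
# Added example: check that a wipe really zeroed a disk's boot structures.
# A dd over the MBR alone leaves a GPT backup header in the last 33 sectors,
# so both ends of the disk are inspected. Works on a block device or raw image.

SECTOR=512
HEAD_SECTORS=2048   # first 1 MiB: MBR plus primary GPT header and table
TAIL_SECTORS=33     # last 33 sectors: backup GPT table and header

# Size in bytes of a block device (needs blockdev, assumed present) or a file.
size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# Exit 0 if $3 sectors starting at sector $2 of $1 contain only zero bytes.
sectors_are_zero() {
    nonzero=$(dd if="$1" bs="$SECTOR" skip="$2" count="$3" 2>/dev/null \
              | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Exit 0 only when both the head and the tail of $1 are zeroed.
verify_wiped() {
    total=$(( $(size_bytes "$1") / SECTOR ))
    [ "$total" -gt $((HEAD_SECTORS + TAIL_SECTORS)) ] || return 2
    rc=0
    sectors_are_zero "$1" 0 "$HEAD_SECTORS" \
        || { echo "$1: data left in first $HEAD_SECTORS sectors (MBR/primary GPT)" >&2; rc=1; }
    sectors_are_zero "$1" $((total - TAIL_SECTORS)) "$TAIL_SECTORS" \
        || { echo "$1: data left in last $TAIL_SECTORS sectors (backup GPT)" >&2; rc=1; }
    return $rc
}

# Zero both ends of $1; the tail pass is what a plain MBR dd omits.
zero_boot_structures() {
    total=$(( $(size_bytes "$1") / SECTOR ))
    dd if=/dev/zero of="$1" bs="$SECTOR" count="$HEAD_SECTORS" conv=notrunc 2>/dev/null
    dd if=/dev/zero of="$1" bs="$SECTOR" seek=$((total - TAIL_SECTORS)) \
       count="$TAIL_SECTORS" conv=notrunc 2>/dev/null
}

# Constructed sample: a 4 MiB image carrying an MBR boot signature (0x55AA at
# offset 510) and a GPT backup header magic ("EFI PART") in its last sector.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=1048576 count=4 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'EFI PART' | dd of="$1" bs=1 seek=$((4194304 - 512)) conv=notrunc 2>/dev/null
}
```

Run `verify_wiped /dev/sdX` after the wipe; a non-zero exit with a message naming the head or the tail tells you which structure survived.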

Curson
« Reply #1 on: June 13, 2017, 03:29:34 pm »
Hi monisteren,

Welcome to Adlice.com Forum.
Quote
My Windows update is affected and I'm limited in updates and are not able to fully update.
What do you mean by "affected"? Could you please provide the error code displayed when you try to update your system?

Quote
I'm getting a lot of hard pagefaults and DPC spikes, especially if my mouse and keyboard have input(movement) simultaneously.
This may be caused by a misbehaving driver. Which operating system are you currently running?

Quote
I have been thinking about either my keyboard or mouse is hiding a bootkit/rootkit with BadUSB exploit.
BadUSB is quite hard to detect but is not spreading in the wild. Did you try another keyboard device?

Quote
I have been using DBAN to wipe all disks[...]
Any infection will be cleansed using these methods.

Please attach Gmer and RogueKiller full reports with your next reply.

Regards.

monisteren
« Reply #2 on: June 13, 2017, 10:02:42 pm »
Quote
What do you mean by "affected"? Could you please provide the error code displayed when you try to update your system?
I don't get any exact error codes. But when I search for updates it doesn't show all of them. I can recall this from formatting a lot before with this CD and exact build, and I'm supposed to get a lot more updates. Is there any way we can look more into this?

Quote
This may be caused by a misbehaving driver. Which operating system are you currently running?
I'm running Windows 8.1 at the moment. Could we assume that the malware is running as a driver then?

Quote
BadUSB is quite hard to detect but is not spreading in the wild. Did you try another keyboard device?
I haven't tried with a clean combo of new mouse and new keyboard yet. But I have tried with a different keyboard but the same mouse and it seemed like both devices got messed with in the end.

I have attached logs from Gmer and RogueKiller.


Curson
« Reply #3 on: June 14, 2017, 01:17:36 pm »
Hi monisteren,

Quote
I don't get any exact error codes. But when I search for updates it doesn't show all of them. I can recall this from formatting a lot before with this CD and exact build, and I'm supposed to get a lot more updates. Is there any way we can look more into this?
Without error codes, it won't be possible.

Quote
I'm running Windows 8.1 at the moment. Could we assume that the malware is running as a driver then?
Gmer and RogueKiller haven't detected anything malicious.

  • Please download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Check Loaded Modules and Detect TDLFS file system.
  • If you are asked to reboot because an "Extended Monitoring Driver is required", please click Reboot now.
  • Click Start Scan and allow the scan process to run.
    If threats are detected, select Skip for all of them unless I instruct you otherwise.
  • Click Continue.
  • Click Reboot computer.
Please attach the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.

Regards.

monisteren
« Reply #4 on: June 14, 2017, 01:59:12 pm »
I'm 100% certain that if we have two PCs, my PC and another one which is 100% clean, and install and use the exact same Windows DVD, my PC will be limited in updates and the clean one will get a lot of updates.

Regarding Gmer and RogueKiller, I believe that Windows is rooted so much that we can't believe any security tool.

If we search for stuff with things like Autoruns, Process Explorer, Process Hacker etc. we will see changes to Windows services.

I have attached the log from tdsskiller.


Curson
« Reply #5 on: June 14, 2017, 02:20:11 pm »
Hi monisteren,

The two files TDSSKiller reported are false positives.
Did you install the Windows 10 SDK?

Regards.

monisteren
« Reply #6 on: June 14, 2017, 03:26:03 pm »
Yes but we can't see any other abnormalities, right?
Yes I have installed Windows 10 SDK and WDK to debug with Windbg.
What to do from here?

Curson
« Reply #7 on: June 14, 2017, 04:03:45 pm »
Hi monisteren,

Since even advanced kernel-mode tools cannot detect anything, I don't think your issues are malware-related.
If you want to continue the investigation, the next step is to make a dump of the system state and analyze it with the Volatility Framework or WinDbg. However, we don't have time for this.

So, I advise you to open a new thread on the Microsoft Community Forum; they may be able to help you.

Regards.

RussellMania
« Reply #8 on: June 30, 2017, 11:57:58 am »
Try wiping with all zeros, then fix the MBR with the cmd prompt. I would also try updating the BIOS. When you do this, make sure that no USB is plugged in and use a PS/2 mouse and keyboard, and see if you have any luck. It sounds like you're being infected via BadUSB. When you reinstall the PC, is the malware already present, or does it wait until you connect online to call home? If the malware is already present, then the video card may be infected with a hypervisor rootkit.