
Strange malware


19 replies to this topic

#1 joakim
    Silver Member
  • Team Reboot
  • 912 posts
  • Location:Bergen
  • Norway

Posted 21 November 2012 - 10:55 AM

More fuel to the fire for the tin foil hat guys; http://forum.sysinte...6706_page1.html

Anyone here experienced this?

#2 Brito
    Platinum Member
  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 21 November 2012 - 11:06 AM

I wouldn't be so quick with the tin-foil protection.

We do lack a good library of reliable files to later know if they have been tampered with.

Still remember when Russinovich first spoke out about Sony's software and very few people believing on the resilience of a virus category that would later be called "rootkit". On the other hand, the guys might indeed be pulling a prank on everyone.

:)

#3 Wonko the Sane
    The Finder
  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 21 November 2012 - 11:24 AM

More fuel to the fire for the tin foil hat guys; http://forum.sysinte...6706_page1.html

Nice find you have there :thumbup:

Anyone here experienced this?

Not personally, but I know a guy that had a friend whose cousin's boyfriend had a PC with that same malware and found a way to sterilize it successfully, using a commonly used technique in anti-forensics.
Check your local laws before attempting to do the same.

Since the malware was spread to the display too, another technique was used.

:cheers:
Wonko

#4 Sha0
    WinVBlock Dev
  • Developer
  • 1682 posts
  • Location:reboot.pro Forums
  • Interests:Booting
  • Canada

Posted 21 November 2012 - 11:25 AM

http://forum.sysinte...6706_page1.html

I found it very draining to try to read that poster's posts; they resembled the results of repeatedly mashing your knuckles into a keyboard. I especially cringed at

use older vercions and exploit bulneravilities

The poster appears to have a vivid imagination of a super-virus.

if is second install it upgrade recording data on the cd /dvd

Was there a particular post that caught your interest?

Also possibly relevant.

#5 Wonko the Sane
    The Finder
  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 21 November 2012 - 11:49 AM

.... they resembled the results of mashing your knuckles into a keyboard.

Please note, however, how the keyboard in question (see post #3) was a USB-connected one:

Microsoft Natural® Ergonomic Keyboard 4000


If it was a PS/2 one I would have no suspects, but a USB device, even connected at 1.1 speed, could be an excellent place to store malware. :dubbio:

Thank goodness it wasn't a wireless one, otherwise the malware could have spread on other devices too....

:cheers:
Wonko

#6 joakim
    Silver Member
  • Team Reboot
  • 912 posts
  • Location:Bergen
  • Norway

Posted 21 November 2012 - 08:28 PM

:)

There seems to be a slight mismatch between what is stated in the beginning;

I am MS IT senior consultant and I found this profecional made blue pill variation


after 8 months of reverse engeniring I will like to share my research.


i already contact some av firms and they are afraid.


To how clever the virus is as it can take control over a clean OS install and make the process write back to the installation media

it record data on the os cds, I kow that, one even run out of space during intall....


And a bunch of statements my brain was unable to process properly, maybe because lots of technical terms were thrown into the mess at random.

And the portion of fuel for the tin foil hats that found its way to the thread:

Great work RFC Rudel!

In this mad,crazy world, but we are now the lucky ones. Sadly only us few. Yes, what you are describing is indeed very real! Even with your VERY well thought out synopses, and logs, it still doesn't cover all of its bag of tricks. I don't think this community is even ready for the entire scope of what “this” is really capable of. After many moons now, i've had my Colleagues, Friends & Family, ALL look at me like I'd lost my mind. Not anymore..

Yes, this all sounds "technically impossible". But this is where everything you knew gets flipped on its head.

There are a lot of talented & very well respected IT-Pro's that will shrug this off because 1) they've never seen it... and yeah yeah.. "they've seen everything!". 2) Most Network administrators don't develop their own firmware or drivers for their hardware, Nor do they program their own ROM's with JTAG(for example). This is what makes this "rootkit" the most impressive, yet dangerous software/hardware development Ive seen since..um.. sliced bread.

Painting a clear picture will be very difficult. it takes so many shapes. It adapts. It spreads. It can even improve the performance & stability of every machine OLD & NEW. Yes, even those machines you think don't have the hardware, or the right BIOS, or OS.. you will be surprised what it can do. Yes, there will be differences in how flexible/versatile it is based on its spec's. But it would be wise to NOT make any assumptions based on what you think you know.

I will do my best to prepare an outline of what i have personally experienced. This will be hard because its instructions are both obfuscated & encrypted. This adds confusion to the order of things. Even so, those interested will start to understand its complex progressions. I will also share some of what i have learned how to do. Reverse engineering this “project” has been as profound as “taking the blue pill”. For all those Professional “Know-It-All’s”,just keep taking that Red pill. Yeah.. Life was easier before knowing this was possible.

RFC Rudel gave warning about its obfuscated code! That is, Security through obscurity. This is how it best defends itself. It is changing, evolving, growing more complex, more capable as we speak. its been 7 months since this was posted and in that time i have watched it grow ever more powerful.


Probably the best advice for the OP is to take a strong sedative in addition to the milk as already recommended to him. Could be fun to add some confirmative bull**** to the story though.

#7 AceInfinity
    Frequent Member
  • Team Reboot
  • 228 posts
  • Location:Canada
  • Interests:Windows Security, Programming, Customizing & Crash Dump Analysis.
  • Canada

Posted 13 December 2012 - 06:19 PM

This thread seemingly existed since late 2011 too. And only a few others came along to confirm the existence of such a thing :fish:



#8 joakim
    Silver Member
  • Team Reboot
  • 912 posts
  • Location:Bergen
  • Norway

Posted 27 December 2012 - 08:37 AM

A link to a rather interesting paper showed up all of a sudden; http://www.toucan-sy...backdooring.pdf

 

It is good reading!



#9 Tripredacus
    Frequent Member
  • Expert
  • 234 posts
  • Interests:K-Mart-ian Legend
  • United States

Posted 27 December 2012 - 07:23 PM

I find the notion of storing a rootkit on a video card reasonable... however, infecting finalized/pressed CDs and DVDs... I can't even think of how that would be possible.



#10 joakim
    Silver Member
  • Team Reboot
  • 912 posts
  • Location:Bergen
  • Norway

Posted 28 December 2012 - 12:19 AM

I find the notion of storing a rootkit on a video card reasonable... however, infecting finalized/pressed CDs and DVDs... I can't even think of how that would be possible.

 

Not so sure about that one here either. :) The "good reading" part of my last post was about the last link and not the originally linked thread (which is a big mess).



#11 RFC Rudel
  • Members
  • 7 posts
  • Argentina

Posted 04 February 2013 - 04:07 PM

Hello

 

First, sorry for the broken English; I am also dyslexic.

 

The malware is real. And sorry, I apologize for the malware's lack of support for DVD recording standards…

 

And if they are such idiots as to mess around in this way, they are surely the biggest shots of all….

 

 

http://resources.inf...-expansion-rom/


RGDS


Edited by RFC Rudel, 04 February 2013 - 04:10 PM.


#12 Wonko the Sane
    The Finder
  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 04 February 2013 - 05:10 PM

The malware is real.
 
Sure :), from the cited article:
http://resources.inf...-expansion-rom/
 
I have yet to see a real-world malicious PCI expansion ROM.
 
Sorry I gotta go, Dasher and Vixen are having a quarrel over some hay's quality and I have to settle it down before they flee leaving me without my sleigh:
http://en.wikipedia....laus's_reindeer

 
:cheers:
Wonko

#13 Tripredacus
    Frequent Member
  • Expert
  • 234 posts
  • Interests:K-Mart-ian Legend
  • United States

Posted 05 February 2013 - 06:23 PM

I read that other thread again... the users who are researching aren't credible, because they don't seem to know what they are doing. First of all, they use the term "sysprep" in a way that makes no sense to me.

 

The main issue for believability in this supposed "thing" is the lack of actual data, or the use of data appropriately. No credible walkthroughs to replicate or detect possible infections on other systems. No screenshots or script examples. And the "non-existent process" thing is a joke. Even as far back as Windows 95 there was that behaviour of the "double explorer", where you couldn't see anything on the OS that was in the layer that launched explorer.exe.



#14 RFC Rudel
  • Members
  • 7 posts
  • Argentina

Posted 05 February 2013 - 07:41 PM

I read that other thread again... the users who are researching aren't credible, because they don't seem to know what they are doing. First of all, they use the term "sysprep" in a way that makes no sense to me.

 

The main issue for believability in this supposed "thing" is the lack of actual data, or the use of data appropriately. No credible walkthroughs to replicate or detect possible infections on other systems. No screenshots or script examples. And the "non-existent process" thing is a joke. Even as far back as Windows 95 there was that behaviour of the "double explorer", where you couldn't see anything on the OS that was in the layer that launched explorer.exe.

 

 

Hello


I think this is the forum to post about the malware. I used Sysinternals before it was with Microsoft, and I didn't expect the forum to be so.....

I have lots of years as an IT consultant and have made many migrations in conjunction with Microsoft Argentina Consulting Services. I would not jump into this if I were not sure about it.


I made the designs and migrations for many 1000+ user companies, from NT4 to AD, and Exchange migrations, OS deployments and custom Windows OS builds for specific banks.

I know about the jokes and fake users on the other thread, and I give them the time they deserve.


Lots of deployments of WS and servers using the tools that you are so familiar with (WinPE and sysprep, etc.). I am not a developer, but I am a well-recognized consultant.


I understand the lack of trust; the thing is that I don't have the proper tools to prove it, BUT I AM NOT A FAKE, or an end user asking about some OS install that was prebuilt and shared on torrents.

All my media came from MSDN. Yes, I can have some false positives with logs, but the thing is real. If you are not interested, please, there is no need to disrespect each other.

 

 

 

When you have a bug that resides at a very low level, using some old tricks to stay resident in memory (like BIOS shadow), modifying HD geometry to hide data, ACPI tables, etc., it is very hard to get the smoking gun.

 

I can confirm that after wiping the drive and reinstalling the OS with clean media, some Windows folders magically appear. One time I removed my HDs from my LSI 9260 RAID card and the PC booted to Windows Setup from the data that remained in the 512 MB cache (no battery).

 

I have done lots of network sniffing on clean PCs, and malware traffic was detected.

 

If the OS is compromised (low-level file system filter), it is hard to get the right data. (I already said that you can't use normal tools.)

 

I can demonstrate the tampered setup files, but once the OS is installed and compromised you are F.

 

Sorry for my broken English, but I have seen an entire network compromised, and all of them have the same bug.

 

I have defeated several malware before, but this one likes to stay inside.

 

RGDS

 

MCSE security ID 1436312

 

 

 

 


 



#15 Wonko the Sane
    The Finder
  • Advanced user
  • 16066 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 05 February 2013 - 08:13 PM

For the record, I had a couple of PM's with user RFC Rudel, where I suggested to him that:

  1. this thread is (evidently) a "fun" one
  2. if he wanted to talk seriously about an issue he should really start a new thread for it, here: http://reboot.pro/fo...are-protection/
  3. (at least for me personally) there is NO need whatsoever to cite previous achievements or cite MS credentials as I would have trusted him on his word
  4. that his English unfortunately is very difficult to understand, so that the use of shorter, simpler sentences would have been needed
  5. instead of "vague", "generic" references, he should post exact, specific ones

I guess that the loss in translation is too vast. :(

 

@RFC Rudel

Really :), there are NO issues with "trusting" you, the issues are in "understanding" each other, if you provide actual, exact, detailed facts, they will be facts, which will speak by themselves.

 

 

:cheers:

Wonko

 

 



#16 Tripredacus
    Frequent Member
  • Expert
  • 234 posts
  • Interests:K-Mart-ian Legend
  • United States

Posted 05 February 2013 - 08:34 PM

I should have clarified better, not directed at RFC Rudel. My post was more directed at the other users in that thread such as dlux.



#17 Brito
    Platinum Member
  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 05 February 2013 - 09:04 PM

Hi @RFC Rudel, you might have noticed by now that the folks around here keep an open mentality and like to dive deep into facts.

 

If there exists a real-world exploit of this menace as you mention, these are the guys that will help you get down to the bottom of it.

 

In case you need help translating something from Spanish to English, just let me know. I'm not a native speaker but it is my second language as well.

 

Welcome to reboot! :)



#18 RFC Rudel
  • Members
  • 7 posts
  • Argentina

Posted 05 February 2013 - 09:13 PM

For the record, I had a couple of PM's with user RFC Rudel, where I suggested to him that:
  1. this thread is (evidently) a "fun" one
  2. if he wanted to talk seriously about an issue he should really start a new thread for it, here: http://reboot.pro/fo...are-protection/
  3. (at least for me personally) there is NO need whatsoever to cite previous achievements or cite MS credentials as I would have trusted him on his word
  4. that his English unfortunately is very difficult to understand, so that the use of shorter, simpler sentences would have been needed
  5. instead of "vague", "generic" references, he should post exact, specific ones

I guess that the loss in translation is too vast. :(

 

@RFC Rudel

Really :), there are NO issues with "trusting" you, the issues are in "understanding" each other, if you provide actual, exact, detailed facts, they will be facts, which will speak by themselves.

 

 

:cheers:

Wonko

 

 

point taken

 

But if I am going to be accepted in this community, they must know I am more than capable of helping with anything they need (Microsoft, guns, engines).

I do take care of the ones that need a hand, like I need it. I don't know if I can prove the bug, but the things it does will put the thread at the top.

 

 

Next week I can write in Spanish if you prefer, Wonko, and I speak way better than I write. (And you don't read very well :clap:)

 

RGDS, community; I hope they take me in.



#19 RFC Rudel
  • Members
  • 7 posts
  • Argentina

Posted 15 February 2013 - 04:48 AM

I apologize for my lack of response to the community invitation; my health is not the best and my family will get bigger this month.

 

This community invitation and professional courtesy will not be ignored, and I will start a thread.


PS: I was advised not to post in this thread and to start a new one, so this is my last post here.



#20 Brito
    Platinum Member
  • .script developer
  • 10616 posts
  • Location:boot.wim
  • Interests:I'm just a quiet simple person with a very quiet simple life living one day at a time..
  • European Union

Posted 31 October 2013 - 06:16 PM

New post open at http://reboot.pro/topic/19111-badbios/ as requested.

 

Will now close this one to preserve historical reference points.
