Pretty sure I've been hit with a nasty, nasty persistent UEFI rootkit -- Logs inside

[luckyrootkitrecepient]

It all started when I started trying to lock down my FW because of all the extra unexplained traffic I was seeing, and ended with me catching someone logged into my network who then began recklessly deleting files from many of my PCs, wrecked my QNAP nas … etc.  My MacBook then got infected … the bios on my main PC was re-flashed and won’t accept a stock flash anymore … my routers got themselves new, shitty (i’m guessing backdoor-ed firmware) -- and the best part is these folks seem to be able to get in even when I disconnect the network cable -- I purposely didn’t include WiFi or Bluetooth on this PC (Ryzen7 & Asus Prime x370 pro).

 

Pulled ALL the drives, re-installed everything on fresh drives -- it’s still there. I see SSH connections on any OS -- even live CDs -- all using UNIX ports and the “MIT Magic cookie” -- which I’m not sure what that even is, or how they’re doing it.  They always create weird files under /TMP/ -- always .ICE_UNIX and a few others.

 

Attached are the kaspersky KRD logs -- which has not been able to detect anything and I’d possibly go as far as to say is being controlled by the rootkit.

 

Can anyone lmk if they see anything?  This has been one hard mofo to track down, but I’m sure its there.

I’ll follow up w/ some pictures.

 

Thanks all!  This one has been crazy!

[Igor Kurzin]

Hi @luckyrootkitrecepient , 

Please submit a ticket to technical support. 

Regards,

Igor

[luckyrootkitrecepient]

I have an open case and am doing my darndest to find a way to get what I have onli ne.  This thing is so sophisticated it even takes out live cd operating systems.

 

this may well be the most advanced hack I've ever seen. It rebuilds router firmware and uploads it and has managed to break in and change settings to create tunnels for itself nearly effortlessly on three different model routers.  I'm beginning to think it is not only resident in the UEFI BIOS as it comes back w all removable hardware removed and only a live cd --- even right after flashing a fresh bios image.  I am beginning to suspect it may be utilizing video card firmware as well.

 

i really need some more help here as it also manages to block this website just abOUT every time I try to get on to update thus thread or my ticket.  

 

I don't think I have a single device in the whole house that isn't infected … only maybe this iPad. This is SO unbeleviabley frustrating …! 

 

 

Stand and by and thanks all … I'm working on it .

 

 

 

 

e

r 

[Igor Kurzin]

hi @luckyrootkitrecepient , 

your incident number is ending with 2796? We are on it, please expect a soon response. 

Regards,

Igor

[luckyrootkitrecepient]

My incdient ends in 45557

 

...uploaded the system scan results and I can’t find a reply.  Looks like my case was closed because I have been having so much toruble getting online.

 

 

[Igor Kurzin]

Hi @luckyrootkitrecepient , 

Found your INC, it was autoclosed after 2 weeks.

Please submit a new INC and provide additional data: 

A. A log of TDSSKiller utility.
B. A dump of boot sectors of the hard drive.

1. Please download TDSSKiller utility: https://support.kaspersky.com/viruses/utility#TDSSKiller to Desktop
2. Open Command Prompt with Administartor rights.
3. Perform the following commands:
cd C:\Users\%username%\Desktop

tdsskiller.exe -qmbr -qpath C:\Users\%username%\Desktop\Sectors

4. Click Accept on all windows (until Start scan window appear) and after that there will be a folder Sectors on the Desktop. Please pack it to archive with password 'infected' (without ' ') and submit it to us.

5. Run a scan by TDSSKIller, save the report and send to us. 

C. A GSI report: https://support.kaspersky.com/us/common/diagnostics/3632

[luckyrootkitrecepient]

 Hi @luckyrootkitrecepient , 

Found your INC, it was autoclosed after 2 weeks.

Please submit a new INC and provide additional data: 

A. A log of TDSSKiller utility.
B. A dump of boot sectors of the hard drive.

1. Please download TDSSKiller utility: https://support.kaspersky.com/viruses/utility#TDSSKiller to Desktop
2. Open Command Prompt with Administartor rights.
3. Perform the following commands:
cd C:\Users\%username%\Desktop

tdsskiller.exe -qmbr -qpath C:\Users\%username%\Desktop\Sectors

4. Click Accept on all windows (until Start scan window appear) and after that there will be a folder Sectors on the Desktop. Please pack it to archive with password 'infected' (without ' ') and submit it to us.

5. Run a scan by TDSSKIller, save the report and send to us. 

C. A GSI report: https://support.kaspersky.com/us/common/diagnostics/3632

How do I dump the boot sector? I’ve actually never done that before.

The rest in progress right now ​​​​​​​

[luckyrootkitrecepient]

First scan just double clicking; second via command line as instructed (it actually quarnantined two things) -- first time ever!

[luckyrootkitrecepient]

I think that was the wrong log. The one with detected info is very small.

 

...I don’t know why.

[luckyrootkitrecepient]

Sorry do not have utility to PW protect zip files … here is getsysteminfo log

[luckyrootkitrecepient]

I think this should be boot sector / MBR -- used “HDHACKER” tool

[luckyrootkitrecepient]

….and, somehow I got too excited and missed the part about the “Sectors” folder on the desktop. Here it is.  Don’t have tool to add password to archive, but it is zipped w/ built-in windows tool.

[Igor Kurzin]

Hi @luckyrootkitrecepient , 

Can you kindly submit a ticket to technical support, attach all the data you collected, and send me the incident number? 

Regards,

Igor

[luckyrootkitrecepient]

Igor,

 

I have an open ticket.

 

It is:INC000012109474

[Igor Kurzin]

hi @luckyrootkitrecepient , 

Thank you for the logs. All the data is now reviewed by VirusLab experts, please stand by. 

Regards,

Igor

[luckyrootkitrecepient]

Igor,

 

Thank you so much! I hope you find something.

This is the trickiest little bugger i’ve ever, ever seen -- in 20 years of dealing with these sorts of things, this is the first I’ve ever had to reach out for help with.

 

Appreciate everything,

 

 

Matt

 

PS -- re-scanned w/ TDS killer -- it put itself back (TDS killer found the same two rogue partitions again).  

Note that I have already replaced the motherboard and hard drive and it still somehow made it’s way over to the new PC.

 

This thing is crazy.