Pretty sure I've been hit with a nasty, nasty persistent UEFI rootkit -- Logs inside

It all started when I started trying to lock down my FW because of all the extra unexplained traffic I was seeing, and ended with me catching someone logged into my network who then began recklessly deleting files from many of my PCs, wrecked my QNAP NAS … etc.  My MacBook then got infected … the BIOS on my main PC was re-flashed and won’t accept a stock flash anymore … my routers got themselves new, shitty (I’m guessing backdoored) firmware -- and the best part is these folks seem to be able to get in even when I disconnect the network cable -- I purposely didn’t include WiFi or Bluetooth on this PC (Ryzen 7 & Asus Prime X370 Pro).

 

Pulled ALL the drives, re-installed everything on fresh drives -- it’s still there. I see SSH connections on any OS -- even live CDs -- all using UNIX ports and the “MIT Magic cookie” -- which I’m not sure what that even is, or how they’re doing it.  They always create weird files under /tmp/ -- always .ICE-unix and a few others.

 

Attached are the Kaspersky KRD logs -- KRD has not been able to detect anything, and I’d possibly go as far as to say it is being controlled by the rootkit.

 

Can anyone lmk if they see anything?  This has been one hard mofo to track down, but I’m sure it’s there.

I’ll follow up w/ some pictures.

 

Thanks all!  This one has been crazy!


I have an open case and am doing my darndest to find a way to get what I have online.  This thing is so sophisticated it even takes out live CD operating systems.

 

This may well be the most advanced hack I've ever seen. It rebuilds router firmware and uploads it, and has managed to break in and change settings to create tunnels for itself nearly effortlessly on three different model routers.  I'm beginning to think it is not only resident in the UEFI BIOS, as it comes back with all removable hardware removed and only a live CD --- even right after flashing a fresh BIOS image.  I am beginning to suspect it may be utilizing video card firmware as well.

 

I really need some more help here, as it also manages to block this website just about every time I try to get on to update this thread or my ticket.

 

I don't think I have a single device in the whole house that isn't infected … only maybe this iPad. This is SO unbelievably frustrating …!

 

 

Stand by and thanks all … I'm working on it.


Hi @luckyrootkitrecepient,

Found your INC; it was auto-closed after 2 weeks.

Please submit a new INC and provide additional data:

A. A log of TDSSKiller utility.
B. A dump of boot sectors of the hard drive.

1. Please download the TDSSKiller utility (https://support.kaspersky.com/viruses/utility#TDSSKiller) to the Desktop.
2. Open Command Prompt with Administrator rights.
3. Perform the following commands:
cd C:\Users\%username%\Desktop

tdsskiller.exe -qmbr -qpath C:\Users\%username%\Desktop\Sectors

4. Click Accept on all windows (until the Start scan window appears); after that there will be a folder Sectors on the Desktop. Please pack it into an archive with the password 'infected' (without ' ') and submit it to us.

5. Run a scan with TDSSKiller, save the report and send it to us.

C. A GSI report: https://support.kaspersky.com/us/common/diagnostics/3632

How do I dump the boot sector? I’ve actually never done that before.

The rest is in progress right now.


Igor,

 

Thank you so much! I hope you find something.

This is the trickiest little bugger I’ve ever, ever seen -- in 20 years of dealing with these sorts of things, this is the first I’ve ever had to reach out for help with.

 

Appreciate everything,

 

 

Matt

 

PS -- re-scanned w/ TDSSKiller -- it put itself back (TDSSKiller found the same two rogue partitions again).

Note that I have already replaced the motherboard and hard drive and it still somehow made its way over to the new PC.

 

This thing is crazy. 

This topic is now closed to further replies.