Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

New Malware Attack 1

Status
Not open for further replies.

little65

MIS
Apr 24, 2005
4
US
I have been able to fend off most malware attacks in the past, but one I received a few months ago completely took me by surprise. One evening I booted up my computer only to find a password request that appeared to have come from inside my BIOS. Not being able to suppy a password I was, in effect, locked out of my computer. I pressed the return key again and the same request appeared on the monitor screen. On the next attempt, I was greeted by a "blinking smiley" that stopped everything cold.

I was able to gain entry to the computer by re-setting two micro-switches on the motherboard: "Clear Password" and "Clear CMOS." Next, I thought would be able to zero fill the hard drive with a Seagate utillity and then reload my OS and that would be that. Not so.

On attempts to load Windows XP, I get blocked out early on with a screen msg. " File Setupdd Could Not Be Loaded. The error Code is 4." Sometimes the error code will vary the number, but the msg. is always the same.

On attempts to load a version of Windows 2000 Professional I have, I get a bit further along, Win2K loads setup files . Setup starts Win2K with "To Setup Windows Now Press Enter." The EULA comes on and F8 is
pressed to accept the terms and to proceed, A list of existing drive partitions appears and a request to select the drive item to load Win2K on( C:\ NTFS Disk1_Vol1) is highlighted and selcted. Next Windows shows different file systems to format. I select "The Current File System Left
Intact. " Setup then examines the disk and proclaims it cannot copy the" file 12520457.CPX. An option is presented to skip the file, but you are warned Win2K may not work properly. On an attempt to proceed, Setup proclaims
it cannot copy file 12520850.CPX. The same option to proceed by skipping this file comes on by pressing ESC.

Another window appears announcing Setup cannot copy AAMON.DLL. Subsequent files that appear as cannot be copied are: ACELPDEC.MX,ACLUL.DLL, ACSETUPC.DLL, ACTIVEDS.DLL, ACTMOVIE.EXE, ACTSAVER.SCR, DRIVER.CAB, DRIVEPROP.CHM, and finally, DRMCLIEN.DLL. On next attempt to bypass a file,
a BSOD appears and the system crashes.

My big questions are these:

(1) Are hackers now able to flash a BIOS leaving malicious code on it?


(2) Can these be legitimate files being called up, and are my OS discs totally corrupted?

(3) Are hackers now able to penetrate the BIOS rendering my antivirus totally useless?

(4) Can my OS discs be used on another system without corrupting that system?

(5) Can my BIOS chip be replaced, rendering my machine useable again?


Any help in answering these questions will be greatly appreciated.

Bill Martins
 
(1) Are hackers now able to flash a BIOS leaving malicious code on it?
**Not that I am aware of but code can corrupt your bios

(2) Can these be legitimate files being called up, and are my OS discs totally corrupted?
** Its not the OS discs that are corrupt, its your hard drive

(3) Are hackers now able to penetrate the BIOS rendering my antivirus totally useless?
** Not that I am aware of
(4) Can my OS discs be used on another system without corrupting that system?
** I dont think its the OS Disc

(5) Can my BIOS chip be replaced, rendering my machine useable again? ** I am sure that it can

Sounds like you did get some sort of malware that corrupted some files on your hard drive. I would google dericks nuke boot and make a disc for yourself and run it twice. that should get rid of any and all files on your hard drive. then try to reload the OS.
 
Virus/malicious programs can (and have in the past) written to the BIOS chips of motherboards. I'm not aware of any viruses that write meaningful/executable code to the chips, but there has been at least one which corrupted some BIOSs by writing 'gibberish'.

Working on the likely assumption that it's not virus related, you should be able to flash the BIOS with a new (or the same) version from a boot disk. BIOS chips can often be replaced, although I've only seen one instance where that was necessary.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Sounds like you are trying to reload and keep your data, not a good idea. Copy all "data" not programs or other executables off your drive. Then nuke the drive and reinstall the OS and applications and put your data back. By leaving the existing partitions on the drive you are not really getting a clean start.
 
Grenage (MIS) 17 Apr 09 7:29
Virus/malicious programs can (and have in the past) written to the BIOS chips of motherboards. I'm not aware of any viruses that write meaningful/executable code to the chips, but there has been at least one which corrupted some BIOSs by writing 'gibberish'.


Ran a google on this topic and came up with the following:

Researchers: Rootkits headed for BIOS
Robert Lemos, SecurityFocus 2006-01-26

ARLINGTON, Virginia -- Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.


**********************************

North323 (TechnicalUser) 16 Apr 09 9:08
(1) Are hackers now able to flash a BIOS leaving malicious code on it?
**Not that I am aware of but code can corrupt your bios



3) Are hackers now able to penetrate the BIOS rendering my antivirus totally useless?
** Not that I am aware of


Researchers create BIOS malware
Author: Gareth Halfacree
Published: 24th March 2009 Comments (29)


If you thought that reformatting your hard drive and replacing the operating system was enough to clear out even the most stubborn virus, think again.
The oft-given advice of 'reformat the site from orbit, it's the only way to be sure' in the event of virus attack may soon be rendered obsolete by new malware capable of remaining resident in a system's BIOS.

Security researchers Alfredo Ortega and Anibal Sacco of Core Security Technologies – as reported over on ZDNet – have successfully demonstrated methods for injecting persistent code into the Basic Input Output System (BIOS) of a computer, with the result that the infection is capable of surviving a complete OS reinstall and even a BIOS flash


Bill Martins
 
Cheers! Good to know my memory hasn't failed me just yet then. :)

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Also this:


New BIOS Virus Withstands HDD WipesNext news 3:21 PM - March 27, 2009 by Marcus Yam X
Send link to this page by email :Your email address *

Your name *

Recipient address *

Send * The email addresses collected via this form are not recorded on our servers and are only used for the sending request Email | Print | Comments (40) | Share

Computer viruses are nasty things. But the nasty just got nastier.

ZoomIn many worst case scenarios, a hard drive wipe is the final solution to ridding a system of an infection. But the absolute worst case scenario is if a virus attacks the BIOS, making detection and cleaning an incredible challenge.

Viruses that target the BIOS aren’t new, but often they are specific to a type of hardware. Researchers have now demonstrated a new type of attack that could install a rootkit on the BIOS of common systems, making it very lethal and effective.

Anibal L. Sacco and Alfredo A. Ortego of Core Security Technologies released a presentation detailing the exploit of this “persistent BIOS infection.”? Through the use of a 100-line piece of code written in Python, a rootkit could be flashed into the BIOS and be run completely independent of the operating system.

"We tested the system on the most common types of Bios," said Ortega in a vunet story. "There is the possibility that newer types of Extensible Firmware Interface Bios may be resistant to the attack, but more testing is needed."

Flashing a system’s BIOS requires administrative control, but that could first be obtained through a more ‘innocent’ virus that could reside on the hard disk drive. Once an attacker has admin rights, the rootkit could be flashed onto the BIOS and would remain effective even if the original virus on the hard disk were removed. Even a complete format wouldn’t rid the system of the virus.

"You would need to reflash the Bios with a system that you know has not been tampered with," he said. "But if the rootkit is sophisticated enough it may be necessary to physically remove and replace the Bios chip."

There is defense against such an attack, however, as the researchers say that a password or physical lock against BIOS flashes could block the install of the rootkit.

"The best approach is preventing the virus from flashing onto the Bios," said Sacco. "You need to prevent flashing of the bios, even if it means pulling out jumper on motherboard."

Check out the original slideshow presentation by the researchers here (PDF).

Source : Tom's Hardware US
Related news
Rootkits coming to your motherboard
Backdoor trojans a "significant threat" to Windows users - Microsoft
Analysis: Sony BMG copy protection may be stealthy, but is it a...
Intel working on rootkit detection techniques
Sony incident leads government to consider rootkit ban
Related
 

North323 (TechnicalUser)

Sounds like you did get some sort of malware that corrupted some files on your hard drive. I would google dericks nuke boot and make a disc for yourself and run it twice. that should get rid of any and all files on your hard drive. then try to reload the OS.


Thanks for the input. I definitely will try derricks nuke boot and hope for the best. But some of the stuff I brought up on Google has me holding my breath.

Bill Martins
 
Avast has a ROOT KIT Remover that killed a few nasty infections. Boot Scan set to wipe everything it finds

-David
2006, 2007 & 2008 Microsoft Most Valuable Professional (VB)
2006 Dell Certified System Professional (CSP)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top