# Possible hardware persistent malware



## EntropicLocal (Jan 26, 2021)

Hi, roughly 2 years ago someone decided to get very very upset online with me, this person knew my exact hardware and what software I ran. Roughly a couple months ago I suspect a file I had received was a rootkit from them; however I have no real way of telling. However I am not comfortable with just formatting my drives, as I know this user would've thought about that already. I am thinking of the worst possible outcome where all infectable hardware is infected. 

How would I go about completely nuking every single piece of hardware I have to start fresh and make sure nothing is compromised?

Thank you.


----------



## StormLightningSL (Jan 26, 2021)

Usually most hardware will not be infected except for your data storage devices. You can run a free online rootkit remover such as MalwareBytes and others. Those should be able to clean out your connected storage devices including your boot drive. After these are cleaned up, you can run the installed version of a good anti-rootkit / anti-virus software for your USB drives, etc.


----------



## EntropicLocal (Jan 26, 2021)

StormLightningSL said:


> Usually most hardware will not be infected except for your data storage devices. You can run a free online rootkit remover such as MalwareBytes and others. Those should be able to clean out your connected storage devices including your boot drive. After these are cleaned up, you can run the installed version of a good anti-rootkit / anti-virus software for your USB drives, etc.


I want to just wipe my pc out entirely, just to be safe as there's nothing I dont have backed up regardless. I'm just concerned about bios malware persisting after I format these drives.


----------



## StormLightningSL (Jan 26, 2021)

From what limited knowledge I have, I don't think a virus or malware can get into your BIOS without specific hardware level access. It shouldn't be able to get into your BIOS under normal circumstances. Have you got any indication that it has corrupted your motherboard or graphics card BIOSes? Otherwise, I don't feel that that issue should be a concern.


----------



## killferd (Jan 26, 2021)

Up to my knowledge, hardware level infections need specific bypass/exploits and direct access to hardware itself (read in person). Unless you were running your PC without any security or antivirus it is pretty hard to do over file deployment. 
At most the MBR (masterboot record) and system volume information on each drive may be corrupted. Using scans by malwarebytes, Kaspersky free, and Sophos Home (which has same level protection as their corporate one damm good ransomware and antivirus protection) I believe you should be fine. Just in case keep Sophos home installed. Also, you can format and reinstall windows for that added peace.


----------



## P4-630 (Jan 26, 2021)

I do remember this thread though:








						GTX 1070 Firmware Overwritten by Malware - Unable to Reset
					

Hi,  Thanks in advance for any help...  Fresh Windows 10 1803 Home build w/ASUS STRIX Z270F MB, ASUS GTX 1070 8GB, i7-7700K, Samsung 850 Pro / Crucial M4   I have been fighting an infection with an extremely persistent malware that (after 8 weeks of analysis) is not detectable in user space by...




					www.techpowerup.com


----------



## EntropicLocal (Jan 26, 2021)

P4-630 said:


> I do remember this thread though:
> 
> 
> 
> ...


That is whats somewhat concerning me, I just want someone to help me on how I would flash my bios and format the drives to make sure everything is gone


----------



## Bones (Jan 26, 2021)

killferd said:


> Up to my knowledge, hardware level infections need specific bypass/exploits and direct access to hardware itself (read in person). Unless you were running your PC without any security or antivirus it is pretty hard to do over file deployment.
> At most the MBR (masterboot record) and system volume information on each drive may be corrupted. Using scans by malwarebytes, Kaspersky free, and Sophos Home (which has same level protection as their corporate one damm good ransomware and antivirus protection) I believe you should be fine. Just in case keep Sophos home installed. Also, you can format and reinstall windows for that added peace.





StormLightningSL said:


> From what limited knowledge I have, I don't think a virus or malware can get into your BIOS without specific hardware level access. It shouldn't be able to get into your BIOS under normal circumstances. Have you got any indication that it has corrupted your motherboard or graphics card BIOSes? Otherwise, I don't feel that that issue should be a concern.



The only thing that bothers me here is, for example Win 10 upon installation _will_ write a bit of code to the BIOS for checking to see if the board has been changed making the install "Invalid", requiring reactivation of the OS.
An exploit based on that could well manipulate the board's BIOS and I can promise you those that create malware have already thought of that along with other angles of access that's possible to use. I do agree, that would be a specific type of exploit but it's still possible and a real threat because of that. 

Malware really doesn't have to be based on hiding within the drive itself, it can be anywhere in the system inside of a piece (BIOS chip for example) that holds info for system operation. 
Remember other things like a GPU has these chips too and are a possible target and you can force a flash of these using the flashing software under normal circumstances too. 

With the right routine used they could also use that as an exploit and force the BIOS chip, where it's in the board, GPU or just anything else with a BIOS type chip to accept changes which would be the insertion of such malware code. 

I'm not saying this is the case here, only that the possibility exists and guys that write this crap aren't dumb and would have considered a good deal of angles to use before deploying the malware. 
Just ask our resident toad about such possibilities. 

Speaking of such: 
@R-T-B You wanna weigh in on this?


----------



## Bill_Bright (Jan 26, 2021)

EntropicLocal said:


> Hi, roughly 2 years ago someone decided to get very very upset online with me, this person knew my exact hardware and what software I ran.


Do you know this person personally? If not, then it is extremely unlikely they knew as much about your system as you fear. They probably just had a lucky guess based on some information you posted about your system before. 

And just because and even if someone knows which motherboard, CPU, RAM, graphics solution, operating system and other programs you run, that IN NO WAY means they can access first your network, then your computer and then plant malware on your computer. That would be very challenging, even for a pro who is specifically and personally targeting you. 

I am not saying it is impossible, but essentially, you would have to allow them access to your computer. This would have to be done by you clicking on an unsolicited link in an spam email they intentionally sent to you. Or they would have to be a next door neighbor or a stranger sitting in a car out front on your street pointing a directional antenna at your house AND you didn't change your wifi passphrase from the default. And note, that would only get them into your network, not your computer. Or they would need to physically connect via Ethernet cable to your network and hopefully you would notice a bad guy sitting in your house doing that. Or last, you left your computer unattended at a coffee shop and this person, who was following you around town, sat down at your computer when you went to the bathroom. 

The most likely scenario, if it happened at all, is you fell victim to a "socially engineered" con that tricked you into clicking on an unsolicited link, letting the malware in. This is commonly done by the bad guy sending spam that looks like it came from a legitimate source, like your bank or Walmart, etc. They send it to millions of people, hoping someone will take the bait. The email will claim your account was some how messed up and you need to click some link. That link then infects your computer or asks you to provide your log-in credentials, passwords, account numbers, etc. That information is then sent back to the bad guys.

Even if you were tricked to click on such an unsolicited link, fully updated operating systems and anti-malware programs, and even current browsers are pretty good at blocking the malicious activity. 

Sadly, you have not told us anything about this computer - such as the OS. Hopefully it is Windows 10 (or at least W7) and you keep it fully updated. And hopefully, you didn't disable Microsoft Defender (formally Windows Defender) and then didn't install a capable alternative security solution. And you keep your security solution fully updated AND you are not "click-happy" on unsolicited downloads, attachments, links and popups. And finally, you changed the default passwords and passphrases to your computer and network to something not obvious. If you did that, then I highly doubt a person you knew infected your computer. It is just not that simple. 

I recommend you make sure your operating system and security are fully updated. Change your wifi passphrase, computer passwords, and passwords to your banks and other important sites. Use a password manager so you only have to remember the password to the password manager. Don't write passwords down. 

Use a supplemental scanner to verify you (the user and ALWAYS weakest link in security), or your primary solution didn't let something slip by. I typically recommend Malwarebytes for that. 


EntropicLocal said:


> Roughly a couple months ago I suspect a file I had received was a rootkit from them;


Back to this. How did you receive it? Did you open and run it?


----------



## R-T-B (Jan 26, 2021)

Bones said:


> The only thing that bothers me here is, for example Win 10 upon installation _will_ write a bit of code to the BIOS for checking to see if the board has been changed making the install "Invalid", requiring reactivation of the OS.


No, it just composes a hash of your hardware and checks it against a database.  It does not write anything to uefi.



Bones said:


> @R-T-B You wanna weigh in on this?


Not to be rude, but OP has his answer in the following question:

"Am I a high value target?"

If no, you are probably safe with a reinstall.  If yes, burn it and start over, you probably have the money anyways and it'll be less stressful.


----------



## EntropicLocal (Jan 26, 2021)

R-T-B said:


> No, it just composes a hash of your hardware and checks it against a database.  It does not write anything to uefi.
> 
> 
> Not to be rude, but OP has his answer in the following question:
> ...


I will flash my bios and format all the drives (I am using Windows 10), thank you for the help.


----------



## Bones (Jan 26, 2021)

R-T-B said:


> No, it just composes a hash of your hardware and checks it against a database.  It does not write anything to uefi.
> 
> 
> Not to be rude, but OP has his answer in the following question:
> ...


And that's why I asked for your input. 
Good to know it doesn't actually write to the BIOS and that's a good thing.


----------



## EntropicLocal (Jan 26, 2021)

I do have one last question if you fellas don't mind, can a USB stick with Windows get infected by another pc or by the same pc? Thanks.


----------



## R-T-B (Jan 26, 2021)

In theory, yes.  It's best to make the install usb on a known clean machine.


----------



## StormLightningSL (Jan 27, 2021)

You can also make the install USB write protected, just to be sure it won't get the virus written onto it when you try to re-install the OS on the infected machine. There's a setting in the OS that does it, iirc. Please check for it on the clean machine after you make the install USB.


----------



## R-T-B (Jan 27, 2021)

StormLightningSL said:


> There's a setting in the OS that does it, iirc.


Not that I know of, and I would not trust a software write protect with a malware infested machine anyways.

Some sdcards and usb sticks have a hardware write protect switch though.


----------



## StormLightningSL (Jan 27, 2021)

Valid point about not relying on a software lock.

I had one instance where someone I knew had sent me a write protected USB stick, and when I had asked, I remembered being told there is some way to do it in the OS. But, I guess I'm wrong. I did check with a USB stick on my system and there does not seem to be any way to lock it. May be some additional software or app he used.

I didn't know that SDCards and USB sticks come with hardware locks! Useful info


----------



## micropage7 (Jan 27, 2021)

EntropicLocal said:


> I do have one last question if you fellas don't mind, can a USB stick with Windows get infected by another pc or by the same pc? Thanks.


yea, since most usb drive have no write protect lock to protect it from something like malware, that's one reason i still burn some in dvd


----------



## EntropicLocal (Jan 27, 2021)

Would wireshark or glasswire help me detect if the malware is still present?

Thanks


----------



## freeagent (Jan 27, 2021)

I know this might sound crazy but..

In 2002 I knew a guy, we drank together and took a sheet metal fabrication course together. He was hardcore. He hid stuff in university recycle bins, all kinds of stuff. He told me so much stuff I still have no clue what he was talking about. Like dark web shit before there even was a dark web. He got me a working copy of a really high end Cad/Cam software that was used to start a business (now the owner pays btw), anything I wanted. Anything. He was a member of some prominent groups. They supplied him with hardware.. he didn't have a job.. but ate good food and had nicer clothes. He showed me what he used to do but I wasn't into computers back then so I don't know what he was doing exactly. Anyways, one day he was freaking out saying the CIA wanted to talk to him and that they were coming, and he wanted me to hold on to a hard drive.. I said no way.. of course.. lol.. so it got hidden in a cubby somewhere in the rooming house he was in. I could have sworn he was full of shit, but the panic was genuine. We had a couple of beers that night, and that was the last time I saw him. We were supposed to go for a bike ride the next day. Looking back it is still some pretty crazy shit, I don't even know if I believe it even still.. But I haven't seen him since 2002, he just vanished. None of our mutual friends have heard from him either. He didn't complete the course with me. I do know his family owned some kind of computer business, and he had been around them since he was young.. he was a very smart guy. But you wouldn't know it to look at him..

Your panic reminded me of his panic..


----------



## EntropicLocal (Jan 27, 2021)

freeagent said:


> I know this might sound crazy but..
> 
> In 2002 I knew a guy, we drank together and took a sheet metal fabrication course together. He was hardcore. He hid stuff in university recycle bins, all kinds of stuff. He told me so much stuff I still have no clue what he was talking about. Like dark web shit before there even was a dark web. He got me a working copy of a really high end Cad/Cam software that was used to start a business (now the owner pays btw), anything I wanted. Anything. He was a member of some prominent groups. They supplied him with hardware.. he didn't have a job.. but ate good food and had nicer clothes. He showed me what he used to do but I wasn't into computers back then so I don't know what he was doing exactly. Anyways, one day he was freaking out saying the CIA wanted to talk to him and that they were coming, and he wanted me to hold on to a hard drive.. I said no way.. of course.. lol.. so it got hidden in a cubby somewhere in the rooming house he was in. I could have sworn he was full of shit, but the panic was genuine. We had a couple of beers that night, and that was the last time I saw him. We were supposed to go for a bike ride the next day. Looking back it is still some pretty crazy shit, I don't even know if I believe it even still.. But I haven't seen him since 2002, he just vanished. None of our mutual friends have heard from him either. He didn't complete the course with me. I do know his family owned some kind of computer business, and he had been around them since he was young.. he was a very smart guy. But you wouldn't know it to look at him..
> 
> Your panic reminded me of his panic..


Very sorry that had to happen to you


----------



## EntropicLocal (Jan 28, 2021)

EntropicLocal said:


> Would wireshark or glasswire help me detect if the malware is still present?
> 
> Thanks


Bump


----------



## blobster21 (Jan 28, 2021)

EntropicLocal said:


> Would wireshark or glasswire help me detect if the malware is still present?
> 
> Thanks



If you know what your are looking for (ie: unknow traffic, unknow ports, unknow services) then yes.

Otherwise, it's very unlikely that those tools will be of any help


----------



## EntropicLocal (Jan 28, 2021)

Would anyone here be able to analyse a wireshark or glasswire log to determine such a thing?


----------



## SenditMakine (Jan 28, 2021)

EntropicLocal said:


> That is whats somewhat concerning me, I just want someone to help me on how I would flash my bios and format the drives to make sure everything is gone


Only thing I can say to you is to be very very careful when you flash your mobo or gpu bios, any power loss or power spikes and your components are done.


----------

