Kaspersky
Products
Support go
Community
Personal Account go
Check a file or link
Kaspersky Club go
Beta Testing
back back
support
Home Support
Business Support
Virus Fighting
back back
kaspersky club
Россия и СНГ
Global
back back
Personal Account
My Kaspersky
KSOS Management Console
CompanyAccount
Question

Pretty sure I've been hit with a nasty, nasty persistent UEFI rootkit -- Logs inside

  • 29 October 2020
  • 15 replies
  • 275 views
L

It all started when I started trying to lock down my FW because of all the extra unexplained traffic I was seeing, and ended with me catching someone logged into my network who then began recklessly deleting files from many of my PCs, wrecked my QNAP nas … etc.  My MacBook then got infected … the bios on my main PC was re-flashed and won’t accept a stock flash anymore … my routers got themselves new, shitty (i’m guessing backdoor-ed firmware) -- and the best part is these folks seem to be able to get in even when I disconnect the network cable -- I purposely didn’t include WiFi or Bluetooth on this PC (Ryzen7 & Asus Prime x370 pro).

 

Pulled ALL the drives, re-installed everything on fresh drives -- it’s still there. I see SSH connections on any OS -- even live CDs -- all using UNIX ports and the “MIT Magic cookie” -- which I’m not sure what that even is, or how they’re doing it.  They always create weird files under /TMP/ -- always .ICE_UNIX and a few others.

 

Attached are the kaspersky KRD logs -- which has not been able to detect anything and I’d possibly go as far as to say is being controlled by the rootkit.

 

Can anyone lmk if they see anything?  This has been one hard mofo to track down, but I’m sure its there.

I’ll follow up w/ some pictures.

 

Thanks all!  This one has been crazy!

12 Attachments

15 replies

Igor Kurzin
Rank
Userlevel 7
Badge +3

Hi @luckyrootkitrecepient , 

Please submit a ticket to technical support. 

Regards,

Igor

Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
L

I have an open case and am doing my darndest to find a way to get what I have onli ne.  This thing is so sophisticated it even takes out live cd operating systems.

 

this may well be the most advanced hack I've ever seen. It rebuilds router firmware and uploads it and has managed to break in and change settings to create tunnels for itself nearly effortlessly on three different model routers.  I'm beginning to think it is not only resident in the UEFI BIOS as it comes back w all removable hardware removed and only a live cd --- even right after flashing a fresh bios image.  I am beginning to suspect it may be utilizing video card firmware as well.

 

i really need some more help here as it also manages to block this website just abOUT every time I try to get on to update thus thread or my ticket.  

 

I don't think I have a single device in the whole house that isn't infected … only maybe this iPad. This is SO unbeleviabley frustrating …! 

 

 

Stand and by and thanks all … I'm working on it .

 

 

 

 

e

Igor Kurzin
Rank
Userlevel 7
Badge +3

hi @luckyrootkitrecepient , 

your incident number is ending with 2796? We are on it, please expect a soon response. 

Regards,

Igor

Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
L

My incdient ends in 45557

 

...uploaded the system scan results and I can’t find a reply.  Looks like my case was closed because I have been having so much toruble getting online.

 

 

Igor Kurzin
Rank
Userlevel 7
Badge +3

Hi @luckyrootkitrecepient , 

Found your INC, it was autoclosed after 2 weeks.

Please submit a new INC and provide additional data: 

A. A log of TDSSKiller utility.
B. A dump of boot sectors of the hard drive.

1. Please download TDSSKiller utility: https://support.kaspersky.com/viruses/utility#TDSSKiller to Desktop
2. Open Command Prompt with Administartor rights.
3. Perform the following commands:
cd C:\Users\%username%\Desktop

tdsskiller.exe -qmbr -qpath C:\Users\%username%\Desktop\Sectors

4. Click Accept on all windows (until Start scan window appear) and after that there will be a folder Sectors on the Desktop. Please pack it to archive with password 'infected' (without ' ') and submit it to us.

5. Run a scan by TDSSKIller, save the report and send to us. 

C. A GSI report: https://support.kaspersky.com/us/common/diagnostics/3632

Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
L

 Hi @luckyrootkitrecepient , 

Found your INC, it was autoclosed after 2 weeks.

Please submit a new INC and provide additional data: 

A. A log of TDSSKiller utility.
B. A dump of boot sectors of the hard drive.

1. Please download TDSSKiller utility: https://support.kaspersky.com/viruses/utility#TDSSKiller to Desktop
2. Open Command Prompt with Administartor rights.
3. Perform the following commands:
cd C:\Users\%username%\Desktop

tdsskiller.exe -qmbr -qpath C:\Users\%username%\Desktop\Sectors

4. Click Accept on all windows (until Start scan window appear) and after that there will be a folder Sectors on the Desktop. Please pack it to archive with password 'infected' (without ' ') and submit it to us.

5. Run a scan by TDSSKIller, save the report and send to us. 

C. A GSI report: https://support.kaspersky.com/us/common/diagnostics/3632



How do I dump the boot sector? I’ve actually never done that before.

The rest in progress right now ​​​​​​​

L

First scan just double clicking; second via command line as instructed (it actually quarnantined two things) -- first time ever!

2 Attachments
L

I think that was the wrong log. The one with detected info is very small.

 

...I don’t know why.

2 Attachments
L

Sorry do not have utility to PW protect zip files … here is getsysteminfo log

1 Attachment
L

I think this should be boot sector / MBR -- used “HDHACKER” tool

1 Attachment
L

….and, somehow I got too excited and missed the part about the “Sectors” folder on the desktop. Here it is.  Don’t have tool to add password to archive, but it is zipped w/ built-in windows tool.

1 Attachment
Igor Kurzin
Rank
Userlevel 7
Badge +3

Hi @luckyrootkitrecepient , 

Can you kindly submit a ticket to technical support, attach all the data you collected, and send me the incident number? 

Regards,

Igor

Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
L

Igor,

 

I have an open ticket.

 

It is:INC000012109474

Igor Kurzin
Rank
Userlevel 7
Badge +3

hi @luckyrootkitrecepient , 

Thank you for the logs. All the data is now reviewed by VirusLab experts, please stand by. 

Regards,

Igor

Did a reply answer your question? Please mark it as Best answer, the Topic status will change to Solved, thank you!
L

Igor,

 

Thank you so much! I hope you find something.

This is the trickiest little bugger i’ve ever, ever seen -- in 20 years of dealing with these sorts of things, this is the first I’ve ever had to reach out for help with.

 

Appreciate everything,

 

 

Matt

 

PS -- re-scanned w/ TDS killer -- it put itself back (TDS killer found the same two rogue partitions again).  

Note that I have already replaced the motherboard and hard drive and it still somehow made it’s way over to the new PC.

 

This thing is crazy. 

Reply / Ответить


 Utilities