
I got infected with this kind of malware:

https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf

It is able to reflash my BIOS with an infected one if I try to update the BIOS to a safe distribution. Anyone have advice on how to remove something like this? I have tried reflashing via an external SPI flasher and it still reboots twice to reflash the malicious BIOS. I checked the checksums of the safe BIOS vs. the one after the reboot to verify that it was reflashed with a malicious image.

The code is hooked from the BIOS image parser; since that section of the BIOS code is unsigned you can run whatever you want there. As posted in this article on page 54: https://www.blackhat.com/presentations/bh-usa-09/WOJTCZUK/BHUSA09-Wojtczuk-AtkIntelBios-SLIDES.pdf. In the BMP image parser section of code you can hook your BIOS comparison and reflasher code, meaning that before the flashing locks and everything are applied to the BIOS it can continue to reflash itself and bypass all these security protections. It's a vulnerability in the way the executable BIOS flashers you run from Windows work; how else would the executable flashers work from Windows if they didn't have to reboot and utilize this vulnerability? I took a video showing that it reboots 3 times to reflash the BIOS: the first reboot is with the safe BIOS code, then it reboots again to reflash it, then reboots again to confirm the malware is in place. Here is the video: https://youtu.be/CdpAXuSkI9o

  • Here is the malicious image: https://drive.google.com/open?id=15NiH1LhcrI4b_KPPdzURwvh-XHnS4JTD and the image that is clean is this one: https://drive.google.com/open?id=1JEQbNjPvi9nnjIFqYGiHtPFkjQ1O_g6T – AndroidAcolyteFX Apr 28 '19 at 22:26
  • Every time the computer is flashed with a new BIOS it reboots itself twice; I'm guessing it's because of this. Every time I install a new operating system, the MBR is saying it's infected using Microsoft Sysinternals. – AndroidAcolyteFX Apr 28 '19 at 22:55
  • I cannot pull the current BIOS image from my current laptop either, because the EC and SecureFlash will not allow me to pull the BIOS image. Those images were from my desktop. – AndroidAcolyteFX Apr 28 '19 at 22:59
  • Possible duplicate of [How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?](https://superuser.com/questions/100360/how-can-i-remove-malicious-spyware-malware-adware-viruses-trojans-or-rootkit) – Ramhound Apr 29 '19 at 11:43
  • Possible duplicate of [BIOS root kit? Or, how do I fresh install a clean BIOS?](https://superuser.com/questions/42344/bios-root-kit-or-how-do-i-fresh-install-a-clean-bios) – alecxs Apr 29 '19 at 12:27
  • Not a duplicate; those solutions are old and outdated. This is a more narrow, intricate thread about a persistent infection and how that persistent infection is maintaining its hold between flashes. – AndroidAcolyteFX Apr 29 '19 at 18:23
  • Hi, maybe I'm missing some info but I need to ask: does it have a dual BIOS? Is the BIOS chip removable? – dmb Apr 29 '19 at 18:30
  • No, it is a single BIOS chip. This machine is a laptop, so the chip is not removable. – AndroidAcolyteFX Apr 29 '19 at 18:32
  • As you can see from the video, the BIOS only reflashes a certain portion (1024 KB) of the chip, meaning that the residual sections of the BIOS remain unscathed. My guess is that the BMP image parser section of code remains through updates; correct me if I'm wrong. – AndroidAcolyteFX May 15 '19 at 08:20
  • I've tried reflashing it externally, but the chip won't even read using an alligator clip ( https://www.digikey.com/product-detail/en/pomona-electronics/5250/501-1311-ND/745102&?gclid=CjwKCAjwiZnnBRBQEiwAcWKfYmVrpHeHSIrMSonXK4_u9mhp3FT49BIBbAtNEM0QqzuHrd_MUAK_XRoCoRAQAvD_BwE ). My guess is it's a perma-brick, since there is no other way to reflash it. – AndroidAcolyteFX May 24 '19 at 05:24
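The question compares whole-image checksums of the clean BIOS and the dump taken after the reboot, and a later comment says only a portion of the chip gets rewritten. A whole-image hash only tells you *that* something changed; a block-by-block comparison tells you *where*, which is what you need to decide whether a flash tool rewrote just one region or the entire chip. The following is an added example, not code from the original post or from any flashing tool: it hashes two dumps, reports the byte ranges that differ, and merges adjacent differing blocks into one range. The 4 KiB block size is an assumption (a common SPI flash sector size), the sample images are constructed pseudo-random data rather than real firmware, and `compare_files` simply runs the same comparison on two dump files you supply.

```python
import hashlib
import random
from typing import List, Tuple

# Assumption: compare in 4 KiB blocks, a common SPI flash sector size.
BLOCK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    """Whole-image checksum, the same comparison the question describes."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(clean: bytes, suspect: bytes,
                 block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] byte ranges where the two dumps differ.

    Adjacent differing blocks are merged into one range. A length mismatch
    is an error rather than a comparison up to the shorter length, because
    a short dump usually means the read itself failed (e.g. a clip that did
    not make contact), and comparing it would hide that.
    """
    if len(clean) != len(suspect):
        raise ValueError(
            f"dump length mismatch: clean={len(clean)} suspect={len(suspect)}")
    ranges: List[Tuple[int, int]] = []
    for off in range(0, len(clean), block_size):
        end = min(off + block_size, len(clean))
        if clean[off:end] != suspect[off:end]:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)   # extend the previous range
            else:
                ranges.append((off, end))
    return ranges


def summarize(clean: bytes, suspect: bytes,
              block_size: int = BLOCK_SIZE) -> dict:
    """Checksums plus the rewritten ranges and the fraction of the image touched."""
    ranges = diff_regions(clean, suspect, block_size)
    changed = sum(e - s for s, e in ranges)
    return {
        "clean_sha256": sha256_hex(clean),
        "suspect_sha256": sha256_hex(suspect),
        "identical": not ranges,
        "changed_bytes": changed,
        "changed_fraction": changed / len(clean) if clean else 0.0,
        "changed_ranges": ranges,
    }


def compare_files(clean_path: str, suspect_path: str,
                  block_size: int = BLOCK_SIZE) -> dict:
    """Same comparison on two dump files, e.g. vendor image vs. an SPI read."""
    with open(clean_path, "rb") as f:
        clean = f.read()
    with open(suspect_path, "rb") as f:
        suspect = f.read()
    return summarize(clean, suspect, block_size)


def make_sample_images(size: int = 64 * 1024,
                       block_size: int = BLOCK_SIZE) -> Tuple[bytes, bytes]:
    """Constructed test data, not real firmware: a deterministic pseudo-random
    'clean' image and a copy in which blocks 3-4 and block 10 were rewritten."""
    rng = random.Random(1)
    clean = bytes(rng.getrandbits(8) for _ in range(size))
    suspect = bytearray(clean)
    suspect[3 * block_size:5 * block_size] = b"\xAA" * (2 * block_size)
    suspect[10 * block_size:11 * block_size] = b"\x55" * block_size
    return clean, bytes(suspect)


if __name__ == "__main__":
    clean_img, suspect_img = make_sample_images()
    report = summarize(clean_img, suspect_img)
    print(f"identical: {report['identical']}")
    print(f"changed:   {report['changed_bytes']} bytes "
          f"({report['changed_fraction']:.1%} of image)")
    for start, end in report["changed_ranges"]:
        print(f"  rewritten 0x{start:06X}-0x{end:06X}")
```

On real dumps, feed `compare_files` the vendor image and a read taken with the external programmer; if the only differing ranges are ones the vendor's own update is documented to write, the dump is consistent with a normal update, whereas differences elsewhere are what you would want to investigate further. A dump that fails the length check should be re-read before any conclusion is drawn from it.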

0 Answers