BIOS virus and custom format from Windows 7.


  1. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #11

    And do you think that this particular rootkit is not expecting the BIOS to be flashed? Once it's in, that's all it must protect against. I doubt it will allow that.


  2. Posts : 740
    Windows 7 Ultimate x64
       #12

    Good point, he really needs a way of identifying whether or not the BIOS has been infected, as if it has there seems little point re-installing; with its foot in the BIOS it will surely re-manifest pretty soon.


  3. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #13

    I do not know the particulars of the disassembled BIOS, as my system was lucky enough to not have that capability. But I am implying that when the code infiltrates the chip, it has no way of being removed (unless you happen to have a pull-able EEPROM for the BIOS), and it will have permanent reinfection control if it can stay in the BIOS, so it's basically going to devote every bit of its virulence to not being removed. So I know that a hacker would want to protect against flashing the BIOS; therefore, if it is possible, that would be their primary objective at that point in the game.

    Can it be prevented from being flashed, or "resist" the flash, or crash the flash midstream to wreck the BIOS, as you warned of earlier, by not stopping in the middle of a BIOS flash? I don't know, but I don't see why not. Considering the BIOS (and therefore the rootkit code) executes prior to any drive, INCLUDING optical, etc., I'm guessing it would place some sort of TSR code, or simulate the actual BIOS loading the CD but with the additional malicious software present to evade being destroyed.

    Mike


  4. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #14

    Feel free to see the second half of my infection (the first half was ID'ing it and getting into Windows). Together they took around 1-2 weeks of tearing DLLs out of everywhere, altering the binaries line by line at the boot sector, and probing every patched process including the kernel itself and the debugger, altogether over a hundred files I'm sure. It hijacks your DNS and flushes the cache, and bypasses patch protection and 64-bit driver signature verification with ease. It's basically the devil (3.4 MILLION infections currently).
    Require (Rootkit.TDSS.TDL4) Rootkit Removal & Cleanup walkthrough

    mike


  5. Posts : 740
    Windows 7 Ultimate x64
       #15

    Yeah, hopefully it's just in the MBR. I suppose all he can do is try the re-install and hope it's not infected. If the infection does come back after following the drive cleaning instructions previously posted, then try a flash, if possible from a bootable CD or USB drive (that's known to be clean, i.e. made on another non-networked system and not connected while his OS is live).

    Of course we don't know if the OP is using a laptop or desktop. I have a fairly low-end redundant Gigabyte motherboard on my desk that does have a removable BIOS chip, so I'd say for a desktop it would be worth having a look to see if it's replaceable. I very much doubt a laptop would have a removable BIOS chip, as it's not even common on desktop boards.


  6. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #16

    That's probably his best chance, I would agree. BUT the problem with rootkits specifically is you will NEVER know if you still have the infection (this RK in its earlier days was called "the virus that you'll never know you have", although it's technically not a virus, just a dropper and a loader started pre-MBR). The point is, as I was continually told by every sec tech on these forums and more, you'll NEVER KNOW if it might be there or pop up, both due to its firm anchoring, fast evolution/mutation and esp. its stealthy ways of not being seen.

    Just please, as heart-breaking as it might be, don't try to save any files, or this might happen next year and you end up losing the file you saved, as well as all your files again!

    Sorry to be so bleak.
    As long as the BIOS is clean, which I suspect it is, you've just got a bit of cleaning etc. to do, wiping the drive (not just format, you need to actually write over the drive with new meaningless 1's).

    Good luck, and contact me if you need something.

    Mike


  7. Posts : 13
    Windows Vista 32bit - updating to Windows 7 32bit
    Thread Starter
       #17

    rubyrubyroo said:
    Take the hit with the file loss of your personal files; additionally wipe/format the backup media used at any point, and change your online passwords, as it sends keystrokes as well as other info to www servers.
    Thanks for the response, rubyrubyroo.

    So did you delete all of your data? Even music, pictures, Word, Excel, and other files? I just backed up everything on an external drive to be ready for the format. How do you test other drives? I caught it once using AVG, but it said 'it deleted it'. Since then, nothing on that or the other two computers that have shared a USB with the infected computer.

    Thanks


  8. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #18

    Caught it once on the backup drive or on the system drive (with AVG)?


    EDIT: And your backup is infected, or at least needs to be regarded as such, since you have no way of knowing the date of infection; it may be asymptomatic for 10 min or 6 months.

    My story is much more complex, as I'm a computer tech and the drive was a VIP client of mine, a lawyer, with the ONLY copy of ALL his clients' files on that drive. I did (PROBABLY) remove it, but it took a very extensive knowledge of assembly language, Windows processes and ntoskrnl.exe's actions and protections; it took me almost 2 weeks of nothing else, and it is impossible to be sure I did get it. If you could talk a rootkit/botkit expert into doing it, it would certainly cost many thousands of dollars. This man would have paid any price to have it fixed, as it was 25 years of his career, and with attorney-client confidentiality laws he would surely be disbarred for negligence in protecting his clients' sensitive info, potentially be placed in jail. So you can see one reason they can charge so much; added to the complexity and length of time spent, it is difficult for the best trained. And that's not me; I owed the man a favor, and I repay others' good deeds when they are addressed towards me.

    There's a tidbit for ya! :)


  9. Posts : 13
    Windows Vista 32bit - updating to Windows 7 32bit
    Thread Starter
       #19

    On the system drive. Since then, the data files were backed up and the system drive and the backed-up drive have been tested with AVG, MSE and Avast. Nothing. Only TDSSKiller found another "minor" TDSS system file on the system drive and removed it. Nothing on the other drive, or on any of the other 2 computers that have shared at least a flash drive with the system drive for the past few months.


  10. Posts : 1,777
    MS Windows 7 Home Premium SP1 64-bit (Family Pack Lic.) Upgrade
       #20

    When was the rootkit inserted into your system? There is no valid answer! Your backup is no longer sterile, and there is no such thing as semi-sterile; it is considered sterile or "potentially" contaminated, but is treated as definitely infected. A virus scanner is almost ineffective against a rootkit: it takes over Windows, so when you click on a folder with a file, let's say called "Hi-Im-A-Root-Kit.exe", in it, since the rootkit is pulling the strings of Windows, it wisely returns a folder that does not appear in any way to have that file present.

    "only reliable way to remove them is to re-install the operating system from trusted media.[78][79] This is because antivirus and malware removal tools running on an untrusted system may be ineffective against well-written kernel-mode rootkits" - wikipedia

    But your backup is untrusted media, and this is a very well-written kernel-mode rootkit/botkit, arguably the "best" to date.

    PLEASE read this: it's actually kinda technical for Wikipedia, but see if you can understand a good bit of what is going on.
    Rootkit - Wikipedia, the free encyclopedia
    Please take the time to try to read it, as you need to realize rootkits are the worst, but this one (maybe in the article specifically? not sure) is the worst of the worst!

    Don't trust me; talk to some of the higher-level security forum experts. They'll tell you what I am telling you almost straight across the board.

    The only truly savable thing is a rootkit-free, fresh-installed Windows; by not keeping anything else you save the future of your comp.

    Sorry dude.
    I encourage more higher-level conversations with others on these boards.

    Mike
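The thread's hope is that the infection is "just in the MBR" and that scanners running on the infected system cannot be trusted, so the first sector has to be inspected from a clean boot. As an added example (not code from this thread or from any tool it names), the Python below audits a 512-byte MBR read from trusted media (e.g. the first 512 bytes of the disk device copied from a live CD): it parses the partition table, compares the boot code against a hash taken from a known-clean MBR of the same bootloader, and reports unpartitioned sectors after the last partition, where TDL4 keeps its hidden storage. The known-good hash, the sample boot code and the partition layout used here are constructed placeholders.

```python
import hashlib
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the used partition entries and the signature."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY, mbr, 446 + 16 * i)
        if ptype != 0:  # partition type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype, "start": start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
            "partitions": parts, "signature_ok": mbr[510:512] == b"\x55\xaa"}

def audit_mbr(mbr: bytes, disk_sectors: int, known_good_sha256: str, max_slack: int = 0) -> list:
    """Return findings: bad signature, boot code differing from a known-clean MBR, and
    unpartitioned sectors after the last partition (TDL4 hides its storage there).
    Real disks have a small alignment slack; take max_slack from a known-clean disk."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_sha256:
        findings.append("boot code differs from the known-good MBR")
    end = max((p["start"] + p["sectors"] for p in info["partitions"]), default=0)
    slack = disk_sectors - end
    if slack > max_slack:
        findings.append(f"{slack} unpartitioned sectors after the last partition")
    return findings

def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Construct a test MBR (constructed data, not read from any real disk)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, entry in enumerate(partitions):  # entry = (status, type, lba_start, sector_count)
        struct.pack_into(ENTRY, mbr, 446 + 16 * i, *entry)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    clean_code = b"\xeb\x63\x90" + b"\x00" * 437       # placeholder for a clean bootloader's code
    parts = [(0x80, 0x07, 2048, 204800)]               # one bootable NTFS partition (constructed)
    good = parse_mbr(build_sample_mbr(clean_code, parts))["boot_code_sha256"]
    suspect = build_sample_mbr(b"\xe9\x00\x00" + b"\x00" * 437, parts)
    print(audit_mbr(suspect, 2048 + 204800 + 4096, good))
```

Only the boot-code hash and the partition table are checked here; a bootkit that also alters later sectors needs the whole disk compared against a clean image.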

