UEFI malware


brentpeters

Member
Local time
7:24 PM
Posts
4
OS
Windows 11
Hello, I am suffering from a UEFI malware infestation. I notice performance degradation and other annoyances. The malware itself is undetected, but it spreads via a hidden UEFI partition. I am wondering what the remediation steps should be. Flashing the BIOS is pointless because the other drives I need to restore backups from will re-infect the machine.

I need to diagnose what malware it is so virus definitions can be made, then I can go about flashing the BIOS. Would running Intel CHIPSEC be useful?

I ran Oshi Unhooker and there were tons of results. I couldn't narrow down a malware name, though. I can post here if it would be useful. At one point I recall seeing "Bleh-D" as the malware name, but I haven't been able to find any info since.

What I really need is probably Kaspersky KUEFI (AV for UEFI), but I can't access it (paid; corporate).
 
I suggest you contact the people at bleepingcomputer.com; they can advise you on the steps to take and point you in the right direction. UEFI malware is particularly nasty and needs to be handled correctly. It is also possible that one or more firmware devices on the system have also been compromised; if possible, isolate the system from any home network and do not plug any external devices into it until you know what you are doing.
 
I would be concerned about using the Oshi scanner. Look at the message it gave you. It refers to Rootkit Unhooker, which was sold in 2007. At first, reports were that it was sold to Microsoft for use in the Sysinternals Suite, but that never happened because Sysinternals developed Rootkit Revealer instead (only works in Server 2003). Whether true or not, an old article dated 2007 indicated it ended up in the hands of some guys in Russia. Has it been rebranded as Oshi now? I don't know. If so, why does the Oshi message not say Oshi?

You might try the ESET UEFI Rootkit Scanner, but you would have to sign up for their 30-day free trial to get it. It is only a scanner and will not get rid of the rootkit. According to ESET, the only possible way to get rid of a UEFI rootkit is to reflash the UEFI BIOS. See what they say here: UEFI Rootkit cyber attack - first-ever discovered | ESET
 
You need endpoint detection. Half the RK scanners work but are limited, and if you have an RK, you can be sure someone put something in to keep it in place. If someone's into your UEFI, nuke it and pray they didn't mess with your firmware.
 
Hello, I am suffering from a UEFI malware infestation. I notice performance degradation and other annoyances. The malware itself is undetected,

Pardon the question, as I am very naive on the subject (UEFI malware). You mention a performance degradation as a sign of infection. Is there an AV that will detect and remove this type of malware? Is flashing the BIOS best? Any idea of how you became infected with a seemingly unique malware?
(I would like others' opinions as well, for my education on the subject.)

Good advice above about contacting Bleeping Computer. We also have a forum member @flashh4 who is very knowledgeable.
 
Pardon the question, as I am very naive on the subject (UEFI malware). You mention a performance degradation as a sign of infection. Is there an AV that will detect and remove this type of malware? Is flashing the BIOS best? Any idea of how you became infected with a seemingly unique malware?
(I would like others' opinions as well, for my education on the subject.)

Good advice above about contacting Bleeping Computer. We also have a forum member @flashh4 who is very knowledgeable.
The trouble is that computer malware is often several steps ahead of the solutions to infections; it is a constant case of trying to keep up, for the most part.
Researchers who specialise in malware variants and precautions/cures can often spot trends and be a little more proactive at times, but some malware is very good at hiding itself: detecting if it is attempting to run in a VM (used for testing infections), detecting monitoring software and only running when it is not being actively sought out, hiding in areas of the PC's architecture that are not normally accessible to common detection and removal methods, and switching off defences without alerting the system.

There are more firmware areas in a typical PC that can be modified by malware beyond just the BIOS, so a reflash may not help at all in some cases, or may not even be necessary, as it will not remove the infection.

As scary as all this sounds, there are some basic steps to take to protect your data. These include safe browsing, disconnected backups, and not saving critical passwords and login details on the PC, tablet, phone, etc.

Educate yourself as to the most commonly exploited attack vectors and trends via tech sites, especially sites like bleepingcomputer, and user forums like Ten & Eleven Forums; there are many, many others.

Some malware goes undetected for a significantly long time; other types are picked up almost as soon as they are out in the wild. The lack of consistency in the ever-evolving war between security providers and bad actors means no one should underestimate the chances of becoming a victim, but as I said earlier, you can minimise the impact should it ever happen to you.

Slowdown in performance and odd intermittent behaviour can be a sign of infection, but can just as easily be due to OS updates, utilities or hardware issues. Most malware tries not to show any impact that would alert users to its presence, unlike ransomware, which is designed to have as big an impact as possible.
 
Machine is definitely compromised.
That utility is 16 years old; it is not designed for 10/11. It detects Windows itself.

capture_04292023_091612.jpg

Dedicated rootkit scanners like TDSSKiller are abandonware, because most AVs can detect them.
 
Brent,

it detects Windows itself.

That post takes things back to the beginning.
Your computer is a bit slow from which symptom you have diagnosed malware.


Best of luck,
Denis
 
I've tried numerous other anti-rootkit software, most of which fail to start or are unable to complete a scan. For all intents and purposes, I know this machine is hacked at the UEFI level.

The malware spreads by creating a hidden partition on any USB device, could I create one and then have someone do forensics on it? I don't really want to do a reformat if that means we lose ability to track the malware down. I want to have signatures made for it. Then nobody else will have to deal with this bs.
 
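The two posts above describe the malware spreading through a hidden partition on a USB device. As an added example (not from this thread or any of its posters), here is a small Python GPT parser a defender can run over a raw image of such a device: it verifies both GPT CRCs, lists the used entries, and flags the ones worth imaging and examining first. The disk image is constructed inside the script; the "hidden" test uses attribute bit 62, which Windows sets on basic data partitions it hides, applied here as a heuristic to every entry, and a second EFI System Partition is also flagged.

```python
import struct, uuid, zlib

SECTOR = 512
ESP_GUID = uuid.UUID("c12a7328-f81f-11d2-ba4b-00a0c93ec93b")  # EFI System Partition type GUID
HDR_FMT = "<8sIIIIQQQQ16sQIII"                                # 92-byte GPT header layout (LBA 1)

def parse_gpt(image):
    """Parse the primary GPT of a raw disk image; return (CRC status, used partition entries)."""
    hdr = image[SECTOR:SECTOR + 92]
    sig, _, hsize, hcrc, _, _, _, _, _, _, tlba, n, esize, pcrc = struct.unpack(HDR_FMT, hdr)
    assert sig == b"EFI PART", "no GPT signature at LBA 1"
    hdr_ok = zlib.crc32(hdr[:16] + b"\0" * 4 + hdr[20:hsize]) == hcrc  # CRC field zeroed first
    table = image[tlba * SECTOR:tlba * SECTOR + n * esize]
    parts = []
    for i in range(n):
        e = table[i * esize:(i + 1) * esize]
        tguid = uuid.UUID(bytes_le=bytes(e[:16]))
        if tguid.int:                                    # all-zero type GUID marks an unused slot
            attrs = struct.unpack("<Q", e[48:56])[0]
            parts.append({"index": i, "type": tguid, "attrs": attrs,
                          "name": e[56:128].decode("utf-16-le").rstrip("\0")})
    return {"header_crc_ok": hdr_ok, "table_crc_ok": zlib.crc32(table) == pcrc}, parts

def suspicious(parts):
    """Entries to inspect first: the 'hidden' attribute bit, or a second EFI System Partition."""
    findings, esps = [], 0
    for p in parts:
        reasons = ["attribute bit 62 (hidden) set"] if p["attrs"] >> 62 & 1 else []
        esps += p["type"] == ESP_GUID
        if p["type"] == ESP_GUID and esps > 1:
            reasons.append("additional EFI System Partition")
        if reasons:
            findings.append((p["index"], p["name"], reasons))
    return findings

def build_image(entries):
    """Constructed sample disk (not from any real machine): header at LBA 1, 128 entries at LBA 2."""
    table = bytearray(128 * 128)
    for i, (tguid, first, last, attrs, name) in enumerate(entries):
        e = tguid.bytes_le + uuid.UUID(int=i + 1).bytes_le + struct.pack("<QQQ", first, last, attrs)
        table[i * 128:(i + 1) * 128] = e + name.encode("utf-16-le").ljust(72, b"\0")
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x10000, 92, 0, 0, 1, 2047, 34, 2014,
                      uuid.UUID(int=99).bytes_le, 2, 128, 128, zlib.crc32(table))
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr)) + hdr[20:]   # fill in the header CRC
    image = bytearray(34 * SECTOR)
    image[SECTOR:SECTOR + 92], image[2 * SECTOR:2 * SECTOR + len(table)] = hdr, table
    return bytes(image)

SAMPLE = build_image([(ESP_GUID, 34, 1057, 0, "EFI system partition"),
                      (uuid.UUID("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7"), 1058, 1800, 0, "Basic data partition"),
                      (ESP_GUID, 1801, 2014, 1 << 62, "EFI")])  # constructed: a hidden second ESP
```

On a real device, read the first few MiB of the raw block device into `image` instead of `SAMPLE`; a flagged entry is a reason to image the whole drive for analysis, not proof of infection on its own.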
IMO, from reading threads from major companies like ESET and Kaspersky, rootkit infections are in the wild and are actively being investigated already. Thousands of infections have been reported in Europe, Asia and Russia.
The article below shows a map and explains (in very technical language) their research. In reading their responses to customer questions in the remarks section of this article, thus far their only solution is reflashing the BIOS. IMO, to recover a system this would indicate drives would need to be disconnected, attacking the infection at the BIOS level, installing new drives and reinstalling Windows. Also IMO, I read this article to say this is a backwards/forwards kind of infection. It would be irresponsible for a user to attempt to reformat the infected drives with a low-level format, as the infection could pass in reverse and reinfect a newly flashed BIOS or a BIOS on another machine. Therefore, IMO, the need for installing new drives. Others here may disagree with my opinion, but I'm a "better safe than sorry" gal.

If you are interested in pursuing having the infected drives analyzed, Bleeping Computer would be the best place to start for info on who you should contact to have the infected drives analyzed, or you could attempt to contact ESET, Kaspersky or Malwarebytes. Bleeping Computer would know more about that.

 
UEFI malware or rootkit infection cleaning is a long, drawn-out process! There are many programs that need to be run which produce long logs/reports; you had better know what you are doing or your computer could be a doorstop! I have cleaned quite a few when I was actively doing them! If you want me to help you, send me a message and we can hook up by email. The logs are too long for this forum, I was told! But they could be zipped! Or do you have the problem under control?
 