7 Replies Latest reply on Nov 13, 2012 11:38 AM by Peter M

    Firmware Malware?

      On the 26th of August my PC was infected by malware. Ever since, I've been trying to get my PC to perform as it did prior to the infection, with little success.


      The infection occurred following McAfee's bad update. I downloaded Instaquotes (an iPad app) using iTunes when the Windows 7 Action Centre popped up reporting that several storage device controller drivers were incompatible -- drivers that were issued by my motherboard's manufacturer and had worked fine for the previous 18 months without any problems. Meanwhile, the McAfee firewall indicated that my NAS was launching a DDoS Smurf attack on my PC, odd considering that my NAS is behind two NAT routers and could not be reached from the internet.


      Sophos later publicised that the "Instaquotes-Quotes Cards for Instagram" app was infected with Win32/VB.CB.


      I decided that I might as well nuke and pave. I did this by completely powering my PC down (at the mains) then, keeping the PC off, switching mains power back on and flashing the PC's BIOS with a known-good BIOS image using my Rampage III Extreme's flash-while-off feature. I then booted the PC and set the BIOS settings identical to the previous settings (using photos taken months previously as reference). Next, I booted from CD-ROM and zero-formatted the HDD completely. Powered off. Powered on, booted from the Windows 7 Ultimate 64-bit CD, built new partitions, installed Windows etc.


      I then attempted to install McAfee Total Protection 2012, but the installation failed midway. After several abortive attempts I eventually got McAfee to install. However, Windows Action Center started to report that no antivirus product was active. The system tray icon appeared to show McAfee Total Protection was working fine. I installed and used MVT to check. It found problems, which it then fixed. However, McAfee continued to fail to start up properly. MVT repeatedly found the same problem and fixed it.


      I then noticed that "Checking NVRAM" appears just before Windows starts to load (i.e. after RAID blurb appears) while booting up. I'm using the same 1502 BIOS with the same settings as those prior to the infection. The "Checking NVRAM" message never used to appear prior to the infection.


      Windows Action Centre then started to identify various storage device controller (Marvell 9128, USB 3.0, SATA II) drivers as incompatible. More recently the power management drivers are being shown as incompatible. The drivers are those issued by Asus for the Rampage III Extreme motherboard. Reinstalling them seems to fix the compatibility issues for a while.


      I've tried scanning my PC for viruses using McAfee Total Protection 2012 and a variety of other well known commercial products, both from within Windows, and via bootable CDROMs. All show that the system is virus free.


      I now suspect that Win32/VB.CB was used to deliver firmware malware. Unfortunately there appears to be no way to check firmware integrity at the moment.


      Is there any method or utility that I can use to check my PC's firmware? Does McAfee have plans to provide a DeepSAFE product for home users?


      At this point any advice would be useful.
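The question above asks for a way to check firmware integrity. What follows is an added example, not a tool from the original poster, McAfee or Asus: a small Python script that compares a raw SPI flash dump against a reference image and reports which byte ranges differ, separating changes in a region that is expected to change (the UEFI variable store / NVRAM, which the "Checking NVRAM" message refers to) from changes anywhere else. It assumes both images are raw dumps of the same flash part with the same layout, for example taken with flashrom's read mode from known-good boot media or with an external programmer (a dump taken from inside a possibly compromised OS cannot be trusted, for the reason the poster gives later in the thread). The 64 KiB image size and the variable-store offsets are hypothetical; on a real board they must be read from the flash descriptor or firmware volume headers, and a vendor-downloaded BIOS file is generally not byte-for-byte comparable with an in-system dump.

```python
"""Compare a raw firmware (SPI flash) dump against a reference image.

Added example; not a tool from the original post, McAfee or Asus. Assumes
both images are raw dumps of the same flash part with the same layout.
The image size and region offsets below are hypothetical placeholders.
"""
import hashlib
import random
import sys

# Hypothetical layout: a 64 KiB part with a 16 KiB UEFI variable store
# (NVRAM) that legitimately changes between boots. Real parts are larger;
# take the offsets from the board's flash descriptor / FV headers.
IMAGE_SIZE = 64 * 1024
VAR_STORE = (0x8000, 0xC000)   # half-open [start, end)


def diff_ranges(a: bytes, b: bytes, block: int = 4096) -> list:
    """Return [(start, end), ...] half-open ranges where a and b differ."""
    if len(a) != len(b):
        raise ValueError(f"image sizes differ: {len(a)} vs {len(b)}")
    ranges = []
    n = len(a)
    i = 0
    while i < n:
        # Fast path: skip a whole block when it is identical.
        if a[i:i + block] == b[i:i + block]:
            i += block
            continue
        # Slow path: find the first differing byte, then the end of the run.
        while i < n and a[i] == b[i]:
            i += 1
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    return ranges


def masked_sha256(image: bytes, volatile=()) -> str:
    """SHA-256 of the image with volatile regions zeroed, so two dumps that
    differ only in NVRAM hash identically and can be compared over time."""
    buf = bytearray(image)
    for start, end in volatile:
        buf[start:end] = bytes(end - start)
    return hashlib.sha256(buf).hexdigest()


def check_image(dump: bytes, reference: bytes, volatile=()) -> dict:
    """Diff dump against reference; any change outside 'volatile' is flagged."""
    diffs = diff_ranges(dump, reference)
    unexpected = [(s, e) for s, e in diffs
                  if not any(vs <= s and e <= ve for vs, ve in volatile)]
    return {
        "differing_ranges": diffs,
        "unexpected_ranges": unexpected,
        "masked_sha256": masked_sha256(dump, volatile),
        "reference_masked_sha256": masked_sha256(reference, volatile),
        "clean": not unexpected,
    }


def build_sample_images():
    """Constructed test data (not real firmware): a pseudo-random reference,
    a dump that differs only in the variable store (benign), and a dump that
    also has four bytes patched in the code area (an implant at byte level)."""
    rng = random.Random(2012)
    reference = rng.randbytes(IMAGE_SIZE)            # Python 3.9+
    benign = bytearray(reference)
    for off in range(VAR_STORE[0], VAR_STORE[0] + 0x40):
        benign[off] ^= 0xFF                          # NVRAM rewritten: expected
    patched = bytearray(benign)
    for off in range(0x1000, 0x1004):
        patched[off] ^= 0xFF                         # code region altered: not expected
    return reference, bytes(benign), bytes(patched)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_fw.py dump.bin reference.bin
        with open(sys.argv[1], "rb") as f:
            dump = f.read()
        with open(sys.argv[2], "rb") as f:
            reference = f.read()
        samples = [("dump", dump, reference)]
    else:
        reference, benign, patched = build_sample_images()
        samples = [("benign", benign, reference), ("patched", patched, reference)]
    for name, dump, reference in samples:
        report = check_image(dump, reference, volatile=[VAR_STORE])
        print(name, "clean" if report["clean"] else "MODIFIED")
        for s, e in report["unexpected_ranges"]:
            print(f"  unexpected change at 0x{s:06x}-0x{e:06x} ({e - s} bytes)")
```

The masked hash is the value worth recording: take it from a dump made right after a trusted flash, and any later dump whose masked hash differs has changed somewhere other than NVRAM and deserves a byte-level look. Two caveats a practitioner should keep in mind: a byte-identical flash does not rule out malware in other firmware the poster lists later (NIC option ROM, drive controllers, graphics card), each of which has its own flash, and a single patched region is equally consistent with a vendor update, so the reference must itself be trusted.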

        • 1. Re: Firmware Malware?
          Peter M

          Moved this provisionally to Malware Discussions > Home User Assistance.


          Am I glad I decided not to download that particular App.


          Is there any method or utility that I can use to check my PC's firmware? Does McAfee have plans to provide a DeepSAFE product for home users?

          There is a component in the 2013 software that checks for up to date software, but it's mainly browser add-ons and suchlike, so the answer to that is no, not that I know of.   However there is a trial of Deep Defender available, which has that technology.

          http://www.mcafee.com/ca/products/deep-defender.aspx  Now, of course, I have no idea how it works, and support for it is in its own community area, and I can't guarantee it won't clash with anything in your consumer software.


          I will ask about that product on our next conference call with McAfee staff on Monday 19th.


          The last link in my signature below has some tools that may help.  Might I suggest you follow the HijackThis routine near the bottom and post a log on one of those specialist forums for assistance, as we have only basic malware removal knowledge here.  At least that way it's free, as McAfee, like other major A/V vendors, charges for personal malware removal.
          Message was edited by: Ex_Brit on 13/11/12 7:48:06 EST AM
          • 2. Re: Firmware Malware?

            Thanks for your rapid response.


            I've already tried all of the anti-malware tools you mention (I'm even using Malwarebytes Pro now), except for HijackThis. I'll try it later and see what, if anything, the forums reveal from its logs.


            I suspect that it'll come up clean as, if my suspicions are correct, any firmware malware present will have altered the kernel enough to conceal anything else from anything running in Windows. Nothing I've used to check my PC has found anything, but the odd behaviour with drivers persists.


            I did look at the DeepSAFE demo, but I fall short of the McAfee ePO requirement. See

            http://downloadcenter.mcafee.com/products/evaluation/Deep_Defender/v1.0.1/readme.html


            McAfee / Intel really need to provide some DeepSAFE solutions for the home market, especially given the severity of the problem demonstrated by proofs of concept such as Rakshasa. By that, I mean if there's a working proof of concept (there are several) then you can be assured that malware authors will be seeking to create / deploy malware that uses similar approaches to infect firmware (router, network card, optical drives, HDD controllers, graphics card etc.). The lack of detection software must surely be a spur to those seeking to steal confidential data, run botnets etc.


            I'd be only too happy to buy a DeepSAFE product if one were available for home users. Hopefully it would be able to identify which components are infected too.

            • 3. Re: Firmware Malware?
              Peter M

              I'm wondering if there is a similar product out there for consumers from another maker, but not having too much knowledge about such things, I'm afraid I can't really help you there. I did hear back from my contact at McAfee regarding a similar product for Home Users and this is the verdict:


              All I can tell you is that

              • a)    It doesn’t currently exist
              • b)    It is being considered. 
              • 4. Re: Firmware Malware?

                I know there are several companies working on the firmware malware problem. Symantec have registered a patent but have yet to announce any products. Carnegie Mellon University's CyLab are working on a firmware integrity checker (interesting presentation: http://www.youtube.com/watch?v=hj0s-hxy24A ) but, as far as I know, are yet to release a product.


                McAfee currently appear to be the only company with a solution on the market, AFAIK. It's just a shame a home product isn't in development right now. It really can't come soon enough.

                • 5. Re: Firmware Malware?
                  Peter M

                  Agreed, but I find wheels turn slowly in major corporations.  In other news, I see that John McAfee, who founded the company but left in 1994, is wanted for an alleged murder but is claiming a frame-up.

                  Of course that has nothing to do with anything at all, but thought it interesting.


                  http://www.huffingtonpost.com/2012/11/13/john-mcafe-police-murder-belize_n_2121917.html

                  • 6. Re: Firmware Malware?

                    Not entirely unrelated: the ordeal of Kitamura, who was arrested after a hacker used his computer to make threats:


                    http://www.dailymail.co.uk/news/article-2218995/Horrifying-ordeal-man-falsely-arrested-zombie-hacker-seized-control-used-post-death-threats.html

                    • 7. Re: Firmware Malware?
                      Peter M

                      It makes one tread very carefully around the Internet.