
I have a standard Dell or Asus-motherboard based computer. It is a hard-disk or RAM. It was hacked remotely. I suspect that they were sophisticated.

I am happy to reformat the disk and/or throw it away altogether.

Alas, because the computer was hacked, I wonder where else attackers could have hidden rootkits that will run even after I got myself a new disk---motherboard BIOS, video BIOS, perhaps even a variety of other devices in my system. I don't even know whether an Intel CPU has some internal storage that could have been corrupted. I am worried about a lower-layer attack that starts up before it can ever be detected.

Advice appreciated.

/iaw

ivo Welch
  • How sophisticated are you talking about? "Smarter than script kiddie"-sophisticated, or "three-letter agency"-sophisticated? – Mark Oct 04 '14 at 02:19
  • The first, not the latter. The problem is that three-letter agencies today could be hackers in a few years. I am less worried about the NSA than I am about anonymous black-hat identity thieves over the internet. YMMV. – ivo Welch Oct 04 '14 at 15:10

4 Answers

Just an interjection from someone who has been living with this type of attack for quite a while now. Don't forget computers aren't the only devices with ROM/firmware! My prior generation Netgear firewall/router had its firmware overwritten. Expensive mistake after a couple of new builds. Also the kit I was attacked with immediately disallowed BIOS reflash by floppy etc. I believe it encrypts the base code fs and then mounts everything as a VM, based on numerous tests. Also had an early Vizio DVD player featuring "updateable firmware" bricked while connected to a projector/pc chain. Suggest reading BIOS Disassembly Ninjutsu Uncovered ISBN-13: 978-1-931769-60-0 or ISBN-10: 1-931769-60-5 if you can find a copy. It convinced me I wasn't going crazy despite what others said. Funny thing is by all of my tests/observations it appears to be an EFI based root/bootkit and the timeline kind of follows the EFI development timeline. The attacks began a few days after I was falsely accused of commercially using counterfeit m$ software, but never charged. I'm not in IT but taught myself Linux just so I could get back onto the internet after fresh installs of fully licensed winders failed to boot. The locked firmware forces the use of older drivers for general use, ie SCSI drivers replacing the NV sata drivers while rewriting the HD geometry just as a brief example. Also, bare metal formats are blocked. Luckily lean versions of Linux allow me to keep running my old AMD socket 939 machines until I feel I can build a new machine and configure it and a dedicated router sufficient to withstand this kind of attack. Verizon FIOS is of no help whatsoever, since they don't support Linux and probably couldn't deal with this anyway. I just turned 60 and wrote my first code in BASIC in 1972, but I'm getting too old for this kind of BS.

mustermark

A format will generally be enough to get rid of most malware/viruses and other bad things.

However, if you believe that for some reason you've been hacked to the extent that it could have infiltrated your system down to the BIOS, then the only fix would be to ditch the entire system. While there is speculation that the NSA has this sort of tool, I have no knowledge of them ever being seen 'in the wild', and so it could be seen as pure speculation.

Obviously if you want to restore any of your own data you should take steps to ensure that too isn't infected and then reinfects your system.


As the other answer says, a complete system re-installation gets rid of common malware that's located in boot sectors or on-disk file systems.

It is possible to install malware in device firmware, so that it will reinfect the OS even after re-installation. You would need to restore the original firmware or remove/replace the device (and re-install the OS) to get rid of the malware. There are very rare reported cases of malware placed in device ROMs from the factory. Those cannot be rewritten and need to be removed/replaced obviously.

David Foerster
  • Not worried about factory ROMs. So, there is changeable firmware on the motherboard and the video card. Anywhere else? Intel CPUs now can have the GPU embedded. Does the CPU have firmware? – ivo Welch Oct 04 '14 at 15:12
  • Intel CPUs have interchangeable firmware. There's a Linux kernel module that provides an interface to it. – David Foerster Oct 04 '14 at 19:05
  • Uggh... I presume this means that a sophisticated one-time attacker could even alter the CPU to the point where it cannot be trusted to diagnose its own corruption. Once touched by evil, it can no longer be assumed clean, and no program that runs on the CPU can be assumed capable of detecting this. – ivo Welch Oct 04 '14 at 23:39
  • That may be possible, but since CPU firmware is rather sophisticated, I wouldn't expect [“smarter than script-kiddie” attackers](https://security.stackexchange.com/questions/68931/post-disk-wipe-computer-security/68954?noredirect=1#comment112922_68931) to tamper with it. To my (limited) knowledge Intel CPU firmware just contains diagnostics and microcode for commands that aren't executed directly in hardware like many non-elementary floating point operations (sqrt, pow, exp, log, …). – David Foerster Oct 05 '14 at 09:34
  • Looks like the Equation Group was doing exactly that. – ivo Welch Feb 25 '15 at 18:35
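The comment thread above mentions that Linux exposes the CPU's loaded microcode revision. The following is an added example (not code from the answer's author or from this thread) of the kind of consistency check a defender can run after a suspected firmware compromise: it parses `/proc/cpuinfo`-style text and flags any logical CPU whose reported microcode revision differs from the others or from an expected baseline. The sample input is constructed, and `EXPECTED_REVISION` is a placeholder; on a real machine the baseline would come from the vendor's microcode release notes or from an identical, known-good machine.

```python
import os
from collections import Counter

# Constructed sample of /proc/cpuinfo output (two logical CPUs); not captured from a real machine.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed)
microcode\t: 0x1c
processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed)
microcode\t: 0x1c
"""

# Placeholder baseline (hypothetical value); replace with the revision published for your CPU stepping.
EXPECTED_REVISION = 0x1c


def parse_microcode_revisions(text):
    """Map each 'processor' id to its reported microcode revision (as an int).

    The kernel prints one 'processor : N' block per logical CPU; the
    'microcode : 0x..' line inside that block is the revision the CPU
    reports after the BIOS and/or the kernel loaded it.
    """
    revisions = {}
    current = None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
        elif key == "microcode" and current is not None:
            revisions[current] = int(value, 16)
    return revisions


def check_microcode(text, expected_revision):
    """Return (ok, findings): ok is True only when every CPU reports expected_revision.

    Two things are checked: that all logical CPUs agree with each other
    (a mixed set of revisions is unusual on a single socket) and that the
    common revision matches the baseline the operator expects.
    """
    revisions = parse_microcode_revisions(text)
    findings = []
    if not revisions:
        return False, ["no microcode field found; this kernel may not expose it"]
    distinct = Counter(revisions.values())
    if len(distinct) > 1:
        seen = ", ".join(f"0x{r:x}" for r in sorted(distinct))
        findings.append(f"inconsistent revisions across CPUs: {seen}")
    for cpu, rev in sorted(revisions.items()):
        if rev != expected_revision:
            findings.append(f"cpu{cpu}: revision 0x{rev:x} != expected 0x{expected_revision:x}")
    return not findings, findings


if __name__ == "__main__":
    # Use the live file when available (Linux), otherwise the constructed sample.
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CPUINFO
    ok, findings = check_microcode(text, EXPECTED_REVISION)
    print("OK" if ok else "MISMATCH")
    for f in findings:
        print(" -", f)
```

Note the limit of this kind of check, which is exactly the point raised in the comment above: the revision number is whatever the CPU and the operating system report, so a check that runs on the suspect machine can confirm a missed or downgraded microcode update but cannot prove the platform is clean. Treat a mismatch as a reason to reflash from vendor media, and treat a match as one weak signal among several, not as a clean bill of health.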

I am neither prone to conspiracy theories nor particularly fearful of the NSA. However, I believe that the last three months have demonstrated that previous answers to this question were naive. Rootkits on computer controllers and/or BIOS/EFI boot code either already are or are about to become common. The most recent http://it.slashdot.org/story/15/03/19/1319244/persistent-bios-rootkit-implant-to-debut-at-cansecwest suggests that much. Once a hacker has root access on a machine---and the NSA [or clever and determined hackers, with or without the consent of the manufacturer] may obtain this access even before the computer ships---all bets are off. The hard disk, the BIOS, and multiple chip controllers are all compromisable.

Such exploits are not just theoretical, and it will not just be the NSA, the Equation Group, or any number of foreign services that have them.

Instead, such rootkits will be panaceas for common criminals. The potential for extortion is there--at least the NSA is not primarily in the extortion or commercial spying business. This will get far worse very quickly.

If anyone knows of computers, motherboards, and/or hard drives, whose controllers are based on old-fashioned ROMs instead of reprogrammable EEPROMs updatable in the field, I would love to learn about it. It would be a prudent security feature, and couldn't come soon enough.

ivo Welch