When The Motherboard Comes With a Virus
HTML-код
- Опубликовано: 11 сен 2024
- A UEFI rootkit by the name of cosmicstrand has been detected on several motherboards (images analyzed in the security writeup came from Asus and Gigabyte H81 motherboards) that has the capability to tamper with Windows operating systems installed to any disk, and is persistent upon os resets or hard drive changes.
link to writeup:
securelist.com...
₿💰💵💲Help Support the Channel by Donating Crypto💲💵💰₿
Monero
45F2bNHVcRzXVBsvZ5giyvKGAgm6LFhMsjUUVPTEtdgJJ5SNyxzSNUmFSBR5qCCWLpjiUjYMkmZoX9b3cChNjvxR7kvh436
Bitcoin
3MMKHXPQrGHEsmdHaAGD59FWhKFGeUsAxV
Ethereum
0xeA4DA3F9BAb091Eb86921CA6E41712438f4E5079
Litecoin
MBfrxLJMuw26hbVi2MjCVDFkkExz8rYvUF
Dash
Xh9PXPEy5RoLJgFDGYCDjrbXdjshMaYerz
Zcash
t1aWtU5SBpxuUWBSwDKy4gTkT2T1ZwtFvrr
Chainlink
0x0f7f21D267d2C9dbae17fd8c20012eFEA3678F14
Bitcoin Cash
qz2st00dtu9e79zrq5wshsgaxsjw299n7c69th8ryp
Etherum Classic
0xeA641e59913960f578ad39A6B4d02051A5556BfC
USD Coin
0x0B045f743A693b225630862a3464B52fefE79FdB
Subscribe to my RUclips channel goo.gl/9U10Wz
and be sure to click that notification bell so you know when new videos are released.
me when I buy a malwareboard
@Tinder in real life 🅥 said fuck it and clicked on the link, was not disappointed
@@zander07 botnet'd
@@Seeks__ oof
@@mr.serious707 very important to stay warm in these times
@@mr.serious707 🤣🤣
Man, Welcome back to the 90s... When we had viruses like Anti-CMOS-A that would infect your BIOS.
Also the CIH.exe virus that deleted your BIOS and bricked your board.
The fashion always keeps returning after two or three decades ;- )
Or the CIH virus for example.
Edit: Just now noticed someone else already mentioned it, that's my bad for not checking first lmao
@Ops Blac Money and enterprise level data.
@@mayravixx25 🤓🤓🤓🤓
If this UEFI malware is really sophisticated, I imagine it’s theoretically possible it could reinsert itself into the image when you update, or just fake the update. Now that would be neat / horrifying.
Well if that happens, then it goes to the computer junk.
@@SaitoShepherd Not really, there are hw programmers for bioses, they are like 20$ You can also swap the bios chip (in the last decade it was easy, nowadays they are soldered iirc)
@@SviatoslavDamaschin BIOS chips aren't BGA though, so while they still take some soldering skill, it's nothing close to the level necessary to solder BGA components.
Thanks mate. We worked really hard to make it happen.
Well, if you update with a non wr-cd or dvd, then it can't do shit
3:16 To terminate the UEFI services, the bootloader/kernel calls ExitBootServices, which is helpfully provided by the UEFI firmware itself - so the kernel cannot in fact shut down a malicious UEFI implementation, it can just ask it nicely to shut itself down
But then the UEFI says no
But then the UEFI pretends to shut down while residing in memory
@@amogus7 not how it works
@@amogus7 it would just use the reserved chips for it instead of the system-wide ram
@@pacomatic9833 Then the OS DMA writes over the interrupt handler to unhook it.
Windows: _We're gonna improve security by throwing a ton of weird stuff into microchips!_
**Microchip security gets bypassed anyway.*
Lol
"a to of"
See where your shitty outsourcing got you M$! Maybe next time try actually fixing the fucking problem.
ME/PSP and CPu microcode runs at a lower level than "hardware/firmware". In fact, higher levels cannot detect their activity.
*a to of*
Thinking about it, computer distribution in general is in a very barbaric state. When you are buying a PC, you are literally buying a cat in a bag, no manufacturer seals, no holographic stamps from the factory. Security of the computer supply chain is very important, it needs to be treated like we do with alcohol or medicine - no tampering with from the factory conveyor belt, period. I live in Asia and I just recently bought ASUS motherboard that falls directly under the criteria. The problem is - reflasing is done by the motherboard itself, where is the guarantee that reflasing mechanism is also not compromised to reject/modify new flashes?
You can remove the UEFI chip itself, and use an external flasher to update the UEFI without even booting up the infected machine if you want to be sure that it's updating
That is, if you can get a 100% authentic UEFI FILE from ASUS themselves, since ASUS seems to like the idea of updating the UEFI from Windows, and not from the UEFI itself
Quick note: the difference between a UEFI updater and a UEFI file is that an updater has all the stuff to write the update to the chip from Windows, and the UEFI file is only the software on the chip itself
If you think alcohol and medication distribution is tamper proof or even tamper evident then sweet sweet dreams to you
no , you get warranties and assurances and if those fail , your item can be returned at little to no additional cost. if you buy a used board with an embedded virus , there 's not to much you can do right now . wait a few months and they will have a solution.
All computers have flaws regardless if they are tampered or not. Regulation leads to confiscation
@@Auditing102 regulating sale/installation of bios chips doesn't hurt anyone . it ensures greater security coming and going from the factory. regulation of booze led to confiscation 80 years ago and thats where that backwards statement comes from .
A couple months ago, I ordered an Asus board from Newegg and I didn't notice it wasn't shipped by Newegg until right after I bought it. It arrived in a white box. I emailed the seller to inform them that I ordered a new motherboard, but they sent me a used one that wasn't even the correct model (didn't have WiFi). The seller told me that it was okay because I could trust their quality and they made sure to test it and they would also send me cash in the mail. They also told me not to send it back as the item wasn't eligible for a refund and they would charge me $25 if I sent it back. After over a month of going back and forth with Newegg, I managed to get a refund. I wonder if they were sending me an infected board?
I wonder yes because they had no reason to pull out the wifi module . Or it can be a stock issue
@@Clone_osu1 didnt have wifi = uefi malware
@@balllord3546 That's a minor detail which serves as a quick explanation for why the shipped motherboard was not useful to OP
OP, do you still have the MB?
After the Gamers Nexus fiasco, the only thing I use NE for is checking HW to buy elsewhere. )NE even gives me a hard time over my vpn.) And with Amazon being goofy with their delivery times (at least here), I just get what I can from microcenter.
"never trust the maid" _shows image of astolfo in maid outfit_
Dear Mental Outlaw,
The scariest thing about this - when you described how it must be a man-in-the-middle attack performed after the manufacturing and before the end user receives it,
The scary part is if any of the alphabet boys were suspicious of someone and wanted to get easy info on them, they could see that they're trying to order a motherboard or other computer part and legally intercept it before shipping in order to install infected firmware. This is a terrifying idea that renders online purchases insecure unlike in a store where the motherboards are already there.
It's not a stretch to imagine that some Asian country like the PRC created and/or installed this malware with or without ASUS's knowledge. (as you said this mainly occurred in Asia)
Online shippings are safe, no one can open the package before it reaches the user or the company would loose reputation, more likely someone must've to brake into the storage room and manually insert the malware into the PC if the product has a waiting time before delivery like days or weeks, a company would have the worst security to let someone do that regardless of waiting time, they cant steal the package when it's being sent to the client as any delay is noticeable and they can't possibly be employees of the same company doing it.
It bust be a shady criminal business doing it.
@@RoastCDuck Google and Twitter and Facebook collaborate with the feds all the time. Why wouldn't Amazon or UPS?
This is why when embassies, etc, want to buy hardware (or printer cartridges for example) they send someone to a physical store some distance away to pick one off the shelf at random.
@@RoastCDuck wrong. You're either hopelessly naive or compromised or a b0t.
Alphabet boys and thier "legal methods"😭
9:16
And this is why I'm glad you informed everyone about the Intel Management Engine and the AMD Platform Security Processor, Windows 11 requiring a TPM (and generally being Spyware already) as those two things alone have already reduced our trust in the hardware our computer has, and the software they (either the government or the tech companies) want us to use.
You are performing a wonderful public service by informing the public, thank you.
"At that point, the mitigation's are pretty straight-forward." 💀
The ending of the video took a wild fkn turn
( ͡° ͜ʖ ͡°)
i literally can't
😭😆
ya this is a very informative video but did he really just make a joke likely about rape???
PSA: In some brands of Notebooks you can NOT reset the BIOS password by removing a battery or with a jumper.
The password is stored in a exclusive partition of the UEFI nand/nor chip itself with is non volatile memory. Updating/flashing the BIOS true normal means will not remove the password either since the manufacture makes so that updating the firmware will only write over the UEFI partition leaving a partition made exclusively to keep the password alone.
The only way to remove the password is by using a EEPROM programmer and having a backup of the whole UEFI chip content that doesn't have a password (Some people know how to patch the rom to remove the password so you may not need the password free backup).
A brand that I'm aware that is like this is LENOVO.
In short be sure to not forget your Notebook BIOS password and remember to remove it before selling it.
That sounds like such a pain in the ass
@@arandomguy4478 It is lol.
This actually explains why my BIOS settings weren't resetting when I removed the CMOS battery on my Ideapad
HP does this on some models as well
@@TheExileFox Hacking = flashing rom... no enviromental trap
This is not what the original definition of the “Evil Maid Attack” was (as presented at DEFCON).
Instead it’s about any sort of reliable access a attacker or agent of an attacker has to the physical premises such as the groundskeeping or cleaning employees of a large company that has sensitive hardware.
MOST IMPORTANTLY the timeframe is completely different! The original concept is that the attack can be installed (especially for stuff like EMF Capturing or leaving malicious hardware) then removed at a later date, like a month later. This way the infiltration of the attack and exfiltration of stolen data/etc doesn’t have to go over the network at all!
IAmVerySmart
@@randomgaminginfullhd7347 ok.
@@randomgaminginfullhd7347 no, you're not.
Shhhh, let maid Astolfo put malware on your pc
0:22 I could hear the painful resistance in his voice from saying “when the malware is sus”.
This potential type of problem was one reason for the Libreboot project and the use of the older IBM/Lenovo laptops as they represented one of the last environments with publicly available chipset descriptions etc. and the ability to have an open source bios. Of course as time passes these machines become less usable. We just don't know what we're buying nowadays.
Intel Management Engine is a suspect thing. Imagine a compromised version of that rolling out of the factory.
Framework also has public descriptions (and schematics!) but it's still Intel only
antirootkits doesnt help...
@@TheExileFoxIME itself is one of the attack vectors in these persistent exploits, and had even been the cause of multiple UEFI/CPU level persistence incidents already by the time this video was posted.
Which old Lenovos? T420 for example or older?
I wouldn’t be surprised a bit if we find out later there is already a back door in hardware from the manufacturer, and they’ll claim it’s for “National Security” and we’ll just say oh you silly geese that’s ok, lol.
Remember the supermicro scandal?
Ofc they do,how else do you think the FBI finds ppl?
I seem to remember a certain armband-wearing party justifying industrialised genocide using the "muh national securitah" excuse
mfw I order hardware from China so the chinese government has access to my data but the US government won't (as the Chinese would have incentive to block anybody else from accessing their juicy juicy data)
what the frack do you think windows 10/11 is? All it has become is one GIANT back door for big daddy government - and YEAH - the hardware manufactuers are ALSO IN ON IT!!!! (keep wondering why the older computers are becoming more and more coveted - created back before all this crap started to really go down). Edward Snowden wasn't just talking out of his butt. The US Gov hates him for a very good reason - he blew the whistle on their blatant privacy violations they take against us EVERY DANG SECOND!!!!!!!!! The same thing with all these smart phones people use. It's a microphone that reports right back to big daddy G along with GPS to track your every damn movement.
Oh boy, so many inaccuracies.
1. You're missing a few layers between ring 0 and UEFI. Namely system management mode is a particularly enticing place to keep your backdoor.
2. Extra chip on the MB is not really viable backdoor as there is no good way for it to boss the CPU around. You'd have to modify RAM content to inject code, but x86 uses several levels of indirection to access RAM and those tables are hardly ever flushed from cache because they're being used *all* the time, so you won't find them in RAM and without them, you're looking at a random scrambling of 4k blocks of memory with no idea what's where.
A better example would be a backdoor baked into the CPU's silicon itself. I'm not aware of any in Intel or AMD CPUs, but there have been multiple documented cases with smaller manufacturers.
3. Almost all anti-malware solutions use kernel mode hooks. But also kinda not. When Microsoft introduced PatchGuard (which you mention in the video), they took that ability away. They provided kernel mode scanning APIs for anti-malware products to use instead, but they are limiting and introduce a single point of failure which _has_ been exploited. Now, AV companies _could_ disable PatchGuard, but we choose not to, because fighting a behemoth like Microsoft head-on is not fun.
4. What you're describing is a supply chain attack, not an evil maid attack. Perplexingly, you later describe an evil maid attack correctly, but don't realize it's completely different from what you talked about before.
5. I haven't seen a laptop with a CMOS battery or a clear CMOS jumper in probably two decades. Laptops use flash for storing BIOS/UEFI settings and have no direct way to reset them precisely because by their very nature they are more susceptible to physical tampering. To reset settings on a laptop, you have to hook up a flasher and erase the chip that way.
Thanks for the info. Can you say anything more about the CPU indirectly accessing RAM?
I of course know about multi level page tables but I was under the impression that when the CPU views "physical memory", the pages are contiguous in the same way they are on the actual physical hardware.
Damn how did you even get this knowledge? 15 years of experience in anti-virus software?
I think he just wanted to use the Evil maid attack in an example for a while now, it's more visually interesting than a supply chain attack :3
Though far less terrifying IRL tbh. That fucking hit on solarwinds caused my client a lot of fucking heartburn
Re. #2, why would a malicious chip be designed to need the CPU? China pulled it off on Cisco(?) network hardware in the last couple years. US intel also but on other hw, if I remember correctly. But those would only be examples of when it was both discovered and disclosed
He's showing a simplified version of access layers
Great video, really made me think. I recently bought a used router. When I hooked it up to my laptop (offline!) I found that it had an unofficial firmware, remote login was enabled and it had a DynDNS configured 😟 The passwords and SSIDs matched the ones on the sticker so Average Joe would have no idea that the person who sold him the router could have full access to his LAN. I suspect this was done maliciously but have no proof. It's crazy how many ways there are to compromise people's security if they don't know what to look for!
Probably someone who needs a proxy to do dodgy stuff from.
Ah good, a reminder not to buy used routers or probably networking hardware in general, lord only knows I would not catch something like that until it was too late.
@@jannikheidemann3805 My thoughts exactly, I'd hate to know what they might have used my connection for.
@@plasmaoctopus1728 So long as you check things out and do a pinhole factory reset before going online it should be alright but I know what you mean. Use an amnesic OS when you first connect just in case there's malware that can spread via the network. Used stuff is more risky, for sure, but you should do this for new items too if possible. It only takes a few minutes. Remember, even big corporations like Sony install rootkits when they feel like it! 😬
The most elaborate set up to getting free wifi.
love my pre rooted motherboard! =DDD
@Breakfast nice pfp from a good game unfortunately that comment was not based
Beyond setting a BIOS password, put your laptop in a lockbox with at least two types of locks. Place that inside a wooden puzzlebox. The evil maid can't just smash it to get at the lockbox, because that would be an obvious sign of tampering.
What if the wooden box comes with malware??
@ZaHandle wouldnt matter if she's a disciple of LPL's wife (joke based on the ice cream video)
I'd watch a show about an 1337 haxxor disguised as Consuella.
I appreciate these security vids that have a healthy dose of dark/black comedy to them (the ending was priceless)
rape jokes aren’t funny and you’re really scary for thinking that they are. you calling this “dark humor” is literally the problem with actual dark humor. humor is supposed to be funny too, you can’t just be edgy. hope you’ve done some soul searching bro
@@slghtmediait's done in self defense dw
Thank God I'm a BIOS updater. So many people in the tech space are like "NEVER UPDATE YOUR FIRMARE REEE". I always update my BIOS/UEFI. On old computers that's easy, once and done. On my main desktop, I only do it every couple of months. But I do have an ASUS motherboard. Though if I remember right this was Intel only, right? And you said it was primarily in Asia, so I'm probably okay.
after a few years my motherboard doesnt get bios update anymore
@@PenguinCrayon269 I assume you're on intel? AM4 has been getting updates for a long while to support all the CPU's.
In most cases You could also replace bricked firmware with ch341a without soldering
Theoretically at least, if your firmware is already compromised it could reinsert its malware into the update or just pretend to update.
@@t0asta especially if the firmware in question comes preinfected from the manufacturer himself.
1:19 Image says less than Ring 0, which would be Ring -1 and Ring -2.
Video says Ring 0.
SMM is said to be running in Ring -2,
and that's setup as part of the firmware.
Although in my opinion, there really isn't much sense in splitting that.
And protection wise, you can usually infect Ring -1 and Ring -2 from Ring 0, which should make clear, that there really isn't any special protection going on here.
It's just that Ring -1 and Ring -2 are running transparently for the rest of the firmware, so anything there can be hidden away completely from the OS Kernel that's running in Ring 0.
Intel ME would also likely be considered a lower ring than Ring 0, considering it's running before any OS.
“When your legally purchased a music disc has a virus”
When your a grammar has a virus
Looking at sony drm
@Breakfast That whole thread is hilarious, idk which of the responses is best lol.
Pov: drm
"It's a Sony" was a warning.
11:44 The last part is literally a TRAP.
Lmfao I can't believe you actually used Verge's build guide for that segment 🤣
i borderline believe that was intentional
At first I thought you said "evil made"...
Iirc.
There are retailers who can re seal factory sealed boxes, or at least claim they do. When I returned a 8350 (worse performance than my x6), I got an exemption on the restock fee, since they could seal it up themselves.
Got myself a 4770K that has been running at 4.3 GHz since that day (it was 1 or 2 months after it's release).
It's funny because any of my friends when they buy second hand phones don't factory reset them. They think that's it's a great idea to accumulate the residues of the last owner
That is such a horrible idea
Buying second hand is actuslly great because it has an aged IMEI, so while your IMSI will change its not a brand new phone so I think that grants at least a little bit more anonymity for your device. Especially if you register the new prepaid plan in the name of the previous device's owner lol
@@WitchMedusa thats called fraud
@@killertigergaming6762 Don't act like you know what you're talking about when you don't. Counts around the western world have upheld the legality of using alias information.
You don't even know the definition of fraud because no one is being defrauded here, you are registering for service with an alias name matching the previous owner & are paying for said service with your own money. Please explain what party in this transaction is exactly being defrauded & how?
@@WitchMedusa like when you hear about career criminals in court with aka said 5x during saying their name
Someone call Japan and tell them we need a romantic comedy anime about a tsundere maid who keeps trying to hack the protag's computer.
Some old Chromebooks have a screw shorting the WP# pin of the BIOS chip to ground. The chip is forced in read-only mode until you remove the screw. Solves the problem and is easy enough to undo.
ME/PSP and CPu microcode runs at a lower level than "hardware/firmware". In fact, higher levels cannot detect their activity.
@@doyouwantsli9680 But that's read-only, right?
@@GhostSamaritan Not sure what you mean. It can read and write to anything in your system, it even runs a full OS.
If you meant that the microcode and intel ME itself is read only, as in "can't be updated", that's also incorrect. It can be written to.
Just when you thought malware couldn't be worse, it is found on motherboards. It wouldn't be a big deal if you could just flash a clean firmware to the board but you need to know for sure which ones are clean.
I don't even trust those firmware updates from Windows, but I don't mind but proceed anyway.
Ultimately, the best defense is you don't cling your PC with anything of value, and you are ready to ditch internet if need be.
I got a standby motherboard in any case... ... and got it from another source. Hee hee hee... ...
Also, the system linking to sensitive operations is totally secured, and not even in my home. It cannot be infected with motherboard malware, and have 3 layers of security that any compromise will be easily detected and removed and system recorrect itself, cos there is a burn in physical chip with burn in program that cannot be altered by any programming at the final layer. Any attempt triggers alert and system realigns itself keeping everything safe and work resumes.
Super max security. Too bad I don't know the technology behind. But alien technology to most... ...
I hate when that happens!
I love how this went from a very dangerous malware that's next to impossible to get rid of to hotel maids completely deconstructing my computer so they can put malware on it
Clicked for astolfo stayed for cybersecurity
this seems like a HUGE lawsuit waiting to happen. imagine shipping a motherboard with a virus on it.
"Reflash your board with a known working firmware version" wouldn't work on boards with firmware downgrade protection via eFuses on the chipset, and actually downgrading would brick your board. Just like on Samsung phones, if the malware knows how to toggle the board eFuses, it would instruct them to make it appear as a legit update has occurred, and up the eFuse array counter. Now your board is locked to the malware modified bios binary... And eFuses are one-way road, them can't be reverted.
stuff like this is why i buy motherboards with socketed rom chips, so i can dump them in my programmer in the event of _any_ issues. it's... difficult at times, since there's cycles where no manufacturers make any, and i have to wait a bit, but its saved my bacon more times than i care to name. this just adds another bullet point to the list of reasons why.
I'm a noob but how can you check it's socketed before purchase?
That's why I never liked UEFI in the first place. Why you want more complicated software layers between the hardware and the Operating System? Firmware used to be little, simple and with essential configurations in the needed cases. Now it's almost other mini operating system that do things that should be hardware operations or things that only are for the benefit of corporations and not the users. So, you now have an onion of complicated software levels that each one is a security risk. Microprocessor, disk firmware, BIOS, drivers, and all that replicated in smartphones and IOT appliances, the last ones with low level quality software and security... So yeah, welcome to hackersland dystopia, where if you are not a programmer yourself, good luck dealing with the paranoia.
it's not almost another OS, it is another OS and most modern computers have so many of them it's just one big kludge
the way to escape dystopia is build your own hw and os, i guess
The main problem is the hardware itself is becoming much more complex. At this point some of it are just too much for the OS and main CPU to handle alone. SSD for example have their own CPU and RAM, without this the OS and main CPU would waste their time maintaining it.
"Why you want more complicated software layers between the hardware and the Operating System? " Because of the decades of legacy the standard PC has to abide by and the Operating System REQUIRING THEM to function, even though we modernized the hardware we still need to emulate the ancient PIC and PIT chips in the IBM PC, the ISA bus and even the Intel's MP standard despite the processors themselves no longer abiding to that and dumping the responsibility on the firmware to configure the processors to emulate that, and of course let's not forget the abominations Intel created like SMM(why the fuck a computer needs to run its firmware completely transparent from the running OS) and ACPI(why didn't device trees suffice, every other ISA works fine with them but for some reason PCs not cuz we're special for some reason).
UEFI was supposed to fix some of the issues but of course in true Intel fashion made every single problem the BIOS had worse.
Anything that connects to the internet usually is not private, windows 10 makes you sign an agreement that says no privacy if using their services
You could do exactly the same with BIOS, and most probably you can do with coreboot or libreboot if you don't build your own image and flash a manufacturer made infected one. Everyone have already forgotten Computrace BIOS trojan installed in every Dell and IBM computer from 2000's? It could do COMPLETELY fine all what this shiny new UEFI trojan can all the way from WinXP to Win7.
Then UEFI isn't the problem. The problem is MANUFACTURERS DON'T GIVE US THE ABILITY TO SIGN OUR OWN MOTHERBOARD with OUR OWN keys. Secureboot (or TEE/verity on coreboot, libreboot and uboot) signed with our own crypto locks and keys would be secure even to 3letters... And that's why they don't want to.
Flashing bios doesn't work for competently written smm and lower attacks. There's persistent Flash ram that isn't over written and can be used as a scratch pad. This was used in the wild a little over 5 years ago to gain persistence in AMZN cloud hardware... it was easy to replicate in the lab if you didn't mind risking a few bricked mother boards or processors. But it was difficult to red team. They only got caught because they were sloppy and used the ram scratch pad as Storage for other malware they were developing. Needless to say, the attack and vulnerability were not disclosed however you could find guides and use them to test the attack on a few security forums that were purged... some of the breadcrumbs for this attack likely still exists. This is a more sophisticated version of the technique in the video but doesn't require physical access... you can do it following successful privilege escalation attack from user space on an instance you rent then use the backplane to migrate through the data center. The escalation and attack just require you to run an infected binary that is successful 10% of the time and crashes the server about 60% of the time. This is one of the advanced persistent threats that's basically a zero day since it doesn't require the attacker to gain authorization... after all, it's their instance... repeat this a few times and you're guaranteed persistence in a lot of data centers. Needless to say the story was buried, given AMZN's business relationship with the alphabet Boyz.
this guys knows
He is the real deal
I want that sus loading screen
11:39 lmao, straightforward mitigations ( ͡° ͜ʖ ͡°)
I love the way you entice your viewers with funni maemaez to deliver raw information into their veins
This is slightly incorrect, KPP or patch guard hashes the changes when patch guard is initialized. This malware does not need to attack patch guard directly, because it doesn't need to as the malware patches the kernel before anything is hashed, and the entry point is even called.
A better solution for that would be something some motherboards did in the past: put the BIOS firmware in a socketed chip. That way, if the thing gets corrupted, you take that chip out and either reflash it or replace it.
They called it Evil Maid Attack when they could call it a Maid-in-the-middle attack. A huge missed opportunity here.
9:54 - Hmm, if EUFI is compromised -- couldn't the new flashed firmware become compromised when a bios flash is attempted? Couldn't the flash program be "updated" with compromised code to inject a similar rootkit?
Yes, correct!
About two years ago we had a customer where the whole network was infected by a crypto trojan (probably locky) via an E-Mail. The trojan managed to get into everything, PCs, Servers Printers,... When we restored a offsite backup (thats a backup which is not connected to the Server / Network) from several days ago the malware back on the first boot. Even though we knew that the backup hadn't been connected for several days befor the E-Mail came in, we tried a clean install from DVD onto new SSDs. Same story after the first boot Windows Defender instantly started to detect malicious files. So the only possible explanation was, that the trojan was in the BIOS/UEFI or in the integrated remote management module of the server or on both.
We then tried to reset the management module from the BIOS and flashed the BIOS from within the BIOS itself because we suspected exactly the problem you mentioned above would happen if we flash it from Windows.
But after low level formatting the DISKs and reinstalling Windows from DVD again, after the first boot Windows Defender instantly started to detect malicious files, again... Luckily the Server has two of those management modules, the main one and a backup one which can be switched by a jumper on the MB. That was our last hope as we were already two days in without even getting the server up and running again so the next step would have been a new server (two days down is a lot of money, even for a smaller company). So we tried our Luck, turned off the Server (the management modules still runs, its always on as long as theres power to the server) unplugged it, switched the jumper and plugged back in. Then we had to make sure to NOT start the server, so the BIOS doesn't initialize and maybe compromise the backup management module as well. Then from the backup Management module we were able to Flash the whole BIOS/UEFI (not only the updated areas) and the main management module.
After that the trojan/rootkit/malware was finally gone, so we could procced.
Well this got quite long, tool me almost 15min typing this but maby it's interesting for someone ;)
@@luckylars32
I found it interesting. Thanks for explaining :) Is there any way to reflash a new management firmware while the bios isn't loaded?
You missed an opportunity to play a clip from the movie Hackers, where Penn says, "They're in the kernel!"
0:20 When Asus forgot the first letter of the alphabet:
When the company's name is Aඞ
Now I wonder what this Cosmic Strand does when it expects a Windows, but gets Linux instead.
It recommends Arch to the user.
Jokes aside, I'd like to know that too
Since it connects to the internet, everything running under it is theoretically compromised. It could just receive new instructions on how to compromise a new system, given that the attacker spends enough effort to do so. This would probably be unlikely without something to make the effort seem viable, such as many victims seemingly using the same kernel build.
But to actually give an answer, probably initially either nothing (if it checks what's there before overwriting), or corrupting some memory (if it doesn't). If you know what it does you could mitigate this corruption by relocating or rewriting the affected parts of the boot process, if any.
It can never be managed from the system's point of view, unless it (the firmware) has a serious vulnerability, but boy, wouldn't that be funny.
@@lollllloro it would fail the initial intrusion into kernelspace if it doesnt have a method designed for a linux kernel
@@Interpause The way I see it, it's the hypervisor and anything that boots on the machine is merely its "guest OS". It could utilize all the privileges that come with that, like pausing guest execution and reading and altering any memory. (While being able to receive any such instructions through the internet.)
What about this, in order to protect motherboard against such attacks :
The motherboard has a dedicated chip that verify current firmware. It check firmware has a valid signature from motherboard manufacturer (eg: ASUS).
That chip is independent from the rest (cannot be updated trough firmware) and the public key it use to validate signature can only be updated at factory (not by software). If chip detect improper firmware (because signature is not valid) system won't boot. Only way to fix it is to install a proper firmware (eg: boot system with an USB key and a valid firmware on it).
Someone will probably say that it can be defeated (eg: replace chip by another one similar to console mods) but that will make deployment of such attacks much more difficult than a simple software update.
TPM.
Oh shit! Unfortunately, my motherboard is infected with a rootkit! Looks like I'm going to have to suffer with it!
Ending this with a trap was hilarious.
🍻 saved me reading time.
thanks for the tldr
"Evil Maid" *Uses image of Mysterious Maid*
This guy gets it.
I think that PC assembly companies can be ruled out as suspects, since here in Russia (and most of Asia) few people use the services of such companies, as it is too expensive
You can also rule them out becuase I said.
You can always take in your shirt Russian government, Russia should perish.
If you buy chips in bulk, the manufacturer can ship your chip with your code on it. Thus saving your factory time flashing it.
Makes sense if your code never changes (ie bios). I suspect it's in that process, as no one is going to diff the hex
It seems the issue is not very widespread, so OEM/SI involvement is not completely off the table
I read the article and it only affects Intel MBs. If you're on AMD, you're presumably not affected, at least as far as it is currently known.
barely anyone is affected lol
If the evil maid is that last one at the end then there will definitely be some "mitigation" 😏
I lost it at "at that point the mitigations are pretty obvious" plus the graphic you chose.
Who here remembers when PC games was bought in CD form. I remember owning this one game on CD and kept getting a virus could not figure it out at first. In the end it turned out the virus was on the CD it self.
Good summary. A few attack vectors are not considered, that could be even worse (if it isn't already).
- If the OS is pre-installed (as for the assumption that it comes from a PC assembly company), the payload could already be present, and thus could interrupt the BIOS flasher and insert it's own EFI backdoor into the new firmware during patching or even after patching.
- If you connect the PC to the internet to download the BIOS update, it will have the chance to download it's payload.
- If the BIOS is updated, but you keep the windows installation it still has the payload, probably in ring 0, so it is still there and could do whatever (update payload, patch the current BIOS, etc)
(edit) - As mentioned by @unforseen consequencer, the kernel or UEFI part could just report a successful flash and not do anything (maybe just patch the shown version number). If you're lucky you could maybe detect this if a new visible feature in the BIOS is not present, but otherwise not.
So the only surefire way to protect yourself would be either to
- rip out the EEPROM chip (which used to be possible, but probably not anymore) and flash it using an EEPROM flasher, then boot and nuke the hard drive.
- Disconnect the machine from the network, update EFI using a flash drive , reinstall windows/whatever using a CD/flash drive, update EFI again with a newly downloaded copy of the BIOS to the flash drive, and reinstall windows/whatever again 😅
Or just use Linux.
Why update the BIOS and OS twice?
What happens if you install a differe OS? Can it no longer pivot properly? (Ex. Linux, Android, temple OS, ReactOS?)
Dear Mental Outlaw, I have a video suggestion:
I would be interested in a video about Discord and alternatives (I heard about Matrix being an option) and what voice/video chat program is best for general use.
I use GNU/Linux but I never liked using Discord as it uses electron & screen capture on wayland as well as recording desktop audio don't work right for me.
Also, thank you for putting in such effort into your videos, keep it up!
One pretty good one is Guilded. It functions more or less almost exactly like Discord, and it's run by people who don't totally suck donkey balls.
I would also like a video about Discord Alternatives, especially for more privacy.
Discord stores all your Chats unencrypted, readable by any workers there all the time. (I've also heard, that they are able to record and log Voice Chat -Conversations, but I'm not sure about that one). Also deleting your Discord Account will not delete your Chat Messages.
@@howtomundane3109 ....holy shit, are you serious....?
@@TrouvatkiDePercusion I might not be 100% correct, but I am serious about it.
@@howtomundane3109 that is terrifying
What is more dangerous? A compromised bios or astolfo?
Astolfo
Astolfo is very dangerous, A master of social engineering. Making all the men gay.
The thumbnail is a masterpiece
When the mofoboard is aSUS
never trust the maid (puts a image of HIM), pure comedy
2:50 Uefi can be programmed to do anything (just search for the uefi spec..). For example if the file system is not encrypted Uefi malware could definetly read your passwords (easily).
Hi, I’ve recently bought a laptop from one of the specified manufacturers and the chipset is in fact a H81. Though I did boot up windows, I did not log into it nor did I create an account on it, as I immediately proceeded to install a distro on it. Can I still be affected by this malware, even if it didn’t have any time or connection on windows? If so, is there a way to know if I’m infected in the first place?
I'm no expert but assuming the malware is calling windows specific APIs I'd say you're safe. Probably could reflash your bios just in case though
Probably not compromised, linux is a lower priority target. Backup to a USB and reflash your Bios just to be safe.
ME/PSP and CPu microcode runs at a lower level than "hardware/firmware". In fact, higher levels cannot detect their activity.
this particular rootkit looks for the windows kernel when booting according to the reporting on it - but there is no reason a different rootkit that works for any and or all operating systems can't exist
None of the articles present a theory on how the initial infection begins. If the factory was compromised and it was sold with the rootkit then we are basically screwed. I highly doubt this is the case though. If this happened all of the devices would be infected, and it would be detected rather quickly. Because these sites have significant amounts of security its almost certain the person who propagated the malware would be caught, and this would produce leads on the authors of the malware.
Therefore, I believe the two most likely routs of infection are 1: The user unknowingly acquired a malicious bios update and flashed their bios with it. or 2: A malicious actor acquired these devices, infected them, and the sold them on the used market.
verifying the entire chain of ownership for this device and if any of the past owners modified the bios is the only real way to verify whether its clean or not if you lack the skills to probe the hardware and software to discover if its infected yourself
Side note - infections were mostly in SEA so if your device has never been there than your more likely than not fine
You're safe if you use Linux. Another mitigation is using legacy BIOS / CSM boot.
oh god, that "the verge" clip 😂
This kind of thing can likely affect firmware on daughterboards too, if there's insufficient security involved in flashing them. (If malware can identify things like specific network, audio, or graphics cards, etc., it's a potential vulnerability if those too are targeted.) To be honest, there should be some kind of manual interface that has to be set (such as a physical switch or jumper) before enabling the ability to put flashed updates onto hardware. (Doesn't solve the issue of hardware coming from the factory with a problem, but could prevent any drive-by type malware attacks that could piggy-back on some other things like software installers.)
Memory and such is tight and limited, and it likely needs hooks into OS specific functions or libraries to be really compact, but some chips used for that kind of thing may have a surplus memory and other quirks and that would allow for an opening for possible exploits.
0:11 My siblings and I used Limewire religiously!! So many viruses it makes Covid look like post-nasal drip 😂
sneed
@Tinder in real life 🅥 Oh no! I thought it would be another Mental Outlaw video made in 31 minutes, unfrotunately it's
FieRcE.
omg the Verge clip for PC builders was perfect man haha
You had me when I saw Astolfo in the thumbnail
same lmfaoooo
I'm starting to think I need to put together my own motherboard. There are a number of open source designs, might be a fun project.
Have fun soldering. ^^
You need to go even further and build your own CPU from raw transistors. That's seriously the only way you can be sure it's safe.
@@renakunisaki what about building your own kernel?
honestly, people care so little about security these days.
Astolfo loving man of culture I see.
Michael Bazzell just released an episode (number 272) about this for his podcast with a guest who works in the firmware security space/industry - worth checking out
Are there also good maids that will optimize your system and remove malware if you leave it out?
this has legitimately been a phobia of mine for like a decade
If you buy an "enterprise grade" laptop the UEFI password usually cannot be reset at all, without a special manufacturer key specific to your device.
you mean manufacturer keys that get leaked? this is not secure at all.
Had something running under the similar methodology on a P55 board years ago, I presume i could have fixed it with a good replacement Bios chip. this modification was deployed remotely as a chained privilege escalation attack that started inside a fully patched OS from a remote source , almost 100% sure there was no physical access.
I found various fragments in the registry referencing Sentinel which appeared to be part of the entire kit (post compromised 'installation' ), reflashing bios could not / did not fix.
Multiple OS and HDD changes were unsuccessful, didnt matter if it was windows or linux or hypervisors running whatever.
The compromise was pretty obvious to me at least I could see it doing things I had not requested occur including copying data / attempting to recover data .
When someone with excessive capability wants to own you hard enough , they always find a way. I was a fool and although i had my FW locked down I bypassed it intentionally , after all whats the worst someone could do ? probably just sped things up rather than made the difference between safety or not.
Note this scared the shit out of me; I have a feeling that was partially the intention, I got rid of ALL of that hardware and tried to lead a more blameless less questioning life. the worst part was checking my logging and doing the lookups to ascertain the source.
At first i thought the logging of it all in debug mode and seeing all of these things had great value to me and somehow thought I was clever to have been running in debug mode in the first place and had all the detail on what had occurred.
Later I began to feel uncomfortable with the possession of the information that listed line by line what had occurred in the logs esp. once the ' from whom '' in the reverse lookups became apparent, this was around the time when the post lulsec / anon et al hacker 'threat' was escalating to high levels of political posturing and essentially threats were being thrown around with regards physical responses to cyber.
1/10 Would not recommend this experience.
Reject UEFI, embrace BIOS boot
(This post has been made by the Luke Smith gang)
Thats even less secure
When most things are manufactured in Asia anyways, I wouldn’t be surprised of endless possibilities in hardware supply chain attacks.
Modern ASUS motherboards come with malware by default.
It's called Armoury Crate, and defaults to enabled, and automatically installs when you boot into Windows.
I'd love for them to be hit with a class action for this.
its kinda useful actually, and i did not find any malware on it so,, idk
@@laifyalif Yeah, it's not _literally_ malware, but it's completely unwanted software that automatically installs without your consent. Very few people actually use it and I just see it running in task manager when I work on some PC's.
Thanks for reminding me Asus is spelled with Sus I will now always call it ‘A-sus’
1:00 I mean since they flash the malicious image onto the mobo, it pretty much is turning your BIOS-chip as such a spying chip
I know uefi is supposed to have unique keys for each section of the uefi. For example: this is how LoJack could not be removed from laptops that were stollen. But the key was stolen and used to install malware.
To be honest there needs to be 3 factor authentication. 1 by user, 1 by key, and 1 by checksum verification. Basically if the last checksum which is unique to every code section does not match, it is rejected. Why the first and third are not implemented is beyond me. The third checksum alg is hard coded into non rewritable firmware for each model motherboard. Mfg lab firmware in raw state goes into an air gapped encoder which tags the checksum on the end. Transfer is done via tape. (No chance of stuxnet corruption with non USB or autorun.inf)
As I don't believe in coincidence, I urge you to look at the victim countries: Russia. China. Iran. They are considered the highest priority targets by the US and other western states. And there I said it: I think this is a govt OP. There is a possibility these attacks are carried out from the manufacturer level. It would be way too difficult to modify such an amount of motherboards from the physical level to get this done unnoticed. This attack must've taken place remotely or in mass scales, which is only possible right after manufacturing. And checking region should be easy when you know what you're shipping and who you're shipping it to. This might be the scariest stuff indeed witnessed in cyber security, scarier than Stuxnet.
>doesn't believe in coincidence
my birthday is 4/20, I must be Hitler's reincarnation!
Jokes aside, I agree. Extremely suspicious
I've seen some weird files coming off of the Gigabyte website of late. Weird observation, I got different file checksums when using a Hong Kong VPN exit node. The files downloaded using a US IP address were flagged by VirusTotal as containing malware. When using the VPN connection in Hong Kong, VirusTotal did not flag anything.
the true, burning question in everyone's minds:
can it compromise templeos?
i just found this channel but i like it already
You have forgotten to say that it could have even come from regular malware, which writes itself into the bios.
Modern motherboard uefi chips support OS level updates, meaning that an executable in e.g windows can overwrite the content of the uefi chip as long as there is no password in the uefi.
What a dumb idea
@@cat-.- yea. Tho even before uefi in the 90s and early 00s we had bios firmware update thru Windows/OS..
@@cat-.- What do you mean? Dumb idea to implement the update function this way or dumb idea to write malware this way?
Because I do think that it is genius to create malware like this. It is basically persistent as long as you don't update the bios
I heard theories about this but I didn't know it was actually done I'm fairly impressed. And I'm guessing the only way to fix it is to pop the BIOS chip out and install a known clean one??? I would think flashing the chip would help but I don't know.
Well. Now I regret my choices in life. I used to think those companies were deserving of trust at a consumer level.
I swear the politicians, particularly those aligned to the hammer and sickle, have made computer related issues much worse.
Well that's just like your opinion man
@@Cocog232
>literally states a fact about how totalitarian governments influence hardware in ways bad for all the consumers
>"that's just your opinion"
It's more likely a criminal business selling cheap PCs
@@RoastCDuck Or the US alphabet soup spying on Russia and China.
also, love that astolfo pic at 11:44
This is apparently only in Intel H81 chipsets so it's been around since 2013.
Not necessarily true. It could've been developed much later for these older motherboards, for example because the developers would have already had access to such boards, they were widespread in the area they were primarily targeting, or they were just easy to modify and mess with the firmware on. It *could* also have been around for way longer and just have been discovered recently, but we don't know for sure.
What is interesting me is what was the motivation and target for this. This takes a lot of work and risk, so I assume the saboteur probably knew the person or company who would be using the device and that they had some data worth taking or spying on. Unless it was just a proof of concept test of some sort. But to find out who did this, I would start with looking at who knew who the end users are and wanted something from them, while also being in a position to do the work on the hardware. This should narrow it down a lot.
"Never trust a maid."
That's why... You're maidenless.
*Put sunglasses on*
I wish those evil maids would attack me instead of my hardware 😔