Devastating Malware/Rootkit - Invincible

So... I've recently learned about certain malware possessing capabilities I never thought were possible. Unfortunately, I was taught this the hard way... and about 5 years too late, according to the info I've read online. After losing the fight against this ... 'super virus' ... I feel compelled to share the experience in hopes that it may serve to inform, warn, and/or prevent others from learning this lesson the same way I have.

In reflection, I'm left with a sense of disbelief, still unsure about what, in all the details, astonishes me the most. Is it the fact that I was infected while innocently searching for a legitimate app by the name of PCHunter? Could it be that I was foolish and careless enough to download multiple copies of the aforementioned app from several different websites, the last of which had to be translated to English from Chinese? Personally, I would have to say ... verifying the origin of such ruthless code to be a team of hackers employed and funded by the NSA would be the coup de grâce for me.

Here's a run-down, from what I understand:

Some extremely skilled guy going by the name of spritesmods accomplished what no one outside computer engineering has been able to do... something no one conceived possible, for that matter. A step-by-step process is laid out and explained on his website, but ultimately, by targeting the cache on hard drive controller chips, this one guy... the ONLY guy in history... inserted code through JTAG and basically discovered 'hardware' viruses.

I'm uncertain about the transition from spritesmods' proof of concept to it being picked up and evolved by government agencies, but the source has apparently been verified as the NSA. With teams of programmers and a budget that could spare millions of dollars without batting an eye, a hard drive rootkit was developed, presumably for use in surveillance, allowing limitless and ceaseless access to compromised systems through back-doors.

Obviously, I don't believe I've been targeted by the NSA, but I assume it wasn't hard for other hackers, groups, or organizations to obtain the code once it had been exposed... at which point, it could be modified or tweaked as they saw fit, and released back into the wild, spreading across systems, creating back-doors, and collecting sensitive/personal data at lightning speed to transmit back to the "hacker's" remote host.

As scripts ran and code executed on my computer at a SYSTEM level privilege, I was able to monitor some activity, though fractional in amount, I'm sure...

From what I did see... this is undoubtedly the meanest, nastiest, most intrusive and devastating infection I've ever seen, hands down. Queries collect every shred of data available to a SYSTEM privilege service running on the system (which is everything) from net users, accounts, browser cookies, and installed games to attached devices, connections via Bluetooth, and detailed information about every piece of hardware used along with their drivers.

What confuses me... is the code was originally written to act as a rootkit... suggesting a stealthy behavior, attempting to avoid detection. This variant seems to have been modified without regard for this. Once it completes scouring a system, it proceeds to create registry keys altering the CurrentControlSet, replaces every driver file you can imagine, creates system services that run in the background, cripples Administrative privileges to the point that no application or program will run, then it REALLY goes to work.

I may not be accurate about this, but speculating from what I saw, even though Windows 10 Home edition does not support drive encryption, the malware enables BitLocker, locks the drive partitions, creates an entirely separate and nearly invisible partition, and ... I'm not sure. Possibly sets up its own master boot record... judging by an eventual inability to boot up anymore.

System restore doesn't work... formatting and reinstalling doesn't work... accessing the command prompt through recovery will do you no good. Check bcdedit, it won't matter. Find the hidden partition using diskpart and delete it, format it... doesn't matter. The only thing I haven't tried is installing an unaffected hard drive, marking it 'master' and then connecting the infected drive as slave... but honestly, I'm afraid that will result in two destroyed hard drives.

Did I mention this monster checks for connected devices? Yeah... if you happen to have a USB flash drive inserted, you might as well throw it out your window. Should you stick it into the port of a different system, you can say goodbye to that computer as well. Need a good reason to remember to turn off Bluetooth when it's not being used? I found queries initiated by this code, checking for such devices... and should your Bluetooth be on, I'd be willing to bet it's going straight for any saved passwords, usernames, contacts (and all their info), browser history & cookies, pictures in your gallery, videos, documents... everything.

After infecting 3 USB drives (16GB, 64GB, and a 128GB) I noticed something... a 64GB flash drive was reported by the system to only be 14 GB total. This exhibits the behavior typical of a worm designed to allocate space until none is left, but are there any variants of this type of worm that perform all the other actions I've described? Does anybody have any insight into this? Perhaps I'm wrong in concluding this is the 'invincible' super virus? At any rate, it's the first time I've had to admit defeat in close to 30 years... beaten by some code typed out on a plastic keyboard...

This isn't even ALL of the details! I'm leaving out the ... 'less alarming' aspects by comparison... considering the size of this post already. For instance, the programming behind this 'demon' bug appears to target Windows Servers (2002? Latest version?) and since I'd turned some of the optional features available under the Programs and Features applet in the control panel (IIS, Web Development, etc.) it exhibited some characteristics of a Domain Controller. This may not be the case... the code may just start there, working its way down to workstations. Among several other things, checking for any and all users and sessions was the big clue leading me to this conclusion.

Being a college graduate in computer systems, obsessed with computers since 1985, and considering myself above average when it comes to the Windows OS... I feel incredibly ignorant admitting this, but I got caught slippin... I was nice and relaxed, sunk into my chair... at home in front of my comp where 90% of my spare time is spent, fiddling around like I do. Usually, at least a subconscious lil red flag pops up back there somewhere tryin to scream to me... "don't do it! wth are you doing?!" but this time... nothing. Careless, no regard, just... click, click, clickin away. DERRRRRR

At any rate, I've rambled on long enough. I just want to spread this info as much as I can. I was stunned, to say the least, and for an individual, home user to be hit with something like this seems extremely unlikely. If you are having a hard time accepting some random poster's word in a thread on some site's forum, here are some references I've looked into while researching this... and that you may find interesting:



http://spritesmods.com/?art=hddhack
https://hothardware.com/news/kaspersky-massive-equation-group-hdd-firmware-spying-ring
https://resources.infosecinstitute.com/nsa-bios-backdoor-god-mode-malware-deitybounce/#gref

Those are just a few... and by all means... if you are having trouble believing me... I will gladly send you a flash drive... to a P.O. Box, to a street address... whatever. Let me know... or it might be possible to pull up the same site with the PCHunter download which contains this rootkit. I strongly suggest not flirting with disaster using any system you can't afford to lose.
 
