Rootkit scanning and removal

Blue House Computer Help

A few questions about modern rootkits. As I understand it, they can be either hard-drive based or firmware/BIOS based. I know Malwarebytes has a rootkit scan, and there's the Windows Defender Offline scanner. Do they cover firmware-based rootkits, or just the hard drive?


In scenario 1, I have a machine that's obviously doing strange things.
In scenario 2, I have a computer that has had anything from an accidental malicious website visit, to one showing no hard evidence, but just making my Spidey-sense tingle. In cases like these I need something relatively straightforward and quick, as this becomes a little bit harder to justify as spending billable time on.

Along with replacing the SSD/HDD where warranted, how can I fairly efficiently detect whether the BIOS is compromised? All this talk of running three separate tools to detect a rootkit makes me feel less confident about their effectiveness, not more. I'm just looking for an efficient way to be completely sure.
 
Nuke and pave.

I don’t bother trying to diagnose and repair anymore. If I really think the system is compromised then it gets sanitized by fire.

Back up the data, Scan it on another PC, nuke the system, flash latest BIOS, erase the TPM and reinstall everything.
 
I generally agree with that, but what about scenario 2, where I can't say if it's a virus but I want to be sure? What about something that could be done as a routine just to be sure, even if you haven't found a virus? I mean, a well-written virus might not show any signs at all until you dig really deeply. And if I'm going to justify the cost to a customer, I need more evidence than just a gut feeling.

Is there not some kind of bootable tool with which I can check the checksum of the BIOS firmware, or something similar, to see if it's bad?
 
Not really. Every BIOS is different. Every manufacturer is different. I've been doing this for 35 years. Never seen a BIOS-based virus. Most people are not running the latest BIOS, so updating it is of benefit anyway.
 
Generally only hard-drive-based rootkits will be found. Firmware isn't usually exposed to the OS in a way that lets the OS peruse the firmware to check whether there is a rootkit or not. There are some basic checks that anti-rootkit software can perform that can sometimes find out whether the UEFI is compromised or not (checksum, BIOS version, etc.).

While I believe @nlinecomputers is correct - that a BIOS virus is extremely rare and usually unlikely - be aware that many of the BIOS viruses don't necessarily infect the BIOS itself, but they infect the Intel Management Engine/AMT firmware, which is also firmware, but not the UEFI BIOS.

In such cases, you would want to apply the newest BIOS update that not only re-writes the UEFI BIOS chip, but also those separate components. Depending on which BIOS updates are available, you may have to back-flash an older BIOS update to cover those components as they are not necessarily updated every time there is a BIOS release, if that makes sense. Another option could be to disable Intel ME or AMT in BIOS, if you're paranoid.
 
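The "checksum the BIOS" idea raised above runs into a practical problem: a raw SPI-flash dump contains the NVRAM variable store and the ME data area, which legitimately change between boots, so a whole-image hash will mismatch on a perfectly clean machine. The workable version of the check is to hash only the executables inside the dump and diff that set against a baseline taken right after a known-good vendor flash; chipsec's tools.uefi.whitelist module does this over decompressed firmware volumes, and the dump itself should come from a live boot (e.g. flashrom) or an external programmer, since a dump taken from inside a compromised OS cannot be trusted. The script below is an added example, not a tool from the thread or any vendor; it is a simplified form of that approach that only finds uncompressed PE/COFF images by scanning for MZ/PE headers (LZMA-compressed DXE drivers would be missed), and all function names and the constructed sample dump are this example's own.

```python
"""Added example: whitelist-style integrity check of a raw SPI-flash dump.
Hashes each uncompressed PE/COFF executable found in the image and diffs the
set against a baseline, so a changed NVRAM variable store does not raise an alarm
while a modified driver does. Function names are hypothetical (this example's own)."""
import hashlib
import json
import struct


def _pe_size_at(image: bytes, pos: int) -> int:
    """Size of the PE file starting at pos (MZ header to end of last section), or 0 if not a PE."""
    n = len(image)
    if pos + 0x40 > n:
        return 0
    (e_lfanew,) = struct.unpack_from("<I", image, pos + 0x3C)      # DOS header -> PE header offset
    pe = pos + e_lfanew
    if not (0x40 <= e_lfanew <= 0x400) or pe + 24 > n or image[pe:pe + 4] != b"PE\0\0":
        return 0
    (nsect,) = struct.unpack_from("<H", image, pe + 6)              # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)          # COFF SizeOfOptionalHeader
    if not (0 < nsect < 96):
        return 0
    sect_table = pe + 24 + opt_size
    if sect_table + nsect * 40 > n:
        return 0
    end = sect_table + nsect * 40 - pos                              # at least the headers
    for i in range(nsect):
        # section header: SizeOfRawData at +16, PointerToRawData at +20 (file-relative)
        raw_size, raw_ptr = struct.unpack_from("<II", image, sect_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end if pos + end <= n else 0


def find_pe_images(image: bytes):
    """Return [(offset, size)] for every PE/COFF file found by scanning for MZ..PE\\0\\0."""
    found, pos = [], 0
    while (pos := image.find(b"MZ", pos)) >= 0:
        size = _pe_size_at(image, pos)
        if size:
            found.append((pos, size))
            pos += size          # skip the whole file so nested MZ strings are not re-counted
        else:
            pos += 1
    return found


def build_whitelist(image: bytes) -> dict:
    """Baseline: sha256 of each embedded executable -> where it was found."""
    return {hashlib.sha256(image[o:o + s]).hexdigest(): {"offset": o, "size": s}
            for o, s in find_pe_images(image)}


def check_against(baseline: dict, image: bytes) -> dict:
    """Diff a fresh dump against the baseline; NVRAM changes do not affect the result."""
    current = build_whitelist(image)
    return {
        "unknown": sorted(set(current) - set(baseline)),   # modified or added executables
        "missing": sorted(set(baseline) - set(current)),   # baseline executables no longer present
        "executables_found": len(current),
    }


def make_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal one-section PE image used only to build the sample dump below."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)     # x64, 1 section, no optional header
    headers_len = e_lfanew + 4 + 20 + 40
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(payload), 0x1000, len(payload),
                                         headers_len, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sect + payload


def demo():
    """Constructed sample: clean dump, the same dump after a reboot, and an implanted dump."""
    clean = (b"\xff" * 64 + make_fake_pe(b"DXE core code A") + b"\xff" * 32
             + b"$VSS BootOrder=0001" + b"\xff" * 32                   # stand-in for the variable store
             + make_fake_pe(b"SMM driver code B") + b"\xff" * 64)
    baseline = build_whitelist(clean)
    rebooted = clean.replace(b"BootOrder=0001", b"BootOrder=0002")     # only NVRAM changed
    implanted = clean.replace(b"SMM driver code B", b"SMM driver code X")  # a driver was patched
    return baseline, check_against(baseline, rebooted), check_against(baseline, implanted)


if __name__ == "__main__":
    baseline, after_reboot, after_implant = demo()
    print(json.dumps({"baseline": baseline, "after_reboot": after_reboot,
                      "after_implant": after_implant}, indent=2))
```

In use, `build_whitelist` would be run on a dump taken immediately after a clean vendor flash and the JSON stored off the machine; every later dump goes through `check_against`, and anything in `unknown` or `missing` on a firmware version that has not changed is worth escalating. The sample run reports no differences for the reboot case and one unknown plus one missing hash for the patched driver.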
Beware, two of our major remediation efforts this year found malware buried in SSD firmware.

As far as I know we haven't seen main board infections yet... But we've hit the point where N&P isn't good enough because the drive is a problem. But at least you can swap the SSD and get the machine back. Once things move to the main board we'll be down to replacing the rig, because there are zero trustable ways to correct a main board BIOS without a direct eeprom flasher.

Note, you cannot, and will never be able to, reliably detect a rootkit from within the infected system. And pulling the drive and putting it on something else runs the risk of damaging the test equipment.
 
Interesting. Care to elaborate on that?

Elaborate on what? It's malware in an SSD. You move the SSD to a new system, it's infected. You format the platform and reinstall Windows... it's infected. In theory a flash will fix it, but in our cases... nope. Had to replace the SSDs, actually... we just replaced the entire unit. Insurance companies don't mess around!

The rootkit is persistent because the SSD's firmware boots, waits for specific processes and latches on... which is how rootkits work. These are theoretically possible for EFIs as well, and no... contrary to what was said before, you can't just "turn off" Intel Management Engine or whatever AMD's equivalent is and mitigate the risk. These risks are part of the nature of how hardware functions.

The point is, if you yank the SSD and put it in another system THAT version of Windows is now sick. The variant we saw only hit Windows though, so there is that. In theory if you booted to Linux you'd be safe, but that drive's firmware can never be trusted again.

This is why firmware updates are now part of monthly patching cycles, if they are not... bad things.
 
Hynix, one Dell, one HP sourced.

Just like the rest of the fleet in the building. This isn't a source issue, we'd have had MANY MORE incidents if that was the case. The malware appeared on scans after a confirmed breach. Fortunately these two machines got isolated quickly.
 
So more than likely a threat actor found an opening in a server/client and put the backdoor in the SSD to ensure the door always stayed open even if the system was reloaded or patched.

There exist many tools dealing with firmware on various SSD controllers; sadly, not all vendors patch or disable access to such things. It was only a matter of time before they were used like this.

I'd say typical home users would not be the focus of this style of attack, unless they are on some sort of list or have ties somewhere. Many corporate attacks are specific. While it's possible a home user could be subject to this, that's a lot of effort when most groups can just spam emails or use other methods of getting things.

Based on that incident I would be doing more research on firmware used in drives and looking to minimize attack surface.
 
@NviGate, and that's where you're wrong.

This attack was fully automated. You're right, it's hitting businesses sooner, in this case a university.

But we'll see it hit homes soon, because again... it was fully automated.

For the rest, it's patch your stuff as usual. It's about the only thing we can do.
 