Firmware Malware and Questions

brent

https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/ dated a couple months ago
"Millions of PC Motherboards Were Sold With a Firmware Backdoor"

In a thread from a couple days ago a guy wondered about a hardware infection and I thought a hardware infection? wth? so I did some reading and..........bios, bios chip, mobo, etc.........the nasties are now hiding in the hardware. This 2023 article is about ^^ an exlusive UEFI backdoor (manufacturer-caused).
I read some articles about hardware nasties, depressing. I didn't know bad guys were devoting their evil to firmware.
I trust people here more than 25 articles so just some questions:
is this stuff detectable (scan?) in Win or Linux?
is this business like other PC viruses: almost exclusively windows? which is a stupid question since hardware nasties have to be Platform-agnostic?
what's the long game? same as software? info/passwords/bank/etc?
Actually not paranoid at all. Just curious about this phenomena. My whole life the bad guys were devoted to software sabotage and extravagant exploits...the shift to firmware is interesting.
Thanks for any thoughts and have a good weekend.

[deleted]

brent A while ago some Lenovo laptops had UEFI capability of installing bundled software even onto a fresh install of Windows.

https://arstechnica.com/civis/threads/lenovo-g50-80-dialog-box.1286817/

brent

[deleted] great article/thread:
"What concerned me was that after installing Windows 8.1 using an ISO downloaded from MSDN onto a brand new blank hard drive, I got a popup in Windows. Not just any popup. A prompt to install Lenovo OneKey Optimizer.

Before I'd installed anything (drivers or software) from Lenovo.

The first line in the popup said something to the effect of "This message is coming from your product, not your operating system."

tuxlover4

brent sad to say that in this day and age cyber crime is rapid such as identity theft , ransomware etc. Most until recently has indeed been aimed at software especially Windows . Htowever with the growing awareness of the common every day user as to the nature of these attacks and the increasing use of non- Windows OS i.e. Linux and Mac by users the bad guys had to find another avenue of attack, Hence hardware
As far as detection and prevention goes , this is more difficult. Various methods have been developed to detect viruses, trojons, rootkits, etc. in software . Heck just look at such companies as McAfee or Norton over the past thirty years . Unfortunately , it cannot be said the same for hardware or firmware .. We , the consumer, must become more aware of this situation and keep a constant visual until a method of combating hardware malware and viruses can be found. I am glad you are taking an interest . . Thanks for posting the article . It is indeed a eye opener.

brent

tuxlover4 Unfortunately , it cannot be said the same for hardware or firmware .. We , the consumer, must become more aware of this situation and keep a constant visual until a method of combating hardware malware and viruses can be found. I am glad you are taking an interest . . Thanks for posting the article . It is indeed a eye opener.

you are welcome and thank you for the thoughtful reply. hardware to me is Platform-agnostic, so by my reasoning that makes firmware malware the same way. we can't say "oh we're on Linux" anymore to hardware infections. I have no doubt as this increases someone will have some kind of hardware rootkit scan coming down the inventor's pipe. I ain't real worried about it but it's an interesting trend.

Axios

You can take a program like wireshark set it up on another computer and sniff your internet traffic
(simple example) then analyze the traffic but it takes a machine with alot of storage and of course the time
to analyze the logs.
There are alot of network appliances I think that could be setup to help detect something like that but nothing simple and cheap
If a person knew the addy of things like that you just block them.

https://www.tomshardware.com/news/gigabyte-firmware-update-backdoor

brent

Axios ou can take a program like wireshark set it up on another computer and sniff your internet traffic
(simple example) then analyze the traffic but it takes a machine with alot of storage and of course the time
to analyze the logs.
There are alot of network appliances I think that could be setup to help detect something like that but nothing simple and cheap
If a person knew the addy of things like that you just block them.

Not worried I'm infected so no need. I did try wireshark and other sniffers out of curiosity some time ago. I am way too stupid to operate these programs and interpret the results. you need a Phd to understand the output. UF W output is all I can handle🙂. Blocking is a strategy, I just hope the time never comes.
Good Tom's article. I knew gigabyte got on it quickly to their credit.

tomscharbach

Hardware vulnerabilities are reasonably common, as are firmware updates to patch the vulnerabilities.

Most hardware vulnerabilities can be patched, but some (e.g. the vulnerabilities related to the Meltdown and Spectre exploits) cannot be patched 100% successfully. Microsoft elected to limit Windows 11 upgrades to 8th Gen and newer processors because Meltdown and Spectre vulnerabilities in earlier processor generations could not be patched 100%.

I don't know of any anti-virus or anti-malware software that effectively detect/resolve hardware vulnerabilities. The vulnerabilities are found by security specialists who look for hardware vulnerabilities, and the major hardware suppliers (e.g. Intel and AMD) are usually quick with firmware patches. That's about the best we can do.

It helps to use OEM manufacturers who provide Linux firmware updates. I use Dell Latitude and Optiplex computers in part because Dell supports firmware updates through Ubuntu, which makes patching firmware relatively easy.

brent

tomscharbach I don't know of any anti-virus or anti-malware software that effectively detect/resolve hardware vulnerabilities. The vulnerabilities are found by security specialists who look for hardware vulnerabilities, and the major hardware suppliers (e.g. Intel and AMD) are usually quick with firmware patches. That's about the best we can do.

It helps to use OEM manufacturers who provide Linux firmware updates.

Yes, I'm reading this is nothing new, but still kinda novel. thanks for sharing the info that it is hard to find.
as to your last sentence I quoted, I am up to date in the bios (flashed) firmware. I wonder if I need to do anything for the 4-core intel on the board?

Axios

I have a question along these lines since been using linux been kind of lax on keeping up.
Ok I read awhile back that everyone should be using Vms as there operating platform ,That being said
does it protect you from say eufi rootkits.
I guess since you are using a vm and all your information would be there is it proteced?
(I guess kinda like sandboxing)
Kinda out in left field abit but just started studing the subject

Brucehankins

The Kingfisher SSDs were notorious for coming with a modified version of JackTheRipper loaded on to them. It was mostly undetectable and would instantly infect your machine. This is a risk you run with buying inexpensive hardware from questionable countries of origin. Did it stop be from buying one? Nope! Just put it in an external case, ripped and shredded it before ever trying to use it, and then installed Linux since the virus only affected Windows.

Axios

Brucehankins Ya I bought a digital picture frame once that had crap on it but
I caught it before any harm.

brent

Brucehankins This is a risk you run with buying inexpensive hardware from questionable countries of origin. Did it stop be from buying one? Nope! Just put it in an external case, ripped and shredded it before ever trying to use it, and then installed Linux since the virus only affected Windows.

Wow. I have been tempted to buy new hardware cheap but have been happy buying used and frankensteining high-end reliable stuff that people feel have got up there in years and thus must be, in the mind of the person parting with it, devalued because of age, and to end this run-on sentence, cheap. This has served me well.
It's nice to hear someone say it out loud what I've suspected: new and cheap and no-name might often come bundled with trojans.

nolan

Brucehankins Sadly not only on cheap things though, I have read, not so long ago, about intel Management Engine, and things doesn't look good in my opinion.

Intel Chip Flaws Leave Millions of Devices Exposed:
https://www.wired.com/story/intel-management-engine-vulnerabilities-pcs-servers-iot
(from 2017, old news by now)

Conti spotted working on exploits for Intel Management Engine flaws:
https://www.theregister.com/2022/06/02/conti_rasomware_intel_firmware/
(just last year 2022)

Disable Intel’s Backdoor On Modern Hardware:
https://hackaday.com/2020/06/16/disable-intels-backdoor-on-modern-hardware/

There's a lot to do and to take care, hardware flaws are hard to deal with, take nintendo switch for example, imagine that in a server sector...

WetGeek

brent I have been tempted to buy new hardware cheap but have been happy buying used

That's what I've done for years now. I get DELL laptps and desktops from Amazon, where their refurbished computers are restored back to as-new condition, and guaranteed. You can get a Latitude laptop with pretty impressive features for around the price of a decent chromebook. It's well worth the time to take a look there.

brent

nolan the Register is the most eye-opening article simply because I had not envision that your Intel is "targeted the Intel Management Engine (ME), a tiny hidden computer – with its own CPU, OS and software – within a processor chipset that runs independently from the main cores and provides various features including out-of-band management. The ME has total control over the box, so if you manage to compromise the ME, you'll be able to persistently infect and affect the machine below the operating system and its defenses."

they are writing code for ^^. yikes.
they conclude: "This type of firmware attack could lead to all kinds of damage, from bricking the system to wiping high-value files. It would also allow Conti, for instance, to maintain persistence on a system to access and steal sensitive data and deploy ransomware or other payloads at a later date. And because the crooks' access sits below the OS, security tools such as antivirus or EDR don't provide much protection."
The IME is a computer inside your (intel) computer that is independent of your computer....

nolan

It's a really interesting topic for sure.

tuxlover4

brent you are welcome .