How to protect firmware from a malicious persistent firmware/BIOS cracker

Asked by tikky1234 on 2013-06-10

For over 2 months a malicious persistent cracker has launched automated attacks against my computers.

1) For new desktop computers I have soldered leg 3 and leg 4 together, which should in theory protect the BIOS from being flashed. But will that also protect the VGA, ACPI, SATA, PXE and other firmware from "micro updates" of the BIOS code, where the cracker only replaces smaller parts of the BIOS... or?

2) In my laptop computers (Acer Aspire 4755G and V3-471G) there appear to be multiple "minor" firmwares that also hold firmware info for each specific part (like the network card, ACPI, USB or VGA card). Should I physically solder the legs on each of those as well, to be protected from "microcode updating" of each individual firmware?

3) What tools can be used to check the individual firmwares for the SATA, VGA, ACPI, PXE and so on, so I can visually see/compare and confirm that the info stored is correct?

4) What software exists that can regularly monitor for any such changes in firmware? Or at least manually download the firmware code so I can check it manually when launched?

Thank you for your kind help.

Question information

Language: English
Status: Answered
For: Ubuntu flashrom
Assignee: No assignee
Last query: 2013-06-18
Last reply: 2013-06-18
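As an added example (not from the question or any of the answers), here is a small POSIX shell script that uses flashrom, the tool this question is filed against, to answer the "compare and monitor" part of questions 3 and 4: dump the board's flash image, record a SHA-256 baseline of a known-good dump, later dump again and compare, and list the offsets that differ. The `internal` programmer, the `/root/firmware-*` paths and the use of `sudo` are assumptions; flashrom needs root to reach the chip. Only the chip the programmer reaches is covered: option ROMs embedded in the system firmware image are inside that dump, but firmware on separate chips (add-in cards, modem, disk) is not.

```shell
#!/bin/sh
# Added example, not from the question or answers: baseline-and-compare
# check for a firmware image dumped with flashrom.
# Assumptions: flashrom is installed and its "internal" programmer supports
# this board; sha256sum and cmp (coreutils/diffutils) are available.

# dump_firmware OUT_FILE: read the whole flash chip into OUT_FILE (needs root).
dump_firmware() {
    sudo flashrom -p internal -r "$1"
}

# record_baseline IMAGE BASELINE_FILE: store the SHA-256 of a known-good dump.
record_baseline() {
    sha256sum "$1" | awk '{ print $1 }' > "$2"
}

# check_against_baseline IMAGE BASELINE_FILE: return 0 if the image still
# matches the recorded hash, 1 if any byte changed.
check_against_baseline() {
    current=$(sha256sum "$1" | awk '{ print $1 }')
    expected=$(cat "$2")
    [ "$current" = "$expected" ]
}

# region_diff OLD NEW [MAX]: list the first MAX (default 20) differing bytes as
# "offset 0xNN: old -> new" (byte values in octal, as cmp -l prints them).
# This shows whether a change is confined to one small region of the image.
region_diff() {
    cmp -l "$1" "$2" | awk '{ printf "offset 0x%X: %s -> %s\n", $1 - 1, $2, $3 }' | head -n "${3:-20}"
}

# Command-line dispatch (does nothing when run without arguments):
#   firmware-check.sh baseline  -> dump now and record its hash
#   firmware-check.sh check     -> dump again and compare with the baseline
case "${1:-}" in
    baseline)
        dump_firmware /root/firmware-baseline.bin
        record_baseline /root/firmware-baseline.bin /root/firmware-baseline.sha256
        ;;
    check)
        dump_firmware /root/firmware-current.bin
        if check_against_baseline /root/firmware-current.bin /root/firmware-baseline.sha256; then
            echo "firmware image unchanged"
        else
            echo "firmware image CHANGED since baseline:"
            region_diff /root/firmware-baseline.bin /root/firmware-current.bin
            exit 1
        fi
        ;;
esac
```

Record the baseline right after a clean install or a vendor firmware update, and keep the baseline image and hash on media the running system cannot write to. A hash mismatch only says the image changed: on many boards the settings/NVRAM area lives in the same chip and changes legitimately, so use the offset list to tell a settings change from a change inside the code or option-ROM regions.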
Savio (abhijeet) said : #1

First thing: don't install any update or even applications/packages from an untrusted source. Even using a PPA is sometimes not good. In short, use trusted sources.

For detecting rootkit infection use rkhunter and chkrootkit.

Cheers

tikky1234 (jakobneubert) said : #2

1. I have used live CDs from these companies: Norton, Kaspersky IS, Kaspersky TDSSKiller, Avast, Comodo, AVG, Trend Micro, McAfee, Dr.Web, Avira, Bitdefender, Mbam, SuperAntiSpyware, ClamAV, Knoppix, Ubuntu Malware live CD.

   I assume that these should have solved it if they could.

2. Would LOVE to use Rootkit Hunter and chkrootkit, but after installation I can't find any button to click on. Maybe it's just terminal and no GUI, not sure. And they don't make a live CD, so I'm out of luck.

3) The problem is that the hacker did this:
A) re-mapped memory
B) uploaded different kernels for the 2 VGA cards so they are now seen as "keyboards"
C) keeps coming back any time I go on the internet, by terminal, D-Bus, systemd, HAL
D) keeps re-infecting by hacking the modem and re-uploading the rootkit there too, so I get re-infected all the time.

Also uses ActiveX and Java applets to kick the door in before unleashing the rootkit, it seems.

I don't know how to solve 3A, 3B, 3C, 3D. I asked around and no one seems to have any answer.

What suggestions do you have?

Seems like the solution must be hardware protection of the hardware, and not software.

tikky1234 (jakobneubert) said : #3

So, situation is this:

1. I can see stuff happening in the machine by using various analyzer programs, where trusted programs with trusted credentials and trusted certificates start uploading or downloading stuff. For example, Kaspersky opened up 1146 ports for Bluetooth and MS IE happily sends and receives info, and so does even Avast...
   Also the hacker keeps deleting in Event Viewer, so that is not much help.

I am looking for some monitoring tools that show not just "which app did what" but also which app instructed that app to do so... that is the missing link today.

What do you suggest?

2. I am also unsure which files are legitimate in Ubuntu and which ones are remnants from the hacker... it easily gets difficult to see, since the hacker is able to make it look like they are resident on even live CDs...
   What do you suggest so I can see exactly which processes and which services really have to be there as an absolute minimum?
   I see 240 drivers loaded and 150 services...

3. Which way can I really see what things are due to malicious scheduled tasks in Task Scheduler? (Most if not all will have status "disabled" except for a moment when they get activated.)

4. Which way can I "reset"/remove the bad kernels he has uploaded? It doesn't get corrected automatically by trying to update kernels... at all.

5. Which way can I undo the memory mapping and track where it comes from?

Kind regards,
Jack

tikky1234 (jakobneubert) said : #4

Though I appreciate the 2 answers so far, none seems to read my questions at all before answering.

Isn't there a hard-core coder around who can help me?

For any hard-core coder this must be easy stuff?

Kindly advise. Would love to talk through Skype, if possible.

1) How do I see/download the BIOS info?

Savio (abhijeet) said : #5

Are you using Windows or Ubuntu? Because you mention MS IE and Task Scheduler?

For more monitoring purposes try OSSIM (open source security incident manager) or something like that. But I think trying this is too late.

Regards,
Savio
