
Please tell me if there is a better sub-forum for this post - thanks!

I recently installed ESET Internet Security on two of my desktop PCs running Win10 in hopes that I can salvage these machines from a BIOS-based hack that has brought them to their knees:

1) a quad-core i7 with non-UEFI bios running Win10, and

2) a hex-core i7 with UEFI bios running a dual boot between Ubuntu Linux and Win10 (dual-boot set up from Ubuntu)

I also have a UEFI-BIOS i5 laptop that the virus has killed at this point. The hex-core PC is running only if I boot to Ubuntu. I had installed the trial EIS on the Win10 partition, and things seemed fine for a few days, but then a rogue Windows install started on the machine and I immediately hard shut it down and have not been back into the Win10 boot since. I'm writing this post on the Ubuntu boot of this machine. The quad-core PC also has the trial EIS installed on it, and after a while running it over a few days, the BIOS showed up compromised again (I've since hard reset this BIOS on the motherboard and the computer seems to run fine for now disconnected from the internet).

 

I ran EIS on both machines (in Win10 boot) and neither scan for either PC showed a compromised BIOS. A few days after running that initial scan, both Win10 installations had the hack-related failures I indicated above.

ESET is the only security software I've seen that addresses the bios hack issue on my machines, and I'm hopeful that it can be used to reclaim my machines and get them working again.  I would gladly subscribe on both machines if that was possible.

Can EIS help me get my Win10 machines running again?

Thanks,  Michael

  • Administrators

Unfortunately it is not clear what problem with Windows 10 you have. Please elaborate more.

As for UEFI malware, I know only about CompuTrace (https://support.eset.com/en/kb6567) and MosaicRegressor (https://securelist.com/mosaicregressor/98849/) that are stored in the UEFI firmware, and both are detected by ESET's UEFI scanner. If nothing was detected, it's highly unlikely that your firmware was compromised.

14 hours ago, nofarb said:

The quad-core PC also has the trial EIS installed on it, and after a while running it over a few days, the BIOS showed up compromised again (I've since hard reset this BIOS on the motherboard and the computer seems to run fine for now disconnected from the internet).

Eset scans the boot sectors (e.g. the MBR) for malware on BIOS-based devices. It does not scan the BIOS itself, since those settings are firmware related and are retained in chip memory on the motherboard. There is no way Eset can physically access that area.

BIOS-based malware is very rare and is usually the result of a hacked BIOS firmware update. If you have reason to believe you have BIOS-based malware, you should download the latest BIOS firmware update from your device manufacturer's web site and re-flash the BIOS.

Note that BIOS setting corruption is often caused by a dead battery attached physically to the motherboard. This battery supplies power to the chip memory when the device is A/C powered off to retain existing BIOS settings in the chip memory.

14 hours ago, nofarb said:

I also have a UEFI-BIOS i5 laptop that the virus has killed at this point. The hex-core PC is running only if I boot to Ubuntu.

UEFI-based systems also deploy a BIOS-like component, but add an interface component to the OS stored in a hidden partition on the drive Windows is installed on. Ref.: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/configure-uefigpt-based-hard-drive-partitions. Eset scans this UEFI partition for malware. It again has no way to physically access settings stored in firmware.

Also note that the source of the LoJax UEFI malware was a firmware setting built in by the device's manufacturer. As for the second known UEFI malware, it requires physical access to the device:

Quote

Kaspersky Lab still doesn’t know how the bootkits came to be installed on the victim machines. One possibility is that the PCs received a fake UEFI update from a remote source, but there are no signs of that happening in the Kaspersky AV logs.

That leaves company researchers to speculate that the attackers who installed the malicious firmware had physical access. This Hacking Team tutorial provides step-by-step instructions for using a USB drive to install the UEFI bootkit, which Hacking Team internally named VectorEDK, according to the leaked source code.

With the USB key and a few minutes alone with a targeted computer, an attacker could start it up, configure it to boot from the USB key, and allow it to work its magic. As the tutorial images below show, this USB key provides an easy interface.

https://arstechnica.com/information-technology/2020/10/custom-made-uefi-bootkit-found-lurking-in-the-wild/

Here's a good article on the difference between BIOS and UEFI based systems: https://www.howtogeek.com/56958/HTG-EXPLAINS-HOW-UEFI-WILL-REPLACE-THE-BIOS/

Finally, note that although Eset can detect known UEFI-based malware, it cannot remove it. Again, the only way to do so is to re-flash the UEFI with the original or latest device manufacturer's update. Ditto for BIOS-based boot sector malware. The MBR needs to be restored from a backup of it. If no backup exists, then it must be rebuilt from the individual boot sector components via the Win 10 recovery environment.

Edited by itman
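The two points itman makes above, that a scanner reads the boot sector rather than the firmware, and that a compromised MBR is restored from a backup copy, can be turned into a small baseline check. The following Python script is an added example, not code from this thread, from ESET or from any product mentioned here. It parses a 512-byte MBR image, validates the 0x55AA boot signature, decodes the four partition-table slots, and compares a SHA-256 of the boot-code region (bytes 0..445) against a previously stored baseline. The sample MBR images, their boot-code bytes and the partition layout are all constructed inline for the demonstration; on a real Linux system (the Ubuntu boot the original poster uses, for instance) the image would come from a read such as `sudo dd if=/dev/sda of=mbr.bin bs=512 count=1`, with the baseline taken while the machine is known to be clean.

```python
"""Parse a 512-byte MBR image and compare its boot code against a stored baseline.

Added example for the thread above; not ESET's or any vendor's code.
All sample data below is constructed for the demonstration.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
ENTRY_SIZE = 16                   # four 16-byte slots follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of every valid MBR


@dataclass
class PartitionEntry:
    index: int
    bootable: bool        # status byte 0x80 marks the active (boot) partition
    part_type: int        # e.g. 0x07 NTFS/exFAT, 0x83 Linux, 0xEE protective GPT
    lba_start: int
    sector_count: int


def parse_mbr(mbr: bytes) -> List[PartitionEntry]:
    """Validate the image and decode the non-empty partition slots."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not a valid MBR")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        # Layout: status, CHS start (3 bytes, skipped), type, CHS end (3 bytes,
        # skipped), LBA start (little-endian u32), sector count (little-endian u32).
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # empty slot
        entries.append(PartitionEntry(i, status == 0x80, ptype, lba_start, count))
    return entries


def is_valid_mbr(mbr: bytes) -> bool:
    """True when the image has the right size and boot signature."""
    try:
        parse_mbr(mbr)
        return True
    except ValueError:
        return False


def bootcode_sha256(mbr: bytes) -> str:
    """Hash only the boot-code region; the partition table changes legitimately
    (installers, resizes), whereas the boot code on a given machine should not."""
    return hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest()


def bootcode_matches_baseline(mbr: bytes, baseline_sha256: str) -> bool:
    """Reject structurally invalid images, then compare against the stored hash."""
    parse_mbr(mbr)
    return bootcode_sha256(mbr) == baseline_sha256


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample: the given boot code plus one bootable NTFS partition
    starting at LBA 2048 with 409600 sectors; the other three slots are empty."""
    code = bootcode.ljust(PARTITION_TABLE_OFFSET, b"\x00")[:PARTITION_TABLE_OFFSET]
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 409600) + b"\x00" * (ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed "known-good" image and the baseline taken from it.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
BASELINE = bootcode_sha256(CLEAN_MBR)
# Constructed "modified" image: same partition table, different boot code.
TAMPERED_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xeb\x10")

if __name__ == "__main__":
    for entry in parse_mbr(CLEAN_MBR):
        print(entry)
    print("clean image matches baseline:", bootcode_matches_baseline(CLEAN_MBR, BASELINE))
    print("modified image matches baseline:", bootcode_matches_baseline(TAMPERED_MBR, BASELINE))
```

The check hashes only the boot-code region deliberately: the partition table of the modified sample decodes identically to the clean one, so looking at partition entries alone would show nothing, while the boot-code hash flags the change. Keep the baseline (and, as itman suggests, a full copy of the 512-byte sector) on media the machine cannot write to, and re-run the comparison after each Windows boot if you suspect something is altering the disk's first sector.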

Hi folks:

Thanks so much for the replies - sorry for the delay, very busy.

 

So, for Marcos: I've captured two videos that show the behavior of the BIOS when the hack is active, and when it is not. The hack is active once I boot into Win10, and the BIOS becomes stable when I then reboot to an Ubuntu DVD and then restart into Ubuntu on my hard drive.

1) Hacked BIOS with cursor jumping around in the section to select the boot drive. I have to madly click the mouse until I luck out and can select the DVD as the boot device: https://www.youtube.com/watch?v=yWYTUGhec-w

 

2) After I've selected the Ubuntu DVD as the boot, I do the process in the first paragraph, and the computer BIOS becomes stable (now with the Ubuntu partition selected). As long as I continue to boot into Ubuntu, things are fine, but soon after I go back to Win10, the hack will appear again in the BIOS: https://www.youtube.com/watch?v=M5L0uHtJiZM

for itman - lots to digest, will get back to your post when I have more time. Nobody else had access to my computer in my house.

So folks - what do you think of the videos?  Is it clear in the videos?  I've noticed that the bouncing cursor isn't as clear in just the video, but when I'm madly trying to get the stupid cursor to allow me to select the DVD as a boot option.

Thanks for the replies - feeling a bit hopeful at this point,

Michael

8 hours ago, Marcos said:

Rather than a hack it looks like a hw issue with the mouse or the USB hub/controller or sw issue of the UEFI firmware.

👍

Note that once Windows is loaded, it is using its mouse driver, USB controller, etc.

When accessing the BIOS directly, the BIOS is using the mouse via direct hardware access to it.

Edited by itman

I also reviewed a number of postings on the motherboard forums, such as Gigabyte's forum. It appears a common occurrence is to have a firmware update bork mouse use in the BIOS/UEFI GUI. As such, that is where I would start researching as to your erratic mouse behavior.

  • 2 weeks later...

OK, first let me roll out my cred. I'm a Software Engineer/applications programmer/Sr. Statistical Programmer with more than 40 years of programming and PC building experience. I have specialized in software quality control and software validation, so I know how to debug and be methodical.

 

I wish it was just a hardware issue, but the problem only occurs after I've booted into Windows and not when I boot into Linux. I always boot into the BIOS first to see how it's doing, and the issue affects both the mouse and the keyboard in that I can't access the section of the BIOS options that allow me to change the boot drive. Like I said, I click the mouse like crazy until I get lucky and then I select the DVD that allows me to boot into Linux, and then I restart the system from Linux (which changes the BIOS to point to the Linux boot partition), and then the BIOS is stable as long as I keep booting into Linux. As soon as I boot into Windows, it changes the BIOS and the BIOS boot selection option becomes unresponsive.

Conclusion -

1) Windows booting is causing some sort of bios update (uncommanded by me)

2) Eset Security Software isn't finding the cause in Windows.

Any suggestions of what to try? My Eset trial has expired. If I purchase a subscription, will the Eset people take my issue seriously and work on the problem, or just pass the buck like their competitors?

 

Thanks,  Michael


Microsoft Defender ATP has a UEFI malware scanner: https://www.microsoft.com/security/blog/2020/06/17/uefi-scanner-brings-microsoft-defender-atp-protection-to-a-new-level/. You will have to have Win 10 Pro+ installed and then purchase a monthly subscription for ATP protection.

Kaspersky also has a UEFI malware scanner: https://www.extremetech.com/computing/315860-kaspersky-finds-sophisticated-uefi-malware-in-the-wild

To my best knowledge, no security product exists that can remove UEFI/BIOS malware.

Also note that MD ATP and Kaspersky AV solutions do exactly what Eset's UEFI protection does; warn you that you have UEFI malware.

One of the best preventive solutions is:

Quote

Kaspersky Anti-Virus for UEFI (KUEFI) is the EFI BIOS level endpoint security solution providing effective protection from rootkits and bootkits and ensuring safe OS loading. The product's key feature is that it starts running in the EFI environment even before the OS bootup process begins, thus preventing any resident malware from loading. By working on EFI level, KUEFI ensures reliable protection from rootkits, bootkits and other malware specifically designed to circumvent desktop anti-malware technologies.

https://www.kaspersky.com/antivirus-for-uefi

However, this is an on-chip solution and only available to OEM manufacturers.

Edited by itman
