
Thread: Clean up rootkit / check firmware integrity

  1. #1
    Join Date
    Aug 2010
    Beans
    11

    Clean up rootkit / check firmware integrity

    Hello.

    I'm in the unfortunate position of having my laptop hijacked. How do I know? The intruder told me. Initially he powered off my laptop 10-15 times (in a single day), then he injected (subtle) messages in my browser, revealing that he's looking at me through the webcam.

    Anyway - format and clean install did nothing. He's still there, so it's storing code in expansion rom (firmware) or BIOS.

    I'll attempt the following strategy:

    Test the integrity of all firmware and BIOS, and reflash those that have been altered.

    I'm fairly technically minded but have no extended computer background. So, my question is: How do I do it? Any useful links for example?
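    The integrity-check step of the strategy above, as an added example that is not part of this thread: it compares a dumped flash image against a known-good vendor image, reports the byte ranges that differ, and separates changes that fall inside regions the caller marks as volatile (settings/NVRAM areas that are legitimately rewritten) from changes anywhere else. The sample images are constructed; obtaining the real dump (for example with flashrom's read mode) and the vendor image is assumed.

```python
import hashlib
from typing import Dict, List, Sequence, Tuple

Range = Tuple[int, int]  # (start, end), end exclusive

def sha256_hex(data: bytes) -> str:
    """Whole-image hash: a quick yes/no, but says nothing about where a change is."""
    return hashlib.sha256(data).hexdigest()

def differing_ranges(reference: bytes, dump: bytes) -> List[Range]:
    """Byte ranges where dump differs from reference; a length mismatch is
    reported as one trailing range covering the extra bytes."""
    n = min(len(reference), len(dump))
    ranges: List[Range] = []
    start = None
    for i in range(n):
        if reference[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(reference) != len(dump):
        ranges.append((n, max(len(reference), len(dump))))
    return ranges

def integrity_report(reference: bytes, dump: bytes,
                     expected_volatile: Sequence[Range] = ()) -> Dict[str, object]:
    """Classify each differing range as 'expected' (entirely inside a region the
    caller knows is rewritten at runtime, e.g. NVRAM settings) or 'unexpected'."""
    diffs = differing_ranges(reference, dump)
    expected = [r for r in diffs if any(lo <= r[0] and r[1] <= hi for lo, hi in expected_volatile)]
    unexpected = [r for r in diffs if r not in expected]
    return {
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "expected": expected,
        "unexpected": unexpected,
        "clean": not unexpected,
    }

def demo() -> Dict[str, object]:
    """Constructed 64-byte images (not real firmware) with an 'NVRAM' window at 32..48."""
    reference = bytes(range(64))
    dump = bytearray(reference)
    dump[10:13] = b"\xff\xff\xff"   # unexpected: outside the volatile window
    dump[40] = 0x00                 # expected: inside the volatile window
    return integrity_report(reference, bytes(dump), expected_volatile=[(32, 48)])
```

    A dump read from inside a possibly compromised operating system can itself be falsified; a dump taken with an external programmer is the trustworthy input for this comparison.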

  2. #2
    Join Date
    Feb 2007
    Location
    West Hills CA
    Beans
    9,008
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Clean up rootkit / check firmware integrity

    There are tutorials on the web for creating a bootable CD with freedos and the flashing program. You download the correct ROM and spin a Live CD that boots into freedos. Run the flashing program and hope that the new ROM loads OK. Put some tape over your camera.
    -------------------------------------
    Oooh Shiny: PopularPages

    Unumquodque potest reparantur. Patientia sit virtus.

  3. #3
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Clean up rootkit / check firmware integrity

    It would probably help if you let us know what version of Ubuntu you are using.

  4. #4
    Join Date
    Aug 2009
    Beans
    Hidden!

    Re: Clean up rootkit / check firmware integrity

    Quote Originally Posted by Vidar30
    (..) he powered off my laptop 10-15 times (in a single day),
    Please note powering off a device abruptly may be caused by a lot of things, none necessarily malicious.


    Quote Originally Posted by Vidar30
    (..) he injected (subtle) messages in my browser
    Can you give a few examples of those "subtle" messages? How were these messages phrased?


    Quote Originally Posted by Vidar30
    (..) format and clean install did nothing.
    Also note that re-installing an OS from scratch (conveniently) removes all "evidence" (if any), hence it's not the preferred approach.


    Quote Originally Posted by Vidar30
    He's still there, so it's storing code in expansion rom (firmware) or BIOS.
    Define "still there"? What (anomalous) behavior does the machine exhibit?

  5. #5
    Soul-Sing
    Join Date
    Aug 2006
    Beans
    1,374
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Clean up rootkit / check firmware integrity

    Had the 'intruder' physical access to your computer?

  6. #6
    Join Date
    Aug 2010
    Beans
    11

    Re: Clean up rootkit / check firmware integrity

    It is a targeted attack. He's not been malicious so far and I don't expect any "violent" behavior. I believe the intruder has personal motive and is financially resourceful. My Android phone is also hijacked btw but never mind that.

    Does my strategy overall make sense? Is it secure? Any suggestions?

    I've been reading about these kinds of rootkits. Some suggest that you can't get rid of it: that the RK may reside in memory while I'm flashing and copy itself back after I'm done. And I've been reading about attacks which utilize bugs in Intel CPUs. For all I know, this could be relevant although I don't think so. Google "cpu bug rootkit kris kaspersky" without quotes.

    Should I direct my effort into attempting to identify exactly the nature of the intrusion first? When the RK is active, it must occupy memory space so a memory dump followed by analysis could be helpful. I'm prepared to spend time learning whatever necessary. I want to know what has happened and to be able to safeguard myself in the future, at least being able to detect it without doing network traffic analysis.

    How do I spend my energy wisely?


    tgalati4:
    Thank you. Tape is applied.

    unspawn:
    Give it a rest. Think of it like a hypothetical if you're inclined to doubt it. The intruder dumped a joke concerning the poweroffs. They happened on a 2-day-old computer, and only on that particular day, never thereafter. I'm not concerned with evidence as he conceals himself. He hasn't communicated explicitly but through contextual signaling revealing intimate knowledge about me. It's called being subtle. A screendump wouldn't ring any bells for you as you'd need intimate knowledge about me to interpret it.

    Did you know cosmic radiation theoretically can cause a shutdown on your laptop?

    cariboo907:
    Ubuntu 12.10 - but by the time you read this it will be 13.04. It's a Sony Vaio laptop model SVE14A1S1EB. I've deleted the UEFI partition, using legacy BIOS.

    Soul-Sing:
    No physical access. I believe the attack surface to be js.

  7. #7
    Join Date
    May 2010
    Location
    Tewkesbury uk
    Beans
    7,959
    Distro
    Ubuntu Development Release

    Re: Clean up rootkit / check firmware integrity

    Hi

    Quote Originally Posted by Vidar30
    Test the integrity of all firmware and BIOS, and reflash those that have been altered.
    Quote Originally Posted by Vidar30
    No physical access. I believe the attack surface to be js.
    Please don't think I'm being rude as you may well have been compromised. However these two statements make no sense.

    Kind regards
    If you believe everything you read, you better not read. ~ Japanese Proverb

    If you don't read the newspaper, you're uninformed. If you read the newspaper, you're mis-informed. - Mark Twain

  8. #8
    Join Date
    Aug 2010
    Beans
    11

    Re: Clean up rootkit / check firmware integrity

    matt_symes:

    Not sure I follow you.

    The first sentence said (in context) that my strategy will be to check whether firmware/bios has been changed by someone and restore any changes back to default.

    Second sentence said intruder never had any physical access to my laptop and I believe he managed to get into my system through javascript (js).

  9. #9
    Join Date
    May 2010
    Location
    Tewkesbury uk
    Beans
    7,959
    Distro
    Ubuntu Development Release

    Re: Clean up rootkit / check firmware integrity

    Hi

    The point that I was trying to make is the BIOS does not run js.

    Certainly reflash the BIOS if you think that will help, however your BIOS will not run JavaScript.

    It may be able to read it but I don't think it can write it.

    At least not that I have ever seen.

    Kind regards
    If you believe everything you read, you better not read. ~ Japanese Proverb

    If you don't read the newspaper, you're uninformed. If you read the newspaper, you're mis-informed. - Mark Twain

  10. #10
    Join Date
    Aug 2010
    Beans
    11

    Re: Clean up rootkit / check firmware integrity

    matt_symes:

    While I'm the one needing help here, I will of course answer all questions to the best of my ability. Not attempting to be rude, but it'd be more smooth if you just ask instead of producing suggestions about something I doubt you know very much about.

    When someone is talking about "attack surface" it means the point of entry, which most commonly is javascript. You're quite right, you can't flash bios from js - but, if you manage to exploit js to install malware on a target, then in the following move you may use your newfound freedom to execute code to reflash bios. I'm not sure if bios can be altered by a userland rootkit, but it may certainly be done from kernel mode. Ask yourself, how would anyone in the first place get access to run code in kernel mode? If it's a remote attack, that point of entry may very well be js. It's more often js than not, I believe.
