Preboot malware

mbrhaxd (New Member, joined Jun 30, 2023):
Hi all. I'll keep it short for starters. I'm writing on my phone as my laptop has been rendered useless by a trojan somewhere in preboot/firmware.

Basically I've seen it load a bundle of malicious scripts and binaries into /usr/share as a read-only tmpfs, and it symlinks everything in /sbin and /bin to busybox. There are scripts like fakeroot.sh and countless other things that look malicious from a mile away.

It seems to create a virtual environment, as I can be browsing around looking at something suspicious and the next time I ls I'm back in my home dir again. I'm unable to edit files owned by root, even as the root user.

It seems to be a call-home type of deal. It sets up an smb server and a top server where it periodically uploads data the first chance it gets. I've seen logs where it crawls recent files and a list of excluded directories and sends them in litesql db format or similar down a socket, which seems to be connected to one or many irq chls. I've seen configuration with thousands of irq chls of dubious nature like 'homeporn' and the like. Ah yes, it fires up the camera and mic and a remotemediaserverd or similar.

Even if my network interfaces are down it's online, with a fake DNS server at 127.0.0.53 which is connected to a socket on my local machine.

I've been unable to extract an image to USB. When I try to write to the USB stick using dd it wipes it immediately.

This has been ongoing for years, and I have cross-contaminated all my laptops with a dirty USB stick, I think.

Any pointers on how to get rid of this? The only place where I'm left alone is in the UEFI shell. I'll try to get some photo evidence, but I'm 100% sure this is a platform-independent boot sector virus. It's persisted over 30 attempts at wiping my disk, and I've tried 5 distros. Currently Fedora.
 


I could add that all it needs is a Bluetooth connection to an online device nearby to do its thing, even if I shut down the Bluetooth and WLAN devices. I've shut down my router and every device in the house, but sometimes it seems to connect with my neighbours' devices. Seems highly sophisticated and targeted.
 
Just gonna drop what my fresh install of Fatdog looks like after boot. There's a lot more to show, so let me know if you're looking for something specific.
 

Attachments (photos, 3.5 to 4 MB each): 20230630_210527.jpg, 20230630_210443.jpg, 20230630_210359.jpg, 20230630_210248.jpg, 20230630_210226.jpg, 20230630_205337.jpg, 20230630_204817.jpg, 20230630_204728.jpg, 20230630_204711.jpg, 20230630_204642.jpg, 20230630_204453.jpg, 20230630_204426.jpg, 20230630_204345.jpg, 20230630_204319.jpg, 20230630_204227.jpg

There are scripts like fakeroot.sh and countless other things that look malicious from a mile away.

Umm... I'm going to guess you might have missed something. For example, fakeroot.sh isn't actually malicious but is a necessary file for people who aren't logged in as root but need permissions to act as such via sudo.

The name is terrible, I suppose, but it's perfectly harmless and downright useful.

I don't have the time to go through the rest of it, but that caught my eye.
 
Do you dual boot with windows?

Has the laptop ever run windows?

@MikeWalsh may have some insight here? (nothing for you to do here, mbrhaxd)
 
Do you dual boot with windows?

Has the laptop ever run windows?

@MikeWalsh may have some insight here? (nothing for you to do here, mbrhaxd)
Yes, it came with Win 7 or 10. Switched to Ubuntu because I "felt" hacked in Windows. Bought a MacBook Pro M1. Same thing with the rogue processes and odd network connections / Bluetooth tethering.

Got an iPhone 14. Could not keep my iCloud passwords for 30 seconds. Noticed macbootfs in some file, I think /etc/fstab, although M1s are supposed to be bulletproof. Also, every time I changed the iCloud password on my iPhone (iOS 15.3) it would immediately change (tested 50 times).

Each time I boot I have this ro /usr/share that unpacks nasty-looking scripts, fills up /run and launches over 300 rogue processes (unless I disable gzip in the GRUB params, so it can't unpack).
 
Each time I boot I have this ro /usr/share that unpacks nasty-looking scripts, fills up /run and launches over 300 rogue processes
The /run directory is quite populated. You can check it out with a command like the following, run as root (where "flip" is my username here), to get an approximate number of the files and directories which reside there; in this case it's over 1000:
Code:
[root@flop ~]# ls -alR /run | grep -E -i 'flip|root' | wc -l
ls: cannot access './user/1000/doc': Permission denied
ls: cannot access './user/1000/gvfs': Permission denied
ls: cannot open directory './user/1000/doc': Permission denied
ls: cannot open directory './user/1000/gvfs': Permission denied
1167

That high number is not unusual.
 
I dunno if anyone is gonna read all your image files.

Also, we've got kids here. So, let's use language like we're on a PBS kid's show, or something of that nature. Thanks!

But, I think you may be worried about being hacked when in fact it's just your computer doing what it's supposed to do. This is one of those things that'd be easier to demonstrate in person.

So, what I'm going to suggest is that you learn a few commands to monitor your network activity. Then, do that - but do so with the idea of learning what all those processes are and what they do. Odds are that your computer is just fine, especially with Linux.
 
2023-07-01_12-41.png
This shows info from a Tiger Lake system/chip/... almost exclusively used on Windows 11...
 
Tell me also. What evidence can I provide that would convince you?
As @KGIII mentioned in his post #11, perhaps take the time to learn how to monitor network activity, and then post the suspicious outputs which you are not clear about in digestible quantities so that those with the expertise can examine them and help you. The impulse to help is not lacking here.

The first port of call is usually the logs in /var/log, particularly the journal which is accessed through the command: journalctl, with many possible options, and also /var/log/messages which can be accessed with a text editor directly, if that log file exists.

Then there are numerous networking tools which require various degrees of learning to use which can watch the network activity. There's a learning curve to it which cannot be avoided if one wishes to identify and understand network problems or problems that have come through the network.

If you are sure the system has been irretrievably hacked, then the only near sure way of getting a clean system is to back up and re-install. With a new system, it's not difficult to put in place the protections one wishes for, the firewalls, the encryption, the monitoring systems or whatever you need or wish for.

Perhaps the output of a few judiciously chosen logs or network tool outputs may help.
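One way to turn the specific claims in this thread (a read-only tmpfs on /usr/share, /bin symlinked to busybox, a listener on 127.0.0.53, an SMB server) into checks whose output is short enough to paste into a reply. This is an added example, not code from any post in this thread. The three helpers read /proc/mounts, `ls -l` and `ss -tulpn` formatted text on stdin, so they run here against constructed sample lines and, with `--live`, against the running system; the sample lines, mount points, PIDs and process names are invented for the demonstration. Two caveats the sample encodes: on distributions that use systemd-resolved, 127.0.0.53:53 owned by systemd-resolve is its local stub resolver, and small busybox-based live distributions symlink core utilities to busybox by design, so a busybox count only means something on a distribution that does not ship busybox as its coreutils.

```shell
#!/bin/sh
# Added triage helpers for the claims in this thread (not from any post above).
# Each function reads one tool's output on stdin and prints only what is
# worth pasting into a reply.  The SAMPLE_* strings are constructed here to
# show the expected input shapes; run with --live to read the real system.

# Constructed /proc/mounts lines: one tmpfs under /usr, plus normal ones.
SAMPLE_MOUNTS='/dev/nvme0n1p3 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1638400k 0 0
tmpfs /usr/share tmpfs ro,nosuid,nodev 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime 0 0'

# Constructed `ls -l /bin/` lines: two busybox applet links, one real binary,
# one ordinary symlink to bash.
SAMPLE_LS='lrwxrwxrwx 1 root root      7 Jun 30 20:00 ls -> busybox
lrwxrwxrwx 1 root root      7 Jun 30 20:00 cp -> busybox
-rwxr-xr-x 1 root root 140000 Jun 30 20:00 bash
lrwxrwxrwx 1 root root     13 Jun 30 20:00 sh -> /usr/bin/bash'

# Constructed `ss -tulpn` lines: the systemd-resolved stub on 127.0.0.53,
# CUPS on loopback only, and an smbd listening on every interface.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      4096   127.0.0.53%lo:53  0.0.0.0:* users:(("systemd-resolve",pid=612,fd=14))
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:* users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      50     0.0.0.0:445       0.0.0.0:* users:(("smbd",pid=1490,fd=35))'

# Print every tmpfs mounted at or below /usr.  /run, /tmp and /dev/shm being
# tmpfs is normal; a tmpfs under /usr is not, and is the first thing to show.
tmpfs_under_usr() {
    awk '$3 == "tmpfs" && ($2 == "/usr" || index($2, "/usr/") == 1) { print $2 }'
}

# Count directory entries that are symlinks to busybox.  Busybox-based live
# distributions link most core utilities this way on purpose, so only a
# non-zero count on a distribution that does not ship busybox as its
# coreutils is worth reporting.
busybox_links() {
    awk '/ -> .*busybox$/ { n++ } END { print n + 0 }'
}

# Classify listening sockets from `ss -tulpn`.  Data columns after the header:
# $1 proto, $5 local address:port, $7 owning process.
classify_listeners() {
    awk 'NR > 1 {
        verdict = "loopback only"
        if (index($5, "127.") != 1 && index($5, "[::1]") != 1)
            verdict = "reachable from the network: review"
        # 127.0.0.53:53 owned by systemd-resolve is the resolver stub, not a rogue DNS server
        if (index($5, "127.0.0.53") == 1 && $5 ~ /:53$/ && index($7, "systemd-resolve") > 0)
            verdict = "systemd-resolved stub listener (expected)"
        print $1, $5, $7, "=>", verdict
    }'
}

main() {
    if [ "${1:-}" = "--live" ]; then
        echo "# tmpfs mounted under /usr:";  tmpfs_under_usr < /proc/mounts
        echo "# busybox symlinks in /bin/:"; ls -l /bin/ | busybox_links
        echo "# listening sockets:";         ss -tulpn 2>/dev/null | classify_listeners
    else
        echo "# constructed samples:"
        printf '%s\n' "$SAMPLE_MOUNTS" | tmpfs_under_usr
        printf '%s\n' "$SAMPLE_LS"     | busybox_links
        printf '%s\n' "$SAMPLE_SS"     | classify_listeners
    fi
}

main "$@"
```

Run as root with `--live` and paste only the lines that end in "review", the tmpfs paths, and the busybox count; those are the digestible quantities the post above asks for, and the smbd entry in the sample shows what a genuinely network-reachable file server looks like next to the loopback noise.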
 
No disrespect to @mbrhaxd, the OP, but I did not feel like "looking for the needle in the haystack". I picked a few example screenshots, but did not see anything unusual.

Many people in my family work in the medical field. (I am the "black sheep" in our family.) One valuable lesson I learned from them was related to diagnosing a patient's symptoms, what we would call "troubleshooting and determining the root cause":

Let's say you have a patient who has XYZ symptoms. The XYZ symptoms are a perfect, identical match to an extremely rare and unusual condition that strikes only one patient in 10 million ... or ... They could be a common illness, but presents XYZ symptoms that nobody has noticed or published about ever before. The medical people in my family would advise: Start with the common illness and confirm it or rule it out despite the unusual XYZ symptoms.

That advice does not help the OP, who has already reached the conclusion that they are the victim of an advanced persistent malware attack, embedded deep in the firmware of their devices. It may be true. I had not yet reached that conclusion, so I did not post until now.

All too often we see threads where the OP starts a thread with "Help using ABC to Eliminate my DEF Problem!" Everybody dives in trying to help the OP run ABC and focuses on ABC, but few stop to ask, "Does the OP have a DEF problem in the first place? If so, is ABC the best solution for it?"

If you read between the lines of @MikeWalsh's post above, they make the same point.

Customers would tell me their assumptions about the causes of their issues. I would listen politely and take careful notes, because often there were other clues hidden in their comments. At the same time, the essential trick is to keep an open mind and NOT let the customer draw you into jumping to conclusions. Always confirm the initial assumptions first.

It might help if the OP could reduce the problem down to the minimum that proves the successful persistent malware attack on their firmware. Eliminate the noise and distractions so that those who want to help can confirm the diagnosis and help make progress.

If the OP is correct, then this type of malware can be very difficult to remove. (Reminder: I would not assume that this is the cause of the OP's perceived issues.) If the OP is correct, then the question is whether the malware can persist beyond a firmware update/replacement. Again I say, reduce this to the minimum problem set and confirm that persistence.

This post is long, but I have not said much beyond the points that @KGIII, @Condobloke, @MikeWalsh, and @osprey have already said above.
 
Those screenshots really don't show anything. If you think your firmware is "hijacked" and your LAN as well, buy a second-hand laptop and a new USB drive, then go somewhere that is not your house and install it and connect it online there. If you still come to the same conclusion then, the problem seems like it's you, but if it's different then someone might believe you.
I could add that all it needs is a Bluetooth connection to an online device nearby to do its thing, even if I shut down the Bluetooth and WLAN devices. I've shut down my router and every device in the house, but sometimes it seems to connect with my neighbours' devices. Seems highly sophisticated and targeted.
Sorry, that seems far-fetched, that they are trying to get to you through the neighbours' devices. Do you work for the NSA, or do you have some top-level security clearance that someone would want to go after you? You make it sound as if you are so important and know something so important that some foreign government might be after what you know or might know.
This has been ongoing for years, and I have cross-contaminated all my laptops with a dirty USB stick, I think.
And it's only now that you have noticed it? If you really think someone is going that far to get you, you should report it to your local authorities and have the local police detective tech team check out your devices.
 