Preboot malware

mbrhaxd

Hi all. I'll keep it short for starters. I'm writing on my phone as my laptop has been rendered useless by a trojan somewhere in preboot/firmware.

Basically I've seen it load a bundle of malicious scripts and binaries into /usr/share as readonly tmpfs and it symlinks everything in /sbin and /bin to busybox. There are scripts like fakeroot.sh and countless stuff that looks malicious from a mile away.

It seems to create a virtual environment as I can be browsing around looking at something suspicious and next time I ls I'm back in my home dir again. Unable to edit files owned by root as root user.

It seems to be a call-home type of deal. It sets up an smb server and a top server where it periodically uploads data first chance it gets. I've seen logs where it crawls recent files and a list of excluded directories and sends it in litesql db format or similar down a socket which I assume is connected to one or many irq chls. I've seen configuration with thousands of irq chls of dubious nature like 'homeporn' and shit like that. Ah yes it fires up camera and mic and a remotemediaserverd or similar.

Even if my network interfaces are down it's online with a fake DNS server 127.0.0.53 which is connected to a socket on my local machine.

I've been unable to extract an image to USB. When I try to write to USB using dd it wipes it immediately.

This has been ongoing for years and I have cross-contaminated all my laptops with a dirty USB stick I think.

Any pointers on how to get rid of this? The only place where I'm left alone is in the UEFI shell. I'll try to get some photo evidence but I'm 100% sure this is a platform independent boot sector virus. It's persisted over 30 attempts at wiping my disk. And I've tried 5 distros. Currently Fedora.
 


I could add that all it needs is a Bluetooth connection to an online device nearby to do its thing even if I shut down Bluetooth and WLAN devices. I've shut down my router and every device in the house but sometimes it seems to connect with my neighbours' devices. Seems highly sophisticated and targeted.
 
Just gonna drop what my fresh install of Fatdog looks like after boot. There's a lot more to show so let me know if you're looking for something specific.
 

Attachments: 15 photos (20230630_204227.jpg through 20230630_210527.jpg)
There are scripts like fakeroot.sh and countless stuff that looks malicious from a mile away.

Umm... I'm going to guess you might have missed something. For example, fakeroot.sh isn't actually malicious but is a necessary file for people who aren't logged in as root but need permissions to act as such via sudo.

The name is terrible, I suppose, but it's perfectly harmless and downright useful.

I don't have the time to go through the rest of it, but that caught my eye.
 
Do you dual boot with windows?

Has the laptop ever run windows?

@MikeWalsh may have some insight here ? (nothing for you to do here, mbrhaxd)
 
Yes it came with Win 7 or 10. Switched to Ubuntu because I "felt" hacked in Windows. Bought a MacBook Pro M1. Same thing with the rogue processes and odd network connections / Bluetooth tethering.

Got an iPhone 14. Could not keep my iCloud passwords for 30 seconds. Noticed macbootfs in some file, I think /etc/fstab, although M1s are supposed to be bullet proof. Also every time I changed my iCloud pw on my iPhone (iOS 15.3) it would immediately change (50 times tested).

Each time I boot I have this ro /usr/share that unpacks nasty looking scripts and fills up /run and launches over 300 rogue processes (unless I disable gzip in grub params) so it can't unpack.
 
Each time I boot I have this ro /usr/share that unpacks nasty looking scripts and fills up /run and launches over 300 rogue processes
The /run directory is quite populated. You can check it out with a command like the following as root where "flip" is my username here to get an approximate number of files and directories which reside there, which in this case is over 1000:
Code:
[root@flop ~]# ls -alR /run | grep -E -i 'flip|root' | wc -l
ls: cannot access './user/1000/doc': Permission denied
ls: cannot access './user/1000/gvfs': Permission denied
ls: cannot open directory './user/1000/doc': Permission denied
ls: cannot open directory './user/1000/gvfs': Permission denied
1167

That high number is not unusual.
 
I dunno if anyone is gonna read all your image files.

Also, we've got kids here. So, let's use language like we're on a PBS kids' show, or something of that nature. Thanks!

But, I think you may be worried about being hacked when in fact it's just your computer doing what it's supposed to do. This is one of those things that'd be easier to demonstrate in person.

So, what I'm going to suggest is that you learn a few commands to monitor your network activity. Then, do that - but do so with the idea of learning what all those processes are and what they do. Odds are that your computer is just fine, especially with Linux.
 
2023-07-01_12-41.png
This shows info from a tigerlake system/chip/....almost exclusively used on Windows 11...
 
Tell me also. What evidence can I provide that would convince you?
As @KGIII mentioned in his post #11, perhaps take the time to learn how to monitor network activity, and then post the suspicious outputs which you are not clear about in digestible quantities so that those with the expertise can examine them and help you. The impulse to help is not lacking here.

The first port of call is usually the logs in /var/log, particularly the journal which is accessed through the command: journalctl, with many possible options, and also /var/log/messages which can be accessed with a text editor directly, if that log file exists.

Then there are numerous networking tools which require various degrees of learning to use which can watch the network activity. There's a learning curve to it which cannot be avoided if one wishes to identify and understand network problems or problems that have come through the network.

If you are sure the system has been irretrievably hacked, then the only near sure way of getting a clean system is to back up and re-install. With a new system, it's not difficult to put in place the protections one wishes for, the firewalls, the encryption, the monitoring systems or whatever you need or wish for.

Perhaps the output of a few judiciously chosen logs or network tool outputs may help.
 
No disrespect to @mbrhaxd, the OP, but I did not feel like "looking for the needle in the haystack". I picked a few example screenshots, but did not see anything unusual.

Many people in my family work in the medical field. (I am the "black sheep" in our family.) One valuable lesson I learned from them was related to diagnosing a patient's symptoms, what we would call "troubleshooting and determining the root cause":

Let's say you have a patient who has XYZ symptoms. The XYZ symptoms are a perfect, identical match to an extremely rare and unusual condition that strikes only one patient in 10 million ... or ... They could be a common illness, but presents XYZ symptoms that nobody has noticed or published about ever before. The medical people in my family would advise: Start with the common illness and confirm it or rule it out despite the unusual XYZ symptoms.

That advice does not help the OP, who has already reached the conclusion that they are the victim of an advanced persistent malware attack, embedded deep in the firmware of their devices. It may be true. I had not yet reached that conclusion, so I did not post until now.

All too often we see threads where the OP starts a thread with "Help using ABC to Eliminate my DEF Problem!" Everybody dives in trying to help the OP run ABC and focuses on ABC, but few stop to ask, "Does the OP have a DEF problem in the first place? If so, is ABC the best solution for it?"

If you read between the lines of @MikeWalsh's post above, they make the same point.

Customers would tell me their assumptions about the causes of their issues. I would listen politely and take careful notes, because often there were other clues hidden in their comments. At the same time, the essential trick is to keep an open mind and NOT let the customer draw you into jumping to conclusions. Always confirm the initial assumptions first.

It might help if the OP could reduce the problem down to the minimum that proves the successful persistent malware attack on their firmware. Eliminate the noise and distractions so that those who want to help can confirm the diagnosis and help make progress.

If the OP is correct, then this type of malware can be very difficult to remove. (Reminder: I would not assume that this is the cause of the OP's perceived issues.) If the OP is correct, then the question is whether the malware can persist beyond a firmware update/replacement. Again I say, reduce this to the minimum problem set and confirm that persistence.

This post is long, but I have not said much beyond the points that @KGIII, @Condobloke, @MikeWalsh, and @osprey have already said above.
 
Those screenshots really don't show anything. If you think your firmware is "hijacked" and your LAN as well, buy a new second-hand laptop and a new USB drive, then go to somewhere that is not your house and install it and connect it online there. If you still come to the same conclusion then, the problem seems like it's you, but if it's different then someone might believe you.
I could add that all it needs is a bluetooth connection to an online device nearby to do its thing even if i shut down bluetooth and wlan devices. I've shut down my router and every device in the house but sometimes it seems to connect with my neighbours devices. Seems highly sophisticated and targeted.
Sorry, that seems far fetched, that they're trying to get you through the neighbors' device. Do you work for the NSA or do you have some top level security clearance that someone would want to go after you? You make it sound as if you are so important and know something so important, as if some foreign government might be after what you know or might know.
This has been ongoing for years and i have cross contaminated all my laptops with a dirty usb stick ithink.
And it's only now that you have noticed it? If you really think someone is going that far to get you, you should report it to your local authorities and have the local police detective tech team check out your devices.
 
I totally understand your frustration on this because I have had the same malware on my pc/devices for nearly a year now. Not any distributions, no amount of wipes, no amount of anything has been a solution. And it fluidly moves from Linux to Windows. In Windows it creates an overlay, turns off processes and defended on preboot screens and utilizes the SYSTEM profile to devour the system. While with Linux it added a mess load of different sources to apt, utilizes python3 in some form or factor to install a crap ton of things. I have tried everything but aye, if there's any type of built-in WiFi or Bluetooth there's no chance to have a stable system. Period. And no one has believed me. Yes there's an immense RPC presence, only difference is mine is on 127.0.0.63.
 
Yea it seems far fetched because of how intense the crap storm is, it is crafted wickedly well, and it isn't caught by darn near anything... and since you don't know specifically where it's coming from, trying to pinpoint the origin is stupidly difficult. Whatever this is... it almost seems like something created by a state sponsored hack group, because nothing has been able to get this crapola off any of my computers, including my work laptop from Amazon running a billion different protectors. It uses tunneling and dnsmasq + bind9 + openvpn to totally divert network traffic and usually it will lock up the system so dang fast you can only get like a few hours of use time, if that, before it crashes; when you reboot the session file is gone so you can't login, unless you use a different tty etc. This thing sucks.
 
I would like to point out that it should not be possible to set up the things you said without asking your root password and permission several times. Did you just blindly enter it without a thought? Did you just assume Linux is like windoze and you were easily hacked?

I did not go through all the image files, but what you are claiming seems highly improbable. Maybe give some examples of why you think you are being hacked this way.
 
Still to this day I'm plagued by this, even down to my iPhone.
It's probably best to open a new thread with a description of your problem in more detail and more precise terms so that readers can get a handle on some specific problems that you may wish to have resolved.

A few observations may be of interest with respect to some of your text:

I have had the same malware on my pc/devices for nearly a year now. Not any distributions, no amount of wipes, no amount of anything has been a solution. And it fluidly moves from Linux to windows.

No indications or evidence have been provided that the malware you mention is "the same" as that of the OP in post #1. In particular the use of busybox, fakeroot.sh scripts, the socket issue, the irq issue, the so-called "fake dns server 127.0.0.53", among other things the OP mentioned. Unfortunately the OP didn't provide any details on these issues.

As to your statement that malware moves "fluidly" from linux to windows, the likelihood of this is altogether remote. The two systems have fundamentally different architectures, file systems, and executable formats. Any malware created to work on one operating system has to be crafted and configured for that system and cannot be transferred at all, let alone fluidly, without being recrafted for the other context. If the malware is at the BIOS/UEFI level, then there are means of detection for this for which one can research and provide the details, but none has been provided.

The problem with the OP's account is that the sense of things being "preboot malware" is all impressionistic, which is clear from the text provided in post #1 and #6:
It seems to create a virtual environment post #1
....
looking at something suspicious post #1
....
i "felt" hacked in windows Post #6
....
nasty looking scripts and fills up /run
and then a statement without any substantial supporting evidence:
im 100% sure this is a platform independent boot sector virus

Such impressions are not very useful without supporting evidence which usually consists of outputs from various commands and logs.

The supplied images in the OP's post #3 are of normal outputs of various normal commands on a linux system, without any malware indicated. It's unclear why those particular ones were provided and no explanation was given.

It should be clear at this point that the problems mentioned in post #13 and #14 ( @Narooko) are not the same as those of the OP.

RPCs are remote procedure calls used for the Network File System (NFS) and other such client/server applications. The mention of them in post #13 needs corroboration with information about any NFS or NIS or similar software that is running.

The following statement in post #13 is significant:
And no one has believed me.
That makes sense because there is no substantial evidence, rather, just assertion.

One of the first things that would be useful to check is the mitigations against some known kernel vulnerabilities shown in the snipped output such as the following lscpu command:
Code:
[tom@min ~]$ lscpu
Architecture:             x86_64
  CPU op-mode(s):         32-bit, 64-bit
  Address sizes:          46 bits physical, 48 bits virtual
  Byte Order:             Little Endian
CPU(s):                   20

<snip>

Vulnerabilities: 
  Gather data sampling:   Not affected
  Itlb multihit:          Not affected
  L1tf:                   Not affected
  Mds:                    Not affected
  Meltdown:               Not affected
  Mmio stale data:        Not affected
  Reg file data sampling: Mitigation; Clear Register File
  Retbleed:               Not affected
  Spec rstack overflow:   Not affected
  Spec store bypass:      Mitigation; Speculative Store Bypass disabled via prctl
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Enhanced / Automatic IBRS; IBPB conditional; RSB filling; PBRSB-eIBRS SW sequence; BHI BHI_DIS_S
  Srbds:                  Not affected
  Tsx async abort:        Not affected

As is apparent from the output on this machine, the known vulnerabilities against a number of issues are covered. If there are ones that are not covered, then one may have some issue to look into.

There are numerous other means of checking malware in linux, but the use of any such software or other relevant evidence has not been provided which is a significant impediment for readers to help :)
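As an added example (not from this thread or any poster), the check osprey describes, parsing the Vulnerabilities block of `lscpu` output (or the files under /sys/devices/system/cpu/vulnerabilities/) and listing the entries that are neither "Not affected" nor "Mitigation", can be scripted so the output is shareable. The sample output below is constructed for the demonstration; the sysfs path is the standard kernel location.

```python
"""Report CPU vulnerability entries that still need attention.

Input is either the text of `lscpu` or the per-vulnerability files the
kernel exposes under /sys/devices/system/cpu/vulnerabilities/.
"""
import re
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in lscpu's layout (not a real machine's output).
SAMPLE_LSCPU = """\
Architecture:             x86_64
CPU(s):                   8
Vulnerabilities:
  Itlb multihit:          Not affected
  L1tf:                   Mitigation; PTE Inversion
  Mds:                    Vulnerable: Clear CPU buffers attempted, no microcode
  Meltdown:               Not affected
  Spectre v1:             Mitigation; usercopy/swapgs barriers and __user pointer sanitization
  Spectre v2:             Mitigation; Retpolines; IBPB conditional
  Srbds:                  Unknown: Dependent on hypervisor status
"""


def classify(status: str) -> str:
    """'ok' for Not affected / Mitigation, 'attention' for anything else.

    'Unknown: ...' (typical inside VMs) is flagged so a human reviews it.
    lscpu prints 'Mitigation;' while sysfs prints 'Mitigation:'; both match.
    """
    s = status.strip()
    if s.startswith("Not affected") or s.startswith("Mitigation"):
        return "ok"
    return "attention"


def parse_lscpu(text: str) -> dict:
    """Return {vulnerability name: status} from lscpu's Vulnerabilities block."""
    result = {}
    in_block = False
    for line in text.splitlines():
        if line.startswith("Vulnerabilities:"):
            in_block = True
            continue
        if in_block:
            m = re.match(r"\s+([^:]+):\s*(.*)$", line)
            if not m:  # a dedented or blank line ends the block
                break
            result[m.group(1).strip()] = m.group(2).strip()
    return result


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Same mapping read directly from the kernel (empty if unavailable)."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir()}


def needs_attention(statuses: dict) -> list:
    """Sorted names whose status is not a mitigation or 'Not affected'."""
    return sorted(n for n, s in statuses.items() if classify(s) == "attention")


if __name__ == "__main__":
    live = read_sysfs()
    data = live if live else parse_lscpu(SAMPLE_LSCPU)
    for name in needs_attention(data):
        print(f"{name}: {data[name]}")
```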
 
no amount of wipes, no amount of anything has been a solution.
Most likely reason when system reinstall doesn't solve the problem is when you also reinstall malicious software that you're used to, such as pirated programs or games which will reintroduce the malware on a fresh system.

You should reproduce the issue without installing anything after OS reinstall.
 
@APTI - the person you are responding to is not the OP.

@Narooko - this is an example of why you should start your own thread if you continue to have concerns.

TIA

Chris Turner
wizardfromoz
 
