Is it possible to get your BIOS/Router/Modem/MBR Infected nowadays?

azproc12

Junior Member
Dec 23, 2010
6
0
0
Question in thread title. I've previously been on another popular computing forum, but it seems to have changed since I last visited and I haven't gotten the best of replies, so I'm turning to you Anandtech gurus.

I might be OCD, but recently all the computers in the house have been performing rather strangely. So I did the usual: reset BIOS, unplug all unnecessary things, format/write zeroes to drive, install fresh genuine Windows.

However, it just seems like I'm being redirected to false websites, re: Microsoft Windows Update doesn't work for me on a Windows 7 machine; it just goes to a page not found. I haven't installed any software other than Windows Updates and Microsoft Security Essentials.

So, with that in mind, I'd like to ask the Anandtech community of amazing knowledge to shed some light upon how I know I'm not infected, re:

BIOS - if I flash the BIOS, is a BIOS infection gone / how to tell if I have one?
Router - Can someone hijack my router? I've hard-reset it with the reset button, turned off wireless (and took off the antennas on my DIR-655)
Modem - hard reset as well; can someone control the ports?
MBR - on XP machines - fixmbr and fixboot; on Win7 machines, tried everything with bootrec.exe as stated here: How to use the Bootrec.exe tool in the Windows Recovery Environment to troubleshoot and repair startup issues in Windows

Thanks very much and hope this wasn't a waste of anyone's time!
Appreciate any input to solve my worries!

Also, if anyone still has an ASUS P5WDH Deluxe, I'm wondering if anything shows up under Advanced -> USB Devices enabled; I have "1 USB hub" there that somehow I haven't noticed before - is my BIOS hacked? Running BIOS 3002 (newest version) by the way.

EDIT: Also in Windows 7 I get random floppy and optical drive access when I'm not using them at all. Any reasons someone can pinpoint?
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,049
182
116
I think it is possible... your situation sounds pretty strange, though.

Have you brought in a known good machine to your house to test it out and see if that is fine?
 

azproc12

Junior Member
Dec 23, 2010
6
0
0
If you're saying it's possible... is it possible for say a BIOS virus to infect across multiple computers on a home network?

Apparently noticing DVDROM drives accessing slower than usual, random floppy drive access.

As well, can anyone with an ICH7-based chipset with Windows 7 confirm the PCI Express Root Port driver; re: does it say "Intel(R) 82801GR/GH/GHM (ICH7 Family) PCI Express Root Port" in the msinfo32 tool; or does it say something else? I think something's taken over my BIOS and making it think that I have a GHM-based chipset when clearly the Intel website: http://www.intel.com/support/chipsets/inf/sb/cs-009269.htm says I should have 82801GB / 82801GR.

Another question - Can I infect my BIOS by simply hooking up a supposedly infected hard drive via internal SATA or external USB otherwise? Not booting from it obviously.

Thanks for the reply Chiefcrowe... would like to know what I can do to test out my theories? And how would such a case be possible / how to tell? I'm scared to get a good machine as apparently I'm feeling that all the machines on my network (3 Win7 Pro, 1 WinXP Pro) are infected in some way or another. Not willing to risk a friend's.

Edit: thought I would mention if my BIOS is infected, would that render all bootable scan solutions unusable?
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
The problem with putting malware into a BIOS is that you need to know what BIOS that computer is using first. There are many varieties of BIOS, and even two motherboards from the same manufacturer may be using a different BIOS.

The other obstacle is CRC. When a BIOS POSTs, the very first thing it does is read the contents of the flash into memory and do a CRC check. If even one bit of the code is changed from what it should be, the PC will not boot and the BIOS will display a checksum error.

The last obstacle is getting the BIOS into write mode. Every flash chip is different and has its own set of commands that have to be issued in order to write information into the BIOS. While it is possible to do that from within malware, it comes back to having to know the exact flash chip and BIOS used on the board.

I very seriously doubt you have an altered BIOS. Someone would have to have specifically targeted your PC out of the millions of others.
 

azproc12

Junior Member
Dec 23, 2010
6
0
0
Thanks Modelworks, that clears up the BIOS issue, so no BIOS bug- >99.9% sure of it according to you.

So moving on to other possible causes:
1) Can a virus/worm/malware make Windows think it is running a chipset/hardware other than what it should be running? Is there anything known to do that? If so, can it use this 'generic' driver process as a tool to exploit things?

2) Can my Router/Modem/Networking devices be hacked into and controlled even post-hard reset?

3) If malware is in my MBR or on a 'hidden partition' on my hard drive, what can I do about it / what can tell me that there isn't?

Thanks again!

Edit: 4) When I'm doing absolutely nothing, my hard drive LED goes on and it appears the hard drive is writing and/or reading. What causes this? Is it sending my data to some unknown server? It seems to be in sync with the network activity but I could be wrong.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
1) Can a virus/worm/malware make Windows think it is running a chipset/hardware other than what it should be running? Is there anything known to do that? If so, can it use this 'generic' driver process as a tool to exploit things?

Possible but unlikely. Right-click the driver you suspect, click the Driver tab, then the Driver Details button. On the details it should say digital signer, and have either Microsoft or Intel. That signature cannot be faked easily, a 1 in 10000 chance.

2) Can my Router/Modem/Networking devices be hacked into and controlled even post-hard reset?

Yes. Some routers have bugs in the firmware that someone who knows about them can exploit to take control of the router. The only fix is new firmware. Try searching for your router model in google with words like exploit or hack to see if anyone has found any.

3) If malware is in my MBR or on a 'hidden partition' on my hard drive, what can I do about it / what can tell me that there isn't?

Malware can hide in the MBR, and it is pretty common for it to hide there so it can load before the rest of the operating system, installing itself as a driver. There is a pretty infamous virus that does this. The way to find out is to look at what is loading as the PC is starting up. Normally people look at the startup programs folder or registry keys with programs, but that doesn't often reveal things like this.

Download the Sysinternals suite. It is free:
http://technet.microsoft.com/en-us/sysinternals/bb842062

Extract it to a folder and run the program autoruns.exe; you need to be admin.

Click on the Boot Execute tab.
Nothing should be there but 2 Microsoft programs, autocheck and scext.dll.
Click on the Winlogon tab.
Nothing should be there that doesn't say it is from Microsoft.
Click on Print Monitors - this is often used by malware.
Nothing should be there except your printer and Microsoft.
Click Scheduled Tasks.
Look for anything you do not recognize as something that should run at preset times. Sometimes malware will autostart itself using Task Scheduler.
Click AppInit.
This is where something would run when you run an application like a browser.

If all that is okay, then next run LoadOrd.exe.
This will show the order in which Windows loads everything from the second it starts to boot. Anything located in a directory that starts with \\??\C:
should be checked out, as it isn't part of the normal installation.


Finally, open a command prompt in the same folder with the Sysinternals programs and
type
sigcheck -u -e c:\windows\system32

That will list all the system files that do not have a digital signature. You need to check each one to see if it is okay.


Lastly, check the folder

C:\Windows\System32\drivers\etc
and open the hosts file.
It should be just the

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

lines at the bottom.

Good luck !
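The hosts-file check above is the one step in the list that is easy to automate, and it maps directly onto the Windows Update "page not found" symptom in the first post: a hostname that should resolve through DNS can be pinned to any address by one line in that file. The script below is an added example, not code from the thread or from Sysinternals. The clean hosts-file body, the tampered lines appended to it, and the watch-list of domain suffixes are all constructed assumptions; the parsing rules (a `#` starts a comment, blank lines are ignored, the first field is the address and the rest are names) are the real hosts-file format.

```python
"""Review a Windows hosts file for active mappings that could explain
redirected or broken Windows Update / security-vendor traffic.

Added example, not code from the thread or from Sysinternals. The sample
file contents and the watch-list are constructed for the demonstration.
"""
import sys

LOOPBACK = {"127.0.0.1", "::1"}

# Assumed watch-list: the domains the thread cares about (Windows Update,
# Microsoft Security Essentials downloads). Extend it to the vendors you use.
WATCH_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Constructed: a clean file, every line commented out, as Modelworks describes.
CLEAN_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""

# Constructed: the same file with three active lines appended (lines 8-10).
TAMPERED_HOSTS = CLEAN_HOSTS + """\
127.0.0.1    localhost
203.0.113.7  windowsupdate.microsoft.com update.microsoft.com  # constructed: redirected
127.0.0.1    download.microsoft.com                            # constructed: blocked
"""


def parse_hosts(text):
    """Return (line_number, ip, [hostnames]) for every active mapping.

    Comment lines, inline comments and blank lines are ignored, so a clean
    Windows 7 hosts file parses to an empty list."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no name maps nothing; skip it
        entries.append((lineno, fields[0], [name.lower() for name in fields[1:]]))
    return entries


def _under(name, suffix):
    """True if name is suffix or a subdomain of it (not a mere string suffix)."""
    return name == suffix or name.endswith("." + suffix)


def review_hosts(text, watch_suffixes=WATCH_SUFFIXES):
    """Return (line_number, ip, hostnames, reason) for every mapping worth a look.

    The only mapping treated as harmless is loopback -> localhost; on a freshly
    installed machine anything else needs an explanation."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip in LOOPBACK and names == ["localhost"]:
            continue
        watched = [n for n in names if any(_under(n, s) for s in watch_suffixes)]
        if watched and ip in LOOPBACK:
            reason = "blocks watched domain(s): " + ", ".join(watched)
        elif watched:
            reason = "redirects watched domain(s) to %s: %s" % (ip, ", ".join(watched))
        elif ip in LOOPBACK:
            reason = "maps host(s) to loopback, verify it is intentional"
        else:
            reason = "non-default mapping, verify it is intentional"
        findings.append((lineno, ip, names, reason))
    return findings


if __name__ == "__main__":
    # Pass the real file path (C:\Windows\System32\drivers\etc\hosts) to review
    # it; with no argument the constructed tampered sample is reviewed instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = TAMPERED_HOSTS
    for lineno, ip, names, reason in review_hosts(text):
        print("line %d: %s -> %s  [%s]" % (lineno, ip, " ".join(names), reason))
```

On the tampered sample this reports line 9 (update domains sent to a foreign address, which would produce exactly the "page not found" the first post describes) and line 10 (a download domain pinned to loopback, which silently breaks the download); the clean file produces no findings. The suffix check deliberately treats `evilmicrosoft.com` as unrelated to `microsoft.com`, so only real subdomains are flagged.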
 

azproc12

Junior Member
Dec 23, 2010
6
0
0
Wow, that's quite a suite I never knew about ModelWorks!

Okay, here's going through each step:
1) No driver suspects - all are Microsoft signed.
- I'm still worried about this - even if it is signed, could they use for example a 945 chipset driver (possibly compromised?) on a 975 chipset like mine? I'm wondering because I see this USB Hub in BIOS that's enabled, and as far as I know, I don't have a USB hub attached. See my second post. Re: 82801GR/GH/GHM - shouldn't it just be GB or GR according to:
http://www.intel.com/support/chipsets/inf/sb/cs-009269.htm

2) Have to check, but for now I'll assume fine - it's the DLINK DIR-655
3)

For flickr references: http://www.flickr.com/photos/54778997@N05/

Under Windows 7 Pro
Sysinternals:
boot execute - nothing at all; normal?
winlogon - one thing from Microsoft
print monitor - nothing at all; normal?
scheduled tasks - see Flickr
appinit - nothing at all; normal?

LoadOrd - nothing with \\??\C:
sigcheck - see flickr; but it did take quite a while then ended (flickr page) and scrolled the cmd prompt window even though nothing showed up in the end. - normal for Win7? Asked a friend on a clean XP computer and a ton of stuff came up - supposedly unsigned drivers on his Dell laptop.

hosts file - ok as stated. However, I tried to send the file to a friend to look at via the hotmail attachment option within IE, and to my surprise I couldn't see the etc folder within system32\drivers! Could you take a look at the screenshots in flickr and see what I mean? Is this normal / is hotmail preventing things from working? Or does this mean I have two Windows installations running concurrently somehow?

Let me know what other information if any is required.
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
For a driver to install it has to match the hardware id numbers. Those numbers are set at the factory and on most hardware cannot be changed easily.


About the router, make sure the firmware is current
SourceSec published a proof-of-concept software tool called HNAP0wn that would enable the hack -- a move that D-Link criticized.
"By publicizing their tool and giving specific instructions, the authors of the report have publicly outlined how the security can be breached, which could have had serious repercussions for our customers," D-Link said in a statement.
D-Link said it only appeared possible to hack the routers using the software tool and not just with stand-alone code.
D-Link and SourceSec differed over which models were vulnerable. SourceSec wrote that it suspected that all D-Link routers made since 2006 with HNAP support were affected, but they said they had not tested all of them.
D-Link said the models affected are the DIR-855 (version A2), DIR-655 (versions A1 to A4) and DIR-635 (version B). Three discontinued models -- DIR-615 (versions B1, B2 and B3), DIR-635 (version A) and DI-634M (version B1) -- are also affected.
The company said new firmware updates are being made available across its Web sites.


Sigcheck can tend to scroll off the screen.
Instead use
sigcheck -u -e c:\windows\system32 > sig.txt

The > sig.txt just tells it to send the output to a file named sig.txt. Open it in Notepad.


The etc folder is set to hidden by default. To show it all the time you have to enable showing of hidden folders in folder options.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,049
182
116
One other thing you may want to try is to use a new router and see if that changes anything.
 

azproc12

Junior Member
Dec 23, 2010
6
0
0
Merry Christmas everyone! Have some more questions if you don't mind and a screenshot question. Really appreciate all your help!

-So sigtest is clean, by the way. Updated router firmware.
-etc folder - I already set the option to show all hidden and system folders, but it still doesn't appear in the upload attachment box in both IE and Firefox. Also, this folder is not hidden by default!

1) I have an "Unknown user" (S-1-5-21-...) on my users list when I go check file permissions. What is this? Is my system compromised by a phantom user account? Is it forcing me to run as this user instead of myself? Such that when I click "run as administrator", could it give me a false impression that I'm doing so and not actually have control of my system? http://www.flickr.com/photos/54778997@N05/5290916209/
The user number changes depending on the installation it seems:
http://www.flickr.com/photos/54778997@N05/5291577776/

2) Back to the first photo: In the AccessEnum tool from sysinternals suite, I'm noticing that there are a lot of ???marks under each permission. Is this normal? There are quite a few "Access is denied" as well, I'm getting worried about this. I also notice that there are a lot of seemingly duplicate entries, differing only by an asterisk (*), for example C:\Windows\CSC\v2.0.6\.

Thanks
 

Jjoshua2

Senior member
Mar 24, 2006
635
1
76
Sometimes keyboards or monitors can act as a usb hub. Try unplugging everything but the power cord and use a vga monitor, and then you can be sure you do not have a usb hub, although it is possible that the usb ports in the back are represented by a hub. You can try disabling the hub and see if it makes any of your ports stop working.
 