Topic: is this real or bogus and paranoia? gpu-based-paravirtualization-rootkit (Read 4984 times)

Offline snort

  • Newbie
  • *
  • Posts: 5
http://forum.sysinternals.com/gpu-ba...06_page10.html

I did the tests in the topic.
According to them I'm infected by this.

Is this real? If it is, what to do?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 21081
http://forum.sysinternals.com/gpu-ba...06_page10.html

I did the tests in the topic.
According to them I'm infected by this.

Is this real? If it is, what to do?
The url is not valid. I get a 404 error message when I go to that page.

Online Sanya IV Litvyak

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 3647
  • Mrreow~
I think snort tried to link this: http://forum.sysinternals.com/gpu-based-paravirtualization-rootkit-all-os-vulne_topic26706_page10.html
It starts the same way with "gpu-ba" and ends with "06_page10.html", though the link from snort was cut down quite a lot (the "...").

Though I don't really know what it is about, and it's linking to page 10 of a topic on another forum, and personally I'm not going to read through 10 pages to get a context.
« Last Edit: April 12, 2013, 02:53:32 PM by SanyaIV »

Offline snort

  • Newbie
  • *
  • Posts: 5
Well, I'm not a security expert,
but it's about a virus that bypasses everything, is undetected and infects everything it touches.
I linked page 10 because he posted 2 tests to see if you are infected or not.

According to his tests I'm infected; I want to know if that thing is real
or if those tests determine nothing.

And if this is real, I can't think of another company to handle this type of infection.

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 21081
I don't see download links on that page (even when logged in).

I think it is better to ask for support in that topic. I am not familiar with the rootkit and detection of it.

Offline Reptillian

  • Comodo Family Member
  • ***
  • Posts: 56
but it's about a virus that bypasses everything, is undetected and infects everything it touches.
I linked page 10 because he posted 2 tests to see if you are infected or not.

Really? Sounds bogus, and this probably wouldn't work on z/OS assuming it's not bogus. Also, there was a link that says even without wifi, your information is stolen.
« Last Edit: April 13, 2013, 12:48:25 AM by Reptillian »

Offline snort

  • Newbie
  • *
  • Posts: 5
I don't have any information more than what is said in that topic.
I'm not related to that topic in any way.

I just found the topic, did the tests and found that according to those tests I'm infected,
and he said that it spreads through everything.

Quote
Everyone:
Please run the following tests and post your results.
(These tests assume you have Vista or Win7 x64. XP or any 32bit Windows I cannot get valid answers from. Windows 8 I have no idea, it might work, try it out and let me know)

1) From Microsoft's own sysinternals.com get the program ProcessExplorer.
Run it (it's a standalone exe, no installer), you will see a taskmanager like screen with all processes expanded in a tree like display.
Collapse each of the trees so that you only see the process tree bases.
For example explorer.exe should have processes running from it; we don't care about those, explorer.exe is a base.
Now from the top process in the list right click and choose properties.
(system idle process and system you can skip)
You will see an area in the bottom half of the box that says "Parent:"
Some of the processes will show "<Non-existent Process>(xxx)"
This is normal for some but NOT ALL OF THEM.
If you see ALL process tree bases showing "Parent: <Non-existent Process>(xxx)" then it is very likely you have an infected machine.
These processes are in fact NOT non-existent but they are malicious process hosts running from the malicious hypervisor. Again, at least half of them WILL show non-existent because their parent was killed off in normal fashion. The point is that NOT ALL should show this.
I have observed a CLEAN machine so I know what to look for.

2) From Sourceforge get ProcessHacker (the exe installer).
Run the installer with default options, no changes. (need all plugins enabled and kernel mode driver set).
Run ProcessHacker (as admin if you can, I can't be sure we will see proper results otherwise but it might work).
Assuming you have the proper .NET version installed you should see tabs near the top, the one on the right is named Disk. Click the Disk tab and click the bar titled "Name" so that it will be sorted from Z to A.
(we need that to see things we are interested in showing up at the top)
We are now watching for "Unknown Process(xxx)" popping up accessing files.
Under NO CIRCUMSTANCES should you see "Unknown Process" showing up on a clean machine!!!
Open a web browser; IE and Firefox work in my tests. Go to a website, exit (close) the browser and watch the Disk tab! An infected machine will immediately show "Unknown Process" (more than 1) grabbing the browser cache files and other DLLs. If you see this you are infected!
You can also put a shortcut to ProcessHacker in your startup folder, reboot and as soon as it comes up after boot switch to the Disk tab, sort Z-A and just watch. If you are infected you WILL see "Unknown Process(xxx)" accessing files.

What I need from you:
Please tell me your results of test #1.
If you see process tree bases with a real running parent please make note of that process name and its parent name. Again, I'm only interested in the process tree BASES, NOT processes hanging off of a base.
Please tell me your results of test #2.

Those are the tests.

So according to those tests I'm infected; what now?
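Added worked example (not code from any post in this thread): a small Python script that reproduces the "Parent:" and tree-base logic of test #1 above on a constructed process snapshot. All PIDs, names and start times are made up. It shows why "<Non-existent Process>" is expected on a clean machine: Windows records the parent PID at process creation and never updates it, so once the parent exits (userinit.exe launching explorer.exe does this by design) or its PID is later reused by another process, the child has no live parent and is displayed at the top level of the tree. Under that nesting rule a tree base is, by definition, a process without a live parent, so the condition "all bases show a non-existent parent" holds on any machine.

```python
"""Reproduce the 'process tree base' logic from the quoted test #1 on a
constructed process snapshot (no live system access; sample data only)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int      # parent PID as recorded at creation; Windows never updates it
    name: str
    start: float   # start time, seconds since boot (constructed values)


# Constructed snapshot, not data from any real machine.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", 0.0),
    Proc(400, 4, "smss.exe", 1.0),         # parent System is running
    Proc(500, 400, "csrss.exe", 2.0),      # parent smss.exe is running
    Proc(520, 380, "winlogon.exe", 2.5),   # parent 380 exited: <Non-existent Process>(380)
    Proc(900, 880, "explorer.exe", 10.0),  # parent 880 (userinit.exe) exited normally
    Proc(1200, 900, "notepad.exe", 20.0),  # child of explorer.exe, hangs off a base
    Proc(880, 4, "svchost.exe", 30.0),     # PID 880 reused *after* explorer.exe started
]


def parent_status(p: Proc, by_pid: Dict[int, Proc]) -> str:
    """Classify what the 'Parent:' field would show for process p."""
    if p.ppid == 0:
        return "none"          # System has no real parent process
    parent = by_pid.get(p.ppid)
    if parent is None:
        return "exited"        # <Non-existent Process>(ppid)
    if parent.start > p.start:
        return "pid-reused"    # same PID number, different process; also non-existent
    return "running"


def tree_bases(snapshot: List[Proc]) -> List[Tuple[str, str]]:
    """Processes shown at the top level of the tree, with their parent status.

    Nesting rule: a process is shown under its parent only if that parent is
    alive and started before it, so a base is exactly a process with no live parent.
    """
    by_pid = {p.pid: p for p in snapshot}
    return [(p.name, parent_status(p, by_pid))
            for p in snapshot if parent_status(p, by_pid) != "running"]


def bases_with_running_parent(snapshot: List[Proc]) -> List[str]:
    """Under the nesting rule above this is always empty, on a clean machine too,
    which is why 'all bases show a non-existent parent' carries no information."""
    return [name for name, status in tree_bases(snapshot) if status == "running"]


if __name__ == "__main__":
    for name, status in tree_bases(SNAPSHOT):
        print(f"{name:<14} parent: {status}")
    print("bases with a running parent:", bases_with_running_parent(SNAPSHOT))
```

The useful information for an analyst is not the count of non-existent parents but an unexpected parent/child pair among the bases (which the quoted test itself asks people to note); the start-time comparison in `parent_status` is the same check a process viewer needs to avoid attributing a child to an unrelated process that merely inherited the old PID number.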

Offline snort

  • Newbie
  • *
  • Posts: 5
No one wants to answer???

I just don't understand why companies seem to ignore this.
They didn't confirm nor deny it ???

Offline sAyer

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 675
No one wants to answer???

I just don't understand why companies seem to ignore this.
They didn't confirm nor deny it ???

It's 100% bogus and a waste of time. I read through the entire topic. I believe that the majority of the posts are from one person using different names and avatars to perpetuate the subject, based on the number of posts from each poster, similarities in punctuation and context, and effort to prove the point.

"Super malware" created by governments does exist, but nothing even remotely close to the power and complexity of what is being described is possible. If such malware did exist (which it does not) the controllers would seldom use it, and only on a case-per-case basis, to avoid it ever being detected. Malware like this would make Stuxnet look like the EICAR test string in comparison.

Somebody's been watching too much Star Trek.  :)
"You affect the world by what you browse." - Tim Berners-Lee

Offline snort

  • Newbie
  • *
  • Posts: 5
Extreme thanks sAyer  :-TU  I really appreciate your post  :-TU

Your post really helped me tone down the panic, but anyway I'm pretty sure I'm hacked.
I don't want to get into the details and go off topic, but the symptoms are somewhat similar to what
is here: "hacked router", "persistent hack even after formatting / re-partitioning".

Anyway, the test results are pretty scary to me:
1- all of the processes in system explorer are under an unknown parent
2- there are a lot of unknown processes accessing (not just the browser cache)
but even the security tools before they run; here is an image
http://i.imgur.com/nzwjfF5.png?1

Those processes are undetected by GMER / Process Explorer / Process Hacker / any process lister.

+ I have a router that without any doubt is hacked (I did a reset / re-flashed the firmware); they keep getting hacked.
Anyway, routers are cheap, I can buy another one, but only after knowing that my computer doesn't have a nasty like
this. It may be a case-per-case basis as you said (I hope this is not true and totally bogus), but there are unknown symptoms.

BTW I did check for normal malware, didn't find anything.

I really appreciate your reply, and extreme big thanks in advance.

Offline dhrf

  • Newbie
  • *
  • Posts: 4
It's 100% bogus and a waste of time. I read through the entire topic. I believe that the majority of the posts are from one person using different names and avatars to perpetuate the subject, based on the number of posts from each poster, similarities in punctuation and context, and effort to prove the point.

"Super malware" created by governments does exist, but nothing even remotely close to the power and complexity of what is being described is possible. If such malware did exist (which it does not) the controllers would seldom use it, and only on a case-per-case basis, to avoid it ever being detected. Malware like this would make Stuxnet look like the EICAR test string in comparison.

Somebody's been watching too much Star Trek.  :)


No, sir.

I am RFC Rudel from Sysinternals and I use DHRF on other forums.

The malware that I research is based on ACPI and paravirtualization; other users try to get to their own conclusions and tests.

It is not in-the-wild malware, but the lack of tools and the industry silence is not fine.

I am a respected MCSE consultant in Argentina.

I can share my findings, but you must read some ACPI and Xen docs and understand virtualization to fully understand. (Read how the hackintosh people do magic with DSDT tables, and how drivers read the GPU ROM, modify it according to the system and load the modified ROM in memory.)

When the malware resists HD wipes, your PC boots from your GPU, HD geometry is modified; the malware is complex, OK.

Tricks like BIOS shadow remove the need to flash the BIOS; ACPI tables get stored in CMOS (like your BIOS settings).

The tools/risk to install a Xen/QEMU paravirtual hypervisor and have no tools to detect it are there.

I have tons of problems making this public, OK.

Sorry for the broken English.

On page 15 of the Sysinternals topic one person wrote a description of how it works (I don't agree 100% because there are different tactics to get the same result).

More info here: http://www.wilderssecurity.com/showthread.php?t=345273&page=3

Look at the Facebook page about this:
http://www.facebook.com/pages/Unknown-GPU-Hypervisor-Malware/131545397008622

RGDS DHF
« Last Edit: May 06, 2013, 09:25:43 AM by dhrf »

Offline spainach_12

  • Comodo's Hero
  • *****
  • Posts: 526

No, sir.

I am RFC Rudel from Sysinternals and I use DHRF on other forums.

The malware that I research is based on ACPI and paravirtualization; other users try to get to their own conclusions and tests.

It is not in-the-wild malware, but the lack of tools and the industry silence is not fine.

I am a respected MCSE consultant in Argentina.

I can share my findings, but you must read some ACPI and Xen docs and understand virtualization to fully understand. (Read how the hackintosh people do magic with DSDT tables, and how drivers read the GPU ROM, modify it according to the system and load the modified ROM in memory.)

When the malware resists HD wipes, your PC boots from your GPU, HD geometry is modified; the malware is complex, OK.

Tricks like BIOS shadow remove the need to flash the BIOS; ACPI tables get stored in CMOS (like your BIOS settings).

The tools/risk to install a Xen/QEMU paravirtual hypervisor and have no tools to detect it are there.

I have tons of problems making this public, OK.

Sorry for the broken English.

On page 15 of the Sysinternals topic one person wrote a description of how it works (I don't agree 100% because there are different tactics to get the same result).

More info here: http://www.wilderssecurity.com/showthread.php?t=345273&page=3

Look at the Facebook page about this:
http://www.facebook.com/pages/Unknown-GPU-Hypervisor-Malware/131545397008622

RGDS DHF
Ah, DHRF. Welcome to the forums. I was hoping you'd jump in here, and here you are now. I wanted to ask a few things.

1. Exactly how was it able to start infection? The possible methods provided for in the thread all require root access, that it would seem the only way it can ever infect something is (a) if it was a specifically targeted system or (b) physical access.

2. Size? The way it's described is that it seems small. But a cross-platform, file-infecting malware seems just all too odd to be that small. I understand that it's capable of infecting files possibly by adding a code over the original. Still, this would constitute file size changes and considering that it seems to intend to infect linux and mac systems, too, well that's triple the size.

If it were to download any other component, then it would have to provide those too with root access. So most possibly, there ought to be a rootkit beside the actual malware. Even then, it still means it requires a considerable size to do so. It cannot go undetected like that. Basically, the more "features" it has, the larger it becomes. I simply could not understand how it can get by undetected with a lumbering size or some genius manage to condense all these, but that's highly improbable (or well, impossible, but I'm just trying to be mathematically accurate here) because of the limits imposed by the current languages.

3. Besides the non-existent processes symptom, are there any other methods of detection? ACPI's, hackintosh, and all that while they may provide context, they don't exactly provide proof. An apple being an apple doesn't mean it's the same apple as every other apple.

Also, you mentioned you're from sysinternals. Do you mean you work for sysinternals or that you're originally a member of sysinternals? If it's the latter, do you mean the forums or the actual company? I'm just trying to build a profile here so I can better construct my questions. As I recall, these non-existent processes have existed as early as 2007. I've also contacted them about it in 2009 and they responded that it was the way processes exit. They exist in every system though they may vary for every installation. Conflicting programs with processexplorer are also capable of reproducing this effect.

If the symptom mentioned was from the malware, how is it related and why run them in the first place?

4. I agree. There are other avenues it can explore to achieve the same effect, and the one described in page 15 is not a viable choice at all. It will literally cause problems that would either cause the system to be unbootable or the malware to be completely useless. Even so, none of the viable avenues that I know of are capable of surviving reboot, self-actuating, or even capable of executing commands needed to achieve the desired result. Not to mention that the time it needs to accomplish all these in a single session is impractically long. Could you perhaps provide us what you suppose is the possible avenue(s) it uses to take root in the system? The video I found in securitytube doesn't seem possible automated. It requires manual access.

5. It seems all too quiet. The way the malware was described was that it was already fully functional, running bypasses, storing data, infecting files and sending information. With such a capable malware, there should be a huge bidding now somewhere for its source code. But it's just too quiet. They want to be discreet about, well, yeah sure, but there's gonna be a spark somewhere here or there and something as brilliant as the one in description is sure to start a wildfire.

I don't think malware authors "trying new grounds" to quote new2security would release a fully functional malware just to test if it works. The code would be broken down and some of it spread as separate 0-day malware minimizing activity as much as possible while all other tests are done privately.

One could say that it was meant for targeted attacks, but then again, wouldn't it be smarter to minimize activity and anything that's as impractical as file infection would be discarded? It just doesn't add up.

6. If it's capable of file infection, survives re-installation and wipes,  am I to suppose you have a sample with you?

7. Oh and a matter of concern. If it really is a cross-platform, infect-all-files malware, where and how do you do your logs? Shouldn't those get infected, too?
If you want to change the system, you need to learn how to break it.

Windows 7 Starter dualboot BodhiLinux | BitDefender AV Free| Windows Firewall | NTFS File Permissions | Commandline | Spider Senses

Offline dhrf

  • Newbie
  • *
  • Posts: 4

1. Exactly how was it able to start infection? The possible methods provided for in the thread all require root access, that it would seem the only way it can ever infect something is (a) if it was a specifically targeted system or (b) physical access.

The target was a legal firm in 2010.
I detected traffic one night from 1 PC; I started capturing data and closed the connection at the firewall. The next packet the PC sent was a DHCP release/renew. The machine was inspected and, besides the network traffic, all looked OK. After a wipe and a new install from new media, I noticed that the malware not only remained but kept files of the OS that was installed earlier.
That gave me the clue of HD geometry modification, and that the bug was not nice...
Story short: the whole network was infected, the AD schema was modified, and if I closed the traffic the PCs lost DNS resolution (fatal for an Active Directory domain with Exchange etc.).
Network OSes were compromised by DFS bogus system restores to the clients (primary low-level drivers), and fake upgrades of the antivirus server.
No credit fraud was reported. The only objective looks to be staying resident.

It was a specific target, YES, but infection is no more complex than a rootkit.

2. Size? The way it's described is that it seems small. But a cross-platform, file-infecting malware seems just all too odd to be that small. I understand that it's capable of infecting files possibly by adding a code over the original. Still, this would constitute file size changes and considering that it seems to intend to infect Linux and mac systems, too, well that's triple the size.

Don't mix layers: one thing is a bare-metal hypervisor and another is the operating system.
A hypervisor will provide a fake hardware BIOS to the OS; para-virtualization allows direct access to the machine hardware, which makes it less intrusive (no need to do a physical-to-virtual migration) and harder to find; your PC will work like before.
Now, if the OS has a layer that can manage hardware, compromising the OS is no problem.


If it were to download any other component, then it would have to provide those too with root access. So most possibly, there ought to be a rootkit beside the actual malware. Even then, it still means it requires a considerable size to do so. It cannot go undetected like that. Basically, the more "features" it has, the larger it becomes. I simply could not understand how it can get by undetected with a lumbering size or some genius manage to condense all these, but that's highly improbable (or well, impossible, but I'm just trying to be mathematically accurate here) because of the limits imposed by the current languages.

Wait, if the hypervisor is on the PC, the hypervisor is the owner, OK. And all data you can get from that PC can't be trusted (you dump the GPU BIOS, but you get the fake shadow one that resides in memory).

3. Besides the non-existent processes symptom, are there any other methods of detection? ACPI's, hackintosh, and all that while they may provide context, they don't exactly provide proof. An apple being an apple doesn't mean it's the same apple as every other apple.

My point was that the compatibility that allows doing some tricks can also be used to do other things...
I never said anything about the non-existent processes symptom; still, identifying this is hard and many people, including me, end up with false positives.
It's like I ask you to prove that you are not inside the Matrix...

Also, you mentioned you're from sysinternals. Do you mean you work for sysinternals or that you're originally a member of sysinternals? If it's the latter, do you mean the forums or the actual  company? I'm just trying to build a profile here so I can better construct my questions. As I recall, these non-existent processes have existed as early as 2007. I've also contacted them about it in 2009 and they responded that it was the way processes exit. They exist in every system though they may vary for every installation. Conflicting programs with processexplorer are also capable of reproducing this effect.

I am 39 years old, 3 kids, one wife, IT consultant from Argentina with many Microsoft certifications (starting in 1999). I used to work for a consulting firm and sometimes we worked in conjunction with Microsoft Consulting Services.
I have migrated, designed, deployed and implemented AD, Exchange, security and network infrastructure for large enterprises for almost 10 years; now I am self-employed. I have also used virtualization technology since VMware was born.
I am a gamer, love hardware and overclocking.

If the symptom mentioned was from the malware, how is it related and why run them in the first place?

The symptoms I experienced were a malware that resisted HD wipes and that had phantom/fake hardware; that alone points to a low-level rootkit, and after many hours I found that the BIOS was compromised (the BIOS can't be updated; a full BIOS reset makes the PC do many strange things).

4. I agree. There are other avenues it can explore to achieve the same effect, and the one described in page 15 is not a viable choice at all. It will literally cause problems that would either cause the system to be unbootable or the malware to be completely useless. Even so, none of the viable avenues that I know of are capable of surviving reboot, self-actuating, or even capable of executing commands needed to achieve the desired result. Not to mention that the time it needs to accomplish all these in a single session is impractically long. Could you perhaps provide us what you suppose is the possible avenue(s) it uses to take root in the system? The video I found in securitytube doesn't seem possible automated. It requires manual access.
You don't need to set up your BIOS every time you start your PC; OS drivers can configure some parts of the BIOS. The only thing you need is a fixed storage (HD geometry will do it) and old or fake drivers, and the compatibility that the industry provides to allow many OSes to be installed on the same hardware does the rest.
That's the key: it uses normal techniques. Linux can emulate firmware for better compatibility; this uses ACPI tables to create buffers to load firmware; it uses BIOS shadow for motherboard/GPU etc.
If you download Xen and read the documentation and some ACPI docs, it is all there.
Detection is hard; hypervisors are very small, and the OS only sees what the hypervisor allows.


5. It seems all too quiet. The way the malware was described was that it was already fully functional, running bypasses, storing data, infecting files and sending information. With such a capable malware, there should be a huge bidding now somewhere for its source code. But it's just too quiet. They want to be discreet about, well, yeah sure, but there's gonna be a spark somewhere here or there and something as brilliant as the one in description is sure to start a wildfire.



The only secret is that they use as a rule in the design that the core uses normal emulation techniques at a very low level.
It provides a backdoor under the OS. From there, use your imagination.

I don't think malware authors "trying new grounds" to quote new2security would release a fully functional malware just to test if it works. The code would be broken down and some of it spread as separate 0-day malware minimizing activity as much as possible while all other tests are done privately.

One could say that it was meant for targeted attacks, but then again, wouldn't it be smarter to minimize activity and anything that's as impractical as file infection would be discarded? It just doesn't add up.
File infection or misconfiguration is to provide consistent rollback, malware self-defense. And if they own ring 0, no AV will detect it.

6. If it's capable of file infection, survives re-installation and wipes, am I to suppose you have a sample with you?
One in my pocket, but for friends only. With a machine owned from POST it is hard to get reliable data; one person that works on this has dumped his GPU ROM and inside is a bootloader, NTLDR, BCD.

7. Oh and a matter of concern. If it really is a cross-platform, infect-all-files malware, where and how do you do your logs? Shouldn't those get infected, too?
I never said infect all files.
But a hardware backdoor...
I will post some PDFs that explain more and in better English.
PS: I can't summarize all in one post. Not to mention that a lot of reading is key to understand how it can be done (I read many docs, and have many more waiting).


Read the doc please; it is not long and is clear.
« Last Edit: May 06, 2013, 11:48:18 PM by dhrf »

Offline dhrf

  • Newbie
  • *
  • Posts: 4
Best situation: I am nuts, the hole is there and we have no tools...

More security, less usability (golden rule in security design); it works backwards too.

Today's hardware platforms, virtualization, and the use of the GPU for virtualization allow the use and implementation of software with bad intentions (malware).

« Last Edit: May 07, 2013, 12:07:13 AM by dhrf »

Offline spainach_12

  • Comodo's Hero
  • *****
  • Posts: 526
The target was a legal firm in 2010.
I detected traffic one night from 1 PC; I started capturing data and closed the connection at the firewall. The next packet the PC sent was a DHCP release/renew. The machine was inspected and, besides the network traffic, all looked OK. After a wipe and a new install from new media, I noticed that the malware not only remained but kept files of the OS that was installed earlier.
That gave me the clue of HD geometry modification, and that the bug was not nice...
Story short: the whole network was infected, the AD schema was modified, and if I closed the traffic the PCs lost DNS resolution (fatal for an Active Directory domain with Exchange etc.).
Network OSes were compromised by DFS bogus system restores to the clients (primary low-level drivers), and fake upgrades of the antivirus server.
No credit fraud was reported. The only objective looks to be staying resident.

It was a specific target, YES, but infection is no more complex than a rootkit.

Don't mix layers: one thing is a bare-metal hypervisor and another is the operating system.
A hypervisor will provide a fake hardware BIOS to the OS; para-virtualization allows direct access to the machine hardware, which makes it less intrusive (no need to do a physical-to-virtual migration) and harder to find; your PC will work like before.
Now, if the OS has a layer that can manage hardware, compromising the OS is no problem.

Wait, if the hypervisor is on the PC, the hypervisor is the owner, OK. And all data you can get from that PC can't be trusted (you dump the GPU BIOS, but you get the fake shadow one that resides in memory).

My point was that the compatibility that allows doing some tricks can also be used to do other things...
I never said anything about the non-existent processes symptom; still, identifying this is hard and many people, including me, end up with false positives.
It's like I ask you to prove that you are not inside the Matrix...

I am 39 years old, 3 kids, one wife, IT consultant from Argentina with many Microsoft certifications (starting in 1999). I used to work for a consulting firm and sometimes we worked in conjunction with Microsoft Consulting Services.
I have migrated, designed, deployed and implemented AD, Exchange, security and network infrastructure for large enterprises for almost 10 years; now I am self-employed. I have also used virtualization technology since VMware was born.
I am a gamer, love hardware and overclocking.

The symptoms I experienced were a malware that resisted HD wipes and that had phantom/fake hardware; that alone points to a low-level rootkit, and after many hours I found that the BIOS was compromised (the BIOS can't be updated; a full BIOS reset makes the PC do many strange things).

You don't need to set up your BIOS every time you start your PC; OS drivers can configure some parts of the BIOS. The only thing you need is a fixed storage (HD geometry will do it) and old or fake drivers, and the compatibility that the industry provides to allow many OSes to be installed on the same hardware does the rest.
That's the key: it uses normal techniques. Linux can emulate firmware for better compatibility; this uses ACPI tables to create buffers to load firmware; it uses BIOS shadow for motherboard/GPU etc.
If you download Xen and read the documentation and some ACPI docs, it is all there.
Detection is hard; hypervisors are very small, and the OS only sees what the hypervisor allows.

The only secret is that they use as a rule in the design that the core uses normal emulation techniques at a very low level.
It provides a backdoor under the OS. From there, use your imagination.

File infection or misconfiguration is to provide consistent rollback, malware self-defense. And if they own ring 0, no AV will detect it.

One in my pocket, but for friends only. With a machine owned from POST it is hard to get reliable data; one person that works on this has dumped his GPU ROM and inside is a bootloader, NTLDR, BCD.

I never said infect all files.
But a hardware backdoor...
I will post some PDFs that explain more and in better English.
PS: I can't summarize all in one post. Not to mention that a lot of reading is key to understand how it can be done (I read many docs, and have many more waiting).

Read the doc please; it is not long and is clear.

I think you've misunderstood every question. Sorry for that. I'll rephrase them some time next week and see if anything develops. I thank you for your time and patience.
If you want to change the system, you need to learn how to break it.

Windows 7 Starter dualboot BodhiLinux | BitDefender AV Free| Windows Firewall | NTFS File Permissions | Commandline | Spider Senses
