Ultimate Rootkit - Unbeatable/invincible

Discussion in 'Malware Help (A Specialist Will Reply)' started by Trex™, Jun 23, 2018.

  1. Trex™

    Trex™ Private First Class

    So... I've recently learned about certain malware possessing capabilities I never thought were possible. Unfortunately, I was taught this the hard way... and about 5 years too late, according to the info I've read online. After losing the fight against this ... 'super virus' ... I feel compelled to share the experience in hopes that it may serve to inform, warn, and/or prevent others from learning this lesson the same way I have.

    In reflection, I'm left with a sense of disbelief, still unsure about what, in all the details, astonishes me the most. Is it the fact that I was infected while innocently searching for a legitimate app by the name of PCHunter? Could it be that I was foolish and careless enough to download multiple copies of the aforementioned app from several different websites, the last of which had to be translated to English from Chinese? Personally, I would have to say ... verifying the origin of such ruthless code to be a team of hackers employed and funded by the NSA would be the coup de grâce for me.

    Here's a run-down, from what I understand:

    Some extremely skilled guy going by the name of spritesmods accomplished what no one outside computer engineering has been able to do... something no one conceived possible, for that matter. A step-by-step process is laid out and explained on his website, but ultimately, by targeting the cache on hard drive controller chips, this one guy... the ONLY guy in history... inserted code through JTAG and basically discovered 'hardware' viruses.

    I'm uncertain about the transition from spritesmods' proof of concept to it being picked up and evolved by government agencies, but the source has apparently been verified as the NSA. With teams of programmers and a budget that could spare millions of dollars without batting an eye, a hard drive rootkit was developed, presumably for use in surveillance, allowing limitless and ceaseless access to compromised systems through back-doors.

    Obviously, I don't believe I've been targeted by the NSA, but I assume it wasn't hard for other hackers, groups, or organizations to obtain the code once it had been exposed... at which point, it could be modified or tweaked as they saw fit, and released back into the wild, spreading across systems, creating back-doors, and collecting sensitive/personal data at lightning speed to transmit back to the "hacker's" remote host.

    As scripts ran and code executed on my computer at a SYSTEM level privilege, I was able to monitor some activity, though fractional in amount, I'm sure...

    From what I did see... this is undoubtedly the meanest, nastiest, most intrusive and devastating infection I've ever seen, hands down. Queries collect every shred of data available to a SYSTEM privilege service running on the system (which is everything) from net users, accounts, browser cookies, and installed games to attached devices, connections via bluetooth, and detailed information about every piece of hardware used along with their drivers.

    What confuses me... is the code was originally written to act as a rootkit... suggesting a stealthy behavior, attempting to avoid detection. This variant seems to have been modified without regard for this. Once it completes scouring a system, it proceeds to create registry keys altering the CurrentControlSet, replaces every driver file you can imagine, creates system services that run in the background, cripples Administrative privileges to the point that no application or program will run, then it REALLY goes to work.

    I may not be accurate about this, but speculating from what I saw, even though Windows 10 Home edition does not support drive encryption, the malware enables BitLocker, locks the drive partitions, creates an entirely separate and nearly invisible partition, and ... I'm not sure. Possibly sets up its own master boot record... judging by an eventual inability to boot up anymore.

    System restore doesn't work... formatting and reinstalling doesn't work... accessing the command prompt through recovery will do you no good. Check bcdedit, it won't matter. Find the hidden partition using diskpart and delete it, format it... doesn't matter. The only thing I haven't tried is installing an unaffected hard drive, marking it 'master' and then connecting the infected drive as slave... but honestly, I'm afraid that will result in two destroyed hard drives. Did I mention this monster checks for connected devices? Yeah... if you happen to have a USB flash drive inserted, you might as well throw it out your window. Should you stick it into the port of a different system, you can say good-bye to that computer as well.

    Something I did notice with the USB drive... a 64 GB flash drive was reported by the system to only be 14 GB total. This exhibits the behavior typical of a worm designed to allocate space until none is left, but are there any variants of this type of worm that perform all the other actions I've described? Does anybody have any insight into this? Perhaps I'm wrong in concluding this is the 'invincible' super virus? At any rate, it's the first time I've had to admit defeat in close to 30 years... beaten by some code typed out on a plastic keyboard...

    Here are some references I've looked into while researching this:

    http://spritesmods.com/?art=hddhack
    https://hothardware.com/news/kaspersky-massive-equation-group-hdd-firmware-spying-ring
    https://resources.infosecinstitute.com/nsa-bios-backdoor-god-mode-malware-deitybounce/#gref

    Those are just a few... and by all means... if you are having trouble believing me... I will gladly send you a flash drive... to a P.O. Box, to a street address... whatever. Let me know... or it might be possible to pull up the same site with the PCHunter download which contains this rootkit. I strongly suggest not flirting with disaster using any system you can't afford to lose.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Listed on MG's. Where did you get it from?
     
  3. Trex™

    Trex™ Private First Class

    It wasn't from Major Geeks... although it was one of the sites I tried... the thing is... PCHunter no longer works for Windows 10 since a recent update. I was looking for a newer release that did work with Windows 10 now, but couldn't find one. And... as stupid as this is... the one that caused the infection... came from a site based somewhere out of China... Beijing, I think? Yeah... very ignorant of me, I know... but just so others know.
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    SMH
     
  5. Trex™

    Trex™ Private First Class

    Heh... yeah... I know. Rookie move. Guess I got caught slippin... I was nice and relaxed, sunk into my chair... at home in front of my comp where 90% of my spare time is spent, fiddling around like I do. Usually, at least a subconscious lil red flag pops up back there somewhere tryin to scream to me... "don't do it! wth are you doing?!" but this time... nothing. Careless, no regard, just... click, click, clickin away. DERRRRRR
     
  6. Replicator

    Replicator MajorGeek

    Ooops!

    6 Dim Sims with every /Rootkit? :)
     
  7. Trex™

    Trex™ Private First Class

    Yeah... in retrospect, I not only feel extremely ignorant, but I've illustrated my stupidity quite nicely here and given myself a lovely alternate perspective of the entire incident; of which the actions taken almost seem like that of a 9 year old's. :/

    I have a bad habit of disregarding simple and fundamental online safety/security measures ... arrogantly believing that even if something were to happen, it wouldn't be anything I couldn't handle. I got exactly what was coming to me with such an egotistical mentality. Well played, internet... well played (and lesson well taught).
     
  8. Replicator

    Replicator MajorGeek

    Well, harden up!
     
  9. Trex™

    Trex™ Private First Class

    Haha, it's cool. It's all good. I just like to demonstrate the ability to recognize my own mistakes or shortcomings... partly to beat any hateful souls out there to the punch, but also to encourage the same behavior in any like-minded individuals. It seems to be a rare trait these days... it seems like the majority of people I encounter in real life exhibit personalities dominated by pride and ego... by a huge margin. I honestly find it refreshing and, actually... somewhat comforting... to run across anyone different... and this only seems to occur behind the anonymity of the internet.
     
  10. Trex™

    Trex™ Private First Class

    So yes, I'm stupid... learn from my mistake! And uhh... overlook my ramblings that are completely off topic. It's another fault of mine :p
     
  11. Replicator

    Replicator MajorGeek

    We all learn from mistakes....hopefully!
    I would agree entirely, no more porridge for me!
     