Salvaging a fatally hacked PC

Topic

New Reply

LANGALIST By Fred Langa A subscriber’s PC was commandeered by malware; even the administrator’s account is now inaccessible! How can this PC be safely
[See the full post at: Salvaging a fatally hacked PC]

2 users thanked author for this post.

abbodi86, lmacri

Reply | Quote

Replies

Fred Langa wrote:

How can this PC be safely returned to service, especially now that Windows 11 is closing some of the old back-door admin-access workarounds?

The same methods I would use (after replacing a dead drive) if my drive(s) had gone belly up.  If the drive(s) are merely compromised, I could skip the replacement steps.

I would restore my latest Image for Windows full drive image, which, although admittedly two to three months old, will effectively completely wipe the drive and restore my partitioning and all data, some of which (depending on the partition) has not changed in the intervening time period.

Then I would use my latest pertinent partition images (OS, Programs, User Data) which are never more than one week old.  Any relevant new data (since the last weekly image) I can retrieve from my NAS or the cloud.  The full process might take an hour, and leave me confident that I had no vestigial nastiness anywhere.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

Reply | Quote

One think you didn’t mention was re-flashing with a known good bios.

1 user thanked author for this post.

Carl

Reply | Quote

To recovery from a firmware based exploit you’d need to have a motherboard with the BIOS and network boot flash (if separate) in sockets, and to have taken images of those before hand and made and tested replacements as the soldering now is a bit mission impossible. (The network boot flash is seldom mentioned and separate, but just as vulnerable, with some designs that area can be hooked with a CMOS setting change or default on some systems though SMM / secure boot should catch that and stop the boot). Dealing with SOIC 8 (solder down) chips was difficult, the new chips are half that size again and you can’t socket the BGA chips easily so extreme measures are needed. Basically it can be done but you can see the literal scale in the work you’d be undertaking here (not a PC in this case; just for scale..): https://blog.quarkslab.com/flash-dumping-part-ii.html

It would seem sensible the main target for firmware attacks would be ransoming access to the system and the Windows license so they’re not going to leave the BIOS in a state where you can flash anything, and flashing in the usual context doesn’t usually alter the platform binary table or remove definition blocks which define drivers inserted into the memory by the UEFI firmware which could be / have been vehicles for firmware instigated malware. (https://uefi.org/specs/ACPI/6.4/05_ACPI_Software_Programming_Model/ACPI_Software_Programming_Model.html#definition-blocks)

https://www.bleepingcomputer.com/news/security/trickbots-new-trickboot-module-infects-your-uefi-firmware/

https://www.bleepingcomputer.com/news/security/new-moonbounce-uefi-malware-used-by-apt41-in-targeted-attacks/

And it might be the consumers they come after next year..

https://www.bleepingcomputer.com/news/security/2022-may-be-the-year-cybercrime-returns-its-focus-to-consumers/

So what to do? Probably regular backups (as the software will have been compromised to leverage an attack), add your Windows license to a Microsoft account even if it’s OEM and have a spare motherboard and a device which doesn’t run Windows to find out how and when it might be safe to use that?

By the way, if you want to make an account inaccessible try setting read only on it’s NTUSER.DAT. The user profile service doesn’t like it. How the odd customer managed to achieve that state was always a mystery given the file normally has H and S attributes set… though I last saw that in about 2018..

Also not mentioned as a method for malware removal is the use of reg load (in the command prompt of the recovery options started from external media) to load the system and ntuser.dat hives into the registry of the recovery environment.

You can then use regedit to manually hunt and remove the hard to detect (self hiding) obfuscated code sometimes found in various run keys and shell open command areas of the mounted registries, and remove items such as Windows defender entries which sidestep that protection, to weaken the infection enough to be able to get the Windows protection running to clean up the mess, but to be honest I’ve only done that to get in to export browser settings and the like before backup and bare metal restore.

When attackers have written code to burry itself in and its that custom that malware scanning from a boot disk can’t find it, the time has arrived to declare the whole installation lost and only backup user files which are needed (and treat those as potentially infected after reinstalling / restoring the last backup).

Of course to know which backup to use you need to know when the problem actually arrived, as opposed to when it showed its hand (which could be any time thereafter) and to be honest in that situation the only backup I could really trust is the factory default, and only then if I patched all the software in that factory default  before doing anything else so when I get there it’ll be time for the recovery media..

Windows is a case for creating your base install, adding software, sysprep preparing the software and taking a FFU image (for bare metal recovery), and then once finally set up your account, you can take incremental WIM backups of the partitions or use the usual backup candidates if you care to..

I don’t think “fatally hacked” is a situation unless it refers to something maintaining life which fails in its function. Perhaps “functionally irretrievable within the bounds of sensible economics and technical expertise”? Anyone good with acronyms?

https://www.bleepingcomputer.com/news/security/over-100-000-medical-infusion-pumps-vulnerable-to-years-old-critical-bug/

https://www.bleepingcomputer.com/news/security/access-7-vulnerabilities-impact-medical-and-iot-devices/

https://www.bleepingcomputer.com/news/security/apc-ups-zero-day-bugs-can-remotely-burn-out-devices-disable-power/

 

 

 

 

Reply | Quote

I recovered two installations (two PC’s) completely after a house fire destroyed the hardware by restoring my drive images to new hardware.  By drive images, I mean as described in my reply #2431434 above.  That method is the most time-efficient and fault free.

There’s no need for overkill.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do to our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

Reply | Quote

I agree. I keep 40 generations of incremental backups and 30 image backups on multiple, ransomware protected, backup drives.

If the cost of restoration (my time is valuable) is more than the cost of replacement, guess which one wins. I’d still restore the BIOS from a known good BIOS image (I keep multiple gens of those too) just for peace of mind. I don’t think a sophisticated state actor would be attacking my firmware.

But, I’m looking at two of my backup drives sitting on my desk right now. After reading your comments, I think I’ll get off my lazy *** and put them in the fire proof safe where they belong ……

Reply | Quote

 

Browsers routinely communicate their associated IP address and full user agent string with every site they visit. This data can include the browser family, type, mobile or desktop variant, version, OS brand, bittedness, current resolution, compatibility information, and numerous other platform, browser, and extension details.

But Remote desktop apps have access to every keystroke you press. And we know Google loves to try and analyze what we type to get information on us.

Reply | Quote

Browsers routinely communicate their associated IP address and full user agent string with every site they visit. This data can include the browser family, type, mobile or desktop variant, version, OS brand, bittedness, current resolution, compatibility information, and numerous other platform, browser, and extension details.

Here’s a good article on how to reduce your browser fingerprints

https://www.experte.com/it-security/browser-fingerprint

As far as rescuing some one else’s PC from a bad infection, it’s rare to find users who do regular backups on an external device. If a Windows 10/11 refresh isn’t possible because of the severity of the infection, and there are no good backups, I usually boot a Linux Live USB  and transfer data ONLY to a new USB Hard Drive. Then I’ll do an initial scan with Clam on the USB hard drive. After that, I’ll put the USB hard drive aside, do a fresh format and new Windows install on the PC, and then run malware/anti virus scans on the USB drive before transferring the data back to the PC. If I’m feeling paranoid, I’ll replace the Hard drive on the PC itself before doing the new Windows install (probably a good idea anyway, as HD’s don’t last as long these days).

I’ll set up the user account as a NON ADMIN account, using strong passwords for both the User account and the Admin account (Windows users shouldn’t be running as admin!!).  I’ll talk to them about not downloading email attachments, or accepting all the defaults when installing software (you don’t need multiple anti virus programs or nasty malware just to get a free program). I’ll also talk to them about using firewalls on the PC and the router, and not abuse them by using programs that create holes just to play games and such.

I’ll also suggest doing regular malware and virus scans, along with regular backups on removable media. Speaking of removable media, I’ll suggest scanning all flash or other drives you attach EVERY time you connect them to the PC, and NEVER use a flash drive that’s been used on another PC. Even new ones should be scanned before use!!

I’ll talk about using 2 factor authentication when possible, safe surfing, etc.

And after all that (and more), I’ll expect to hear back from the same user in a year or less complaining about an infection.  Bad habits die hard, and Windows PC’s are a LOT of work to maintain, something people don’t want to hear.

Reply | Quote