Enterprise Rootkit - Remove n Replace

TL;DR:

What’s the best approach to editing the BIOS to get rid of this thing…?

Update:
Found the scripts it runs; I will have to update this in a moment…

For full transparency, this all stems from flashing a modded BIOS file.

Everything EXCEPT the bios.rom was taken from here…
BIOSMOD2 (Yandex Disk), found here

The modified BIOS I used is from the creator of the previous one, and that file is below.

From what I recall, I only used FPTW64, the mod file and the .efi, and changed two settings in the GRUB.

I wouldn’t have noticed it, but this rootkit is coming from one of two places: 1) my ISP’s router, which is connected to their switch.

I’ve completely wiped Windows, air-gapped the system, and am attempting repairs via SystemRescue loaded into RAM.

It replaces every .efi it finds and adds a Desktop.ini to every drive.

7ff7b70c0000.Pecmd.exe: I used Hollows Hunter and found this was one of the culprits…

And what is your question now?

How can I remove the bootkit? I mean, it’s enterprise-level malware.

I’m assuming I need to somehow figure out how it’s executing, change the code back to normal, or reflash the BIOS manually. It has instructions for getting a backup from somewhere and can also move itself into RAM.

It affects Linux and Windows. The only way I’ve been able to access anything was by loading SystemRescue into RAM.

It even spread to my router, hosted itself via DLNA, and installs as a printer driver to re-infect.

1 PC has an altered BIOS, which I’m assuming is basically gone.

2 other PCs are Secure Boot enabled with TPMs, so I’m assuming they can be recovered.

I wanted to see if anyone would be willing to read over the script and BIOS file to see if they can tell what was going on, or assist in working out what was altered.

My next plan of attack is reflashing the BIOS, booting an ISO into RAM, running anti-rootkit software etc., then running firmware updates and going from there. I’ve contacted 4 local IT companies to see if they would even touch any of the machines; one is willing to mess around with it.

Any advice would be great if anyone has any other options.

And what is the file backup.bin you linked in your first post?

Is this the firmware you think is infected?

The tools used were from the BIOS2 archive.

So I suspect foul play in either the script or FPTW

or

the BIOS file via Google Drive

Again: Is the dump ‘backup.bin’ in your first post the firmware which you think is infected / changed by a rootkit?

(That’s a ‘yes’ or ‘no’ question)

Yes. Sorry

Well, Asus G10CE: the BIOS region is, in its static parts, 100% identical to the Asus stock 330 BIOS region.

Different from Asus stock 330 are, of course, the NVRAM and one padding between the NVRAM, with Windows code, machine-specific data and the event log.

NVRAM normally has no executable code, but it does hold the certificates for signing Secure Boot / bootloaders, so I’d reset that.

The ME region has no relevant differences in configuration; I’ve never heard of a changed ME firmware for a rootkit.

So I’d recommend transferring the FD, the GbE and the padding with machine-specific data in the BIOS region from your backup into a stock 330 Asus firmware. You can’t get cleaner than this.

G10CE_msp.zip (8.0 MB)
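The region-level comparison and transplant described in the reply above (static parts of the BIOS region identical to stock, only NVRAM and a padding differing, then copying the FD, GbE and machine-specific padding from the backup into a stock image) can be scripted. The following is an added example, not a tool posted in this thread: it parses the Intel flash descriptor to locate the FD/BIOS/ME/GbE/PDR regions, hashes each region in two dumps, and copies selected regions (plus caller-supplied extra byte ranges) from the backup dump into the stock image. It assumes both dumps are full SPI images that begin at the descriptor and share one layout, and it uses a constructed synthetic image in place of the real backup.bin and stock 330 files, which are not on this page. The `extra_ranges` parameter and the offsets passed to it are hypothetical; the real offsets of the padding the reply mentions have to be located with a firmware tool such as UEFITool.

```python
"""Region-level diff/transplant for Intel SPI flash dumps (added example)."""
import hashlib
import struct

IFD_SIGNATURE = 0x0FF0A55A                          # Intel flash descriptor signature
REGION_NAMES = ("FD", "BIOS", "ME", "GbE", "PDR")   # classic five-region layout


def parse_ifd(image: bytes) -> dict:
    """Map region name -> (start, end) byte offsets, read from the descriptor.

    Assumes the dump starts at the flash descriptor (a full SPI dump). Unused
    regions (base > limit) are skipped. Newer descriptors can define more than
    five regions; only the classic five are decoded here.
    """
    sig_off = image.find(struct.pack("<I", IFD_SIGNATURE), 0, 0x1000)
    if sig_off < 0:
        raise ValueError("no flash descriptor signature in the first 4 KiB")
    flmap0 = struct.unpack_from("<I", image, sig_off + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4             # flash region base address
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        entry = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (entry & 0x7FFF) << 12
        limit = (((entry >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:                            # base 0x7FFF / limit 0 = unused
            continue
        regions[name] = (base, limit + 1)
    return regions


def compare_regions(dump_a: bytes, dump_b: bytes) -> dict:
    """Per-region verdict: 'identical', 'differs', or 'layout differs'."""
    ra, rb = parse_ifd(dump_a), parse_ifd(dump_b)
    verdict = {}
    for name, span in ra.items():
        if rb.get(name) != span:
            verdict[name] = "layout differs"
            continue
        s, e = span
        ha = hashlib.sha256(dump_a[s:e]).hexdigest()
        hb = hashlib.sha256(dump_b[s:e]).hexdigest()
        verdict[name] = "identical" if ha == hb else "differs"
    return verdict


def transplant(stock: bytes, backup: bytes, region_names=("FD", "GbE"),
               extra_ranges=()) -> bytes:
    """Copy of `stock` with the named regions, plus any extra (start, end)
    byte ranges (hypothetical parameter, e.g. a machine-specific padding in
    the BIOS region located with a firmware tool), taken from `backup`.
    Region layouts must match, otherwise the offsets would be meaningless."""
    rs, rb = parse_ifd(stock), parse_ifd(backup)
    out = bytearray(stock)
    for name in region_names:
        if rs.get(name) != rb.get(name):
            raise ValueError(f"{name} region layout differs between images")
        s, e = rb[name]
        out[s:e] = backup[s:e]
    for s, e in extra_ranges:
        out[s:e] = backup[s:e]
    return bytes(out)


def build_synthetic_image(bios_fill: bytes, gbe_fill: bytes) -> bytes:
    """Constructed 1 MiB test image (not a real dump): FD 0x0-0xFFF,
    GbE 0x1000-0x2FFF, ME 0x3000-0x7FFFF, BIOS 0x80000-0xFFFFF, PDR unused."""
    img = bytearray(b"\xFF" * 0x100000)
    struct.pack_into("<I", img, 0x10, IFD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x00040000)  # FLMAP0: FRBA = 0x40
    entries = (0x00000000, 0x00FF0080, 0x007F0003, 0x00020001, 0x00007FFF)
    for i, entry in enumerate(entries):
        struct.pack_into("<I", img, 0x40 + 4 * i, entry)
    img[0x1000:0x3000] = gbe_fill * 0x2000
    img[0x80000:0x100000] = bios_fill * 0x80000
    return bytes(img)


if __name__ == "__main__":
    backup = build_synthetic_image(b"\xAA", b"\x11")  # stands in for backup.bin
    stock = build_synthetic_image(b"\xBB", b"\x11")   # stands in for the stock 330 image
    for name, verdict in compare_regions(backup, stock).items():
        print(f"{name:5s} {verdict}")
    clean = transplant(stock, backup, ("FD", "GbE"),
                       extra_ranges=((0x90000, 0x91000),))  # hypothetical padding offsets
    print("BIOS code still from stock:", clean[0x80000] == 0xBB)
```

Run against real dumps, the verdicts tell you which regions carry anything machine-specific before you copy them; a BIOS region reporting "differs" is expected because of NVRAM and the padding, which is why only the FD and GbE are transplanted whole and the padding is copied as an explicit byte range. Reflashing the merged image requires an external programmer if the descriptor locks the regions, which is what the next reply in this thread insists on.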

Oh no… No, no, no… That’s not as simple as you think… You can’t turn on that PC without an off-site UEFI restore and a full SSD wipe… You must reprogram the BIOS on another PC using a flash programmer, fully wipe the SSD using dd (also on another PC), and then (hopefully) you’re safe and can turn on that PC and do whatever you want to do…

Bootkits are really advanced pieces of malware… They’re like a Hydra… You overwrite the BIOS, they come back from the SSD during OS boot… You wipe the SSD, they come back from the BIOS. That’s it in short, without going too deep into the details of how it works… They make changes in such a way as to hijack the execution flow, so they can load themselves right after POST instead of the OS and then redirect execution to the OS bootloader. That’s why you can’t simply turn on an infected PC and delete it like a simple Windows trojan or any other OS-based malware… There’s a chance that the bootkit also transfers itself from the firmware of the SSD into the UEFI, so you can’t remove it without replacing the SSD…

But! There’s always a chance that it isn’t such a sophisticated rootkit, and a full SSD dd wipe plus a BIOS reflash may be sufficient… What is your case? Dunno… I’m not a malware reverse-engineer. I’m just a tech-savvy person with general knowledge of how booting more or less works, that’s all…

Hmm, did you look at the BIOS file before the post, by chance?

I did eventually find a store that would flash it manually. Sadly, the PC is just sitting until further resolution.

I did wipe the SSD and reflashed the BIOS a few times, but it seems like the original BIOS never comes back completely. It has one or two modified options that weren’t there originally.

I did, however, reach out to Asus to see if the newer BIOS versions patched some of those 2024 rootkits that were going around, and after two months of harassing them they did push it out.