Question: How to make sure my computer is free from infections?

Direct detection of firmware rootkits is beyond the capabilities of most users. However, some detections can be done by the AV Firmware/UEFI Scanners (Kaspersky, MD for Endpoint, Eset, etc.).
There are some tools, like SPI flash programmers, to read/compare firmware images. Also, tools such as CHIPSEC can be helpful.
In enterprises, administrators can use Windows Device Health Attestation (DHA) to detect unauthorized firmware modifications.

For example:

 
At that point just sanitize with gasoline and a match.

Please enlighten users how one detects embedded malware in hardware in their systems.
You really can't. Many of the infections are highly targeted spear attacks and they occur via supply chain methods. It's not something you randomly download. That goes double for firmware attacks, since those are highly targeted to the controller and even controller revisions. Some, like the solid-state drive controller infections, require a specialized programming tool; that just doesn't happen via a regular download, since those sectors are in ROM.

Those attacks cost $ millions and are not propagated beyond a very few infected systems. You only need a single infected device to infect an ecosystem. The more devices you infect via specialized methods, the more likely you are to be discovered. However, if you only infect a single controller, then you can use that to move laterally and vertically via regular infection methods. The IT Dept will be curing the regular infections without suspecting a controller. It gets more complicated if your agency has thousands of systems.
 
Does BIOS factory reset help with firmware malware?
No, you have to reflash it. You can't just reset to default, since default is the infection.

The early, badly made firmware infections would not allow a firmware upgrade, since checksums won't match any update. You don't only change the firmware, you change the chip the firmware is on. Hence $ millions; not only in R&D but also in bribes to intercept. The weakest link is never hardware. It's always wetware (humans).

That's why each time you return from a trip to a questionable country, the first thing you do is send your devices to a forensics department before plugging them into a network.
 
It is possible that buying a TV box from a friend can be more dangerous:
 
I have yet to encounter a firmware infection in my life, so I'm not going to worry about things that haven't happened yet. If this issue becomes rife, I'm giving up tech altogether & living in a decent cave (I have a cave selected).
Firmware malware is the least of my worries until I am rich and powerful enough to be targeted; just give me money and power, and I will take care of the firmware.
 
I apologize I jumped too far into the tin foil. 🤪

I was just curious as to how one would go about detecting this next level of paranoia since we were on a roll.
I've researched dumping the firmware of routers, and you need specialized tools to dump it; there are open source tools, but they are not reliable or not tested.

Last time I checked anyway, when I was researching it; maybe I just don't have the technical skills :unsure:


Reset works with some router malware.
I know reflash is the cure, but it comes at a cost; in countries with potential unexpected power outages, it will cost you your MB.
Against an advanced attacker such as Equation Group, who were infecting hard drive firmware to drop implants, I don't think you can say a re-flash will cure all.

That was 10 years ago; now their capabilities would be scary...

The good news: you won't experience these exotic exploits/implants if you're not high value or don't work in a hostile government/intelligence/military.

The good or bad news is that commercial malware/spyware vendors are getting caught; that's the most potent attack vector, mobile infection, because of E2EE apps.
 
It depends which firmware. If it's a hard drive, which the majority of data centers still use, especially in secured environments (self-encrypting spinning hard drives), then each hard drive has its control board calibrated specifically to that drive. Even swapping control boards with exact model numbers won't be effective, since those boards are calibrated per drive. That's why it's so freaking expensive to infect a drive's firmware en route to the customer. It's not something that is done to a regular Joe; hell, it's not even done to important figureheads. That type of effort is only cost-effective en masse, like a data center.


Most importantly, it's not fast and it's not noisy malware. Many times it fails more than it succeeds, and it takes years to implement. Time and patience are the key to surveillance. Craft is not being James Bond. Craft is being a janitor.
 
Methodology for detecting "embedded malware in hardware"

The Vectors

To detect it, you must first define what "it" is. We categorize this into two distinct vectors:

Firmware Rootkits (The "Soft" Hardware Hack)

Malicious code injected into the SPI Flash (BIOS/UEFI), GPU firmware, or Drive Controller. The hardware is legitimate, but the code driving it is compromised. (Examples: LoJax, BlackLotus, MoonBounce).

Physical Implants (The "Hard" Hardware Hack)

A physical device added to the motherboard or cable during manufacturing or shipping (Supply Chain Interdiction) to sniff traffic or inject commands.

Detection Methodologies

The Network "Lie Detector" (Most Practical)

Malware, even in hardware, usually needs to communicate with a Command & Control (C2) server to be useful. It cannot hide the physics of data transmission.

The Problem

You cannot use Wireshark on the suspicious computer, because the rootkit can hide the traffic from the OS.

The Solution

Use an external network tap or a mirrored port on a managed switch.

Action

Place a separate device (like a Raspberry Pi running tcpdump or a dedicated firewall/router) between the suspicious machine and the internet.

Monitor for outbound traffic when the machine is supposedly idle or even powered down (Intel ME/AMD PSP maintain network access in low-power states).

Look for "beaconing" (regular, heartbeat-like connections) to unknown IPs.

Firmware Integrity Validation

This detects if legitimate firmware has been patched with malicious code.

The Gold Standard (SPI Dumping)

The only 100% reliable way is to use a hardware programmer (like a Bus Pirate or CH341A) to physically "clip" onto the motherboard's flash chip and read the data directly.

The Software Method (CHIPSEC)

For a non-invasive check, use CHIPSEC, a framework for platform security assessment.

Action

Run CHIPSEC to check if BIOS write protections are enabled. If write protections (BIOS_WE, SMM_BWP) are disabled, the system is vulnerable to software-based firmware infection.

Comparison

Compare the hash of your current BIOS region against the "known good" hash provided by your motherboard vendor.

Visual Inspection (Physical Implants)

This detects supply chain interdiction. This requires high attention to detail and a reference image.

Action

Open the chassis.

Locate a high-resolution image of your exact motherboard model from the vendor's website.

"Spot the difference": look for

Extra chips soldered onto traces (often covered in epoxy/black blob).

"Rework" signs

Flux residue (sticky/shiny spots) on a board that should be clean.

Cabling that looks non-standard or bulky (e.g., the "O.MG Cable" looks like a normal Lightning cable but contains a malicious implant).

Remediation & Resilience

If you confirm hardware compromise, reinstalling Windows/Linux will not fix it. The malware lives on the motherboard, not the hard drive.

Flash the Firmware

Download a clean BIOS/UEFI update from the vendor on a different, clean computer. Put it on a USB drive and flash the suspicious machine using its built-in utility (M-Flash, Q-Flash, etc.).

Note

Sophisticated implants can sometimes survive this or block the update.

Replace the Hardware

In confirmed cases of physical implants or persistent firmware rootkits (like MoonBounce), the only safe option is to decommission the motherboard.

Secure Boot & TPM

Ensure Secure Boot is enabled. This creates a "Chain of Trust" where the system refuses to boot if the firmware signature is invalid.
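The beaconing check from the "Network Lie Detector" section above, as an added example that is not code from the thread: it parses tcpdump-style SYN lines captured on an external tap (the lines here are constructed) and flags destinations contacted at near-constant intervals. The allowlist, the minimum connection count and the regularity threshold are assumptions.

```python
# Added example, not from the thread: beaconing check on tcpdump-style SYN
# lines captured on an external tap. Log lines are constructed; allowlist,
# minimum connection count and regularity threshold are assumptions.
import re
import statistics
from collections import defaultdict

# Constructed sample: 203.0.113.5 is contacted every 60 s like clockwork,
# 198.51.100.9 at irregular, human-looking intervals.
SAMPLE_LOG = """\
00:00:00.000000 IP 192.168.1.10.49152 > 203.0.113.5.443: Flags [S], seq 1
00:00:17.200000 IP 192.168.1.10.49153 > 198.51.100.9.443: Flags [S], seq 2
00:01:00.010000 IP 192.168.1.10.49154 > 203.0.113.5.443: Flags [S], seq 3
00:01:43.900000 IP 192.168.1.10.49155 > 198.51.100.9.443: Flags [S], seq 4
00:02:00.000000 IP 192.168.1.10.49156 > 203.0.113.5.443: Flags [S], seq 5
00:02:05.500000 IP 192.168.1.10.49157 > 198.51.100.9.443: Flags [S], seq 6
00:03:00.020000 IP 192.168.1.10.49158 > 203.0.113.5.443: Flags [S], seq 7
00:04:00.000000 IP 192.168.1.10.49159 > 203.0.113.5.443: Flags [S], seq 8
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP \S+ > (\d+\.\d+\.\d+\.\d+)\.\d+: Flags \[S\]"
)

def parse_syns(text):
    """Return {dst_ip: [timestamp_s]} for TCP SYNs, i.e. new outbound connections."""
    out = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            h, mi, s, us, dst = m.groups()
            out[dst].append(int(h) * 3600 + int(mi) * 60 + int(s) + int(us) / 1e6)
    return out

def beacon_candidates(text, allowlist=(), min_conns=4, max_cv=0.1):
    """Flag destinations whose inter-connection gaps have a low coefficient
    of variation (stdev / mean): a heartbeat, not a human. Returns
    {dst_ip: (mean_gap_s, cv)} for hits that are not allowlisted."""
    hits = {}
    for dst, times in parse_syns(text).items():
        if dst in allowlist or len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            hits[dst] = (round(mean, 2), round(cv, 4))
    return hits
```

Feed it `tcpdump -nn -tttt`-style output trimmed to the same fields, and put the machine's legitimate update and NTP servers on the allowlist so only unexplained heartbeats remain.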
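For the "Firmware Integrity Validation" step, an added example (not the thread's or CHIPSEC's code) that hash-checks an SPI dump against a vendor-supplied SHA-256 and, when a known-good image of the same board is available, lists the byte ranges that differ. Both images are constructed here and the patched offsets are arbitrary.

```python
# Added example, not from the thread or CHIPSEC: hash-check an SPI dump against
# a vendor SHA-256 and, given a known-good image, list differing byte ranges.
# Both images below are constructed; the patched offsets are arbitrary.
import hashlib
import random

def build_images():
    """Constructed 64 KiB known-good image plus a copy with two tampered spots."""
    rnd = random.Random(7)                       # deterministic filler bytes
    good = bytes(rnd.getrandbits(8) for _ in range(64 * 1024))
    suspect = bytearray(good)
    for i in range(0x1F00, 0x1F10):              # 16-byte inverted run
        suspect[i] ^= 0xFF
    suspect[0x8000] ^= 0xFF                      # single flipped byte
    return good, bytes(suspect)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def diff_ranges(good, suspect):
    """Return half-open (start, end) byte ranges where the dumps differ.
    A size mismatch is reported as a range from the shorter length to the
    longer one, since a dump of the wrong size can never be a clean match."""
    n = min(len(good), len(suspect))
    ranges, start = [], None
    for i in range(n):
        if good[i] != suspect[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(good) != len(suspect):
        ranges.append((n, max(len(good), len(suspect))))
    return ranges

def verify_dump(suspect, known_good_hash, good=None):
    """Hash first (what a vendor-published checksum lets you do); fall back to
    a byte diff when a known-good dump of the same board is available."""
    if sha256_hex(suspect) == known_good_hash:
        return {"match": True, "ranges": []}
    diff = diff_ranges(good, suspect) if good is not None else None
    return {"match": False, "ranges": diff}
```

Differences confined to NVRAM or variable regions are normal between two reads of the same board, so map the reported offsets against the flash layout before treating them as an implant.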