Dell Shipped Server Motherboards With Spyware

Status
Not open for further replies.

jazz84

Mar 24, 2010
I'd be curious as to how the spyware even made its way onto the boards to begin with. Sounds like Dell needs to take a closer look at their vendors...

Then again, this is Dell we're talking about. "Meh, good enough" is practically their corporate policy.
 

jazz84

Mar 24, 2010
[citation][nom]halls[/nom]At least they admitted their mistake, and are making it right.[/citation]

I dunno, this may be too apologist for my taste. Not sure how this is an actual mistake; do they have a pile marked "good" and another marked "inexplicably loaded with malware" in their spares depots? As a couple folks have already pointed out, this simply has "FAIL" written all over it.
 

warfart1

Sep 29, 2009
What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS, in either case Dell HAD to know the boards were bad.
 

jazz84

Mar 24, 2010
[citation][nom]warfart1[/nom]What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS, in either case Dell HAD to know the boards were bad.[/citation]

THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.

Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
 

excalibur1814

Sep 12, 2009
[citation][nom]jazz84[/nom]THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...[/citation]

Who has told you that they're not investigating this? Why should the results be public? Maybe they will be once they find something.


 

sirmorluk

Jul 16, 2009
Who is on the other end of the telemetry feed is what I want to know?
Where are the boards being manufactured?
My guess is (speculation only) they are being made in China and this is more than likely a case of international corporate espionage.
 

j51

Jun 13, 2009
[citation][nom]halls[/nom]At least they admitted their mistake, and are making it right.[/citation]

True.... but how long did it take for Dell to admit this problem?
 

COLGeek

Cybernaut
Moderator
OK fellow geeks, how could this have been anything other than a malicious action on someone's part? There is no way this was an accident and I am sure identifying the offending programmer is easy. So, what will Dell do next?

Also, think about the comments Dell made that non-Windows users won't be affected and Windows users only require updated AV programs to protect themselves. How do either of these protect against a firmware embedded malicious app?

Interesting situation Dell has created for itself.
 
Guest
If the motherboard is infected, then that means that it's in the BIOS itself and it's not a worm, but a RootKit, one which installs itself to the BIOS.

The RootKit writes itself to the empty spaces in the BIOS code and depending on if it's an older type RootKit or a newer type RootKit, the older type (v1) will just infect the BIOS whereas the newer types will infect the BIOS and the MBR (v2); the last type of which I am aware will also load itself to memory (v3).

Those are the developmental stages of each new variety of BIOS RootKit which Loads before the Operating system itself can even load, making it extremely difficult to detect and even to remove.

Video Cards can become infected very easily too once the motherboard BIOS becomes infected and even the firmware of Hard Drives can become infected. Anything which uses a Firmware/BIOS can be infected these days if it is networked and not secured.

When a Motherboard does become infected, the easiest way to remove the infection from the system and any other infections from your hard drives is to pull the drives and set them to one side, making sure to label which drive is which. The drives can be connected to another system as Secondary drives and fully scanned with several choice pieces of software, then visually looked over with Windows Explorer so as to remove the majority of infections.

The Motherboard itself: you should be able to remove the BIOS chip from its socket, then use the CLR CMOS jumper to clear out anything that might remain behind. You should be able to order a New BIOS chip from the Motherboard Manufacturer or possibly some other company.

If the BIOS Chip is soldered on the Board, then chances are, you're SOL and you'll need to order a new motherboard.

Once you reconnect your drives and boot up the system, you'll still need to run a few scans so as to clear out any registry entries which could not be accessed while the drives were connected externally and maybe catch a few strays that may have been missed in the mean time.


 
Guest
RootKits are only a small part of the whole and usually the RootKit is installed by a worm.

RootKits don't contain worms or anything else, what they do is to provide protection for other pieces of Malevolent software such as Worms, Viruses, Packet Sniffers, Spyware, FastFlux Proxy Networks, Spam Servers, and what ever else Malware Authors may harbor on your system.

After all, it's a Billion Dollar industry these days that's not tied to any one country. Instead, it's all Internet Mafia Gang related. Some are big time while others may be small fries.
 

sirmorluk

Jul 16, 2009
lol. semantics. parse away.
Myself and 95% of the readers on this site know exactly what rootkits are.
But if flexing your epeen makes you feel better go right ahead.
 
Guest
Not really trying to do anything here except add a little value to the article for those who may read it and not understand how a motherboard could become infected in the first place. :)

I am a member of the Security Community and offline, I deal with such issues as RootKits and Malware on a regular basis. Family and friends all say I'm the guy to go to when it comes to computer problems. Which can be a bit of an inconvenience when you have other things you may want to do at the time.

As to using the term RootKit, when it comes to the BIOS itself, this becomes more of an inaccurate term seeing as it loads before even the Operating System has a chance to begin to load. BootKit is a more accurate description.

Also, versions 2 & 3 tend to protect themselves by making it extremely difficult to remove the BootKit and any associated infections.

1 - Remove the BootKit with new BIOS chip but fail to clean the drive - BIOS becomes reinfected shortly after.

2 - Clean the Drive without replacing the BIOS chip - Drive becomes reinfected.

3 - Try doing a Clean installation of Windows - Drive still gets infected whether it be from the BIOS or from memory.
 

sirmorluk

Jul 16, 2009
I see. You gave good info just came across the wrong way I guess.
I used to be the Information Assurance security officer for an Army installation although that was some time ago. Now I am relegated to the simple tasks of Sys admin. for a large corporation. Much more relaxing.
 
Guest
[citation][nom]jonathan1683[/nom]Thanks for the info, I never heard of having to replace a MB to get rid of a virus. Couldn't you just rewrite the bios/flash it?[/citation]
The BIOS is what controls the motherboard, hence your computer. So whatever you try to boot from, the BootKit is going to load first and it will protect itself. This is why a socketed BIOS chip is important. But there is also the option to password protect your BIOS too, which will protect your BIOS providing you use a strong password which can't be attacked and you don't lose the password for when you need to get into your BIOS.

Some of the newer boards which have multiple flash options such as the ASUS or GigaByte motherboards, I honestly don't know. I'd say it all depends on what protections they have in place to protect the backup flash; along with whatever else they have there, those would be the determining factors. Cause if anything were to get through, especially when you try to restore a previous BIOS stored on the motherboard, then the motherboard would become toast.

So it would be very important to check out the BIOS backup and protection features before making a purchase. A BIOS chip socket is always a plus.
 

michaelssw

Mar 4, 2010
[citation][nom]back_by_demand[/nom]Epic fail[/citation]

They might have deserved a "fail" comment but "epic fail" should be reserved for such things as the iPhone 4 and DRM.
 

zaznet

May 10, 2010
[citation][nom]jazz84[/nom]Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...[/citation]

Weren't those i7s actually just counterfeit boxes with no working CPU inside?

As for this issue, it certainly wasn't some misstep but something more intentional in their supply line. This is far beyond a few poor lifetime transformers.
 

gm0n3y

Mar 13, 2006
[citation][nom]jazz84[/nom]Then again, this is Dell we're talking about. "Meh, good enough" is practically their corporate policy.[/citation]
Nice.
 

jonathan1683

Jul 15, 2009
Thanks for the info, I will turn on my password for my BIOS. Can anyone also describe how a virus would infect the firmware on a hard drive? Also, from experience with security related things in the past, rootkits can be invisible to AV scanners so they would be hard to detect, but how would you detect a BIOS infection or a firmware infection? I know there are tools that scan for rootkits, but I've never heard of a BIOS scanner.
 
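One way to approach the detection question in the post above, as an added example that is not code from this thread, from Dell or from any vendor tool: dump the flash with the board vendor's utility or an external programmer, compare the dump's SHA-256 with the vendor-published value (the primary check), and as a secondary lead look for embedded PE executables, which is what a Windows-targeting payload planted in firmware tends to look like. The two sample images and the known-good hash below are constructed for the example; real UEFI firmware legitimately contains PE/COFF drivers, so a PE hit is a lead to inspect, not proof of infection.

```python
import hashlib
import hmac
import re

PE_SIGNATURE = b"PE\0\0"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def sha256_of(image: bytes) -> str:
    """Hash a firmware dump so it can be compared with a vendor-published value."""
    return hashlib.sha256(image).hexdigest()


def matches_known_good(image: bytes, expected_sha256: str) -> bool:
    """True when the dump matches the known-good hash; this is the primary check."""
    return hmac.compare_digest(sha256_of(image), expected_sha256.lower())


def find_embedded_pe(image: bytes) -> list:
    """Offsets of MZ headers whose e_lfanew field (at 0x3C) points at a real
    PE signature. Caveat: UEFI volumes legitimately hold PE/COFF modules,
    so treat a hit as something to inspect, not as proof of tampering."""
    hits = []
    for m in re.finditer(b"MZ", image):
        off = m.start()
        if off + 0x40 > len(image):
            continue
        e_lfanew = int.from_bytes(image[off + 0x3C:off + 0x40], "little")
        pe = off + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and image[pe:pe + 4] == PE_SIGNATURE:
            hits.append(off)
    return hits


def has_dos_stub_text(image: bytes) -> bool:
    """The classic DOS stub string is rare in UEFI modules, so it is a stronger hint."""
    return DOS_STUB_TEXT in image


def triage(image: bytes, expected_sha256: str) -> dict:
    """Combine the hash comparison with the embedded-executable heuristics."""
    return {"hash_ok": matches_known_good(image, expected_sha256),
            "pe_offsets": find_embedded_pe(image),
            "dos_stub_text": has_dos_stub_text(image)}


# Constructed sample images, not real firmware: erased flash reads as 0xFF.
CLEAN_IMAGE = b"\xff" * 0x400
_fake_pe = (b"MZ" + b"\0" * 0x3A + (0x80).to_bytes(4, "little") + DOS_STUB_TEXT
            + b"\0" * (0x80 - 0x40 - len(DOS_STUB_TEXT)) + PE_SIGNATURE)
TAMPERED_IMAGE = CLEAN_IMAGE[:0x200] + _fake_pe + CLEAN_IMAGE[0x200 + len(_fake_pe):]
```

The known-good hash must come from the vendor's published checksum or a dump taken from a board you trust; comparing a dump only against itself proves nothing.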