All times are UTC - 5 hours [ DST ]




 Post subject: Samsung SSD EVO830, Persistent Rootkit and JTAGGING...
PostPosted: November 27th, 2018, 17:11 
Joined: November 27th, 2018, 16:42
Posts: 5
Location: Greece, Amaliada
I have some really strange issues: a completely remote-controlled system even after re-partitioning and a complete re-install of the latest Windows. And yes, I installed without any internet connected, blocked all ports in the Windows firewall, connected the network and the system got hijacked again. Never seen something like this before.
It is not a random virus from the internet but a targeted attack! So maybe someone spent a lot of money to do it like this. They are very good at hiding and even deleting footsteps. For example, when saving logfiles to a USB flash drive and connecting the USB stick again (WHEN OFFLINE), I was able to see how the logfiles on the USB stick were deleted by "system".

I even re-flashed my BIOS (using an external hardware programmer). This happened several times and brought me near a heart attack.
So one idea is that someone messed with the firmware of my SSDs. There are not a lot of other options left....

It looks like they are able to move my complete system into a virtual machine without any known virus scanners finding anything. They are also able to change the setup, because sometimes "GMER" finds hooks (and crashes immediately to a BSOD) - but sometimes it does not find anything!
Those guys are REALLY GOOD! They even broke my MikroTik firewall as well as the router. But I guess they did it via a hidden terminal when already logged on to my system (there should be no access through WAN to the MikroTik).

I would really love to reverse-engineer this stuff.

Having two hard drives affected: one Samsung 830 with S4LJ204X01 3-core ARM9-based MCX controller
and one Kingston 512 GB with a SandForce controller (which I do not know anything about). There is an official firmware upgrade for the Kingston, but the tool refuses to write at the 0x92 ATA command (upload microcode). This really indicates there must be something damn wrong with it....

I guess it is simpler to dump the Samsung controller.
I found a JTAG port with unfortunately 4 pins only (TCK, TMS, TDI, TDO but no sRST), but I am having trouble connecting it to OpenOCD (using Raspberry Pi bitbanging as the interface).

IDCODE says 0x025966f0f (unknown), which is pretty stable, but there are two more devices in the chain which are unstable. I am not able yet to "HALT" the controller (maybe this needs an sRST?).

So well - I am stuck here.... I found a lot of stuff on the internet about the Samsung 850, which is a Cortex-M4 based controller. This does not really help.
I'm stuck here.....
Any ideas?


 Post subject: Re: Samsung SSD EVO830, Persistent Rootkit and JTAGGING...
PostPosted: April 18th, 2019, 19:19 
Joined: April 22nd, 2015, 20:32
Posts: 226
Location: Portugal
Perhaps this is the continuation of the work started by the Equation Group?

Do you have another equal disk to inspect the firmware?

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5


 Post subject: Re: Samsung SSD EVO830, Persistent Rootkit and JTAGGING...
PostPosted: April 20th, 2019, 1:08 
Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
Tyra Misoux wrote: (quotes the opening post in full)


I can think of a few things, some of which you may not like or agree with.

1. Maybe you are mistaken and not being targeted with malware/rootkit/APT.
2. Instead of trying to sanitise the SSD, I would rip it out and replace it with a more secure one. Would not think anyone currently is writing rootkits for these, or at least you will mess up their current M.O.
3. What evidence do you have to support your theory that you are being attacked?
4. Take a complete network traffic packet capture and analyse it.
5. Get someone like Black Hills Security or Mandiant etc. to look for you, as you don't appear to have the skills to do this yourself.
6. Are you sure you are "important enough" to be targeted in this manner? If so, public forums are not the way forward. Reporting it to someone for them to handle is better. Otherwise you are knowingly leaving yourself vulnerable.


 Post subject: Re: Samsung SSD EVO830, Persistent Rootkit and JTAGGING...
PostPosted: April 20th, 2019, 9:03 
Joined: December 19th, 2006, 8:49
Posts: 10828
Location: Portugal
Agree with @HaQue... Not very likely for this to be a sophisticated targeted attack ... unless you are someone with something that does have real value ...

Try to find simple explanations first, like someone from the inside installing stuff on your systems .... like someone with physical access to them ....

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


 Post subject: Re: Samsung SSD EVO830, Persistent Rootkit and JTAGGING...
PostPosted: April 20th, 2019, 10:19 
Joined: December 4th, 2012, 1:35
Posts: 3380
Location: Adelaide, Australia
I thought of a few questions and comments:
1. What are the actual symptoms you are seeing? Any relevant files you can show, or logs etc.?
2. Have you got any info from GMER at all that you can post?
3. GMER was great but doesn't appear to have been updated since 2016. While I am certain many of the rootkits are still in the wild, and GMER could detect them, I would be hesitant to agree that GMER would work right, or that rootkits would be effective, on the latest patched Win 10. Win 10 has made a lot of progress re security. This is why you are seeing more attacks trying to use Office, the web and emailed attachments.
4. Can you elaborate on this:
Quote:
It looks like they are able to move my complete system in a virtual machine without any known virus-scanners finding anything

5. What antimalware are you using?
6. If you are getting attacked, is there any other system or device on the network that could be getting back to this system?


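Item 4 of HaQue's earlier reply (take a full packet capture and analyse it) and item 6 above (is another device on the LAN reaching back into this system) can both be answered mechanically from one capture: list every TCP connection attempt the suspect host initiates, and every attempt made towards it from inside the LAN. The script below is an added example, not code from this thread or from any tool named in it. It reads classic libpcap files (Ethernet link type) with the Python standard library only, and the capture it runs on is constructed in the same file from made-up addresses (192.168.88.0/24 as the LAN, 203.0.113.7 as an outside host); point `triage()` at the bytes of a real capture from a mirror port or the router to get the same two tables for a real host.

```python
"""Triage a packet capture for unexpected TCP connection attempts.

Added example, not code from this thread. Reads classic libpcap files
(Ethernet link type) with the standard library only. The capture it runs
on is constructed below; every address in it is made up.
"""
import ipaddress
import struct

ETH_P_IP = 0x0800
IPPROTO_TCP = 6
TCP_SYN, TCP_ACK = 0x02, 0x10


def iter_pcap_packets(data):
    """Yield (timestamp, frame) for each record of a classic pcap image."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (str(ipaddress.IPv4Address(ip[12:16])),
            str(ipaddress.IPv4Address(ip[16:20])),
            sport, dport, tcp[13])


def triage(pcap_bytes, suspect_ip, lan):
    """Count handshake openers (SYN without ACK) involving suspect_ip.

    outbound:         {(dst, dport): n} attempts the suspect host initiated
    inbound_from_lan: {(src, dport): n} attempts made to it from inside `lan`
    A machine that is supposed to be offline should show an empty `outbound`.
    """
    net = ipaddress.ip_network(lan)
    outbound, inbound = {}, {}
    for _, frame in iter_pcap_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, dst, _, dport, flags = parsed
        if flags & (TCP_SYN | TCP_ACK) != TCP_SYN:
            continue  # only the first packet of a handshake counts
        if src == suspect_ip:
            outbound[(dst, dport)] = outbound.get((dst, dport), 0) + 1
        elif dst == suspect_ip and ipaddress.ip_address(src) in net:
            inbound[(src, dport)] = inbound.get((src, dport), 0) + 1
    return {"outbound": outbound, "inbound_from_lan": inbound}


# --- constructed sample capture (checksums zeroed; enough for the parser) ---
def build_frame(src, dst, sport, dport, flags):
    """Assemble a minimal Ethernet/IPv4/TCP frame."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_P_IP)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Write frames as a little-endian classic pcap image."""
    out = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1555700000 + i, 0, len(frame), len(frame)) + frame
    return out


SUSPECT = "192.168.88.10"  # made-up address of the host under suspicion
SAMPLE_PCAP = build_pcap([
    build_frame(SUSPECT, "192.168.88.1", 50000, 53, TCP_SYN),            # DNS to the router
    build_frame(SUSPECT, "203.0.113.7", 50001, 443, TCP_SYN),             # outside host
    build_frame("203.0.113.7", SUSPECT, 443, 50001, TCP_SYN | TCP_ACK),   # reply, not counted
    build_frame(SUSPECT, "203.0.113.7", 50002, 443, TCP_SYN),             # and again
    build_frame("192.168.88.20", SUSPECT, 40000, 445, TCP_SYN),           # LAN host -> SMB
])

if __name__ == "__main__":
    for kind, table in triage(SAMPLE_PCAP, SUSPECT, "192.168.88.0/24").items():
        for (peer, port), n in sorted(table.items()):
            print("%-17s %s:%d  x%d" % (kind, peer, port, n))
```

Every outbound destination of a host that was supposed to be offline, and every LAN peer opening sessions to it on ports such as 445, is a concrete lead to follow up; a capture taken from the router or a mirror port rather than on the suspect machine itself also sidesteps the concern that software on that machine is hiding traffic.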