Tyra Misoux wrote:
I have some really strange issues: a completely remote-controlled system, even after re-partitioning and a complete re-install of the latest Windows. And yes, I installed without any internet connected, blocked all ports in the Windows firewall, connected the network, and the system got hijacked again. Never seen something like this before.
It is not a random virus from the internet but a targeted attack! So maybe someone spent a lot of money to do it like this. They are very good at hiding and even deleting their tracks. For example, when saving logfiles to a USB flash drive and connecting the USB stick again (WHILE OFFLINE), I was able to see how the logfiles on the USB stick were deleted by "system".
I even re-flashed my BIOS (using an external hardware programmer). This happened several times and brought me near a heart attack.
So one idea is that someone messed with the firmware of my SSDs. There are not a lot of other options left....
It looks like they are able to move my complete system into a virtual machine without any known virus scanner finding anything. They are also able to change the setup, because sometimes "GMER" finds hooks (and crashes immediately to a BSOD) - but sometimes it does not find anything!
Those guys are REALLY GOOD! They even broke my Mikrotik firewall as well as the router. But I guess they did it via a hidden terminal while already logged on to my system (there should be no access through the WAN to the Mikrotik).
I would really love to reverse-engineer this stuff.
Having two hard drives affected: one Samsung 830 with S4LJ204X01 3-core ARM9-based MCX controller,
and one Kingston 512 GB with a SandForce controller (which I do not know anything about). There is an official firmware upgrade for the Kingston, but the tool refuses to write at the 0x92 ATA command (upload microcode). This really indicates there must be something damn wrong with it....
I guess it is more simple to dump the Samsung Controller.
I found a JTAG port with unfortunately 4 pins only (TCK, TMS, TDI, TDO but no sRST), but I am having trouble connecting it to OpenOCD (using Raspberry Pi bitbanging as the interface).
IDCODE says 0x025966f0f (unknown), which is pretty stable, but there are two more devices in the chain which are unstable. I am not able yet to "HALT" the controller (maybe this needs an sRST?).
So well - I am stuck here.... I found a lot of stuff on the internet about the Samsung 850, which is a Cortex-M4 based controller. This does not really help.
I'm stuck here.....
Any ideas?
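One way to sanity-check the IDCODE reported above, as an added example that is not part of the original post: split the value into its IEEE 1149.1 fields and flag the things that usually mean a mis-sampled chain (marker bit not set, all-zero or all-one value, manufacturer code that matches no known JEDEC vendor). It assumes the posted 0x025966f0f is a 32-bit IDCODE with a leading zero, and the JEP106 vendor table is a tiny constructed subset, not the full standard.

```python
# Added example (not from the original post): decode a 32-bit JTAG IDCODE
# and check it for plausibility before trusting what OpenOCD scanned.
# The JEP106 table is an assumed, minimal subset of the real standard.

JEP106_SUBSET = {  # (continuation bank, 7-bit code) -> vendor name
    (0, 0x4E): "Samsung",
    (0, 0x49): "Xilinx",
    (4, 0x3B): "ARM",
}


def decode_idcode(idcode):
    """Split a JTAG IDCODE into its fields.

    IEEE 1149.1 layout: [31:28] version, [27:12] part number,
    [11:1] JEP106 manufacturer id (4-bit bank count + 7-bit code),
    [0] fixed marker bit that must read 1 on a real IDCODE register.
    """
    if idcode < 0 or idcode.bit_length() > 32:
        raise ValueError("IDCODE must fit in 32 bits")
    manufacturer = (idcode >> 1) & 0x7FF
    bank, code = manufacturer >> 7, manufacturer & 0x7F
    return {
        "version": (idcode >> 28) & 0xF,
        "part": (idcode >> 12) & 0xFFFF,
        "bank": bank,
        "code": code,
        "vendor": JEP106_SUBSET.get((bank, code)),
        "marker_ok": (idcode & 1) == 1,
    }


def assess_idcode(idcode):
    """Return (plausible, reasons) for a value read off the scan chain."""
    fields = decode_idcode(idcode)
    reasons = []
    if not fields["marker_ok"]:
        reasons.append("bit 0 is 0: not an IDCODE register (bad sampling or BYPASS)")
    if idcode in (0, 0xFFFFFFFF):
        reasons.append("all-zero/all-one value: TDO is probably stuck or floating")
    if fields["vendor"] is None:
        reasons.append("manufacturer bank %d code 0x%02x matches no known vendor"
                       % (fields["bank"], fields["code"]))
    return (not reasons, reasons)


if __name__ == "__main__":
    # 0x025966f0f is the value from the post; 0x4BA00477 is a well-known ARM DAP id.
    for value in (0x025966f0f, 0x4BA00477):
        print(hex(value), decode_idcode(value), assess_idcode(value))
```

For the posted value the marker bit is set, but the manufacturer field decodes to bank 15 / code 0x07, which matches nothing, so the "unknown" from OpenOCD is consistent with either an unusual part or a chain that is not being sampled cleanly.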
I can think of a few things, some of which you may not like or agree with.
1. Maybe you are mistaken and not being targeted with Malware/rootkit/APT.
2. Instead of trying to sanitise the SSD, I would rip it out and replace it with a more secure one. I would not think anyone currently is writing rootkits for these, or at least you will mess up their current M.O.
3. What evidence do you have to support your theory you are being attacked?
4. Take a complete network traffic packet capture and analyse it.
5. Get someone like Black Hills security or Mandiant etc. to look for you, as you don't appear to have the skills to do this yourself.
6. Are you sure you are "important enough" to be targeted in this manner? If so public forums are not the way forward. Reporting it to someone for them to handle is better. Otherwise you are knowingly leaving yourself vulnerable.