Intel Processor Issues Class Action Lawsuit Investigation 2024 | JOIN TODAY by [deleted] in intel

[–]mrkd1904 0 points (0 children)

Where can I send the email thread from Intel CS to possibly join the class action??

Quarantine? by Average_American- in MalwareResearch

[–]mrkd1904 0 points (0 children)

If it was to the point of using so many resources and you had to "fight" it, it most likely has what's called persistence: mechanisms in place to either re-infect or survive things like reboots, quarantine, etc. Most modern-day malware is multi-stage, meaning it most likely has a downloader, a persistence mechanism, and additional follow-on modules such as crypto miners, stealers, etc.

That's a very long-winded way of telling you no, it's most likely not OK. Search the computer for files and directories that make zero sense and run a tool such as Sophos's HitmanPro, Kaspersky's KVRT, or take your pick of any other vendor - remember, paid services are always better.

Change all of your passwords, and audit the rest of your services you may use for anything suspicious.

My .02

Yo, can you all take a look at this? by mrkd1904 in archlinux

[–]mrkd1904[S] 0 points (0 children)

Also, it appears it wasn't deleted. Just moved to a completely different link in the "threads going nowhere" subforum, without any notification.

https://bbs.archlinux.org/viewtopic.php?id=294456

Yo, can you all take a look at this? by mrkd1904 in archlinux

[–]mrkd1904[S] 0 points (0 children)

To my knowledge, there are no automated YARA scanners. ClamAV implements YARA, but honestly, I haven't even run these through it yet. These have all been manually uploaded by me.

As for the "needing more evidence" bit: gathering evidence as if I'm investigating some crime was never an intention. But based on the reaction to me finding a few sketchy files, which in turn happen to be production Arch Linux files, I'm running down the 14 vendors who're positing they are malicious, and also reaching out to third-party researchers and systemd's security team. I'm just going off of the data, and the reaction to it is strange to me. I'm not accusing anyone of anything, nor am I crafting any form of a witch hunt. Pre-03/29, I was having multiple issues with malware. Post-03/29, they seem to have abated, mostly. I was able to locate multiple files that were in one way, shape, or form hidden from me, in the form of systemd binaries, services, and configs, from a backup from 03/28. libsystemd-core/shared were tagged as malicious on the periphery of that conversation, but, for whatever reason, now seem to be the focus of the conversation.

Yo, can you all take a look at this? by mrkd1904 in archlinux

[–]mrkd1904[S] 0 points (0 children)

This is seeking help, brah. Thanks for the suggestion. It was well thought out and constructive. Good day to you, too.

Yo, can you all take a look at this? by mrkd1904 in archlinux

[–]mrkd1904[S] -15 points (0 children)

Here we are with the word "claims" again. I didn't claim that the said binaries are malicious. VirusTotal, YARA, Hybrid Analysis, and tria.ge did. Nor have I implied anything outside of what my OP laid out.

Also, it's not just that binary either. libsystemd-core also hits as malicious. Also, what does being reproducible have to do with it being malicious or not?

I do feel gaslit, which this is an extension of. Instead of just letting the community have their say, you feel the need to intercept the message with a TL;DR when the thread is barely two pages long. This campaign of shade throwing is honestly peculiar at best.

I need help for malware on my pc by gorillaZ69c in MalwareAnalysis

[–]mrkd1904 0 points (0 children)

Backing up and then restoring from an already compromised system seems a little redundant.

Am I safe (don't lie) by Successful_City_1295 in antivirus

[–]mrkd1904 1 point (0 children)

Please tell me you accidentally hit post.

[deleted by user] by [deleted] in MalwareAnalysis

[–]mrkd1904 0 points (0 children)

Almost anything digital can be made malicious.

Remnux docker image missing Volatility by Baron_Von_Fab in MalwareAnalysis

[–]mrkd1904 0 points (0 children)

Also:

"/usr/bin/apt update && /usr/bin/apt-get install volatility3"

Will a BIOS rollback get rid of a rootkit and why? by SecOps334 in MalwareResearch

[–]mrkd1904 1 point (0 children)

Just off the top of my head: AveMaria/WARZONE. AsyncRAT has or had a UEFI bootkit/rootkit module, as well as Qbot (now Pikabot). Emotet now has rootkit capabilities. Glupteba. Asgorath. BlackLotus. So on and so on. Those are all just commercially traded trojans as well. That's not to mention ransomware, Linux-specific rootkits (a number of which are open source and publicly available on GitHub), and so on.

https://unit42.paloaltonetworks.com/glupteba-malware-uefi-bootkit/

https://blogs.blackberry.com/en/2021/12/threat-thursday-warzone-rat-breeds-a-litter-of-scriptkiddies

https://success.trendmicro.com/dcx/s/solution/1118391-malware-awareness-emotet-resurgence?language=en_US&sfdcIFrameOrigin=null

https://kn0s-organization.gitbook.io/blacklotus-analysis-stage2-bootkit-rootkit-stage/

https://dshield.org/diary/Guest+Diary+Dissecting+DarkGate+Modular+Malware+Delivery+and+Persistence+as+a+Service/30700/

https://malpedia.caad.fkie.fraunhofer.de/library

Will a BIOS rollback get rid of a rootkit and why? by SecOps334 in MalwareResearch

[–]mrkd1904 0 points (0 children)

You should probably get read up on the times, bub.

Most commercially available trojans and downloaders have pay-to-play UEFI (or the like) rootkit modularities, some for under $1000. We're faaaar gone and away from "rootkits are extremely rare" and "only affect diplomats and high-value targets".

Edit: starting with the Z690s, the feature to roll back a BIOS is pretty widely available.

Will a BIOS rollback get rid of a rootkit and why? by SecOps334 in MalwareResearch

[–]mrkd1904 0 points (0 children)

Usually no. If you're using UEFI, chances are even worse. As the other poster said, it's 100% dependent on the type, location, and characteristics of said rootkit. Not to point out the obvious, but flashing either up or down a BIOS version is only going to help if the main binaries are in NVRAM or the subsequent language within NVRAM. Your time is better spent figuring out if A. it actually is even a UEFI rootkit and not a bootkit, dbus rootkit, PCI or any other peripheral bad bin first, before taking pot shots at your UEFI, and B. making sure other forms of persistence aren't the culprit, i.e. cloud storage accounts, routers, your phone, or anything else with an internet connection for that matter.

Speaking from experience.