Just installed W7x64 SP1, installed the Ethernet driver supplied by Gigabyte, the motherboard manufacturer, on the accompanying silver DVD, as it's not picked up & installed by the Windows OEM DVD. Had to download KB3138612 from https://www.microsoft.com/en-us/download/details.aspx?id=51212 as the default IE8 browser installed gets shown a warning saying the browser is out of date if using the link https://support.microsoft.com/en-us/kb/3138612, which is also supplied by MS's new https://catalog.update.microsoft.com for looking up updates along with details on what patch replaces or has been superseded by other patches. A bit of an MS fail if I might say so! If I don't use this download, then the system never downloads any updates even when left for days!
So anyway, installed said patch, rebooted and then got all the updates downloaded, including recommended ones, using the Windows Update service for standalone PCs (not using WSUS on a corporate network setup). Once done, installed Norton Internet Security (NIS), which was on Gigabyte's silver DVD for the motherboard, version 20 I believe. Downloaded various updates and a few patches requiring reboots before getting the trial offer to test NIS 22, which is what I'm not testing. Not used any burner DVDs or plugged in any mem sticks at all to date.
Have to say initially NIS is a better interface than earlier versions. So going through the history I noticed an entry at 05:54 local time this morning.
Category: Norton Product Tamper Protection
Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Action,Reaction
10/01/2017 05:54:30,Medium,Unauthorized access blocked (Set Registry Security Key),Blocked,No Action Required,10/01/2017 05:54:30,C:\WINDOWS\SYSTEM32\SVCHOST.EXE,720,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BHDRVX64\0000\Control\,Set Registry Security Key,Unauthorized access blocked
So I had left the computer to go to sleep, unplugged it from the router and switched off the router, so it's got no net access whatsoever.
So can anyone say what's going on here for it to be woken up? There's no alarm function in use in the UEFI and there's nothing but Windows, updates including IE11 and NIS installed on this computer at this stage. I had been downloading additional software and printing off loads from the MSDN website amongst other places, but hadn't knowingly visited any suspect webpages flagged by NIS.
It's just I appear to have some malware which changes the make and model of the HD and CD/DVD when the BIOS shows the devices on a 2004 PC which uses EIDE ribbon cables to connect. On the newer PCs using SATA which have UEFI but are not using Secure Boot, you don't get to see this happen as the UEFI screens flash up and disappear so quickly, but the disk lights on the case indicate some sort of disc activity is occurring before the UEFI screen appears. I know from reading an article from an MIT student that BIOS and UEFI load USB devices first unless Fast Boot is set. Interestingly, despite this UEFI BIOS supporting Win 8 Secure Boot, it always fails to install Win8 in Secure Boot mode; it will only ever install in legacy mode, which is another thing I need to dig further into.
I also have observed data appearing on various block devices like USB mem sticks and (micro)SD cards despite having used dd if=/dev/zero to wipe said block devices on Linux. I always check them in a hex editor, including 3TB HDs, to ensure they are blank before reuse, and MS & most Linux distros no longer provide the proper formatting option which blanks the disks/mem sticks or SD cards, like we used to see in the Windows XP early 2000s time.
Having looked at what MS have to say about USB devices in their TechNet and driver sections, namely that the device firmware has to be downloaded when a USB device is plugged in, and knowing that various hacks on USB microcontrollers on USB devices now exist, as seen here https://opensource.srlabs.de/projects/badusb , I wondered what Norton or Symantec AV products might actually work to verify the firmware of said devices?
I've already contacted PNY, who rebrand some of Genesys Logic Inc products, to see if they can supply some software to verify the integrity of the firmware on their USB devices, as it's stuff I own and use of theirs, because from what I can see there are essentially two chip options available to manufacturers. The expensive route is the firmware is burnt into the chip and is fixed for life, i.e. no updates can ever be made, or manufacturers/rebranders can get a reprogrammable chip which is a lot cheaper and allows the rebranders to release firmware updates in their name, with the added risk that anyone with a bit of patience and logical thinking can do the same things themselves with the tools & source code freely available online like FlashRom, or code examples from places like HDDGuru.com if you want to attack hardware. In essence this appears to be an attack on Capitalism, as manufacturers typically only support devices for a short period of time after a sale has taken place, and with the IoT attack on the US and UK in Oct 2015 due to device manufacturers not spending a bit extra providing unique username/password combos to their IoT devices, I can see this hacking getting worse, forcing people into having to throw away some of their IoT devices despite password changes being made, when you consider how many devices allow firmware upgrades simply by the cheap chips being used internally.
So far I'm not getting anything back from PNY or Genesys Logic, so I'm now contacting various AV companies to see what they can do to verify the firmware on my USB devices has not been tampered with and the firmware on my hard drives and CD/DVDs has not been tampered with.
On the point of (micro)SD cards, many appear to use an ARM processor to handle the wear levelling function, but it also means these can have their firmware altered, like we see with a variety of devices already out in the field, e.g. phones, and just like Intel and AMD microcode can be altered on those processors.
So can anyone explain why the PC was woken up and this message appeared in the history log of NIS, and what reassurances can Norton/Symantec give me that their products can verify the authenticity of the firmware of the devices attached to this computer, and that this computer doesn't have malware/virus code on it that they can't detect? I'm aware it took over a year for Stuxnet to be discovered and classed as a virus. To me it seems like Stuxnet, Duqu, BadUSB, BadBios, Flame and Shamoon are all different names given to different parts of the suite of malware that has evolved over the years.
Thanks,
Richard
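As an added example (not part of the original post or of any Norton tool), here is a small Python parser for a history export in the column layout quoted above, which picks out Tamper Protection events that hit a LEGACY_* entry under Enum\Root (the kind of key shown in the post) and those that occur while the machine was expected to be asleep. The sample CSV is constructed, and the timestamps are assumed to be day/month/year as in the UK.

```python
import csv
import io
from datetime import datetime

# Constructed sample export using the column layout from the post (not real Norton output).
SAMPLE_HISTORY = r"""Date & Time,Risk,Activity,Status,Recommended Action,Date,Actor,Actor PID,Target,Action,Reaction
10/01/2017 05:54:30,Medium,Unauthorized access blocked (Set Registry Security Key),Blocked,No Action Required,10/01/2017 05:54:30,C:\WINDOWS\SYSTEM32\SVCHOST.EXE,720,HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_BHDRVX64\0000\Control\,Set Registry Security Key,Unauthorized access blocked
10/01/2017 09:12:05,Low,Unauthorized access blocked (Read),Blocked,No Action Required,10/01/2017 09:12:05,C:\Tools\example.exe,4100,C:\Program Files\Norton Internet Security\,Read,Unauthorized access blocked
"""

LEGACY_ENUM_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_"


def parse_history(text):
    """Parse the CSV export into a list of dicts with a real datetime and an int PID."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        # Assumed day/month/year ordering (UK locale); adjust for other locales.
        when = datetime.strptime(row["Date & Time"], "%d/%m/%Y %H:%M:%S")
        events.append({
            "when": when,
            "risk": row["Risk"],
            "actor": row["Actor"],
            "pid": int(row["Actor PID"]),
            "target": row["Target"],
            "action": row["Action"],
            "status": row["Status"],
        })
    return events


def is_legacy_enum_key(target):
    """True when the target is a LEGACY_* device entry under Enum\\Root (case-insensitive)."""
    return target.upper().startswith(LEGACY_ENUM_PREFIX.upper())


def events_in_sleep_window(events, start_hour=0, end_hour=6):
    """Return events whose timestamp falls in the window the machine was expected to be asleep."""
    return [e for e in events if start_hour <= e["when"].hour < end_hour]


def summarize_by_actor(events):
    """Count blocked events per (actor, action) so a repeated source stands out."""
    counts = {}
    for e in events:
        if e["status"] == "Blocked":
            key = (e["actor"].upper(), e["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_history(SAMPLE_HISTORY)
    for e in events_in_sleep_window(evs):
        print(e["when"], e["actor"], e["pid"], "legacy enum key" if is_legacy_enum_key(e["target"]) else "")
    print(summarize_by_actor(evs))
```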