ACPI tables of Acer Aspire E11 ES1-111-C5M1
Hello,
I did quite a few checks using both Windows and Linux, which clearly showed me that my ACPI tables got manipulated (not from the start, but by physical or remote access).
Therefore I urgently need the extracted ACPI tables of my netbook model mentioned in the subject in order to carry out further analysis. One can extract those using "Read & Write Everything" on Windows, or extract / disassemble / decompile them using iasl under Linux.
Could anyone owning this model please do me the favour of extracting the ACPI tables, uploading them somewhere and posting the links?
It's really easy when you are using Windows: "Read & Write Everything" can be downloaded for free from http://rweverything.com/ and you would just have to choose the ACPI tables and click on "save all".
I would highly appreciate it if anyone could do so. Thanks in advance!
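As an added example (not part of the original post or any Acer or RW Everything tool), the following script shows one defender-side check that can be run on extracted tables from either platform: it parses the 36-byte common header that every ACPI table starts with, verifies the checksum the ACPI specification requires (all bytes covered by Length sum to 0 mod 256), and fingerprints each table so it can be compared byte-for-byte against a copy from a known-good machine of the same model. The sample tables, OEM IDs and the `EXMP` creator ID are constructed placeholders; `dump_sysfs_tables` assumes the Linux sysfs path `/sys/firmware/acpi/tables`, which is readable only as root.

```python
import hashlib
import os
import struct
from dataclasses import dataclass

# Common ACPI table header (36 bytes, little-endian), per the ACPI specification:
# Signature(4) Length(4) Revision(1) Checksum(1) OemId(6) OemTableId(8)
# OemRevision(4) CreatorId(4) CreatorRevision(4)
HEADER_FMT = "<4sIBB6s8sI4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 36
CHECKSUM_OFFSET = 9  # Signature(4) + Length(4) + Revision(1)


@dataclass
class AcpiHeader:
    signature: str
    length: int
    revision: int
    checksum: int
    oem_id: str
    oem_table_id: str
    oem_revision: int
    creator_id: str
    creator_revision: int


def _ascii(b: bytes) -> str:
    return b.decode("ascii", "replace").rstrip(" \x00")


def parse_header(table: bytes) -> AcpiHeader:
    """Decode the common header found at the start of any ACPI table."""
    if len(table) < HEADER_LEN:
        raise ValueError("table shorter than the 36-byte ACPI header")
    f = struct.unpack_from(HEADER_FMT, table, 0)
    return AcpiHeader(_ascii(f[0]), f[1], f[2], f[3], _ascii(f[4]),
                      _ascii(f[5]), f[6], _ascii(f[7]), f[8])


def checksum_ok(table: bytes) -> bool:
    """True if the bytes covered by Length sum to 0 mod 256; False if Length is inconsistent."""
    hdr = parse_header(table)
    if hdr.length < HEADER_LEN or hdr.length > len(table):
        return False  # Length field does not match the data we actually have
    return sum(table[:hdr.length]) % 256 == 0


def fingerprint(table: bytes) -> str:
    """SHA-256 of the raw table, for comparison with a table dumped from another machine."""
    return hashlib.sha256(table).hexdigest()


def audit(tables: dict) -> dict:
    """Summarise each raw table: signature, OEM fields, checksum status and hash."""
    out = {}
    for name, raw in tables.items():
        hdr = parse_header(raw)
        out[name] = {"signature": hdr.signature, "oem_id": hdr.oem_id,
                     "oem_table_id": hdr.oem_table_id,
                     "checksum_ok": checksum_ok(raw), "sha256": fingerprint(raw)}
    return out


def dump_sysfs_tables(root: str = "/sys/firmware/acpi/tables") -> dict:
    """Read the raw tables Linux exposes under sysfs (assumed path; needs root)."""
    tables = {}
    if not os.path.isdir(root):
        return tables
    for entry in sorted(os.listdir(root)):
        path = os.path.join(root, entry)
        try:
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    tables[entry] = fh.read()
        except OSError:
            pass  # not readable without root; skip this entry
    return tables


def build_table(signature: str, oem_id: str, oem_table_id: str, body: bytes) -> bytes:
    """Construct a well-formed table with a valid checksum (only used for the samples)."""
    length = HEADER_LEN + len(body)
    hdr = struct.pack(HEADER_FMT, signature.encode().ljust(4), length, 2, 0,
                      oem_id.encode().ljust(6), oem_table_id.encode().ljust(8),
                      1, b"EXMP", 1)  # EXMP is a placeholder creator ID
    raw = bytearray(hdr + body)
    raw[CHECKSUM_OFFSET] = (-sum(raw)) % 256
    return bytes(raw)


# Constructed samples (not real firmware): a valid SSDT and a copy with one patched byte.
SAMPLE_GOOD = build_table("SSDT", "SAMPLE", "EXAMPLE1", b"\x10\x1f\x5c\x5f\x53\x42\x5f")
_tampered = bytearray(SAMPLE_GOOD)
_tampered[-1] ^= 0xFF
SAMPLE_TAMPERED = bytes(_tampered)

if __name__ == "__main__":
    live = dump_sysfs_tables() or {"sample_good": SAMPLE_GOOD, "sample_tampered": SAMPLE_TAMPERED}
    for name, info in audit(live).items():
        print(f"{name:16} {info['signature']:4} {info['oem_table_id']:8} "
              f"checksum={'ok' if info['checksum_ok'] else 'BAD'} {info['sha256'][:16]}")
```

A failing checksum only proves the table was altered after the firmware build and not by whom, and a table can be rewritten with a correct checksum, so the hash comparison against a second machine of the same model (the comparison this thread asks for) is the stronger signal; the headers' OEM and creator fields are the quickest way to spot a table that does not belong to the vendor's set.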
Answers
-
It seems like this manipulation of my ACPI tables led to an infection of my system with a rootkit, as ScoopyNG also confirms:
The Linux dmesg output points into this direction as well and indicates that there are also other firmware components being affected: dmesg output
One can read about this way of implementing a rootkit on blackhat.com:
Implementing and Detecting an ACPI BIOS rootkit
I performed the checks described in this paper and obviously it's right. If anyone would like to download my ACPI tables and other extracted firmware components as a 'living example' of this, please feel free to do so:
Acer Aspire E11 - Manipulated firmware
I also used IdaPro and other tools in order to analyze how this actually manipulates / compromises a whole Windows system. On those sample screenshots you can see how it affects Windows:
[edited to comply with guidelines]
-
... And here you can see how that prevents one from installing Comodo Internet Security:
-
If anyone would like to take a deeper look into some compromised files using IdaPro or another disassembler, here you go:
-
In the ScoopyNG report I don't see any rootkit evidence, to be honest.
It's like the first sample:
http://www.trapkit.de/research/vmm/scoopyng/sample1_native.txt
All native, as on yours.
I'm not an Acer employee.
-
Well, then take a close look at the dmesg output and the activities recorded using MultiMon and you will see the evidence.
-
Here's the corresponding screenshot where you can see that I cannot even install CIS, and MultiMon gives you the answer why:
-
And other antivirus or software apart from Comodo?
I'm not an Acer employee.
-
I finally managed to get CIS installed, but then I couldn't activate the advanced tasks / services view, and the GeekBuddy remote access connection got disconnected a few times. Well, after a while I was able to start this, and to me all those services running on my computer look a little bit suspicious:
-
According to the Comodo tech support, my wireless drivers got corrupted.
Here's another screenshot of the services running on my computer:
-
The Firmware Test Suite Live confirms my suspicions that it's a rootkit deployed by manipulating firmware:
The whole results of the Firmware Test Suite Live distro can be downloaded from here:
-
Hello everyone,
I got an official confirmation from malwr.com that my Acer netbook is infected by an ACPI rootkit:
On that site one can only see how this rootkit affects Windows, but by using AIDE under Linux (a tool for checking file system integrity), I was able to see that it compromises Linux systems as well.
I can rule out the possibility that my system got infected by that rootkit because of an executable file I executed or a website I visited etc., and I'm sure to almost the same degree that nobody had physical access to my computer.
Here (and elsewhere) you can read more about the fact that network devices switch into 'maintenance mode' when receiving packets containing so-called 'magic numbers', which in consequence opens the door for the infection by rootkits: