0

Got infected by a malware/virus by downloading and opening a .doc file in an email attachment, when restarting the machine it failed on boot several times, I used recovery mode to fix boot issue but then I realized that I have to wipe the disk so I reinstalled Win 10 using the second option that format the drive and makes hared to recover files, this option is called "remove everything".

When searching on the internet I found that this feature format the disk and replace every bit with 0 so I assume it's safe to use that machine again but I still have some doubts, I have no idea of how advanced the virus was.

I can't change the machine because I do not have enough money to buy another one, what are my options to stay safe from another infections and how to be sure there's no risk using the actual machine?

What I've done so far:

  • Installed free Norton AV on Win 10 - run full scan all clean
  • Installed Kaspersky Virus Tool Removal it can search on system memory, boot sector, startup objects and recovery partition
  • Dual-boot with Ubuntu 17
  • VPN on both os
  • Router config (mac address filter, no upnp, new ssid name/pass, new admin account)
  • Sometimes I use Tor but if my machine is still infected it's really worthless
  • For banking I changed my credentials on android phone and if pc needed I run Tails on top of Ubuntu

Some other thoughts:

I'm using a Surface pro 4 that comes with a thing called secure boot and basically it looks for signatures or something like that before launching the os, it was enabled the moment I opened the virus, can still the BIOS get infected?

This machine comes with a lot of components, how hard is to install a virus on firemware of ssd, camera, sensors, gpu, ect?

I know the actual setup is pretty safe since I received another file attachment and suspicious links from the attackers. I did not bother to click on that.

I really appreciate any kind of help.

usfslk
  • 117
  • 3
  • One thing people rarely think about is the fact that any malware advanced enough to infect your firmware would _not_ let you realize it existed. You would see no signs of infection. – forest Feb 28 '18 at 03:09
  • How hard to install on SSD? Extremely difficult. Camera? Probably impossible. Sensors? Likewise impossible. GPU? Depends on how it works, most likely very difficult to impossible. – forest Feb 28 '18 at 03:19

3 Answers3

2

It's technically possible to infect firmware, but difficult. It happened in some attacks by state actors. edit: UEFI rootkits generally require privileged access to install.

Since whatever malware you got just broke your OS, rather than do something worse (spy on you or encrypt your files for ransom), it's extremely unlikely that it's been created by someone competent enough to attack firmware.

Assuming your firmware hasn't been compromised (more than 99% likely), you just need to format the drive and reinstall the OS, which you've done. A more paranoid option would be to reinitialize the disk to make sure the GPT is clean (one of the tools that does it is Secure Erase). However, Secure Boot is supposed to protect against exactly such GPT bootkits.

As for how to prevent this from repeating, just follow best security practices. Work under a non-admin account, open random files using Word's default read-only mode or not at all, keep some defensive software running.

Therac
  • 2,610
  • 11
  • 18
  • The attacker have been spying on me for a period of time. For secure erase I think I can do it with gparted on Linux but I'll have to create same partition structure, there's a primary, one reserved for system like 100mb and mbr? – usfslk Feb 27 '18 at 19:17
  • After you do secure erase, you can just clean install Windows on the system from a USB stick. The installer will create the necessary partitions. – Therac Feb 27 '18 at 19:23
  • Do you know if the Surface uses BootGuard? – forest Feb 28 '18 at 03:06
  • Also, I think the "best known" UEFI rootkits would be those from cr4sh, which do not require physical access to install (though they do require privileged local access). -1 though for claiming that secure erase would help at all, even for the paranoid. No matter what, secure erasure does not get rid of malware. – forest Feb 28 '18 at 03:17
0

Depending on who you think the attacker is, you may have to go so far as getting a new machine if you want to be 100% sure that you are safe.

A government actor can install malware on firmware across your computer, as you stated, but this is not likely the case if you were hit by a script kiddie with not particular target.

In the end, it's up to you and how paranoid you are. There's no way to be sure, sadlym

user196499
  • 1,121
  • 7
  • 11
0

I would say that you have done a good job recovering. At some point you will have to take a chance and see if all is well or not. I would leave it off line and run complete virus scans. Atleast you will be safe if computer is offline.

Mac IT
  • 26
  • 4