
I do have a problem: how do I remove persistent MBR malware? Probably the malware hides itself in an HDD sector that the OS can't even access. I already tried to format it and remove/clean all partitions. I also tried to change the OS from Windows to Linux. I got infected from an office PC. The symptom is that whenever I'm online the mouse moves by itself, probably a RAT type. I tried to analyze traffic but couldn't see any (e.g. somewhat like pushed Microsoft Security Update traffic).

Update:

My Malware Analysis:

  • Probably it's much more than an OS rootkit, somewhat like BluePill (a firmware rootkit), but not hardware dependent.
  • It adapts to what OS you are using (injects and downloads over Ethernet a specific type of malware for different OSes).
  • It actively listens and sends outgoing connections (can't be blocked by a firewall) at a low level.
  • The reason I know it's MBR malware is that my office PC has a different type of board (logically it's not BIOS malware, which is hardware dependent, and mostly this type of malware only attacks Intel motherboards), while my laptop uses AMD.
  • It's somewhat like a malware that was recently demoed at DEFCON (forgot the name of the malware), but that is a BIOS type of malware using OpenBIOS + SeaBIOS. It is fully undetectable, a very low-level type of attack malware.
  • And the malware that infects me seems like it embeds itself on removable flash disks in the low-level firmware so it can infect other systems.

Update:

Here are some symptoms why I know it's a malware:

  • High peaks of network usage even when no process is accessing any network connection (already checked the processes through netstat and Process Explorer).
  • Checked md5 sums of files before and after; they have changed. Probably the malware spreads itself and changes everything like a rootkit.

I know the symptoms are very few because I've only recently checked and observed it. And the malware is fully undetectable, hard to distinguish from a normal process, with very low memory consumption. I assume it also hides itself in volatile RAM. That's why whenever I try to format the HDD it would still be there after the boot.

Additional info on why I won't contact my employer regarding this: our company has a rule never to put any removable device into any of our workstations.

And if you think this is some type of advanced malware, you're probably thinking back to the 90's; there is already a gap between open source and closed source funded projects. You are probably just observing some open source malware projects. Just like Microsoft before Google applied a 3D rendering engine to Chrome. I think there is a 10 - 15 year difference between open source and closed source research projects. And it's not only the military and/or government that could deploy this.

Ed Abucay
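To make the "before and after" comparison the question relies on concrete for the first sector specifically, here is an added example (my own code, not part of the question or of any answer on this page) that parses a 512-byte MBR, validates the 0x55AA boot signature and the four partition entries, and compares the 440-byte bootstrap area against a known-good SHA-256 baseline. The sample sector, its filler bootstrap bytes and its disk signature are constructed for the demonstration; `read_mbr` is the only piece that touches a real device or image and needs root on Linux. It uses SHA-256 rather than the md5 sums mentioned in the question.

```python
# Added example: MBR integrity check against a known-good baseline.
# Not code from the question or answers; the sample sector below is constructed.
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area, bytes 0..439
DISK_SIG_OFFSET = 440        # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446      # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image or block device (e.g. /dev/sda, needs root)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def boot_code_sha256(mbr: bytes) -> str:
    """Hash only the bootstrap area, so a legitimate disk-signature or
    partition-table change does not look like a bootstrap change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_mbr(mbr: bytes) -> dict:
    """Decode signature, disk signature and non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for index in range(4):
        off = PART_TABLE_OFFSET + index * PART_ENTRY_LEN
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sector_count,
        })
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
        "boot_code_sha256": boot_code_sha256(mbr),
        "partitions": partitions,
    }


def boot_code_matches(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap area still hashes to the recorded baseline."""
    return boot_code_sha256(mbr) == baseline_sha256


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector, not a real disk: one bootable type-0x83 partition."""
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFFSET, 0x12345678)  # made-up disk signature
    entry = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    buf[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_LEN] = entry
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


# Constructed "known good" bootstrap: a filler pattern standing in for the
# bytes a clean bootloader install would write. Record its hash as the baseline.
CLEAN_BOOT_CODE = bytes(i & 0xFF for i in range(BOOT_CODE_LEN))
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_SHA256 = boot_code_sha256(CLEAN_MBR)

# Same partition table, but one bootstrap byte altered: the check must flag it.
_tampered = bytearray(CLEAN_MBR)
_tampered[100] ^= 0xFF
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(label, "signature_ok=%s partitions=%d boot_code_matches=%s" % (
            info["signature_ok"], len(info["partitions"]),
            boot_code_matches(sector, BASELINE_SHA256)))
```

The point of hashing only bytes 0..439 is that the disk signature and partition table legitimately change when you repartition, while the bootstrap area should only change when you deliberately reinstall a bootloader; a baseline taken right after a clean install, stored off the machine, is what turns "the md5 sums changed" into a specific, checkable claim. Writing the sector back from a clean machine is the remediation the comments allude to, and the same parser can confirm the result afterwards.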
  • Considering the symptoms you get, have you considered simple radio frequency interference? Have you switched your wireless channel perhaps, to help eliminate that as a cause? So far, what you describe doesn't necessarily have to be an infection at all. I'm not saying that it isn't, I'm just saying it's a bit difficult to say, given the level of detail you provide. – TildalWave Nov 20 '13 at 02:22
  • I know there is on my office PC --- they've put a remote support tool so that they could monitor us. The first software that they put is Bomgar Remote Client. Secondly they installed a malware so that even if we tried to disable the Bomgar Remote Client they could still monitor us. By the way, I'm working at an IT security firm as a programmer. They are too paranoid; they think we would sneak out some source code. – Ed Abucay Nov 20 '13 at 02:29
  • And secondly, the probable cause that it moves because of radio frequency is somewhat not feasible in my case. Before I inserted a USB that came from my office PC, my laptop touchpad didn't move by itself. One sign is it moves from one screen to the other; in fact mostly the mouse goes to the edge of the screen. Looks weird, ain't it? – Ed Abucay Nov 20 '13 at 02:34
  • Please add detail to your question, there is no need to convince me, I'll form my opinion based on facts you supply to us, like anyone else. Honestly, it still sounds iffy, but I'm not trying to prove or disprove anything based on lack of evidence. I still wonder though, why don't you report your issues to your employer? And if it is really their PC, then well, it's theirs. I suggest you don't use it for anything else than work anyway. BYOD with your own data plan for anything else, if you really have to (do your stuff while they pay you to do theirs). – TildalWave Nov 20 '13 at 02:41
  • 1) Still have no idea what you're asking 2) Why would you be targeted with some kind of 'advanced malware'? Are you a military/high-value target? 3) Why haven't you formatted your PC? 4) Why don't you get your office tech team to investigate? Voted to close – NULLZ Nov 20 '13 at 03:56
  • Closed: I agree with the other comments here - you seem to be speculating. You'll need to look at network traffic (if you see none, then there probably is none), take some basic remediation steps (it is very easy to remove any malware in the MBR, from a clean machine), and actually find evidence. The symptoms you describe do **not** sound like a malware issue. – Rory Alsop Nov 20 '13 at 11:06
  • @FitzAbucay - Unfortunately, no matter how much information you add, **this isn't the type of thing that can be reliably diagnosed by explaining symptoms to someone over the Internet**. You need to have someone look at the machine who knows what he's doing. That's the beginning and the end of it. We can be of no more help; all you can get is baseless speculation. – tylerl Nov 22 '13 at 07:53
  • LOL WUT. Absent any data except 'my mouse is weird', this just reads like unabashed tinfoilhattery. An IT security firm worth their salt wouldn't code (any malware, or at least) a malware that manifested in so blatant a way as your mouse jumping around. Have you been eating over your touchpad? Coupla other things: "Check md5 sums of files before and after has change." Which files??!? That'd be like the first thing I'd mention. As for the network, did you consider it's maybe updates downloading in the background? So few problems, so much conspiracy theorising. [edit: oops i just saw the date] – underscore_d Nov 06 '15 at 01:07

1 Answer

If the only symptom of the issue is that your mouse moves involuntarily, then I'd suggest that malware is unlikely to be the cause. Malware is either designed to be stealthy, collecting information and sending it back to command and control systems, or it is designed to be noticed, preventing normal work in order to simply annoy you or demand some sort of ransom.

Even if there is malware that allows remote control of your system, it would be either from the command line or a virtual console; your mouse wouldn't move.

It sounds like the most likely cause of your mouse moving is simply that your mouse is broken, or something is wrong in your drivers or hardware. Try to eliminate these possibilities before you spend more time wiping your computer.

GdD
  • Agreed. Annoying viruses kinda stopped at least a decade ago, to be replaced by profitable ones. If it's malware at all, it's probably doing this by accident, but I strongly suspect that it's not. @Fitz Abucay - without meaning to sound patronising, have you tried changing the mouse over? A dodgy focus on an optical mouse lens can cause this kind of thing. – Owen Nov 20 '13 at 12:29
  • By the way, it's a touchpad on a laptop. I also tried adding an external mouse. Still got the same problem. I think they're trying to annoy me, as if they're saying you should not be sneaking source code out of the company. And malware is not the same as way back before, when it would only listen and collect data. Malware nowadays has the capability to download additional types of viruses (e.g. some Remote Administration Tool server) that could control and observe a user. Malware nowadays is not just passive. – Ed Abucay Nov 22 '13 at 01:21