On 6/11/2023 3:23 PM, Carlos E.R. wrote:

On 2023-06-11 21:18, Johnny wrote:

Published June 11, 2023

A cybersecurity company called Eclypsium has made a startling
discovery. They found a hidden backdoor in the firmware of motherboards
(the main circuit board in a computer) made by a Taiwanese company
called Gigabyte, and this backdoor makes the motherboards easily
accessible for hackers to break into.

Gigabyte apparently integrated a Windows executable file into the
firmware of its motherboards. This file is executed when the computer
starts up, meaning that each time you restart your computer, the
firmware's code activates Gigabyte's app center. This app center then
proceeds to download and run a file from the internet.

I'd appreciate some technical language, instead of layman first grader speak.

What you posted is impossible to decipher.

Continued:

https://www.foxnews.com/tech/pcs-motherboard-hidden-vulnerability-risk

https://eclypsium.com/blog/supply-chain-risk-from-gigabyte-app-center-backdoor/

"Our follow-up analysis discovered that firmware in Gigabyte systems is
dropping and executing a Windows native executable during the system
startup process, and this executable then downloads and executes
additional payloads insecurely. It uses the same techniques as other
OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent)
abused by threat actors and even firmware implants such as Sednit LoJax,
MosaicRegressor, Vector-EDK. Subsequent analysis showed that this same code
is present in hundreds of models of Gigabyte PCs. We are working with
Gigabyte to address this insecure implementation of their app center capability."

Here is an example of a Computrace dropper (attack from BIOS). Computrace
would be popular in laptop design. Computrace got right to the point, mounted the file system and overwrote autochk.exe :-)

https://www.blackhat.com/docs/us-14/materials/us-14-Kamluk-Computrace-Backdoor-Revisited-WP.pdf

By flash-updating the BIOS, as long as the structures and code are
removed, there will be no "new occurrences". But you would not know
whether a persistent threat had been put onboard or not. It would depend
on what the dropper did to gain a foothold.

Paul

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 6/13/2023 5:51 AM, Carlos E.R. wrote:

On 2023-06-12 23:05, Jeff Barnett wrote:

On 6/11/2023 1:18 PM, Johnny wrote:

...

Note that Option two is a way for a device to stuff code into an OS at a level where it can do anything it pleases! Could this be what was going on at Gigabyte? Where they just obeying the ACPI spec?

UEFI spec.

And the term would be "exploiting the UEFI spec".

*******

While you're sitting there, UEFI is running at the
same time as your OS is running. SMI interrupt, raised
maybe 30 times a second, allow UEFI to run for short
intervals, and adjust power converters and voltages.
And these are "UEFI", because we have to associate
some firmware entity with the responsibility. SMI
(system management interrupt) and System Management Mode (SMM),
is a high priority interrupt, higher than the clock tick
(if clock ticks are being used), and capable of usurping the OS.

There are lots of details about modern hardware that
need documentation.

In this picture, I am using a whizzy piece of software,
just for a readout, to see what my machine is doing. The
fan speed (not shown), varies in real time, and the noise
of the fan correlates with some of the dials in this. This
watches as UEFI adjusts the knobs in the (SMI) background.

[Picture]

https://i.postimg.cc/wjGtvFXK/automatic-cooling-system-readout.gif

One reason it says on the CPU box "water cooling recommended", is
the full frequency range is "exposed" if you have sufficient cooling.
If your cooling isn't quite there (my cooler is a little weak
on purpose), then the adjustment process will not run the CPU
at peak frequency. With a water cooler attached, there would
be more "headroom" for the adjuster to work.

The sad part, is when you visit Tomshardware with your web browser,
there is enough Javascript railing a core, to really make the fan noisy. Carrying out other tasks, running on all cores, the fan is not
quite as noisy (since the system is now "resource limited"). Without
looking, I can now tell which sites have an "excess of advertising".
I just listen to the fan.

I expect the same sort of function, on Intel boards, but with a
different sensor suite inside the hardware.

Speedfan no longer works on my board (no driver for the SuperIO).
Even Linux "sensor" package, cannot read out anything! (A linux
guy does have a driver, but it's not in the kernel at the moment.)

So right now, the AMD software is all I've got. (The MSI mobo package,
if there is one, is "too big" to be loading onto the machine.
The AMD one is bad enough in this regard, on its own, and is
more than 100MB.) And all of the companies want to "spy on your
usage pattern", so you have to remember to untick the box about
reporting to headquarters.

Paul

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)