Hi, I was reporting strange behavior from several PCs I owned in the last year that I now know are part of the "nodersok"/"divergent" attack. The fileless malware seems to be storing info on the SPI on Intel machines & the UEFI on AMD-based ones. Nothing gets rid of it. BIOS reflashing, new HDD, even have gotten motherboards with this infection built into it somehow. I've tried different installation media, since my initial install of Windows 10 came from upgrading from Windows 7 Ultimate & I've tried DVD/flash drive versions; however, the infection persists. Downloading the latest version results in the download of the insider preview with the latest Enterprise apps installed but non-functional to the user & it disables Windows Defender completely, yet it shows no warnings, redirects Windows Update, etc. Something to note is that it uses a UNIX OS behind Windows 10, which runs as a "virtual machine". The registry shows a blank BCD, there are tons of hidden SIDs with admin capabilities, Windows version is showing NT 6.0 or Windows Server 2016, it keeps a record of every install, even when running a RAM disk with no HDD, as I am now (Hiren's PE).
Looking at web page source will show various local individuals using multiple affiliate programs for pay-per-click. It runs a cell phone relay, can infect other PCs with ransomware or this same hack, and running Linux you can see that it monitors your shopping, local stores' security cams, cash register terminals, etc. For me it is very local, found within a 25 mi. radius: every PC at 2 Walmarts is infected, the Landsford library is infected, it ruined 6 PCs of mine, and this Ideapad 320 bought new from Walmart in 8/2018 came infected.
So how do I get rid of this? Buying a new laptop didn't work, new PC components didn't work, replacing all peripherals didn't work, meaning this is "out in the wild" more than we think. Sure, now it seems preventable if you can find a clean machine to start with. What do the multitudes already deeply infected do? I can buy another Windows 10 flash media; however, this seems to hop onto flash drives in a 4-5 MB inaccessible area it creates on plug-in. A hacker contacted me via console to inform me it is written in "C" & that an "ancestor" is required. There are no legit Azure accounts tied to this machine or any others I had. This version of "nodersok" is cross-platform. It installs on any version of Windows, Linux, Unix, Slackware, Ubuntu, Mac, even Android (my phone, mom's phone & my Vizio smart TV from 2014 all have this hidden partition on an embedded chip).
To run Windows Defender's newest version I need to be able to install Windows properly or the non-malware disables most of it, like the APT part. Another "heads up" on this is the earliest file footprint goes back to 2008, XP/Vista. Further exam reveals it started in this area (18218, 18235) around 2012 as the beginning of this being used locally. This can "touch" files, change what you see on screen, has full AI when not connected to any internet. I found drivers for a "BDA tuner", HAM radio receivers, OOB transmitter drivers, GPRS modem, so much it's unreal. I have 20+ years in PCs & this is the nastiest thing I've run across. Looking at the UEFI files, there's about 3 MB of nonsense out of a 5 MB partition that is locked as RO for me. Somehow I made it so the C&C cannot overwrite the SPI anymore. All the local attackers' IMEIs, MACs, IPs are stuck in that area permanently.
Sorry for the long post. This info is critical to solving the issue of this latest threat. Hopefully, someone can lend me a code to rid this thing of the current infection. Otherwise I can foresee a massive shutdown of all infected PC's like happened years back (500,000 I think). I am a member of CERT & have reported this to proper authorities as well. Any help is greatly appreciated.