Page 1 of 2
Results 1 to 10 of 12
  1. #1
    R5Eandme (ROG Guru: Orange Belt)
    PC Specs
    Motherboard: Rampage V Extreme/U3.1
    Processor: i7-5930K
    Memory (part number): Corsair Vengeance LPX CMK64GX4M8A2400C14
    Graphics Card #1: MSI Geforce GTX 980Ti
    Sound Card: Asus Essence STX II
    Monitor: Acer B286HK 4K UHD
    Storage #1: Samsung 960 Pro 1TB NVMe
    Storage #2: Samsung 850 Pro 1TB SSD
    CPU Cooler: Noctua NH-D15S
    Case: Cooler Master HAF 932
    Power Supply: Thermaltake TPG-1200M-F 1200W
    Keyboard: Corsair K70 Cherry MX Brown
    Mouse: Asus Sica
    Mouse Pad: "And God said ... <Maxwell's equations> ... and there was light."
    OS: Win 10 x64 Pro
    Accessory #1: Asus USB 3.1 A, StarTech USB 3.1 C PCIe adapters
    Accessory #2: Syba 1394A/B Firewire PCIe adapter PEX30009
    Accessory #3: Asus OC Panel I
    Join Date: Jun 2017
    Reputation: 58
    Posts: 263

    Latest Official BIOS images for C6E contain malware?

    Hello,

    I always use the official ASUS site for driver and BIOS image downloads https://www.asus.com/us/Motherboards...Desk_Download/

    I then upload the driver or BIOS files to www.virustotal.com for scanning just in case. For the two most recent zips of BIOS versions 7106 and 7201, five scanning engines identified the files as malware. Here are screenshots of the VirusTotal results:

    [Attachment: Virus_Total_2019Aug11_BIOS7106.JPG]

    [Attachment: Virus Total 2019AUG11 BIOS7201 p1.JPG]

    The zip files downloaded from ASUS contain the BIOS file and the BIOSRenamer.exe file. It appears that it is BIOSRenamer.exe that is triggering the positive detections:

    [Attachment: Virus Total 2019AUG11 BIOS7201 p3.JPG]


    Normally with VirusTotal, I'd ignore it if one engine found a problem. But 5 engines have me wondering whether I should even unzip these files. VirusTotal engines use a combination of signature matching and heuristic analyses. My PC antivirus, McAfee, did not detect any malware in these BIOS zips.

    Does anyone have any insight into this issue with these BIOS images?

    I know ASUS had a malware problem with LiveUpdate, which distributed supply-chain malware called "ShadowHammer". As you can see in my VirusTotal scans, ClamAV identified ShadowHammer. Are we still having problems with infected downloads, or are these results merely false positives?

    Thank you
    Last edited by R5Eandme; 08-11-2019 at 06:14 PM. Reason: An additional scanning engine detection plus more information

  2. #2
    usernameistooshort (ROG Member)
    Join Date: Aug 2018
    Reputation: 13
    Posts: 19

    It looks like it's the BIOS renamer exe that's affected, not the actual firmware. Why that file is even shipped with the firmware I have no idea. Before, it used to be only the CAP that was inside the zip.

    Just did a scan with ClamAV on my Linux OS and it does indeed flag the BIOS Renamer exe as having a virus.

    Also just did an online scan on Jotti:

    https://virusscan.jotti.org/en-US/fi...job/ny1q3mahsw

    ClamAV picks it up there as well. However, VBA32 does not, whereas it did on VirusTotal.

    The certificate is also revoked on BIOS Renamer. The filename also comes up as "ûú BIOSRenamer.exe" when extracted, which is a bizarre way to name a legit file.
    Last edited by usernameistooshort; 08-13-2019 at 02:06 PM.

  3. #3
    R5Eandme (ROG Guru: Orange Belt)

    Thanks usernameistooshort for doing this research. I did a new VirusTotal scan today, with focus on BIOSRenamer.exe, and now there are 6 engines detecting malware.

    The certificate for BIOSRenamer.exe is no longer valid. I don't know if it has been injected with malware or if ASUS updated it and forgot to update its certificate.

    I opened a tech support request with ASUS and uploaded images of the VirusTotal scans. They escalated the request and we should know more soon, I hope.

    [Attachment: Virus Total 2019AUG13 BIOS7201 p1.JPG]

    [Attachment: Virus Total 2019AUG13 BIOS7201 p2.JPG]

    [Attachment: Virus Total 2019AUG13 BIOS7201 p3.JPG]
    Last edited by R5Eandme; 08-14-2019 at 03:57 AM.

  4. #4
    adr82 (New ROGer)
    Join Date: Jul 2019
    Reputation: 13
    Posts: 35

    Sigh. Asus continue to surprise me with just how crap their software development practices can be... ignoring for the moment the stupidity of including an exe file solely to rename another file (I mean seriously, wtf?), it appears the reason it's being flagged by these AV tools is because it is signed with a certificate that was discovered to be compromised and used to distribute malware 5 months ago.

    Look at the second image in R5Eandme's second post, the one with the certificate details. Note the serial number given for the "AsusTek ..." certificate, the one beginning "05 E6 A0 ...".

    Now look at the report from Kaspersky, who first uncovered the fact that Asus servers were being used to distribute malware back in MARCH: https://securelist.com/operation-shadowhammer/89992/

    They give the compromised certificate serial number, and it is 05e6a0be5ac359c7ff11f4b467ab20fc - yep, it's the same one that is still apparently being used to sign these (completely useless!) .exe files.

    I don't know if the .exe files are infected with the actual malware Kaspersky describe in addition to being signed with the compromised certificate, but I would not run them on my machine, that's for damn sure!

    To be perfectly honest, if you have ANY Asus tools running on your PC I would think long and hard about whether you actually need them. I'm not saying they're all infected with something, they're just generally bloated, badly designed and install a ton of background services. You can usually find better alternatives.

  5. #5
    R5Eandme (ROG Guru: Orange Belt)

    I love ASUS hardware. But I don't know whether to be more worried about malware in BIOSRenamer.exe or of incorrect reuse of a revoked digital certificate for BIOSRenamer.exe.

    On the ASUS news web pages I found an advisory about certificate revocation that may or may not be relevant to this post about BIOSRenamer.exe. But it does show that ASUS appears to be making efforts to improve security of their software distribution system:

    https://www.asus.com/News/HYIZEHXIGeIRyrVT

    ASUS Certificate Maintenance Advisory - Motherboards, Graphics Cards, Mini PCs, Workstations, Servers and Gaming Gear
    2019/04/13

    "ASUS is releasing this advisory to provide information related to the new implementation of a tiered certificate structure that upgrades the security infrastructure of our expanding software ecosystem.

    The upgrade requires the current code-signing certificate of several ASUS products to be revoked. This revocation can cause some existing software utilities to trigger a Windows Security dialog box, and may prevent legitimate ASUS programs, such as Aura, AI Suite III, GPU Tweak II, Armoury II and others, from running normally when users attempt to execute the associated Setup.exe™ or AsusSetup.exe™ file. "
    (cont'd)
    Last edited by R5Eandme; 08-14-2019 at 04:00 AM.

  6. #6
    adr82 (New ROGer)

    Yeah that update looks like them attempting to deal with the aftermath of having their certificate compromised in March.

    I'm sure what's happened here is that although they've updated tools like AI Suite etc., they have overlooked the need to compile a new version of BIOSRenamer.exe signed with the new certificate. Since it's such a trivial app there would normally be no reason for it to need to be updated on each BIOS release, so they'll likely have just kept distributing the original versions of it with every BIOS on their website.

    I just checked the latest C7H BIOS download (2501) out of interest, and yep, its copy of BIOSRenamer is signed with the revoked certificate! If you were able to get their support team to pay attention then hopefully it will eventually be fixed for new BIOS downloads at least (I'm not sure if they'll actually go to the trouble of repackaging all existing BIOS zip files...)

  7. #7
    R5Eandme (ROG Guru: Orange Belt)

    Quote Originally Posted by adr82 View Post
    Yeah that update looks like them attempting to deal with the aftermath of having their certificate compromised in March.

    I'm sure what's happened here is that although they've updated tools like AI Suite etc., they have overlooked the need to compile a new version of BIOSRenamer.exe signed with the new certificate. Since it's such a trivial app there would normally be no reason for it to need to be updated on each BIOS release, so they'll likely have just kept distributing the original versions of it with every BIOS on their website.

    I just checked the latest C7H BIOS download (2501) out of interest, and yep, its copy of BIOSRenamer is signed with the revoked certificate! If you were able to get their support team to pay attention then hopefully it will eventually be fixed for new BIOS downloads at least (I'm not sure if they'll actually go to the trouble of repackaging all existing BIOS zip files...)
    Thank you adr82, for a perfectly logical explanation. I hope ASUS gets around to all their legacy downloads that still have revoked certificates.

    Still, I wonder why the unzipped filename for ??BIOSRenamer.exe is preceded by two non-standard characters. I haven't heard back from ASUS support yet.

    Even if there was malware in BIOSRenamer, do you think it is safe to unzip the bundled files in order to get the BIOS CAP file, and delete the BIOSRenamer?

  8. #8
    adr82 (New ROGer)

    Quote Originally Posted by R5Eandme View Post
    Thank you adr82, for a perfectly logical explanation. I hope ASUS gets around to all their legacy downloads that still have revoked certificates.

    Still I wonder why the unzipped filename for ??BIOSRenamer.exe is preceded by two non-standard characters. Not heard yet from ASUS support.

    Even if there was malware in BIOSRenamer, do you think it is safe to unzip the bundled files in order to get the BIOS CAP file, and delete the BIOSRenamer?
    Sure, just unzip and delete the .exe without running it. Or even better just extract the .CAP file alone - if you're using the Windows zip file handler, click to open the zip file, select only the .CAP, hit Ctrl-C, go to another folder and do Ctrl-V to paste it there.

    I have no idea what the deal is with the extra characters before the real filename - if I had to guess I'd say it's some unintended side-effect of whatever process they use to compile the application, and they just haven't bothered to fix it (in true Asus style).

  9. #9
    R5Eandme (ROG Guru: Orange Belt)

    Quote Originally Posted by adr82 View Post
    Sure, just unzip and delete the .exe without running it. Or even better just extract the .CAP file alone - if you're using the Windows zip file handler, click to open the zip file, select only the .CAP, hit Ctrl-C, go to another folder and do Ctrl-V to paste it there.

    I have no idea what the deal is with the extra characters before the real filename - if I had to guess I'd say it's some unintended side-effect of whatever process they use to compile the application, and they just haven't bothered to fix it (in true Asus style).
    Thanks for that advice on selective file unzipping from an archive. I've learned something new today. And thanks for helping figure this mess out, very helpful!

    I opened the zip archive and deleted the zipped ??BIOSRenamer.exe file. Then I extracted the CAP file and uploaded it to www.virustotal.com, and it had no detections; it is clean:

    [Attachment: Virus Total 2019AUG14 BIOS7201 CAP p1.JPG]

    and further info pages from VirusTotal showed that all certificates are valid, PK and KEK, for Secure Boot, etc. We are good to go.
    Last edited by R5Eandme; 08-14-2019 at 05:16 PM.

  10. #10
    usernameistooshort (ROG Member)

    Quote Originally Posted by R5Eandme View Post
    do you think it is safe to unzip the bundled files in order to get the BIOS CAP file, and delete the BIOSRenamer?
    As others have mentioned, it's perfectly fine. An added security measure you could implement is to install a VM and always use that for testing things out. If there truly is a virus, then just delete the VM.

