
Latest Official BIOS images for C6E contain malware?

R5Eandme
Level 12
Hello,

I always use the official ASUS site for driver and BIOS image downloads https://www.asus.com/us/Motherboards/ROG-CROSSHAIR-VI-EXTREME/HelpDesk_Download/

I then upload the driver or BIOS files to www.virustotal.com for scanning just in case. For the two most recent zips of BIOS versions 7106 and 7201 five scanning engines identified the files as malware. Here are screenshots of the virustotal results:

[screenshot attachment 81337: VirusTotal results for BIOS 7106 zip]

[screenshot attachment 81338: VirusTotal results for BIOS 7201 zip]

The zip files downloaded from ASUS contain the BIOS file and the BIOSRenamer.exe file. It appears that it is BIOSRenamer.exe that is triggering the positive detections:

[screenshot attachment 81339: VirusTotal detections on BIOSRenamer.exe]


Normally with virustotal, I'd ignore if one engine found a problem. But 5 engines has me wondering if I should even unzip these files. Virustotal engines use a combination of signature matching and heuristic analyses. My PC antivirus McAfee did not detect any malware in these BIOS zips.

Does anyone have any insight into this issue with these BIOS images?

I know ASUS had a malware problem with LiveUpdate which distributed a supply chain malware called "shadowhammer". As you can see in my Virustotal scans, ClamAV identified shadowhammer. Are we still having problems with infected downloads or are these results merely false positives?

Thank you

usernameistoosh
Level 9
It looks like it's the BIOS renamer exe that's affected, not the actual firmware. Why that file is even shipped with the firmware I have no idea. Before it used to be only the CAP that was inside the zip.

Just did a scan with ClamAV on my Linux OS and it does indeed flag the BIOS Renamer exe as having a virus.

Also just did an online scan on Jotti:

https://virusscan.jotti.org/en-US/filescanjob/ny1q3mahsw

ClamAV picks it up there as well. However, VBA32 does not, whereas it did on VirusTotal.

The certificate is also revoked on BIOS Renamer. The filename also comes up as "ûú BIOSRenamer.exe" when extracted, which is a bizarre way to name a legit file.

Thanks usernameistooshort for doing this research. I did a new virustotal scan today, with focus on BIOSRenamer.exe and now there are 6 engines detecting malware.

The certificate for BIOSRenamer.exe is no longer valid. I don't know if it has been injected with malware or if ASUS updated it and forgot to update its certificate.

I opened a tech support request with ASUS and uploaded images of the virustotal scans. They escalated the request and we should know more soon I hope.

[screenshot attachment 81365: new VirusTotal scan of BIOSRenamer.exe]

[screenshot attachment 81366: certificate details shown by VirusTotal]

[screenshot attachment 81367: further VirusTotal details]

Sigh. Asus continue to surprise me with just how crap their software development practices can be... ignoring for the moment the stupidity of including an exe file solely to rename another file (I mean seriously, wtf?), it appears the reason it's being flagged by these AV tools is because it is signed with a certificate that was discovered to be compromised and used to distribute malware 5 months ago.

Look at the second image in R5Eandme's second post, the one with the certificate details. Note the serial number given for the "AsusTek ..." certificate, the one beginning "05 E6 A0 ...".

Now look at the report from Kaspersky, who first uncovered the fact that Asus servers were being used to distribute malware back in MARCH: https://securelist.com/operation-shadowhammer/89992/

They give the compromised certificate serial number, and it is 05e6a0be5ac359c7ff11f4b467ab20fc - yep, it's the same one that is still apparently being used to sign these (completely useless!) .exe files.

I don't know if the .exe files are infected with the actual malware Kaspersky describe in addition to being signed with the compromised certificate, but I would not run them on my machine, that's for damn sure!

To be perfectly honest, if you have ANY Asus tools running on your PC I would think long and hard about whether you actually need them. I'm not saying they're all infected with something, they're just generally bloated, badly designed and install a ton of background services. You can usually find better alternatives.

I love ASUS hardware. But I don't know whether to be more worried about malware in BIOSRenamer.exe or of incorrect reuse of a revoked digital certificate for BIOSRenamer.exe.

On the ASUS news web pages I found an advisory about certificate revocation that may or may not be relevant to this post about BIOSRenamer.exe. But it does show that ASUS appears to be making efforts to improve security of their software distribution system:

https://www.asus.com/News/HYIZEHXIGeIRyrVT

ASUS Certificate Maintenance Advisory - Motherboards, Graphics Cards, Mini PCs, Workstations, Servers and Gaming Gear
2019/04/13

"ASUS is releasing this advisory to provide information related to the new implementation of a tiered certificate structure that upgrades the security infrastructure of our expanding software ecosystem.

The upgrade requires the current code-signing certificate of several ASUS products to be revoked. This revocation can cause some existing software utilities to trigger a Windows Security dialog box, and may prevent legitimate ASUS programs, such as Aura, AI Suite III, GPU Tweak II, Armoury II and others, from running normally when users attempt to execute the associated Setup.exe™ or AsusSetup.exe™ file."
(con't)

Yeah that update looks like them attempting to deal with the aftermath of having their certificate compromised in March.

I'm sure what's happened here is that although they've updated tools like AI Suite etc, they have overlooked the need to compile a new version of BIOSRenamer.exe signed with the new certificate. Since it's such a trivial app there would normally be no reason for it to need to be updated on each BIOS release, so they'll likely have just kept distributing the original versions of it with every BIOS on their website.

I just checked the latest C7H BIOS download (2501) out of interest, and yep, its copy of BIOSRenamer is signed with the revoked certificate! If you were able to get their support team to pay attention then hopefully it will eventually be fixed for new BIOS downloads at least (I'm not sure if they'll actually go to the trouble of repackaging all existing BIOS zip files...)

adr82 wrote:
Yeah that update looks like them attempting to deal with the aftermath of having their certificate compromised in March.

I'm sure what's happened here is that although they've updated tools like AI Suite etc, they have overlooked the need to compile a new version of BIOSRenamer.exe signed with the new certificate. Since it's such a trivial app there would normally be no reason for it to need to be updated on each BIOS release, so they'll likely have just kept distributing the original versions of it with every BIOS on their website.

I just checked the latest C7H BIOS download (2501) out of interest, and yep, its copy of BIOSRenamer is signed with the revoked certificate! If you were able to get their support team to pay attention then hopefully it will eventually be fixed for new BIOS downloads at least (I'm not sure if they'll actually go to the trouble of repackaging all existing BIOS zip files...)


Thank you adr82, for a perfectly logical explanation. I hope ASUS gets around to all their legacy downloads that still have revoked certificates.

Still I wonder why the unzipped filename for ??BIOSRenamer.exe is preceded by two non-standard characters. Not heard yet from ASUS support.

Even if there was malware in BIOSRenamer, do you think it is safe to unzip the bundled files in order to get the BIOS CAP file, and delete the BIOSRenamer?

R5Eandme wrote:
Thank you adr82, for a perfectly logical explanation. I hope ASUS gets around to all their legacy downloads that still have revoked certificates.

Still I wonder why the unzipped filename for ??BIOSRenamer.exe is preceded by two non-standard characters. Not heard yet from ASUS support.

Even if there was malware in BIOSRenamer, do you think it is safe to unzip the bundled files in order to get the BIOS CAP file, and delete the BIOSRenamer?

Sure, just unzip and delete the .exe without running it. Or even better just extract the .CAP file alone - if you're using the Windows zip file handler, click to open the zip file, select only the .CAP, hit Ctrl-C, go to another folder and do Ctrl-V to paste it there.

I have no idea what the deal is with the extra characters before the real filename - if I had to guess I'd say it's some unintended side-effect of whatever process they use to compile the application, and they just haven't bothered to fix it (in true Asus style).
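The two checks discussed in this thread, adr82's comparison of the signer certificate serial against the ShadowHammer serial and the advice to pull only the .CAP out of the archive, combined into one script. This is an added example, not code from the thread or from ASUS; it assumes a Windows host with PowerShell 5.1 or later, and the $ZipPath and $OutDir values are placeholders.

```powershell
# Inspect an ASUS BIOS zip without executing anything it contains (added example).
param(
    [string]$ZipPath = 'C:\Downloads\BIOS-7201.zip',   # placeholder: the downloaded BIOS zip
    [string]$OutDir  = 'C:\Downloads\bios-cap'         # placeholder: where the .CAP should land
)

# Serial of the code-signing certificate Kaspersky reported as abused in Operation ShadowHammer
# (the value quoted earlier in this thread). .NET reports serials as uppercase hex, so normalise.
$CompromisedSerial = '05e6a0be5ac359c7ff11f4b467ab20fc'.ToUpper()

Add-Type -AssemblyName System.IO.Compression.FileSystem
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
# Scratch directory used only to read the .exe signature; it is deleted at the end.
$stage = Join-Path $env:TEMP ('bios-inspect-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $stage | Out-Null

$zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
try {
    foreach ($entry in $zip.Entries) {
        # Drop odd leading characters (the "ûú" prefix seen on BIOSRenamer.exe) before matching names.
        $clean = $entry.Name -replace '^[^A-Za-z0-9_.-]+', ''

        if ($clean -like '*.CAP') {
            # Extract only the firmware image; the .exe never reaches $OutDir.
            $dest = Join-Path $OutDir $clean
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $dest, $true)
            'CAP  {0}  SHA256={1}' -f $clean, (Get-FileHash -Algorithm SHA256 $dest).Hash
        }
        elseif ($clean -like '*.exe') {
            # Stage the executable so Windows can read its Authenticode signature; it is not run.
            $tmp = Join-Path $stage $clean
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $tmp, $true)
            $sig    = Get-AuthenticodeSignature -FilePath $tmp
            $serial = if ($sig.SignerCertificate) { $sig.SignerCertificate.SerialNumber.ToUpper() } else { '<unsigned>' }
            $verdict = if ($serial -eq $CompromisedSerial) { 'MATCHES SHADOWHAMMER SERIAL' } else { 'serial not on blocklist' }
            # $sig.Status is the trust result Windows reports for the signature (Valid, NotSigned, ...).
            'EXE  {0}  status={1}  serial={2}  {3}' -f $entry.Name, $sig.Status, $serial, $verdict
        }
    }
}
finally {
    $zip.Dispose()
    Remove-Item -Recurse -Force $stage   # discard the staged .exe
}
```

The script only lists the .exe's signer serial and Windows' trust status; a match against the blocklisted serial is reason enough to leave the file in the archive, whatever the status field says.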

adr82 wrote:
Sure, just unzip and delete the .exe without running it. Or even better just extract the .CAP file alone - if you're using the Windows zip file handler, click to open the zip file, select only the .CAP, hit Ctrl-C, go to another folder and do Ctrl-V to paste it there.

I have no idea what the deal is with the extra characters before the real filename - if I had to guess I'd say it's some unintended side-effect of whatever process they use to compile the application, and they just haven't bothered to fix it (in true Asus style).


Thanks for that advice on selective file unzipping from an archive. I've learned something new today. And thanks for helping figure this mess out, very helpful!

I opened the zip archive and deleted the zipped ??BIOSRenamer.exe file. Then I extracted the CAP file and uploaded it to www.virustotal.com and it had no detections; it is clean:

[screenshot attachment 81381: VirusTotal results for the extracted CAP file]

and further info pages from virustotal showed that all certificates are valid, PK and KEK, for Secure Boot, etc. We are good to go.

R5Eandme wrote:
do you think it is safe to unzip the bundled files in order to get the BIOS CAP file, and delete the BIOSRenamer?

As others have mentioned, it's perfectly fine. An added security measure you could implement is to install a VM and always use that for testing things out. If there truly is a virus, then just delete the VM.