

Ask HN: My laptop has a BIOS-level keylogger, my security is under threat, help - dudeofjude

I have the following laptop - http://www8.hp.com/in/en/ad/ultrabooks/intel.html

I have been encountering suspicious activities and private data getting out.

I have been informed that it is either a BIOS-level keylogger or a virus that hijacks your camera that is creating trouble for me.

I searched the net, could not help myself. I formatted the laptop, scanned the BIOS, still things are not safe.

Please help!
======
SchizoDuckie
Note: The title of this article is most likely misleading.

Please post some detailed analysis of what's going on here. What data gets
out? What type of suspicious activities?

\- Have you tried packet-capturing with wireshark on the internet connections
your laptop makes?

\- Are you sure that there's no other attack point in your network that could
be more easily infected than a BIOS?

\- Have you checked your phone for instance?

\- Have you checked the Master Boot Record of your harddrive?

\- Have you checked your router?

\- Have you tried unhackme (rootkit scanner) ?

A BIOS is _very_ device specific, which would mean that either somebody finds
you _very_ interesting on a level that's NSA-tech worthy, or China hackers
just leveled up.

I have a hard time just believing this, and there's a ton of attack angles
that would be much more efficient to bug someone.

Also. Since when was hacker news downgraded to a personal helpdesk?
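
The MBR and BIOS checks in the list above reduce to "dump it, keep a known-good copy, dump it again later and diff". Below is an added example of that routine as a small POSIX shell script; it is not code from anyone in this thread. It assumes a Linux live system with dd, od, cmp and sha256sum available, and the firmware dump assumes flashrom supports the laptop's flash chip, which is not guaranteed for every model.

```shell
#!/bin/sh
# Added example: dump-and-compare integrity checks for the boot sector and
# the SPI flash image.  Assumes dd, od, cmp, sha256sum and (for firmware)
# a flashrom build that supports this machine's chipset.

# Copy the first 512 bytes of a disk (MBR boot code + partition table).
dump_mbr() {            # $1 = block device (e.g. /dev/sda), $2 = output file
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
}

# Return 0 when the dump ends in the 0x55 0xAA boot signature.
# A missing signature means the sector is not a bootable MBR at all.
mbr_has_boot_signature() {  # $1 = 512-byte dump
    [ "$(od -An -tx1 -j510 -N2 "$1" | tr -d ' \n')" = "55aa" ]
}

# Read the whole SPI flash (BIOS/UEFI, ME, NVRAM regions) with flashrom's
# internal programmer.  Needs root; fails on chips flashrom cannot map.
dump_firmware() {       # $1 = output file
    flashrom -p internal -r "$1"
}

# Compare a fresh dump against a baseline taken when the machine was
# trusted.  Prints the differing byte offsets (1-based, as cmp reports
# them) and returns 1 if anything changed, 0 if identical.
diff_image() {          # $1 = baseline, $2 = current dump
    if cmp -s "$1" "$2"; then
        echo "identical: $(sha256sum "$2" | cut -d' ' -f1)"
        return 0
    fi
    echo "DIFFERS from baseline at byte offsets:"
    cmp -l "$1" "$2" | awk '{ print "  " $1 }'
    return 1
}

# Typical use (run as root from a live USB, not from the suspect OS):
#   dump_mbr /dev/sda mbr-baseline.bin && mbr_has_boot_signature mbr-baseline.bin
#   dump_firmware bios-baseline.bin
#   ... days later, from the same live USB ...
#   dump_mbr /dev/sda mbr-now.bin;  diff_image mbr-baseline.bin mbr-now.bin
#   dump_firmware bios-now.bin;     diff_image bios-baseline.bin bios-now.bin
```

Two caveats. Take the dumps from a live USB booted on the machine, not from the installed OS, since a compromised OS can lie to dd. And diff firmware against your own baseline taken right after a clean flash, not against the vendor download: the raw SPI image contains NVRAM and ME regions that legitimately change between boots, so a byte-for-byte comparison with a vendor package will always show differences that mean nothing.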

~~~
dudeofjude
Please post some detailed analysis of what's going on here. What data gets
out? What type of suspicious activities?

    They know my gmail passwords.

\- Have you tried packet-capturing with wireshark on the internet connections
your laptop makes?

    Yes.

\- Are you sure that there's no other attack point in your network that could
be more easily infected than a BIOS?

    Can be.

\- Have you checked your phone for instance?

    Downgraded the phone.

\- Have you checked the Master Boot Record of your harddrive?

    Yes.

\- Have you checked your router?

    Don't have access.

\- Have you tried unhackme (rootkit scanner) ?

    Yes.

A BIOS is very device specific, which would mean that either somebody finds
you very interesting on a level that's NSA-tech worthy, or China hackers just
leveled up.

I have a hard time just believing this, and there's a ton of attack angles
that would be much more efficient to bug someone.

    I am facing it.

Also. Since when was hacker news downgraded to a personal helpdesk?

    Where else shall I go to resolve the crisis?

------
doubt_me
Tech here:

What did you scan your bios with?

How did you format your laptop?

What system are you running? Windows 8 or 7?

How did you activate your windows OS?

What is the exact model number of your laptop?

answer as much as possible so I can help

~~~
dudeofjude
Avast antivirus.

and [http://www.malwarebytes.org/](http://www.malwarebytes.org/)

USB device.

Win 8, I had a genuine ISO file and keys.

Model - 41113TU Product - C7D86PA#ACJ

~~~
doubt_me
If you already formatted your laptop, those viruses should be gone, but if you
think you have a rootkit:

Scan with this tool called Kaspersky anti-rootkit TDSSKiller

[http://support.kaspersky.com/us/5350#block1](http://support.kaspersky.com/us/5350#block1)

If you find something, delete it.

But just to be extra safe, re-flash your BIOS / update it and then scan
afterwards to see if anything pops up.

~~~
dudeofjude
Do you have pointers on flashing the bios.

Had tried that TDSSKiller earlier.

~~~
doubt_me
Yea you can download it from this link and then follow the instructions

[http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?sof...](http://h10025.www1.hp.com/ewfrf/wc/softwareDownloadIndex?softwareitem=ob-115172-1&cc=us&dlc=en&lc=en&os=4132&product=5375658&sw_lang=)

~~~
dudeofjude
Thanks, worked like a charm.

So having flashed and upgraded the BIOS, can I be sure that there is
no rootkit inside the machine?

~~~
doubt_me
Yup.

Just, ugh, try not to download random cracked programs or open any spam
emails.

------
psycho-geek
Get rid of Windows 8 and the TPM2 crap. Your machine is no longer yours. It is
spied upon and owned by Microsoft. They have FULL control over your machine. I
have caught Windows 8.1 uploading my data to Microsoft. They encrypt the
communications, but I was monitoring Windows and what files it was accessing
and what communications it was performing over the Internet. When I blocked
the ip addresses, it evaded my blocks by using a different set. All ip
addresses were owned by Microsoft.

~~~
dudeofjude
How were you monitoring communications?

Is it possible for me to monitor any communication that is going at BIOS
level?

~~~
psycho-geek
I used Wireshark ([http://www.wireshark.org/](http://www.wireshark.org/)). I
was actually diagnosing a different issue, until I noticed that my Win8
machine was especially chatty. When I looked more into it, I was horrified as
to how much data was being uploaded to Microsoft. I used many different
techniques, including Man in the Middle in order to see what info was actually
being sent. It was especially creepy to see that the Win8 box took evasive
actions as I tried to spy on its communications. I wonder exactly what
Microsoft has to hide regarding this communication and has to encrypt it and
be evasive.

I am not aware of any easy way of monitoring BIOS-level communications. If you
are afraid that the BIOS has been compromised by a virus then I would suggest
that you update the BIOS with an update from the vendor's web site, even if it
is the same version that's installed.

If you are worried that the machine's vendor has somehow added spying routines
into the BIOS, then for safety's sake don't use the machine for work, or for
any secure info. Use it only for play.
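
The approach psycho-geek describes, noticing that a machine is "chatty" and working out where the bytes go, is easiest to reproduce by capturing on a second box (or a mirror port) and summing outbound bytes per destination. The script below is an added example, not psycho-geek's own tooling. It assumes a capture already exists and has been flattened with `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len`; the addresses, sizes and the allowlist in it are constructed for the example.

```shell
#!/bin/sh
# Added example: summarise outbound traffic per destination from a flattened
# pcap.  Input lines are "src<TAB>dst<TAB>frame_length", the format produced by
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len
# The sample below is constructed; the addresses are documentation ranges.
SAMPLE_FLOWS=$(printf '%s\n' \
    '192.168.1.10	93.184.216.34	1500' \
    '192.168.1.10	93.184.216.34	1500' \
    '93.184.216.34	192.168.1.10	60' \
    '192.168.1.10	203.0.113.5	1400' \
    '192.168.1.10	198.51.100.7	120' \
    '198.51.100.7	192.168.1.10	90')

# Sum frame lengths sent FROM the monitored host TO each destination,
# largest talker first.  $1 = the host's own address, stdin = field lines.
outbound_bytes() {
    awk -v me="$1" -F'\t' '
        $1 == me { bytes[$2] += $3 }
        END { for (d in bytes) printf "%s %d\n", d, bytes[d] }
    ' | sort -k2 -nr
}

# Same summary, but drop destinations listed one-per-line in an allowlist
# file ($2), so only the hosts you did not expect the machine to talk to
# are left.  When a destination evades a block by switching addresses, the
# new address shows up here on the next capture.
unexpected_destinations() {     # $1 = own address, $2 = allowlist file
    outbound_bytes "$1" | while read -r dst bytes; do
        grep -qx "$dst" "$2" || printf '%s %d\n' "$dst" "$bytes"
    done
}

# Typical use against a real capture:
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e frame.len \
#       | unexpected_destinations 192.168.1.10 known-good-hosts.txt
```

Frame length over-counts slightly (headers are included), which does not matter for spotting a host that is uploading far more than it should. Resolve the top entries with whois to see who owns the netblock; encrypted payload cannot be read this way, but volume and destination alone are usually enough to decide whether a connection is expected.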

------
vertr07
Maybe reflash your bios? Have you considered that it might be your network?

~~~
dudeofjude
Does reflashing it guarantee removal of keyloggers or laptop camera
mismanagement?

~~~
vertr07
No, but it's better than being paranoid and not doing anything about it.

------
dylanhassinger
get a mac

~~~
dudeofjude
no money!

~~~
S4M
install linux then.

~~~
dudeofjude
BIOS is still there, right?

~~~
fit2rule
Reflash the BIOS from a different machine, install linux.

~~~
dudeofjude
Any pointers on how to go about it?

