Security and privacy Q&A

Well this won’t likely make you feel better, but…

I think even you are now thinking that you experienced a genuine attack. What’s unclear is if it was successful or not.

The Intel graphics DLL is actually a known way that a computer can be spied on. The attack in that case installs an altered DLL, that surreptitiously sends whatever you are viewing to a receiving remote computer.

And that along with the other “positives” you are seeing definitely show there was an attempt, but I still think Defender ultimately did what it was supposed to and thwarted it.

So that all being said, while I’m reasonably certain you are fine, OTOH I totally get why it continues to bother you as it would me.

Sad to say it, but the only way you are going to be truly certain I think is a full reset/reinstall.

Again I’d say its 95% likely you are fine, but TBH that 5% would bother me too.


That holds true for any DLL that has been altered in an attack though, right? If you can get Windows to load modified DLLs those could be involved in unintended (by the user) behavior.

I’m still confused about the message “MsMpEng.exe attempted to load igd10iumd64.dll that did not meet the Custom 3 / Antimalware signing level requirements.”. Does this happen when the file is accessed by the system, Defender checks it (since it checks all files that are opened/accessed), and finds that the file is not properly signed? That sounds like something that could be attributed to occasional lax coding/certification by in this case Intel (e.g. not properly signing that DLL). Based on this link this kind of thing does happen for non-nefarious reasons.

For now I’ll wait for the full scan to complete. I’m up to “35 files infected”, but I’m most concerned about the first volley of 18 in c:\windows. Unfortunately the Scanner tool doesn’t let you see intermediate findings, you have to complete the whole dang three hour scan to see what it found. Come on MS!

The answer is yes to both. In fact it’s a common issue on a lot of consumer HP and Lenovo systems where the OEMs make tweaks to the hardware/software stack for various reasons. For example Dell disables 4k (max 1080p) over HDMI on their low end consumer towers. So how this could occur would be if you installed drivers directly from Intel instead of the “certified” ones from the OEM.

But Surface systems to date, at least the ones we’ve seen have avoided this stupidity.

So there can be other reasons including occasionally a game that installs its own DLL. That was really common in the days of OpenGL where every OEM had their own version and they were usually not compatible broadly with other OEMs and are often not signed.

But again since this is a Surface, a not properly signed DLL/Driver/etc. is almost unheard of unless you are on the insider early track.

So TLDR, there is a lot of conflicting information for me to make a definitive diagnosis.

BTW: this is one area where Malwarebytes scanner is very good at detecting actual malware. I wouldn’t purchase it, but you can download the latest version free, and then just uninstall it instead of activating it after the trial period.

I was skeptical, but last year we had a customer where MS tools didn’t detect anything, but it found several serious issues.


Thanks, that’s one of the ones I was looking at. I also considered the ESET online scanner, back in the day that had a good reputation. Not sure if it is likely to find anything that the MS tool won’t find. I’ll see what the MS Safety scanner finds, and perhaps run MWB afterward. Wow, I feel like I’m back in the nineties!

One last thing. If you have access to genuine network scanning software such as Sniffer Pro, using that on another PC you could look for unusual UDP/FTP etc, traffic especially on nonstandard or undefined ports.

Just beware that at first glance it will look like the sky has fallen…just make intelligent use of the filters to determine what’s genuine.

Ooh boy, I foresee a whole new level of PC-Hypochondria

Well this is exciting, the MS Safety Scanner claims it did remove something:


Oddly the UI offers no way to find where it located these, i.e. which specific files it removed.

Once I closed that dialog it updated its log file c:\windows\debug\msert.log where I was able to see that these are issues related to some log analysis tool “SmarterStats”. I don’t use that anymore, so probably unrelated to the July 14 crash. Seems like I might be OK. Kind of bad that the scanner tool doesn’t tell you about the log file.

Yeah it looks like the attempt was a backdoor logger, viewer type of attack designed so they could watch you do things like banking etc.

But the fact that it only found the remote shell and chopper bits, is very solid evidence that the attempt was unsuccessful as there would be about a dozen more including mousetrak and keycap if it had been successful. So that’s good news.

Regardless, thanks for sharing all this as it’s definitely useful info generally for us.

PS: That type of attack is 99% likely a poisoned website, so you might want to review the sites you visit, and be extra careful about the less mainstream ones


This was a really interesting thread to read. :slight_smile:
A while ago, I set up W10/11 Controlled Folder for my own laptop and work colleagues (we are a small team) and was wondering how effective is it really against ransomware attacks and do others here use it as well?
(taken into account that someone does not blindly add everything to the allowed list)

So this is a serious and rapidly growing concern. Though ARS again buries the lead here. It’s not that an individual will be affected directly, but that there are tons of Python based sites out there especially the smaller and medium based ones.

@JoeS I wonder if the possible recent attempt on your system was down to a website that had this compromised code.

Some more ominous errors in the Event Viewer:

Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the Microsoft signing level requirements.

I searched for the DLL using locate32, and it didn’t find it. Then I updated the file index, and it did find it. So seems like this DLL was added in the past few months (hadn’t updated the index in a while), but AFTER I installed iTunes, which is what usually installs Bonjour.

The reason I started digging again is because I remembered to try the ESET online scanner, and it opens and then closes again, so now I’m back to being paranoid. Sigh.
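One way to pull those Code Integrity “signing level” events out of the event log and inspect the DLLs they name, as an added example that is not code from the thread. It assumes Windows 10/11 with the standard Microsoft-Windows-CodeIntegrity/Operational log, that the event message has the shape quoted above, and that flagged files sit on the system drive (the \Device\HarddiskVolumeN prefix is mapped to $env:SystemDrive, which is an assumption).

```powershell
# Added example, not from the thread. Lists Code Integrity signing-level events and
# reports signature status, signer, cert expiry, SHA256 and location of each flagged DLL.
$LogName = 'Microsoft-Windows-CodeIntegrity/Operational'

function Get-SigningLevelViolations {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'did not meet the .+ signing level requirements' } |
        ForEach-Object {
            # Message shape quoted in the thread:
            # "... process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load
            #  \Device\HarddiskVolume3\Program Files\Bonjour\mdnsNSP.dll that did not meet the
            #  Microsoft signing level requirements."
            if ($_.Message -match 'process \((?<proc>[^)]+)\) attempted to load (?<dll>.+?) that did not meet the (?<level>.+?) signing level') {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    # Assumption: the volume is the system drive; adjust if you have several volumes.
                    Process = $Matches.proc -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
                    Dll     = $Matches.dll  -replace '^\\Device\\HarddiskVolume\d+', $env:SystemDrive
                    Level   = $Matches.level   # e.g. "Microsoft" or "Custom 3 / Antimalware"
                }
            }
        }
}

function Test-FlaggedDll {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Dll = $Path; Exists = $false }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    # A DLL outside Windows / Program Files (i.e. in a user-writable location) deserves more scrutiny.
    $trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    [pscustomobject]@{
        Dll          = $Path
        Exists       = $true
        SigStatus    = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject
        CertNotAfter = $sig.SignerCertificate.NotAfter   # the "expired certificate" findings show up here
        Sha256       = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        InTrustedDir = [bool]($trustedRoots | Where-Object { $Path.StartsWith($_, 'OrdinalIgnoreCase') })
    }
}

Get-SigningLevelViolations | Sort-Object Dll -Unique | ForEach-Object { Test-FlaggedDll -Path $_.Dll } | Format-List
```

Run it from an elevated PowerShell; a HashMismatch status or a flagged DLL in a user-writable directory is the result worth following up, while Valid with a known vendor signer usually points at the OEM/driver mismatch discussed above rather than tampering.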

This is where being multi-lingual is truly beneficial. Make that phrase a combination of words from three or four different languages and I’m guessing it has to be handed over to the linguist department at NSA/GCHQ to break it.


Yeah, unfortunately there are some hacked (with backdoors) versions of the Bonjour software out there.

Though in this case there is an easy fix which is to do a “repair” on your iTunes install. It always replaces the core iTunes stack including Bonjour with the current versions on Apple’s servers and the associated DLLs for things like connecting an old iPod as well.

Though I think at this point the only way you are going to get peace of mind is to reformat and clean install. Otherwise it’s death by a 1000 cuts, or at least it will feel that way.

Yeah I was having a last go at doing a truly offline scan. Rebooted Win11 in Safe Mode with Networking. Found out it doesn’t support the SLS wifi adapter. Seriously? Found out it doesn’t support the Lenovo TB3 dock ethernet adapter. Geez. Found out it doesn’t support a USB-C bare bones network adapter. Come on!

Next I was trying a scan off USB, but I’m having a hell of a time figuring out how to boot from USB on an SLS.

It’s all just suspicious enough to keep me on edge. Nothing has explicitly detected anything new, but trying to run the Eset scanner (sometimes does get past the initial screen) I get this error:

A security setting is preventing this driver from loading

Allegedly this is part of the rootkit detection components of ESET. An admin on the ESET forum states “The driver is necessary for detection of active rootkits. We do not know the cause of the error, something is preventing the driver from being loaded.” Yay.

Does anyone (or rather, @Desertlap , do you) know of a tool that can be run fully online without requiring an online database update? I can’t run the ESET online scanner (duh) in Win11 safe mode because it insists on checking for a database update, and my safe mode doesn’t give me network connectivity.

Interestingly there is exactly one guy on the entire internet that has the same thing happen, down to Safe Mode not providing networking. Microsoft bug or fancy hack?

Sorry @JoeS I’m not aware of anything that can do an effective job, completely standalone without pulling down updated threat definition etc. It’s a sad case that they are now so numerous and frequent that it seems that’s the only way to keep pace.

And I realize that getting the SSD out of the system and connected to another device is a PITA, but that’s the only option I can think of short of just reformatting and clean reinstall.

And it certainly does appear that guy did get got by the same type of potential malware that you are looking for.

BTW, more generally, this type of attack seems to be more often targeted at business users than the general public.

The point here is that the majority of our business customers for example have policies that forbid their users from talking about things like this in public forums, because of possible negative business impacts, so just because you seem to be alone or nearly so doesn’t necessarily mean that more aren’t affected as well. After all the fact that it looked familiar to me should indicate that it did because we’ve seen similar elsewhere.


Back to the broader topic of security, this is a potentially big issue, though so far not widespread, but has the potential to be if companies don’t start taking this more seriously.

One of our security consultants is a white hat hacker and he has repeatedly shown both T-Mobile and Verizon multiple serious flaws and holes in their home Internet via 5G products, and their “lack of concern” is alarming in his opinion.

A lot of the comments on the article complain that the issue is not so much with 5G, but rather that it helps reach IoT devices with bad security, at least that’s what I got from the comments.

Warning: long post coming up. If Dale is going overboard with swapping devices, I guess I’ll be the user going overboard with security concerns…

Meanwhile I’m still in my self inflicted security freakout. Feel free to ignore and/or see it as entertainment. :grimacing:


What I tried:

Tried to make an ESET SysRescue disk to scan before booting Windows. Did this on a separate system, making a bootable disk using Rufus based on a .img file with the rescue software on it. Seemed to go fine. Spent way too long to figure out how to boot from USB on an SLS.

[before doing any of this, make sure that you know how to locate your bitlocker recovery key, the system will ask for it after having disabled and reenabled secure boot]

To boot the Surface Laptop Studio from USB:

  • turn machine off
  • hold volume up (button, make sure Fn is not activated), press power until logo appears, release
  • wait for UEFI menu.
  • disable secure boot (right? otherwise it won’t even look at the USB stick)
  • plug in bootable USB-C stick
  • in UEFI go to boot order, swipe left on USB, get offered to exit and boot from USB

Incredibly this actually works (plus alarming red bar to indicate secure boot is off), except… after the boot attempt in tiny font I read “could not open “EFI\BOOT\fallback.efi” 14” or similar.

Redid the process of creating the bootable USB, tested it on the clean machine, and there it doesn’t show the error, although after choosing the rescue option no further UI shows, so I wasn’t able to test further. This same newly created USB gives the fallback.efi problem when used on the suspect SLS.

I mean if this is a virus causing all this, hats off to the hackers! Right? Because to stop the USB stick from being used to boot, some kind of code would have to run interference from the UEFI environment before even booting Windows (or unlocking the drive). That would be impressive.

BTW it seems like I only struggle with ESET. The ESET online scanner has this weird issue with shutting down after a few seconds, and now the issue with the rescue disk. MalwareBytes says I’m OK, Defender says I’m OK other than two files with expired certificate, Microsoft Safety Scanner says I’m fine.

I briefly started the process of running Kaspersky (going as far as clicking OK on the UAC dialog - whoops), but man, seeing “Moscow” in the terms and conditions gives me pause. Terminated app, did not run scan.

Also looked at Sophos HitManPro. Interesting, seems like they have a way to instantly verify whether a gmail address is real. Declined my fake ones, approved the real one, without any other user interaction. Is this a service google offers? HitManPro starts with a huuuuge list of terms and conditions, seems like all your data is fair game. I hope I’m misreading. Did run it though… HitManPro also found ‘suspicious’ files (same expired certs), but nothing else.

I also installed nirsoft’s FullEventLogView. Nirsoft has been one of the good guys for decades, although there’s always a risk that they’re bought by someone less trustworthy. Either way, if you ever want a heart attack, scroll through all log lines generated. The app shows a linear list of all log entries from the event viewer, so you don’t have to open ten folders (or create a custom view) to see what happened in the last five minutes. Based on the stream of entries you’d think this system was on its last legs. Looked many issues up online, some seem annoyingly unique, many others known and deemed harmless. It’s the rabbit hole of all rabbit holes. :cold_sweat:


What’s next

Homework: run FullEventLogView on a “healthy” system and see if it looks equally alarming. If so, maybe Win11 is just somewhat broken, and having all those alerts in the Event Log is normal. Here’s hoping.

Final steps, when I have more time I will crack open my SLS, take out the SSD, put it in an external drive case, and investigate it from a fully up-to-date known good machine. If I don’t find anything that way, uhm… well, what then? If the answer is “clean install anyway”, why even go through the trouble of scanning the SSD?

Side note, when I shut down the SLS, I hear a faint “beep boop” (two-tone PC speaker type bleeps). Is this a known indication of anything? It happens twice per shutdown, say two seconds apart. I swear I’m not going that crazy, the two-tone beep really happens. Thoughts?

So easiest thing first. Your Studio is doing something similar to what my Pro 8 does and which I posted about I think in the Pro 8 thread on the old board, which was that mine “chirped”.

Apparently all of the Surface devices with 11th gen Core I do this, though I’ve never gotten a complete explanation as to why, it seems to be a leftover of development work on the firmware for 11th gen core I devices. The 5 SLS systems we have in the office all do what you describe, though it’s quiet enough that most don’t hear it until it’s pointed out to them.

The Surface Laptop also makes something like a quiet “thwack” under the same scenario…

So back to the topic at hand, I think I said quite a while back that though I think there was most definitely an attempt to hack into your system, I also believed (and still do) that it was ultimately unsuccessful.

The question is if you can be satisfied with that. Speaking for myself, I’d be fine with a clean scan report on a known good system.

PS: Full event log view is a helpful tool, but you aren’t the first to get paranoid about the output as it catches tons of non dangerous stuff as well, that more often than not, is down to bugs in code as much as anything. In other words, if there was a real remaining issue, it’d be obvious in it.


Rationally I agree, and I acknowledge that I’m likely diving down a rabbit hole (see what I did there) for no good reason. If I do continue with my paranoia I’ll post here so others may learn from my mistakes. :slight_smile: I don’t want to admit how long it took until I figured out how to boot from USB. :grin:


Bug or feature?