Suspected BIOS malware

Hi,
I have a DELL Inspiron 5557, and late last year I decided to install Zorin OS on it. But before the installation, I was having some trouble with a DELL BIOS update and couldn't boot my laptop. I then turned to the DELL forum, and a user suggested a CUSTOM BIOS from a Google Drive to downgrade the system to BIOS version 1.2.3 and get it running again. Although I was a little concerned, in a hurry I decided to try it, flashed it, and it worked.

Recently, checking my files, I found the .exe of this custom BIOS and, worrying about it again, searched for a way to verify it. I found virustotal.com, which produced the report in the link below. Although the .exe file doesn't appear malicious to any database, it is recorded as having contacted malicious IP addresses (13.107.4.52, 131.253.33.203, 23.216.147.64). I have since installed the DELL BIOS version 1.3.2 over the custom one, using a pen drive, and scanned my PC for malware using ClamAV, which didn't find anything.

Is there anything else I can do to make sure that my pc and BIOS are safe?

Looking at the IP addresses that you list:

  • 13.107.4.52
    13.107.4.52 is an IP address located in Redmond, Washington, US that is assigned to Microsoft Azure (ASN: 8068). As this IP address is located in Redmond, it follows the "America/Los_Angeles" timezone.
    This IP address (13.107.4.52) is a proxy connection and is NOT associated with any recent SPAM blacklist activity or abusive behavior. IPQS proxy detection scoring has identified 13.107.4.52 as a VPN connection. IPQS fraud scoring algorithms have rated this IP address as suspicious, scoring 70 out of 100. Connections from this IP address may require additional scrutiny and verification.

  • 131.253.33.203
    131.253.33.203 (a-0003.dc-msedge.net) is an IP address located in Redmond, Washington, US that is assigned to Microsoft Corporation (ASN: 8068). As this IP address is located in Redmond, it follows the "America/Los_Angeles" timezone. The IP Reputation for 131.253.33.203 is rated as high risk and frequently allows IP tunneling for malicious behavior.

Both of the above are Microsoft - the second address deals with TPM, which MS uses to access users' computers. It is why many of us recommend that TPM be turned off.

  • 23.216.147.64
    23.216.147.64 (a23-216-147-64.deploy.static.akamaitechnologies.com) is an IP address located in Seattle, Washington, US that is assigned to Akamai Technologies (ASN: 20940). As this IP address is located in Seattle, it follows the "America/Los_Angeles" timezone.
    This IP address (23.216.147.64) is a proxy connection and is NOT associated with any recent SPAM blacklist activity or abusive behavior. IPQS proxy detection scoring has identified 23.216.147.64 as a VPN connection. IPQS fraud scoring algorithms have rated this IP address as suspicious, scoring 65 out of 100. Connections from this IP address may require additional scrutiny and verification.

This last one is Akamai Technologies which, while I cannot vouch for their trustworthiness, is a company associated with Microsoft, not a private entity hacking in.

I find it unsurprising that Microsoft associated addresses would be potential Spam or Tunneling. We are all mostly aware that Microsoft is keen on getting user data that they can sell.
However, it does not look like the file you used to handle your BIOS was malware, any more than anything you would get directly from Microsoft.


Good reason to give Linux a try.


As @Aravisian pointed out, those IPs are associated with Microsoft and Akamai; Akamai handles telemetry for Microsoft. A BIOS would reach out to these most likely to verify the hardware key for Windows activation, and to gather hardware/system information, including IP, for census.

But as you got the BIOS from a suspect source, you can find an older BIOS revision on Dell's website and do a BIOS recovery, not an upgrade*; this will wipe and rewrite the BIOS as an extra precaution.


Thank you very much for the reply. This issue is making me lose my sleep.

My main worry is that 13.107.4.52, for example, is related to Microsoft Azure, which, as stated by some comments in the VirusTotal comment section, could be used by a customer account, not exactly Microsoft. In the most recent comment there, it says:

This is a rootkit. DNA tracers.
ROOTKIT USES EVASION TECHNIQUES to jump and attach itself to different executables.
Look for executables listed as 'suspended' in your task list / manager. That is where they hide themselves.
##############################
VirusTotal
498760eb880b550c408a5204bfec1775a161bc4781828cae84626298b90200b3
##########################
infected file | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"
hash | 9d3a27ff69f7a4aeff78806d21119b44c5072e7d0b260507326398b17b563e6c
related ip | 20.82.210.154
#############################
hash of infected file | 'settings.exe'= 109c459b6f1077ec96439864396f4ab8e710fb5ec6cab09793a4b5324f2b157f
related ip's | 13.107.4.50 192.168.0.26 23.216.147.64
#############################
hash of infected file | 'settings.exe'= 109c459b6f1077ec96439864396f4ab8e710fb5ec6cab09793a4b5324f2b157f
related ip's | 13.107.4.50 192.168.0.26 23.216.147.64
##########################
infected file | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"
hash | 9d3a27ff69f7a4aeff78806d21119b44c5072e7d0b260507326398b17b563e6c
related ip | 20.82.210.154
#########################
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy
"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.22022.147.0_x64__8wekyb3d8bbwe"
####MALICIOUS RUNTIME BROKER
"C:\Windows\System32\RuntimeBroker.exe"
###################

Also, the Communicating Files in the 13.107.4.52 relation section, indicates a lot of malicious files related to this IP address.

Some of the Dropped Files in the File relation section are marked as malicious or unknown.

Considering this scenario, a rootkit or other kind of malware, would just flashing an official version of the BIOS over the custom one, as I did, be enough? Could it have infected my SSD or other devices I connected to the laptop?

An inevitability of the internet is that it is very common to come across a lot of people that feel the need to validate themselves by trying to say they are "smarter than the average bear". Often they push ideas that they know the average person cannot easily verify in five minutes worth of time like "The Moon landings were faaaaaked!"
Yes, we really did land on the Moon back in 1969. But by sowing confusion and making it look like they can "see through" the curtain of "lies", they validate the idea that they are Unique and Special and Better than Average.
And this applies to people claiming Viruses and rootkits and whatnot.

What matters most for peace of mind is evidence.
Evidence talks louder than even the loudest loudmouth.

On Zorin OS (Or other distro), you can install and run a Rootkit Hunter if you need a bit of personal reassurance:

If it is not finding actual bona fide malicious software... then you really can lay some fears to rest.

Needless to say, if you are not using Windows, you already are much, much safer. Even if there is a malicious file on that server (which I have not seen actual evidence of... someone feeling that the invasive techniques employed by Microsoft count as "malicious" is something that I fully support, but it is not a malicious foreign actor), then it clearly is written for Windows, not Linux, and would be like a person getting a silicon-based virus. Sounds scary, but it would be completely incompatible with the system and unable to do its viral dastardly deeds.

I am a protective person by nature (guardian type personality) and if I had any thought you were in danger, I would already have been all over it like a dog on a three legged cat. A fat cat. Covered in bar-b-q sauce.
Reading the comments, most everything I noted was "Ack! I do not know what this is so I assume it is the worst possible Computer disease you can get. Prove me wrong!"
It doesn't really bear much merit...

If you prefer safe rather than sorry, you can re-flash your BIOS. But if you are not actually finding a rootkit or a virus... it probably is not worth the trouble - or the lost sleep.


Just out of curiosity, how has this anything to do with Zorin OS or Linux in general?
Seems like it affects Windows only.


It affects the PC because, if the computer was initially enrolled with Intune, it is possible it will phone home to Redmond from firmware/EFI even if you install Linux. While I'm no expert, at a previous temp job I deployed some big-brother-type policies using DFCI to enrolled company laptops; these remotely update and change UEFI/firmware and can even trigger devices to ping as stolen after a hard drive wipe or swap. Once enabled in the BIOS, these systems are forever active, so even if released by the organization the device will always check to see if it is lost or stolen. It's similar to Computrace, Intel Anti-Theft, and Absolute.

Which may mean even a full BIOS recovery may not 'fix' the issue.

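A concrete way to check, from the Linux side, the firmware state this post is talking about after a re-flash. The script below is an added example (not from the thread, and not Dell's, Microsoft's or Absolute's code): it reads the sysfs and efivarfs paths a stock Linux kernel exposes and reports the BIOS version string (to confirm the re-flash actually took), the UEFI SecureBoot and SetupMode variables, and whether the firmware publishes a WPBT ACPI table, which is the mechanism Computrace/Absolute-style agents use to have Windows run a firmware-supplied binary at boot regardless of what is on the disk. The `build_sample_root` tree, its BIOS strings and its date are constructed test data, not readings from a real machine; the EFI GUID and path names are the real ones.

```python
#!/usr/bin/env python3
"""Post-reflash firmware checks from Linux (added example, not from the thread).

Reads the sysfs/efivarfs paths a stock Linux kernel exposes and reports the
BIOS version, Secure Boot state and whether a WPBT table is present. A root
argument lets it run against a constructed fake tree for testing.
"""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# EFI_GLOBAL_VARIABLE GUID from the UEFI spec (real value); SecureBoot and
# SetupMode live under it in efivarfs.
EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def _read_text(path: Path) -> Optional[str]:
    try:
        return path.read_text(errors="replace").strip()
    except OSError:
        return None


def read_efivar_byte(root: Path, name: str) -> Optional[int]:
    """efivarfs files are 4 attribute bytes followed by the variable data;
    SecureBoot and SetupMode are one-byte variables, so data[0] is byte 4."""
    path = root / "sys/firmware/efi/efivars" / f"{name}-{EFI_GLOBAL_GUID}"
    try:
        raw = path.read_bytes()
    except OSError:
        return None
    return raw[4] if len(raw) >= 5 else None


def check_firmware(root="/") -> Dict[str, object]:
    root = Path(root)
    dmi = root / "sys/class/dmi/id"
    tables = root / "sys/firmware/acpi/tables"
    return {
        "bios_vendor": _read_text(dmi / "bios_vendor"),
        "bios_version": _read_text(dmi / "bios_version"),
        "bios_date": _read_text(dmi / "bios_date"),
        "secure_boot": read_efivar_byte(root, "SecureBoot") == 1,
        "setup_mode": read_efivar_byte(root, "SetupMode") == 1,
        # WPBT: the ACPI table through which firmware hands Windows a binary to
        # run at boot (how Computrace/Absolute-style agents survive a disk wipe).
        # Linux ignores it, but its presence shows the firmware ships a payload.
        "wpbt_present": (tables / "WPBT").exists(),
    }


def flag_findings(f: Dict[str, object]) -> List[str]:
    warnings = []
    if f["wpbt_present"]:
        warnings.append("WPBT present: firmware injects a Windows boot-time binary")
    if not f["secure_boot"]:
        warnings.append("Secure Boot off: bootloader/kernel signatures are not checked")
    if f["setup_mode"]:
        warnings.append("SetupMode=1: no Platform Key enrolled, Secure Boot cannot enforce")
    return warnings


def build_sample_root(base: Optional[str] = None) -> Path:
    """Constructed fake sysfs tree (sample data, not a real machine): Dell BIOS
    1.3.2, Secure Boot off, user mode (SetupMode=0), WPBT table present."""
    root = Path(base or tempfile.mkdtemp())
    dmi = root / "sys/class/dmi/id"
    efivars = root / "sys/firmware/efi/efivars"
    tables = root / "sys/firmware/acpi/tables"
    for d in (dmi, efivars, tables):
        d.mkdir(parents=True, exist_ok=True)
    (dmi / "bios_vendor").write_text("Dell Inc.\n")
    (dmi / "bios_version").write_text("1.3.2\n")
    (dmi / "bios_date").write_text("01/01/2000\n")  # placeholder date
    attrs = b"\x06\x00\x00\x00"  # BS|RT attribute word, as efivarfs stores it
    (efivars / f"SecureBoot-{EFI_GLOBAL_GUID}").write_bytes(attrs + b"\x00")
    (efivars / f"SetupMode-{EFI_GLOBAL_GUID}").write_bytes(attrs + b"\x00")
    (tables / "WPBT").write_bytes(b"WPBT" + b"\x00" * 32)  # header only
    return root


if __name__ == "__main__":
    # Run against the constructed tree; pass "/" (as root) for the live machine.
    findings = check_firmware(build_sample_root())
    for key, value in findings.items():
        print(f"{key}: {value}")
    for warning in flag_findings(findings):
        print("WARNING:", warning)
```

On a live system run it as root with `check_firmware("/")`; compare `bios_version` with the version you flashed, and treat a WPBT table as something to ask Dell about rather than something a re-flash from the same vendor package will remove.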

@Aravisian,
Thank you again for the patience and help. Having calmed down, and inspired by your post, I decided to search a little more about this issue. I downloaded all the BIOS versions from the Dell support site and sent each one to VirusTotal.

Here is the report for each one of them:

Inspiron_5457_1.3.2.exe

Inspiron_5457_1.4.1.exe

Inspiron_5457_1.6.0.exe

Inspiron_5457_1.9.0.exe

And the customized one

Versions 1.3.2 and 1.4.1 have no related IP addresses. Related IP addresses only appear in versions 1.6.0 and 1.9.0. Version 1.9.0 connects to several IP addresses plus the same 3 IP addresses that the custom one connects to, corroborating the information you and @seanhinkley shared. So, I re-flashed my BIOS anyway, and disabled both TPM and Secure Boot, as suggested in other posts.

I apologize if I got off-topic with the forum's purpose, and I really appreciate the help. The least I could do was share the little information I could gather above. Hope this post at least serves as an example of the invasive techniques employed by Microsoft, and of the privacy, security and good community of Linux distros.

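As an added example (not from the post, and not Dell's or VirusTotal's code), the script below does the two checks the post above did by hand, in a form that can be repeated for every package: it hashes a downloaded installer and compares it with the SHA-256 the vendor prints beside the download, and it reads a VirusTotal report from the engine verdicts (`last_analysis_stats`) and the Authenticode `signature_info` block rather than from the "contacted IPs" list, which records sandbox behaviour of the installer (or of the Windows VM running it) and is not a verdict. It also diffs the contacted-IP set of the custom package against the contacts of the official packages, which is the comparison the post makes. The report dicts are constructed to follow the VirusTotal v3 `/files/{hash}` and `/files/{hash}/contacted_ips` response shapes; the three IPs and their owners are the ones named in the thread, while the per-IP detection counts, the 203.0.113.x "other" addresses, the sample installer and its hash are made up for the example.

```python
#!/usr/bin/env python3
"""Hash-verify a BIOS installer and read a VirusTotal v3 report by verdict,
not by 'contacted IPs'. Added example; all sample data is constructed."""
import hashlib
import hmac
import tempfile
from typing import Dict, Iterable, Set


def sha256_file(path: str) -> str:
    """Stream the file: firmware packages are several MB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(path: str, expected_hex: str) -> bool:
    """Compare against the SHA-256 the vendor prints on the download page."""
    return hmac.compare_digest(sha256_file(path), expected_hex.strip().lower())


def summarize_file_report(report: Dict) -> Dict:
    """Reduce a v3 /files/{hash} report to what decides the verdict:
    engine counts and (for PE files) the Authenticode signer."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    engines = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    sig = attrs.get("signature_info", {})
    return {"sha256": attrs.get("sha256"),
            "malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0),
            "engines": engines,
            "signed_by": sig.get("signers") if sig.get("verified") == "Signed" else None}


def contacted_ips(relationship: Dict) -> Dict[str, Dict]:
    """IP -> owner and that IP's own detection count. Contacts are sandbox
    behaviour of the sample (or of the Windows VM under it); an IP's detections
    come from other samples and say nothing about this file by themselves."""
    out = {}
    for item in relationship.get("data", []):
        a = item.get("attributes", {})
        out[item["id"]] = {"owner": a.get("as_owner"),
                           "ip_malicious": a.get("last_analysis_stats", {}).get("malicious", 0)}
    return out


def novel_contacts(custom: Iterable[str], official: Iterable[str]) -> Set[str]:
    """Contacts of the suspect package that no official package makes; shared
    ones are explained by the vendor tooling or the OS, not by the modification."""
    return set(custom) - set(official)


def verdict(summary: Dict, novel: Set[str]) -> str:
    if summary["malicious"] > 0:
        return "FLAGGED: %d/%d engines detect this file" % (summary["malicious"], summary["engines"])
    sig = ("signed by " + summary["signed_by"]) if summary["signed_by"] else "not Authenticode-signed"
    if novel:
        return "CLEAN BY ENGINES; %s; contacts absent from official packages: %s" % (sig, sorted(novel))
    return "CLEAN BY ENGINES; %s; contacts match official packages" % sig


def make_sample_installer(content: bytes = b"abc") -> str:
    """Constructed stand-in for a downloaded .exe (real packages are large)."""
    with tempfile.NamedTemporaryFile("wb", suffix=".exe", delete=False) as f:
        f.write(content)
        return f.name


# Constructed: the hash a vendor page would print for the sample installer.
VENDOR_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Constructed v3-shaped report: 0 detections and no signature_info block,
# which is what an unsigned, repacked installer looks like.
SAMPLE_REPORT = {"data": {"type": "file", "attributes": {
    "sha256": VENDOR_SHA256,
    "last_analysis_stats": {"harmless": 0, "malicious": 0, "suspicious": 0,
                            "undetected": 62, "timeout": 0}}}}

# Constructed contacted_ips relationship: IPs/owners as named in the thread,
# per-IP detection counts invented for the example.
SAMPLE_CONTACTS = {"data": [
    {"id": "13.107.4.52", "attributes": {"as_owner": "Microsoft Azure",
                                         "last_analysis_stats": {"malicious": 1}}},
    {"id": "131.253.33.203", "attributes": {"as_owner": "Microsoft Corporation",
                                            "last_analysis_stats": {"malicious": 0}}},
    {"id": "23.216.147.64", "attributes": {"as_owner": "Akamai Technologies",
                                           "last_analysis_stats": {"malicious": 0}}}]}

# Contacts of an official package: the three above plus documentation-range
# placeholders for the 'several other' addresses the post mentions.
OFFICIAL_CONTACTS = {"13.107.4.52", "131.253.33.203", "23.216.147.64",
                     "203.0.113.10", "203.0.113.11"}


if __name__ == "__main__":
    path = make_sample_installer()
    print("vendor hash matches:", hash_matches(path, VENDOR_SHA256))
    summary = summarize_file_report(SAMPLE_REPORT)
    novel = novel_contacts(contacted_ips(SAMPLE_CONTACTS), OFFICIAL_CONTACTS)
    print(verdict(summary, novel))  # a modded package has no vendor hash to check
```

The hash check is the one that actually answers "is this the file Dell shipped"; a modified package fails it by definition, which is the whole problem with a Google Drive BIOS, and no VirusTotal verdict substitutes for that.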

It isn't really the scope of the forum and, if need be, that fact can be utilized. But in general, I personally think that it is perfectly acceptable to stray into the surrounding fields from time to time.
The forum is not so hopping-busy that it cannot devote time to a little bit of Off-Topic discussion.
And a little off-topic banter can help members interact - which encourages being helpful and willing to step up.


Bro, this comment just made literally every PC problem I've suspected my system of having in the last 4 months click, you have no idea. I had heavy suspicions of an infection but am not incredibly well-versed in malware, though I have enough sense to know when a system isn't running properly, and mine hasn't been. Every file listed in the comment you quoted I have assumed was involved in some sort of rootkit affecting my system, but I had no way of knowing for sure or a clue how to get rid of one properly. Certainly I would know my system better than anyone prematurely judging my situation remotely.


File locations match the ones mentioned as well. So glad you posted this info even if it was just a comment from VT.

