Dell Shipped Server Motherboards With Spyware
Got a recently replaced Dell server motherboard? Time to run some scans.
Dell is warning its customers that it has shipped server motherboards that are infected with a spybot worm.
Specifically, the motherboards affected are the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and fortunately only the ones sent out as replacement parts, not the ones in systems fresh from the factory.
The Register received the following response from Dell:
“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers - PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.
This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.
Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.
FAIL
Epic fail
At least they admitted their mistake, and are making it right.
I'd be curious as to how the spyware even made its way onto the boards to begin with. Sounds like Dell needs to take a closer look at their vendors...
Then again, this is Dell we're talking about. "Meh, good enough" is practically their corporate policy.
At least they admitted their mistake, and are making it right.
I dunno, this may be too apologist for my taste. Not sure how this is an actual mistake; do they have a pile marked "good" and another marked "inexplicably loaded with malware" in their spares depots? As a couple folks have already pointed out, this simply has "FAIL" written all over it.
What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS; in either case Dell HAD to know the boards were bad.
What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS; in either case Dell HAD to know the boards were bad.
THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.
Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell. Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
Who has told you that they're not investigating this? Why should the results be public? Maybe they will be once they find something.
Who is on the other end of the telemetry feed is what I want to know?
Where are the boards being manufactured?
My guess is (speculation only) they are being made in China and this is more than likely a case of international corporate espionage.
At least they admitted their mistake, and are making it right.
True... but how long did it take for Dell to admit this problem?
OK fellow geeks, how could this have been anything other than a malicious action on someone's part? There is no way this was an accident and I am sure identifying the offending programmer is easy. So, what will Dell do next?
Also, think about the comments Dell made that non-Windows users won't be affected and Windows users only require updated AV programs to protect themselves. How do either of these protect against a firmware embedded malicious app?
Interesting situation Dell has created for itself.
If the motherboard is infected, then that means that it's in the BIOS itself and it is not a worm, but a RootKit, one which installs itself to the BIOS.
The RootKit writes itself to the empty spaces in the BIOS code, and depending on whether it's an older type RootKit or a newer type RootKit: the older type (v1) will just infect the BIOS, whereas the newer types will infect the BIOS and the MBR (v2), and the last type of which I am aware will also load itself into memory (v3).
Those are the developmental stages of each new variety of BIOS RootKit which Loads before the Operating system itself can even load, making it extremely difficult to detect and even to remove.
Video Cards can become infected very easily too once the motherboard BIOS becomes infected and even the firmware of Hard Drives can become infected. Anything which uses a Firmware/BIOS can be infected these days if it is networked and not secured.
When a Motherboard does become infected, the easiest way to remove the infection from the system and any other infections from your hard drives is to pull the drives and set them to one side, making sure to label which drive is which. The drives can be connected to another system as secondary drives and fully scanned with several choice pieces of software, then visually looked over with Windows Explorer so as to remove the majority of infections.
The Motherboard itself: you should be able to remove the BIOS chip from its socket, then use the CLR CMOS jumper to clear out anything that might remain behind. You should be able to order a new BIOS chip from the Motherboard Manufacturer or possibly some other company.
If the BIOS Chip is soldered on the Board, then chances are, you're SOL and you'll need to order a new motherboard.
Once you reconnect your drives and boot up the system, you'll still need to run a few scans so as to clear out any registry entries which could not be accessed while the drives were connected externally and maybe catch a few strays that may have been missed in the mean time.
Rootkits can contain worms, packet sniffers and other malicious baddies.
RootKits are only a small part of the whole and usually the RootKit is installed by a worm.
RootKits don't contain worms or anything else, what they do is to provide protection for other pieces of Malevolent software such as Worms, Viruses, Packet Sniffers, Spyware, FastFlux Proxy Networks, Spam Servers, and what ever else Malware Authors may harbor on your system.
After all, it's a Billion Dollar industry these days that's not tied to any one country. Instead, it's all Internet Mafia Gang related. Some are big time while others may be small fries.
lol. semantics. parse away.
Myself and 95% of the readers on this site know exactly what rootkits are.
But if flexing your epeen makes you feel better go right ahead.
Thanks for the info, I never heard of having to replace a MB to get rid of a virus. Couldn't you just rewrite the bios/flash it?
Not really trying to do anything here except add a little value to the article for those who may read it and not understand how a motherboard could become infected in the first place.
I am a member of the Security Community and offline, I deal with such issues as RootKits and Malware on a regular basis. Family and friends all say I'm the guy to go to when it comes to computer problems. Which can be a bit of an inconvenience when you have other things you may want to do at the time.
As to using the term RootKit, when it comes to the BIOS itself, this becomes more of an inaccurate term seeing as it loads before even the Operating System has a chance to begin to load. BootKit is a more accurate description.
Also, versions 2 & 3 tend to protect themselves by making it extremely difficult to remove the BootKit and any associated infections.
1 - Remove the BootKit with new BIOS chip but fail to clean the drive - BIOS becomes reinfected shortly after.
2 - Clean the Drive without replacing the BIOS chip - Drive becomes reinfected.
3 - Try doing a Clean installation of Windows - Drive still gets infected whether it be from the BIOS or from memory.
I see. You gave good info just came across the wrong way I guess.
I used to be the Information Assurance security officer for an Army installation although that was some time ago. Now I am relegated to the simple tasks of Sys admin. for a large corporation. Much more relaxing.
Thanks for the info, I never heard of having to replace a MB to get rid of a virus. Couldn't you just rewrite the bios/flash it?
The BIOS is what controls the motherboard, hence your computer. So whatever you try to boot from, the BootKit is going to load first and it will protect itself. This is why a socketed BIOS chip is important. But there is also the option to password protect your BIOS too, which will protect your BIOS providing you use a strong password which can't be attacked and you don't lose the password for when you need to get into your BIOS.
Some of the newer boards which have multiple flash options such as the ASUS or GigaByte motherboards, I honestly don't know. I'd say it all depends on what protections they have in place to protect the backup flash, along with whatever else they have there, would be the determining factors. Cause if anything were to get through, especially when you try to restore a previous BIOS stored on the motherboard, then the motherboard would become toast.
So it would be very important to check out the BIOS backup and protection features before making a purchase. A BIOS chip socket is always a plus.
Ohh, Dell tried to spy on its customers.
Epic fail
They might have deserved a "fail" comment but "epic fail" should be reserved for such things as the iPhone 4 and DRM.
Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
Weren't those i7's actually just counterfeit boxes with no working CPU inside?
As for this issue, it certainly wasn't some misstep but something more intentional in their supply line. This is far beyond a few poor lifetime transformers.
Then again, this is Dell we're talking about. "Meh, good enough" is practically their corporate policy.
Nice.
Thanks for the info I will turn on my password for my bios. Can anyone also describe how a virus would infect the firmware on a hard drive? Also from experience with security related things in the past rootkits can be invisible to AV scanners so they would be hard to detect, but how would you detect a bios infection or a firmware infection? I know there are tools that scan for rootkits, but never heard of a bios scanner?
At least they admitted their mistake, and are making it right.
Unlike Apple! :-)
Generally, with RootKits and BootKits, it takes an experienced person to notice the signs or even to suspect that the system may be infected with one. You develop a feel for what you are doing and you learn what to look for in the logs of the programs you use to find and remove any Malware & such.
Because these items usually will do whatever it takes to hide themselves from being noticed, and BootKits load before the Operating system itself. But there are tools out there which can be used to detect signs of RootKits.
BIOS infections can cause problems accessing the BIOS itself, it can cause video problems before Windows loads up and there are other signs too which may or may not be present depending on the variant.
Plus one of the biggest things is you get your system completely cleaned of any infections including any RootKits (not knowing of the BIOS infection), then next thing you know, shortly after your system is connected to your Broadband modem, it's infected again without your even doing anything except leaving it turned on for a few hours.
What happens is the BootKit will notice the MBR RootKit (and possibly the memory-resident one too) is missing, so it'll connect online to download a new downloader module, which in turn will download the RootKit and any other Malware Modules which were removed.
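The question a few posts up (how would you detect a BIOS or firmware infection, given that there is no "BIOS scanner"?) and the earlier description of a rootkit writing itself into the empty spaces of the BIOS image are what this added example addresses. It is not code from the original thread, from Dell, or from any vendor tool. It assumes you already hold two images for the same board revision: a dump read from the flash chip (with a hardware SPI programmer, or a tool such as flashrom) and the vendor's clean image from the BIOS update package. It compares them block by block and separately flags blocks that the clean image leaves as erased flash (all 0xFF) but that the dump has written into. The two images below are constructed toy data, and the 4 KiB block size is an assumption.

```python
"""Block-level comparison of a dumped firmware image against a known-good one.

Added example; the images built here are constructed test data, not real
BIOS dumps, and BLOCK_SIZE is an assumption (4 KiB is a common SPI erase
block, but use whatever your part's datasheet says).
"""
import hashlib

BLOCK_SIZE = 4096   # assumed erase-block granularity
PAD = 0xFF          # erased NOR flash reads back as 0xFF


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 of each block so that two images can be compared per block."""
    return [hashlib.sha256(image[i:i + block_size]).hexdigest()
            for i in range(0, len(image), block_size)]


def whole_image_differs(reference: bytes, dumped: bytes) -> bool:
    """A single hash tells you *that* the image changed, not *where*."""
    return hashlib.sha256(reference).digest() != hashlib.sha256(dumped).digest()


def modified_blocks(reference: bytes, dumped: bytes,
                    block_size: int = BLOCK_SIZE) -> list:
    """Byte offsets of every block whose contents differ from the reference."""
    if len(reference) != len(dumped):
        raise ValueError("image sizes differ: %d vs %d"
                         % (len(reference), len(dumped)))
    ref = block_hashes(reference, block_size)
    dmp = block_hashes(dumped, block_size)
    return [i * block_size for i, (a, b) in enumerate(zip(ref, dmp)) if a != b]


def filled_padding(reference: bytes, dumped: bytes,
                   block_size: int = BLOCK_SIZE) -> list:
    """Offsets of blocks that are erased (all 0xFF) in the clean image but hold
    data in the dump: something has been written into free flash space."""
    hits = []
    for off in range(0, len(reference), block_size):
        ref_blk = reference[off:off + block_size]
        dmp_blk = dumped[off:off + block_size]
        ref_empty = ref_blk.count(PAD) == len(ref_blk)
        dmp_empty = dmp_blk.count(PAD) == len(dmp_blk)
        if ref_empty and not dmp_empty:
            hits.append(off)
    return hits


def audit(reference: bytes, dumped: bytes) -> dict:
    """Summarise both checks in one report."""
    return {
        "image_differs": whole_image_differs(reference, dumped),
        "modified_blocks": modified_blocks(reference, dumped),
        "filled_padding": filled_padding(reference, dumped),
    }


def build_sample_images():
    """Constructed sample: 8 blocks, of which 0-4 carry 'code' (a repeating
    byte pattern) and 5-7 are erased padding.  The 'dump' has four bytes in
    block 2 patched and 512 bytes of data written into padding block 6."""
    code_block = bytes(range(256)) * (BLOCK_SIZE // 256)
    reference = code_block * 5 + bytes([PAD]) * (BLOCK_SIZE * 3)

    dumped = bytearray(reference)
    patch_at = 2 * BLOCK_SIZE + 100
    dumped[patch_at:patch_at + 4] = b"\xEB\xFE\x90\x90"   # constructed patch
    stash_at = 6 * BLOCK_SIZE
    dumped[stash_at:stash_at + 512] = b"\x00" * 512       # constructed payload
    return reference, bytes(dumped)


if __name__ == "__main__":
    ref, dmp = build_sample_images()
    report = audit(ref, dmp)
    print("image differs:   ", report["image_differs"])
    print("modified blocks: ", [hex(o) for o in report["modified_blocks"]])
    print("filled padding:  ", [hex(o) for o in report["filled_padding"]])
```

Two caveats for real use. First, a dump of a live system will legitimately differ from the vendor image in regions that are meant to change at runtime (NVRAM variables, event logs, a management-engine region), so restrict the comparison to the code regions of the layout or expect noise there; a block that changed inside the boot code, or a formerly erased block that now holds data, is the finding worth looking at. Second, as the thread notes, a compromised BIOS can lie to anything that reads the flash through it, so read the chip with an external programmer rather than trusting a software dump from the suspect machine.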
Seriously Dell? Do they just ship these out and when they get a complaint go "oops, my bad"?
common answer to dodge bullet:
It doesn't come from us it's 3rd party... (google)
How in god's name do you manage to do this?
It would be very important to check out the BIOS backup and protection features before making a purchase.
Extremely important, you may only flash your bios once, but if that one time gets interrupted -- bye bye computer; if the motherboard doesn't feature a proper BIOS recovery mode, then your fancy laptop becomes a brick.
From Digital Trends report:
“Systems running non-Windows operating systems are not vulnerable to this malware and this issue is not present on motherboards shipped new with PowerEdge systems.”
Also note that the system management firmware is the carrier, not the BIOS. Most high-end server systems have separate subsystems for updating the BIOS, checking power supply and fan status, and resetting boot passwords using a separate out-of-band connection like another network cable or even RS-232 serial ports.