
Dell Shipped Server Motherboards With Spyware

Source: Tom's Hardware US | 41 comments

Got a recently replaced Dell server motherboard? Time to run some scans.

Dell is warning its customers that it has shipped server motherboards that are infected with a spybot worm.

Specifically, the affected motherboards are for the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410. Fortunately, only boards sent out as replacements are affected, not those in systems fresh from the factory.

The Register received the following response from Dell:

“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers - PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.

This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.

Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Comments
  • 15
    dan117, July 23, 2010 11:10 AM
    FAIL
  • -6
    back_by_demand, July 23, 2010 11:11 AM
    Epic fail
  • 24
    halls, July 23, 2010 11:38 AM
    At least they admitted their mistake, and are making it right.
  • 23
    jazz84, July 23, 2010 11:43 AM
    I'd be curious as to how the spyware even made its way onto the boards to begin with. Sounds like Dell needs to take a closer look at their vendors...

    Then again, this is Dell we're talking about. "Meh, good enough" is practically their corporate policy.
  • 3
    jazz84, July 23, 2010 11:45 AM
    halls wrote: At least they admitted their mistake, and are making it right.

    I dunno, this may be too apologist for my taste. Not sure how this is an actual mistake; do they have a pile marked "good" and another marked "inexplicably loaded with malware" in their spares depots? As a couple folks have already pointed out, this simply has "FAIL" written all over it.
  • 4
    warfart1, July 23, 2010 11:52 AM
    What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS, in either case Dell HAD to know the boards were bad.
  • 2
    jazz84, July 23, 2010 12:05 PM
    warfart1 wrote: What I want to know is how spyware is running off a motherboard. There is either a dedicated ROM chip for the bot to run off of, or there is an infected BIOS, in either case Dell HAD to know the boards were bad.

    THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.

    Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
  • 0
    excalibur1814, July 23, 2010 12:17 PM
    jazz84 wrote: THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell. Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...

    Who has told you that they're not investigating this? Why should the results be public? Maybe they will be once they find something.


  • 6
    sirmorluk, July 23, 2010 12:32 PM
    Who is on the other end of the telemetry feed is what I want to know?
    Where are the boards being manufactured?
    My guess is (speculation only) they are being made in China and this is more than likely a case of international corporate espionage.
  • 0
    j51, July 23, 2010 1:12 PM
    halls wrote: At least they admitted their mistake, and are making it right.

    True... but how long did it take for Dell to admit this problem?
  • 0
    COLGeek, July 23, 2010 1:27 PM
    OK fellow geeks, how could this have been anything other than a malicious action on someone's part? There is no way this was an accident and I am sure identifying the offending programmer is easy. So, what will Dell do next?

    Also, think about the comments Dell made that non-Windows users won't be affected and Windows users only require updated AV programs to protect themselves. How do either of these protect against a firmware embedded malicious app?

    Interesting situation Dell has created for itself.
  • 2
    Anonymous, July 23, 2010 1:30 PM
    If the motherboard is infected, then that means that it's in the BIOS itself and it is not a worm, but a RootKit, one which installs itself to the BIOS.

    The RootKit writes itself to the empty spaces in the BIOS code and depending on if it's an older type RootKit or a newer type RootKit, the older type (v1) will just infect the BIOS, whereas the newer types will infect the BIOS and the MBR (v2), and the last type of which I am aware will also load itself to memory (v3).

    Those are the developmental stages of each new variety of BIOS RootKit which Loads before the Operating system itself can even load, making it extremely difficult to detect and even to remove.

    Video Cards can become infected very easily too once the motherboard BIOS becomes infected and even the firmware of Hard Drives can become infected. Anything which uses a Firmware/BIOS can be infected these days if it is networked and not secured.

    When a Motherboard does become infected, the easiest way to remove the infection from the system and any other infections from your hard drives is to pull the drives and set them to one side, making sure to label which drive is which. The drives can be connected to another system as Secondary drives and fully scanned with several choice pieces of software, then visually looked over with Windows Explorer so as to remove the majority of infections.

    The Motherboard itself you should be able to remove the BIOS chip from its socket, then use the CLR CMOS jumper to clear out anything that might remain behind. You should be able to order a New BIOS chip from the Motherboard Manufacturer or possibly some other company.

    If the BIOS Chip is soldered on the Board, then chances are, you're SOL and you'll need to order a new motherboard.

    Once you reconnect your drives and boot up the system, you'll still need to run a few scans so as to clear out any registry entries which could not be accessed while the drives were connected externally and maybe catch a few strays that may have been missed in the meantime.


  • 3
    sirmorluk, July 23, 2010 1:37 PM
    Rootkits can contain worms, packet sniffers and other malicious baddies.
  • 2
    Anonymous, July 23, 2010 2:04 PM
    RootKits are only a small part of the whole and usually the RootKit is installed by a worm.

    RootKits don't contain worms or anything else, what they do is to provide protection for other pieces of Malevolent software such as Worms, Viruses, Packet Sniffers, Spyware, FastFlux Proxy Networks, Spam Servers, and whatever else Malware Authors may harbor on your system.

    After all, it's a Billion Dollar industry these days that's not tied to any one country. Instead, it's all Internet Mafia Gang related. Some Big time while others may be small fries.
  • 0
    sirmorluk, July 23, 2010 2:11 PM
    lol. semantics. parse away.
    Myself and 95% of the readers on this site know exactly what rootkits are.
    But if flexing your epeen makes you feel better go right ahead.
  • 0
    jonathan1683, July 23, 2010 2:21 PM
    Thanks for the info, I never heard of having to replace a MB to get rid of a virus. Couldn't you just rewrite the bios/flash it?
  • 3
    Anonymous, July 23, 2010 2:29 PM
    Not really trying to do anything here except add a little value to the article for those who may read it and not understand how a motherboard could become infected in the first place. :)

    I am a member of the Security Community and offline, I deal with such issues as RootKits and Malware on a regular basis. Family and friends all say I'm the guy to go to when it comes to computer problems. Which can be a bit of an inconvenience when you have other things you may want to do at the time.

    As to using the term RootKit, when it comes to the BIOS itself, this becomes more of an inaccurate term seeing as it loads before even the Operating System has a chance to begin to load. BootKit is a more accurate description.

    Also, versions 2 & 3 tend to protect themselves by making it extremely difficult to remove the BootKit and any associated infections.

    1 - Remove the BootKit with new BIOS chip but fail to clean the drive - BIOS becomes reinfected shortly after.

    2 - Clean the Drive without replacing the BIOS chip - Drive becomes reinfected.

    3 - Try doing a Clean installation of Windows - Drive still gets infected whether it be from the BIOS or from memory.
  • 1
    sirmorluk, July 23, 2010 2:38 PM
    I see. You gave good info just came across the wrong way I guess.
    I used to be the Information Assurance security officer for an Army installation although that was some time ago. Now I am relegated to the simple tasks of Sys admin. for a large corporation. Much more relaxing.
  • 0
    Anonymous, July 23, 2010 2:42 PM
    jonathan1683 wrote: Thanks for the info, I never heard of having to replace a MB to get rid of a virus. Couldn't you just rewrite the bios/flash it?

    The BIOS is what controls the motherboard, hence your computer. So whatever you try to boot from, the BootKit is going to load first and it will protect itself. This is why a socketed BIOS chip is important. But there is also the option to password protect your BIOS too which will protect your BIOS providing you use a strong password which can't be attacked and you don't lose the password for when you need to get into your BIOS.

    Some of the newer boards which have multiple flash options such as the ASUS or GigaByte motherboards, I honestly don't know. I'd say it all depends on what protections they have in place to protect the backup flash along with whatever else they have there would be the determining factors. Cause if anything were to get through, especially when you try to restore a previous BIOS stored on the motherboard, then the motherboard would become toast.

    So it would be very important to check out the BIOS backup and protection features before making a purchase. A BIOS chip socket is always a plus.
  • 1
    digiex, July 23, 2010 3:48 PM
    Ohh, Dell tried to spy on its customers.