Dell Shipped Server Motherboards With Spyware
Got a recently replaced Dell server motherboard? Time to run some scans.
Dell is warning its customers that it has shipped server motherboards that are infected with a spybot worm.
Specifically, the motherboards affected are the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and fortunately only the boards sent out as replacement parts, not the ones in systems shipped fresh from the factory.
The Register received the following response from Dell:
“Dell is aware of the issue and is contacting affected customers. The issue affects a limited number of replacement motherboards in four servers - PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 – and only potentially manifests itself when a customer has a specific configuration and is not running current anti-virus software.
This issue does not affect systems as shipped from our factory and is limited to replacement parts only. Dell has removed all impacted motherboards from its service supply chain and new shipping replacement stock does not contain the malware.
Customers can find more information on Dell’s community forum.” – Forrest Norrod, vice president and general manager of server platforms at Dell.

Then again, this is Dell we're talking about. "Meh, good enough" is practically their corporate policy.
I dunno, this may be too apologist for my taste. Not sure how this is an actual mistake; do they have a pile marked "good" and another marked "inexplicably loaded with malware" in their spares depots? As a couple of folks have already pointed out, this simply has "FAIL" written all over it.
THIS. Someone has to go out of their way to make something like this happen. For Dell to essentially respond to the issue with, "Whoopsiedaisy, we made a little boo-boo!" is a total side-step. They should be launching a full internal investigation to find the origin of the program(s) as well as how and where the boards were tampered with. Half-arsing it, however, is par for the course for Dell.
Kinda makes me wonder whatever happened with the investigation into those counterfeit i7s, but that's a question for another thread...
Who has told you that they're not investigating this? Why should the results be public? Maybe they will be once they find something.
Where are the boards being manufactured?
My guess is (speculation only) they are being made in China and this is more than likely a case of international corporate espionage.
True.... but how long did it take for Dell to admit this problem?
Also, think about the comments Dell made that non-Windows users won't be affected and Windows users only require updated AV programs to protect themselves. How do either of these protect against a firmware embedded malicious app?
Interesting situation Dell has created for itself.
The RootKit writes itself to the empty spaces in the BIOS code and, depending on whether it's an older type RootKit or a newer type RootKit, the older type (v1) will just infect the BIOS, whereas the newer types will infect the BIOS and the MBR (v2); the last type of which I am aware will also load itself into memory (v3).
Those are the developmental stages of each new variety of BIOS RootKit which Loads before the Operating system itself can even load, making it extremely difficult to detect and even to remove.
Video Cards can become infected very easily too once the motherboard BIOS becomes infected and even the firmware of Hard Drives can become infected. Anything which uses a Firmware/BIOS can be infected these days if it is networked and not secured.
When a Motherboard does become infected, the easiest way to remove the infection from the system and any other infections from your hard drives is to pull the drives and set them to one side, making sure to label which drive is which. The drives can be connected to another system as Secondary drives and fully scanned with several choice pieces of software, then visually looked over with Windows Explorer so as to remove the majority of infections.
The Motherboard itself you should be able to remove the BIOS chip from its socket, then use the CLR CMOS jumper to clear out anything that might remain behind. You should be able to order a New BIOS chip from the Motherboard Manufacturer or possibly some other company.
If the BIOS Chip is soldered on the Board, then chances are, you're SOL and you'll need to order a new motherboard.
Once you reconnect your drives and boot up the system, you'll still need to run a few scans so as to clear out any registry entries which could not be accessed while the drives were connected externally and maybe catch a few strays that may have been missed in the mean time.
RootKits don't contain worms or anything else; what they do is provide protection for other pieces of Malevolent software such as Worms, Viruses, Packet Sniffers, Spyware, FastFlux Proxy Networks, Spam Servers, and whatever else Malware Authors may harbor on your system.
After all, it's a Billion Dollar industry these days that's not tied to any one country. Instead, it's all Internet Mafia Gang related. Some big time while others may be small fries.
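One defender-side check that follows from the "writes itself to the empty spaces in the BIOS" point above: dump the flash from the suspect board, compare it with a known-good image of the same part, and flag any region that was blank (0xFF/0x00 fill) in the baseline but is no longer blank in the dump. This is an added example, not code from the thread or from Dell; the images it compares are tiny constructed byte strings rather than real firmware, and the fill values and minimum region length are assumptions you would adjust for a real part.

```python
import hashlib

# Values a blank flash region is expected to hold (assumption: erased NOR reads 0xFF,
# some vendors zero-fill instead).
FILL_BYTES = {0xFF, 0x00}

def build_baseline() -> bytes:
    """Constructed known-good image: 64 bytes of stand-in code, then 192 bytes of blank flash."""
    code = bytes(range(1, 65))          # stand-in for BIOS code; contains no fill bytes
    return code + b"\xff" * 192          # unused (erased) flash

def build_suspect_dump() -> bytes:
    """Constructed dump from a suspect board: same code, but bytes planted in the padding."""
    img = bytearray(build_baseline())
    img[100:116] = b"\x90" * 15 + b"\xc3"   # constructed foreign bytes inside a blank region
    return bytes(img)

def sha256_hex(image: bytes) -> str:
    """Whole-image hash; the quickest check if the vendor publishes one for the part."""
    return hashlib.sha256(image).hexdigest()

def padding_regions(image: bytes, min_len: int = 16):
    """Return (start, end) spans of fill bytes at least min_len long."""
    regions = []
    start = None
    for i, b in enumerate(image):
        if b in FILL_BYTES:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                regions.append((start, i))
            start = None
    if start is not None and len(image) - start >= min_len:
        regions.append((start, len(image)))
    return regions

def find_padding_writes(baseline: bytes, dump: bytes):
    """Spans that are blank in the baseline but hold non-fill bytes in the dump."""
    if len(baseline) != len(dump):
        raise ValueError("images differ in size; compare dumps of the same part and size")
    findings = []
    for start, end in padding_regions(baseline):
        offs = [i for i in range(start, end) if dump[i] not in FILL_BYTES]
        if offs:
            findings.append((offs[0], offs[-1] + 1))
    return findings

def check_image(baseline: bytes, dump: bytes) -> dict:
    """Summarise both checks: exact hash match and any writes into blank regions."""
    return {
        "hash_matches": sha256_hex(baseline) == sha256_hex(dump),
        "padding_writes": find_padding_writes(baseline, dump),
    }

if __name__ == "__main__":
    # On a real board you would read both images from files produced by a flash programmer.
    print(check_image(build_baseline(), build_suspect_dump()))
```

A hash mismatch alone only tells you the image differs (a legitimate BIOS update would also do that); the padding-region check narrows it to the case the post describes, where something has been written where the vendor image had nothing. Either finding is a reason to treat the board as compromised rather than to trust an OS-level scan.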
Myself and 95% of the readers on this site know exactly what rootkits are.
But if flexing your epeen makes you feel better go right ahead.
I am a member of the Security Community and offline, I deal with such issues as RootKits and Malware on a regular basis. Family and friends all say I'm the guy to go to when it comes to computer problems. Which can be a bit of an inconvenience when you have other things you may want to do at the time.
As to using the term RootKit, when it comes to the BIOS itself, this becomes more of an inaccurate term seeing as it loads before even the Operating System has a chance to begin to load. BootKit is a more accurate description.
Also, versions 2 & 3 tend to protect themselves by making it extremely difficult to remove the BootKit and any associated infections.
1 - Remove the BootKit with new BIOS chip but fail to clean the drive - BIOS becomes reinfected shortly after.
2 - Clean the Drive without replacing the BIOS chip - Drive becomes reinfected.
3 - Try doing a Clean installation of Windows - Drive still gets infected whether it be from the BIOS or from memory.
I used to be the Information Assurance security officer for an Army installation although that was some time ago. Now I am relegated to the simple tasks of Sys admin. for a large corporation. Much more relaxing.
The BIOS is what controls the motherboard, hence your computer. So whatever you try to boot from, the BootKit is going to load first and it will protect itself. This is why a socketed BIOS chip is important. But there is also the option to password protect your BIOS too, which will protect your BIOS providing you use a strong password which can't be attacked and you don't lose the password for when you need to get into your BIOS.
Some of the newer boards which have multiple flash options such as the ASUS or GigaByte motherboards, I honestly don't know. I'd say it all depends on what protections they have in place to protect the backup flash, along with whatever else they have there, would be the determining factors. Cause if anything were to get through, especially when you try to restore a previous BIOS stored on the motherboard, then the motherboard would become toast.
So it would be very important to check out the BIOS backup and protection features before making a purchase. A BIOS chip socket is always a plus.