I'm the owner of a Lenovo G710, and after I saw a huge number of ACPI related error
messages in the Linux dmesg log, whose were also confirmed by running Firmware Test Suite
Live, I decided to do some research on this, which gave me a really strong impression:
I extracted the ACPI tables using Read&Write Everything (Windows) and submitted them
for getting them analyzed. Here you can see what the running of the ACPI
code on the malwr.com
sandbox (Windows environment) did, and which one normally
wouldn't expect as I guess:
Registry keys changed:
Behaviorial analysis (particularly interesting):
What is even more unsettling is the fact that I found several sites related to malware,
when I searched for the registry keys, files or mutexes changed/created by that ACPI
You can download the extracted ACPI tables from malwr.com
after registering there, but I
also uploaded it on Google Drive and gave shared access to it:
Now I would assume that those are not genuine ACPI tables by Lenovo. I have a few
questions in this regard:
1) Obviously I didn't flash my BIOS' ACPI tables with malicious code - So how can
those be modified? Would it be possible that the computer's network adapter enters a
so-called 'maintenance mode' by receiving packages containing certain 'magic
numbers'? At least I've read in various sources that generally it would be
possible to do that.
2) I'm not an expert about ACPI code at all (just knowing x86 assembly stuff), but
when looking at the disassembled ACPI tables (which I did using iasl under Linux) I could
find no hint at all pointing to all those code actions which are being performed. I know
that ACPI code is very obscure litterally speaking, but is it possible to hide all this?
3) I downloaded a BIOS image using a secure method, flashed the BIOS while being offline
and installed an OS right after rebooting - With no effect at all, the ACPI code was still
the same. Shouldn't the ACPI tables be overwritten by flashing the BIOS? If that's
not possible, then is it in fact impossible to get rid of this by any means?
Those are the GERM scan results, which don't look nice as well:
Like, "SSDT ZwAcceptConnectPort fffff80003135d20
\SystemRoot\system32\xNtKrnl.exe" sounds rather suspicious.
I guess that there is no chance to find out where those connections lead to, since my
system seems to be modified on such a deep level - There's nothing suspicious being
visible in Wireshark and Comodo doesn't give any alert as well. But still I'm
deeply interested in what the origin of all this might be - And since it seems like it all
started with the ACPI code modifying the OS, this information must logically be stored in
the ACPI code as well. Would there be any chance to find out some information on this?
I would highly appreciate any thoughts, comments and advices. Maybe someone having a
Lenovo G710, too, could extract his ACPI tables, so that a comparison could give some
hints about what has been modified.
Finally, I also did some information gathering using the Volatility Tools under Linux, and
it seems like this code might affect Linux as well, but I still have to conduct further
analysis in this regard to be sure that this is not just a false alert. In any case I have
the strong impression that this code demonstrates very high technical skills.
Kind regards and thanks in advance