PINE64
Windows malware on /boot from factory? - Printable Version

+- PINE64 (https://forum.pine64.org)
+-- Forum: Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=111)
+--- Forum: General Discussion on Pinebook Pro (https://forum.pine64.org/forumdisplay.php?fid=112)
+--- Thread: Windows malware on /boot from factory? (/showthread.php?tid=8221)



Windows malware on /boot from factory? - msquared - 11-06-2019

While updating the built-in Debian+MATE, the update script detected three unexpected files in the /boot filesystem:
  • autorun.inf
  • darfrp.exe
  • lxrx.pif

The updater offered to remove them, but couldn't because the filesystem was read-only (probably by design?).  I made a copy of the files, remounted /boot as read-write, then removed them.  I then rebooted to complete the update.

I then submitted the .exe and .pif files to Kaspersky's online scanner, which identified them both as "Trojan.Win32.Small.cox".

Any idea how these files could have made it onto my pristine-from-factory pinebook pro?

Also, can I download a pristine factory image online, verify it, and overwrite the entire eMMC to ensure there's no trace of the malware left?

Ah, I found this thread, which describes the problem and its resolution: https://forum.pine64.org/showthread.php?tid=8198


RE: Windows malware on /boot from factory? - fire219 - 11-06-2019

I see you found my pinned thread, but I'll repost the contents of it here in case other people overlook it (or see the title of this thread and panic):

On some number of PBP systems (not all), the boot directory contains files belonging to the Sality class of Windows malware. It likely has been caused by one or more flashing/test stations at the factory which are infected by this malware. These files take the form of one or more .exe or .pif files with cryptic names, as well as an autoexec.inf file.

IT DOES NOT POSE ANY DANGER TO YOUR PINEBOOK PRO. Again, it is Windows malware, and can't run on Linux (especially ARM Linux!). However, in the interest of complete safety, MrFixit has pushed an update which includes a small script which tests for unexpected files in this boot partition and asks you if you wish to delete them. This script will only run once upon update, as the malware files cannot reappear. The script is available here, if you wish to inspect it or run it on your own.

The factory will be notified of this issue, and hopefully it will not recur in the future.
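The check described above, as an added example that is not MrFixit's update script or any Pine64 code: it lists Windows-style files that do not belong on an ARM Linux /boot and moves them into a quarantine directory (so copies survive for a scanner, as msquared did) instead of deleting them. The name patterns, the boot.scr allowlist (a legitimate U-Boot script that would otherwise match *.scr) and the sample directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not MrFixit's update script: scan a boot partition for
# Windows-style files and quarantine them rather than delete them.
# Patterns, the boot.scr allowlist and the sample tree are assumptions.

# Print the basenames of suspicious regular files directly under $1
# (default /boot): autorun.inf plus common Windows executable extensions.
# boot.scr is a legitimate U-Boot script on the PBP, so it is allowlisted.
find_windows_artifacts() {
    dir="${1:-/boot}"
    ( cd "$dir" && find . -maxdepth 1 -type f \
        \( -iname 'autorun.inf' -o -iname '*.exe' -o -iname '*.pif' \
           -o -iname '*.scr' -o -iname '*.com' -o -iname '*.bat' \) \
      | sed 's|^\./||' | grep -ixv 'boot\.scr' | sort )
}

# Move every file found by find_windows_artifacts from $1 into $2 and print
# how many were moved. The factory image mounts /boot read-only, so a real
# mountpoint is remounted rw for the move and back to ro afterwards.
quarantine_artifacts() {
    dir="$1"; dest="$2"
    mkdir -p "$dest"
    count=$(find_windows_artifacts "$dir" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ] && mountpoint -q "$dir" 2>/dev/null; then
        mount -o remount,rw "$dir" || return 1
    fi
    find_windows_artifacts "$dir" | while IFS= read -r f; do
        mv -- "$dir/$f" "$dest/$f"
    done
    if mountpoint -q "$dir" 2>/dev/null; then mount -o remount,ro "$dir"; fi
    echo "$count"
}

# Constructed sample boot directory (legitimate-looking files plus the three
# names from the thread) so the scan can be exercised without touching /boot.
make_sample_boot() {
    d=$(mktemp -d)
    touch "$d/Image" "$d/rk3399-pinebook-pro.dtb" "$d/boot.scr"
    touch "$d/autorun.inf" "$d/darfrp.exe" "$d/lxrx.pif"
    echo "$d"
}

# Run with --demo to scan the constructed sample; run the functions against
# /boot yourself (as root) to check a real Pinebook Pro.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_sample_boot)
    echo "suspect files in $d:"; find_windows_artifacts "$d"
fi
```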