Windows malware on /boot from factory?
#1
While updating the built-in Debian+MATE, the update script detected three unexpected files in the /boot filesystem:
  • autorun.inf
  • darfrp.exe
  • lxrx.pif

The updater offered to remove them, but couldn't because the filesystem was read-only (probably by design?).  I made a copy of the files, remounted /boot as read-write, then removed them.  I then rebooted to completed the update.

I then submitted the .exe and .pif files to Kaspersky's online scanner, which identified them both as "Trojan.Win32.Small.cox".

Any idea how these files could have made it onto my pristine-from-factory pinebook pro?

Also, can I download a pristine factory image online, verify it, and overwrite the entire eMMC to ensure there's no trace of the malware left?

Ah, I found this thread, which describes the problem and its resolution: https://forum.pine64.org/showthread.php?tid=8198
#2
I see you found my pinned thread, but I'll repost the contents of it here in case other people overlook it (or see the title of this thread and panic):

On some number of PBP systems (not all), the boot directory contains files belonging to the Sality class of Windows malware. It likely has been caused by one or more flashing/test stations at the factory which are infected by this malware. These files take the form of one or more .exe or .pif files with cryptic names, as well as an autoexec.inf file.

IT DOES NOT POSE ANY DANGER TO YOUR PINEBOOK PRO. Again, it is Windows malware, and can't run on Linux (especially ARM Linux!). However, in the interest of complete safety, MrFixit has pushed an update which includes a small script which tests for unexpected files in this boot partition and asks you if you wish to delete them. This script will only run once upon update, as the malware files can not reappear. The script is available here, if you wish to inspect it or run it on your own.

The factory will be notified of this issue, and hopefully it will not recur in the future.
Community administrator and sysadmin for PINE64
(Translation: If something breaks on the website, forum, or chat network, I'm a good person to yell at about it)



Possibly Related Threads…
Thread Author Replies Views Last Post
  Cant boot into an OS trashtendenz 3 670 10-23-2024, 03:49 AM
Last Post: chaylengordon
  3 days in, slow/stuck or no boot. lgmpbp2 30 3,728 09-05-2024, 08:49 AM
Last Post: lgmpbp2
  Unable to boot? YossiS 4 385 09-04-2024, 10:35 AM
Last Post: wdt
  upgrading u-boot--what version? where to get it? bsammon 11 2,614 05-22-2024, 09:33 AM
Last Post: wdt
  uboot wont boot to SD card after upgrade jbradley419 7 2,283 01-19-2024, 02:29 PM
Last Post: wdt
  Video Flashing/adjusting on boot and reboot jbradley419 0 630 01-16-2024, 09:17 AM
Last Post: jbradley419
  Brand new Pinebook Pro doesn't boot after Manjaro update johnboiles 8 3,724 12-15-2023, 02:11 PM
Last Post: wdt
  PBP won't boot after trying to reinstall Manjaro ARM soupgirl 3 1,470 12-13-2023, 08:17 PM
Last Post: trillobite
  Various freezes during boot & while running several Linux distros - hardware error? donuts 1 1,046 11-22-2023, 11:47 AM
Last Post: fxc
  Cannot boot to Kali SD card after uboot upgrade jbradley419 4 1,938 09-19-2023, 08:48 AM
Last Post: dachalife

Forum Jump:


Users browsing this thread: 1 Guest(s)