usb das keyboard firmware flashes toshiba laptop bios with malware

  • 1
  • Problem
  • Updated 9 months ago
  • Acknowledged
pc is a toshiba satellite laptop running win 8.1 with latest tm internet security.

i have a das keyboard i bought about 6 months ago from a website that was selling the particular model i was after for $50 cheaper than the next lowest store. i thought it was a bargain, so i ordered it.

i started noticing that after switching off my toshiba laptop for a while (over night, for instance) that the laptop would not switch on completely. the led around the power button lights up, but the display remains blank. i would then switch it off, then switch it back on again, and it boots up fine. this would occur anytime after being switched off for a few hours.

i reflashed the bios, and it stopped going into this quasi-on state and boots up fine, however, i've done this before and eventually it starts happening again, requiring another flash of the bios. i've isolated the cause of the strange bios overwrite to my das keyboard.

the whole time i had trend micro internet security installed, and this had no effect on the malware installation.

i don't want to throw away the das keyboard because it's a good quality keyboard, however, how do i protect myself against this usb device?
Photo of eagle.soar

eagle.soar

  • 222 Points 100 badge 2x thumb
  • indifferent

Posted 9 months ago

  • 1
Photo of TM_Pat

TM_Pat, Official Rep

  • 4,236 Points 4k badge 2x thumb
Hello eagle.soar and welcome to the Community!

Thank you for letting us know of this problem that you have encountered. Apologies for whatever inconvenience this has caused you.

For your concern about a possible malware infection on your machine, I'm afraid that Trend Micro Security is not designed to protect you against firmware and hardware changes as Trend Micro Security works on operating system level only.

Although are not ruling out possible malware infection, it is unlikely in this case. Since we are talking about firmware levels here, the best candidate to help you with this is the manufacturer.

I hope this answers your question. Should you have any other concern, please do not hesitate to reach out to us.

Enjoy the rest of the week!

Trend Micro Home Users Community
Photo of eagle.soar

eagle.soar

  • 222 Points 100 badge 2x thumb
hi there,

i've looked at the das keyboard support forum and although the keyboards are firmware upgradable, they haven't yet released any firmware updates for any of their keyboards.

i'm fairly certain that it's the keyboard that's causing it and i'd like to intercept the communications of the das keyboard. does trend micro offer any protection against usb devices? or does trend micro just simply protect against autorun on drives and nothing else?

is there some sort of equivalent of a packet sniffer for usb ports? short of a tin foil hat, i don't know what else to try.
Photo of TM_Pat

TM_Pat, Employee

  • 4,226 Points 4k badge 2x thumb
Hi eagle.soar,

Thank you for providing us these information and for the screenshot that you have provided as well.

It will be better if you can get in touch with the manufacturer of the keyboard that you have recently purchased since Trend Micro Security does not offer protection on firmware and hardware level.

From the screenshot that you have provided below, that I believe is from the BIOS (Basic Input/Output System). While you are still in that level (BIOS), your operating system is not yet loaded as well as the Trend Micro program as it is basically attached to the operating system of your machine.

The Trend Micro program on your computer can only protect you against harmful threats at the operating system level.

I hope this clears out your concern.

Trend Micro Home Users Community
Photo of eagle.soar

eagle.soar

  • 222 Points 100 badge 2x thumb
thanks for your stock-standard response, repeating basically everything in the previous comment.

the screenshot is not the bios, it's toshiba's recovery software after booting from the first installation disc. it's not windows recovery software so i understand trend micro can't protect me against it at this stage of installing windows.

however, i believe the malware bios would need to infect windows in order to transmit any keypresses to a target server, of which trend micro should (but doesn't) protect me.
Photo of eagle.soar

eagle.soar

  • 222 Points 100 badge 2x thumb
the screenshot below shows yellow, green, and grey text that appears for a quarter of a second when the bios is infected and reinstalling the operating system from the factory install discs. please note that this extra text didn't show up after flashing the bios with it's intended bios and reinstalling to a factory state a couple of days ago.
Photo of Tom Emmelot

Tom Emmelot, Champion

  • 18,452 Points 10k badge 2x thumb
Hi Eagle.soar,

This screenshot does help a lot.
If you install to a factory state and stay from a network and put in your usb keyboard, what is happening then?

Kind regards,
Tom
Photo of eagle.soar

eagle.soar

  • 222 Points 100 badge 2x thumb
i ran a usb communications interceptor and didn't notice anything strange when plugging in the keyboard.

the infection that keeps reoccurring must be happening somewhere else, but i don't know where.

so far after plugging in the keyboard and shutting down the laptop overnight, no power issues. i have no idea where the infection is occurring.
Photo of Tom Emmelot

Tom Emmelot, Champion

  • 18,452 Points 10k badge 2x thumb
Hi eagle.soar.

I think that in the same time that you start tot use your new keyboard, you also put on a new program that got a infection OR a email with a infectied attachment. Witch version of TM you was on And was your folder protection on ?
Here from you.

Kind regards,
Tom
Photo of eagle.soar

eagle.soar

  • 222 Points 100 badge 2x thumb
hi tom,

i am always using the latest version of trend micro internet security, and folder protection was on - however i doubt folder protection has anything to do with it.

i suspect the infection occurs with toshiba service station (a driver update utility) of which contains a severe security flaw, and requires an update on first run to the latest version of toshiba service station.

usually when i run the recovery software on first boot, toshiba service station detects required driver updates, however i think windows update is upgrading these drivers and is why it doesn't detect any required updates - maybe.

what's funny about the abnormal bios is that it has display corrections that don't occur with the intended bios - with the intended bios, sometimes web pages that are updated don't display the updated parts correctly and i have to switch tabs or drag the window off screen and back on screen again to show the updated parts of the web page.

no matter where the infection occurs, trend micro apparently can't help me. i appreciate your inquisitiveness, however when it comes to the bios, it seems i'm on my own.

i won't make any more posts here, so thanks for your time.
Photo of Tom Emmelot

Tom Emmelot, Champion

  • 18,452 Points 10k badge 2x thumb
Hi Eagle,

Yes if it is on bios level than your on your own. Only if there is a user group with someone  with the same bios then you get help.
I do a lot in my bios, but if i am on someone els computer than often i don't get it all!

Good luck.

Kind regards,
Tom