From: David Renz <efficient_language_learning at yahoo.com>
To: devel@acpica.org
Subject: [Devel] ACPI tables of Lenovo G710
Date: Sun, 26 Jun 2016 12:42:07 +0000	[thread overview]
Message-ID: <2003649968.2606620.1466944927207.JavaMail.yahoo@mail.yahoo.com> (raw)
In-Reply-To: 2003649968.2606620.1466944927207.JavaMail.yahoo.ref@mail.yahoo.com


Hello,

I'm the owner of a Lenovo G710, and after I saw a huge number of ACPI related error messages in the Linux dmesg log, which were also confirmed by running Firmware Test Suite Live, I decided to do some research on this, which gave me a really strong impression:
I extracted the ACPI tables using Read&Write Everything (Windows) and submitted them to malwr.com to get them analyzed. Here you can see what running the ACPI code in the malwr.com sandbox (Windows environment) did, which I guess one normally wouldn't expect:


File changes:

https://malwr.com/analysis/ZmEyZTNhNzg1ZTg3NDBhM2I2OWEwYTFjM2FiYmVmOTM/#summary_files

Registry keys changed:
https://malwr.com/analysis/ZmEyZTNhNzg1ZTg3NDBhM2I2OWEwYTFjM2FiYmVmOTM/#summary_keys

Mutexes:
https://malwr.com/analysis/ZmEyZTNhNzg1ZTg3NDBhM2I2OWEwYTFjM2FiYmVmOTM/#summary_mutexes

Behavioral analysis (particularly interesting):
https://malwr.com/analysis/ZmEyZTNhNzg1ZTg3NDBhM2I2OWEwYTFjM2FiYmVmOTM/#behavior


What is even more unsettling is the fact that I found several sites related to malware, when I searched for the registry keys, files or mutexes changed/created by that ACPI code:
http://www.lavasoft.com/mylavasoft/malware-descriptions/blog/BackdoorWin32Farflie1368ba67c
https://isc.sans.edu/forums/diary/Suspect+Sendori+software/16466/
https://isc.sans.edu/diary.html?date=2013-08-29


You can download the extracted ACPI tables from malwr.com after registering there, but I also uploaded them to Google Drive and gave shared access to them:
https://drive.google.com/open?id=0B62Y5Qk_rdbWRFg1aDZPcEs4bTA


Now I would assume that those are not genuine ACPI tables by Lenovo. I have a few questions in this regard:
1) Obviously I didn't flash my BIOS' ACPI tables with malicious code - So how can those be modified? Would it be possible that the computer's network adapter enters a so-called 'maintenance mode' by receiving packages containing certain 'magic numbers'? At least I've read in various sources that generally it would be possible to do that.
2) I'm not an expert on ACPI code at all (just knowing x86 assembly stuff), but when looking at the disassembled ACPI tables (which I did using iasl under Linux) I could find no hint at all pointing to all those code actions which are being performed. I know that ACPI code is very obscure, literally speaking, but is it possible to hide all this?
3) I downloaded a BIOS image using a secure method, flashed the BIOS while being offline and installed an OS right after rebooting - With no effect at all, the ACPI code was still the same. Shouldn't the ACPI tables be overwritten by flashing the BIOS? If that's not possible, then is it in fact impossible to get rid of this by any means?


Those are the GERM scan results, which don't look nice either:
http://pastebin.com/A5J3pmpF

Like, "SSDT  ZwAcceptConnectPort  fffff80003135d20 \SystemRoot\system32\xNtKrnl.exe" sounds rather suspicious.


I guess that there is no chance to find out where those connections lead to, since my system seems to be modified on such a deep level - There's nothing suspicious visible in Wireshark and Comodo doesn't give any alert either. But still I'm deeply interested in what the origin of all this might be - And since it seems like it all started with the ACPI code modifying the OS, this information must logically be stored in the ACPI code as well. Would there be any chance to find out some information on this?


I would highly appreciate any thoughts, comments and advice. Maybe someone who also has a Lenovo G710 could extract their ACPI tables, so that a comparison could give some hints about what has been modified.



Finally, I also did some information gathering using the Volatility Tools under Linux, and it seems like this code might affect Linux as well, but I still have to conduct further analysis in this regard to be sure that this is not just a false alert. In any case I have the strong impression that this code demonstrates very high technical skills.


Kind regards and thanks in advance

David
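
The comparison the message asks for (one G710 owner's tables against another's) can be done without any sandbox. The script below is an added example and is not part of the message, of ACPICA, or of any tool named above. It reads a directory of raw ACPI table files (on Linux, a root-made copy of /sys/firmware/acpi/tables, or the files written by `acpidump -b`), parses the standard 36-byte table header, verifies each table's checksum (all bytes must sum to 0 mod 256), hashes the table, and reports which tables differ from a reference set. It goes slightly beyond the message by also validating checksums and listing OEM identifiers, which is the first thing to compare before disassembling anything with iasl. `build_table` constructs synthetic, checksum-correct tables purely for offline testing; they are not Lenovo firmware data.

```python
import hashlib
import os
import struct
from typing import Dict, NamedTuple

# Common ACPI description table header, little-endian, 36 bytes:
# Signature[4], Length u32, Revision u8, Checksum u8, OEMID[6], OEM Table ID[8],
# OEM Revision u32, Creator ID[4], Creator Revision u32
HEADER_FMT = "<4sIBB6s8sI4sI"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 36
CHECKSUM_OFFSET = 9


class TableInfo(NamedTuple):
    signature: str
    length: int
    oem_id: str
    oem_table_id: str
    checksum_ok: bool
    sha256: str


def parse_table(blob: bytes) -> TableInfo:
    """Parse the header of one raw ACPI table and verify its checksum.
    A table is valid when every byte of it (header included) sums to 0 mod 256."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than an ACPI table header")
    sig, length, _rev, _csum, oem_id, oem_table_id, _oem_rev, _cid, _crev = struct.unpack(
        HEADER_FMT, blob[:HEADER_LEN])
    if length > len(blob):
        raise ValueError(f"{sig!r}: header length {length} exceeds blob size {len(blob)}")
    body = blob[:length]  # trailing bytes beyond Length are not part of the table
    return TableInfo(
        signature=sig.decode("ascii", "replace"),
        length=length,
        oem_id=oem_id.decode("ascii", "replace").strip(),
        oem_table_id=oem_table_id.decode("ascii", "replace").strip(),
        checksum_ok=(sum(body) & 0xFF) == 0,
        sha256=hashlib.sha256(body).hexdigest(),
    )


def inventory(directory: str) -> Dict[str, TableInfo]:
    """Parse every regular file in a directory of raw tables, keyed by file name
    so that SSDT1, SSDT2, ... stay distinct. Subdirectories (e.g. 'dynamic') are skipped."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = parse_table(fh.read())
    return result


def compare(mine: Dict[str, TableInfo], reference: Dict[str, TableInfo]) -> Dict[str, str]:
    """Per table name, say how the local machine's tables differ from a reference machine's."""
    findings = {}
    for name in sorted(set(mine) | set(reference)):
        a, b = mine.get(name), reference.get(name)
        if a is None:
            findings[name] = "missing locally"
        elif b is None:
            findings[name] = "not present on reference"
        elif a.sha256 == b.sha256:
            findings[name] = "identical"
        else:
            findings[name] = f"differs (local {a.length} bytes, reference {b.length} bytes)"
        if a is not None and not a.checksum_ok:
            findings[name] += "; local checksum invalid"
    return findings


def build_table(signature: bytes, oem_id: bytes, oem_table_id: bytes, payload: bytes) -> bytes:
    """Construct a synthetic, checksum-correct table for offline testing (constructed data, not firmware)."""
    length = HEADER_LEN + len(payload)
    header = struct.pack(HEADER_FMT, signature, length, 1, 0,
                         oem_id.ljust(6), oem_table_id.ljust(8), 1, b"TEST", 1)
    raw = bytearray(header + payload)
    raw[CHECKSUM_OFFSET] = (-sum(raw)) & 0xFF  # make the whole table sum to zero
    return bytes(raw)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: acpi_compare.py <my_tables_dir> <reference_tables_dir>")
    for name, verdict in compare(inventory(sys.argv[1]), inventory(sys.argv[2])).items():
        print(f"{name:12s} {verdict}")
```

Tables that differ between two machines of the same model and BIOS version are the ones worth disassembling with `iasl -d`; a checksum failure on a table the firmware presents is by itself a finding, because a correctly built table never fails it.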
