Ryzen Timing Checker help

Hi all,
I need some help. I just stumbled upon the flame war over at the Overclock.net site regarding the Swedish overclocker “The Stilt” releasing a simple timing checker app which seems to be a trojan horse malware.

Can someone with knowledge of these things look into this if it is something quick to do as I have installed that software on 10 different computers in last 2 months for my customers as I was getting them ready.

If someone had installed/downloaded that software in the last 2 months on a Windows 8 or 10, please let me know if it is really malware. I appreciate this community <3

ps. Wendel your beard is the fountain of all knowledge!

Reading through that thread right now, this will take some time for me to come to a conclusion.

EDIT: I can’t find anything personally, so far it is looking like a false positive from my end, but I would take a second opinion as I could be wrong.

Huh. What is it supposed to be doing anyway? I haven’t noticed anything strange and I’ve run that program a dozen times easily.

It is not clear, it seems to be some AutoIt script that unpacks during run time. The Stilt is saying that is to protect some secret Zeppelin registers, but I am not sure.

I called my customers, things seem to be fine, although a few had some problems with bluetooth and reboots.

Scary! Please keep me posted, oh the world we live in

Well I should have looked at this damn thing earlier.
Used it a few times on a testbench, but never on a working machine.

Certainly looks suspicious as all hell. All it should really need is WinRing0 for reading hardware specific details.

Certainly includes AutoIt.

I just tested it after stripping out WINSOCK and all of the network code and the thing still works. Mind you I didn’t do it neatly. Just the sledgehammer approach.

Screw it.

I’m classifying this thing as Malware for now until I’ve found evidence to the contrary.

3 Likes

RTC is on the Windows 10 blocklist.

Lol Keng is on a roll now. Messing with ticks to cheat CB scores:

1 Like

Update: uhm guys… malware confirmed.
Ah shucks, gotta make some calls

Okay, thanks for the heads up!

Someone actually went and deleted 3 pages of forum history from that thread. What the actual.

Everything from page 65 on is removed. Extracting them from my Browser cache :smiley:

BTW this is stuff that was posted on a different tools thread. Ryzen DRAM Calculator is not the same as Ryzen Timing Checker.

I’ve actually reverse engineered Ryzen DRAM Calculator and it’s your basic .NET Windows Metro UI application with some math. No Malware.

1 Like

Wow this is insane. The Stilt!!! Who knew, I swear I put one of his presets on one of our customer's comps for RAM. Nuts

Sounds like he managed some great social engineering. I’m going to have a long evening now :dizzy_face:

@catsay can you detail more about the malware (if you know) at all?

I’d like to get this information out to a wider audience, I’d bet half the people on r/AMD used this “utility” in the last six months.

I haven’t got time to do a full analysis. Reversing this thing isn’t done in an afternoon. It’s essentially built like most malware, with a healthy amount of obfuscation.

Several things about it stand out:

  1. Using AutoIt packed into an Exe. - Major Red Flag. This tool can do just about anything.
  2. VM Detection code.
  3. Using a mix of UPX packer and some custom packing.
  4. The Handling of the matter by the Stilt such as threads and entire pages of content simply being deleted.

I’m not sure how deep it goes.
Everything about it stinks and I’m not willing to trust it implicitly.

It’s also been passed on to some Malware Researchers. Might pop in a writeup someplace soon.

I’ll see about extracting the AutoIt script from the binary.

This entire thread was also deleted instead of being handled/debunked in a normal way.

No explanation just escape and evade played by the stilt.

1 Like
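Added example, not part of any post in this thread and not the tooling anyone here used: a static triage sketch for two of the red flags listed above (UPX-packed sections, an embedded compiled AutoIt script) plus a comparison against the SHA-256 from the VirusTotal link posted in this thread. The `AU3!EA06`/`AU3!EA05` strings are the usual compiled-script markers; the sample input is a constructed, non-executable blob.

```python
import hashlib
import struct

# SHA-256 taken from the VirusTotal link posted in this thread.
THREAD_SHA256 = "d2adfc3ebb0a4f60ebd9621ad892c4564d70baa504e6faac674edc761441d945"
AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")  # compiled AutoIt script markers

def pe_section_names(data):
    """Return the section names of a PE image, or [] if it is not a valid PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    pe_off, = struct.unpack_from("<I", data, 0x3C)        # e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\0\0":
        return []
    n_sections, = struct.unpack_from("<H", data, pe_off + 6)
    opt_size, = struct.unpack_from("<H", data, pe_off + 20)
    table = pe_off + 24 + opt_size                         # first section header
    names = []
    for i in range(n_sections):
        off = table + 40 * i                               # headers are 40 bytes
        if off + 40 > len(data):
            break                                          # truncated table
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names

def triage(data):
    """Static indicators only; a clean result does not clear a file,
    because custom packing can hide both the sections and the marker."""
    sections = pe_section_names(data)
    return {
        "sha256_matches_thread": hashlib.sha256(data).hexdigest() == THREAD_SHA256,
        "upx_sections": [s for s in sections if s.startswith("UPX")],
        "autoit_marker": any(m in data for m in AUTOIT_MARKERS),
    }

def build_sample():
    """Constructed PE-shaped blob for demonstration; it is not runnable code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)
    sec = lambda name: name.ljust(8, b"\0") + b"\0" * 32
    return dos + coff + sec(b"UPX0") + sec(b"UPX1") + b"pad." + b"AU3!EA06" + b"pad."

if __name__ == "__main__":
    print(triage(build_sample()))
```

To check a real download, pass `open(path, "rb").read()` to `triage()` on an isolated machine; reading the bytes does not execute the file.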

Does someone have an LTT account? Someone needs to warn them.

To make matters worse, detection ratio is only 1/3 as of 14th December '17
https://www.virustotal.com/#/file/d2adfc3ebb0a4f60ebd9621ad892c4564d70baa504e6faac674edc761441d945/detection

Do these services manage to remove the malware or is format/reinstall necessary?

Been a long time since I caught anything, much less this bad.

As this is most likely a rootkit, I would strongly recommend reinstalling Windows.

1 Like

Perfect timing, I wanted to get into Linux and VMs, I guess this is just the impetus.

1 Like

The Stilt is responding (finally):

1 Like

PCI you say?
Because I have a bunch of bluescreen dumps with PCI Id something something error