Possible for malware to covertly hide on hard drive sector

SweetNoob (Anon, @optonline.net):

I present an extremely paranoid question. Do you think it is possible for malware programmers to create something that lives on a hard drive sector and reinfects the OS it was programmed for upon reinstall after a reformat?

I know about hardware malware being specifically designed for certain manufacturers.

What I am asking specifically is: do you think it can just hide on the HDD itself?

Doctor Olds (Premium Member, join:2001-04-19):
No.
redwolfe_98 (Premium Member, join:2001-06-11) to SweetNoob:
I think it would depend on whether or not, as part of the "reformatting", you erased the "MBR" (master boot record).

I have been told that it is not necessary to completely erase the hard drive, but only to erase the "MBR". On the other hand, I have heard of some strange cases with unusual circumstances. I would have to go back and see if I could find those articles again, to see exactly what the unusual circumstances were.

angussf (Premium Member, join:2002-01-11, Tucson, AZ):
According to a paper presented at Black Hat in 2009, the Computrace LoJack for Laptops BIOS agent present on many brands of notebook and laptop computers resides in BIOS and reloads itself from an area of the HDD outside the formatted area. At least that's how I read this paragraph from the PDF linked to on this page:
Core Security Technologies: Deactivate the Rootkit
»www.coresecurity.com/con ··· -Rootkit
Black Hat USA 2009
As we said in section 2, we found many incarnations of the persistent agent.
One particular example, found on notebooks like the Dell Vostro 1510, is the Computrace V 70.785 agent (this number may change with the BIOS version). This agent doesn't contain any code except for a small stub used to load additional code from a sector on the hard disk located outside normal partitions. This is also documented in the public patent application US 2006/027220 A1.
The code on the hard disk contains a small header that tells the stub where to load the code in memory, and carries out a CRC-16 check. We found that the lack of code authentication in this particular case provides an easy way to build a BIOS-rootkit attack, as an unauthorized privileged user could put code on the hard disk that will be executed directly in the BIOS.
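The Core Security excerpt above says the BIOS stub only runs a CRC-16 over the code it loads from the unpartitioned sector. The Python below is added here as an example; it is not code from the paper, from Computrace or from anyone in this thread. It shows why a CRC is an integrity check and not an authentication check: whoever can write the sector can also write a matching CRC header, whereas a keyed tag (HMAC-SHA256 here, standing in for the signature verification a firmware loader would actually need) cannot be produced without the key. The CRC-16/CCITT-FALSE polynomial, the 2-byte header layout, the payloads and the key are all assumptions.

```python
import hashlib
import hmac
import struct


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). The paper only says
    'CRC-16', so this particular variant is an assumption."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


# Hypothetical on-disk layout: a 2-byte big-endian CRC header, then the code.
def pack_crc_blob(code: bytes) -> bytes:
    return struct.pack(">H", crc16_ccitt(code)) + code


def verify_crc_blob(blob: bytes) -> bool:
    """What a CRC-only loader checks: does the header match the payload?"""
    (stored,) = struct.unpack(">H", blob[:2])
    return stored == crc16_ccitt(blob[2:])


# Keyed alternative: a 32-byte HMAC-SHA256 tag header, then the code.
def pack_mac_blob(code: bytes, key: bytes) -> bytes:
    return hmac.new(key, code, hashlib.sha256).digest() + code


def verify_mac_blob(blob: bytes, key: bytes) -> bool:
    """Accepts only payloads tagged by the holder of `key`."""
    tag, code = blob[:32], blob[32:]
    expected = hmac.new(key, code, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def demo() -> tuple:
    """Constructed payloads and key. Returns ((crc_legit, crc_replaced),
    (mac_legit, mac_replaced)) so the contrast is visible in one call."""
    key = b"constructed-key-known-only-to-the-verifier"
    legit = b"constructed stand-in for the vendor's agent code"
    replaced = b"constructed stand-in for whatever else got written to that sector"
    # CRC: the sector writer computes the header itself, so both pass.
    crc_results = (verify_crc_blob(pack_crc_blob(legit)),
                   verify_crc_blob(pack_crc_blob(replaced)))
    # HMAC: a blob tagged under any other key is rejected.
    mac_results = (verify_mac_blob(pack_mac_blob(legit, key), key),
                   verify_mac_blob(pack_mac_blob(replaced, b"some-other-key"), key))
    return crc_results, mac_results


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

In a real BIOS loader a shared HMAC key would itself sit in the flash image and be readable by anyone who dumps it, so the practical fix is a public-key signature with only the public key embedded in the BIOS; the HMAC is used here only to make the difference between "matches a checksum" and "came from the key holder" concrete.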
dave (Premium Member, join:2000-05-04, not in ohio) to SweetNoob:
Bits on a disk can't magically turn into running code. Some already-running code has to read those bits into memory and then execute the bits it has read.

This means malware has to insinuate itself into somewhere that's going to get executed. The master boot record is one such place. The OS kernel file is another. Any frequently-executed program is yet another. However, the point is that simply being on the disk doesn't do a thing.

And whether it survives a "reformatting" depends on what that reformatting actually does. Certainly the malware bits will no longer be in any file in the OS's file system. If "reformatting" writes to any disk block then the malware bits aren't there either.

There might be some funky stuff possible with the host protected area (HPA), which logically doesn't exist as far as the OS is concerned. But the code still has to get executed somehow, so there would need to be a BIOS tie-in. Or at least the OS would need to be compromised by adding a loader program that would load the malware from the HPA.

JALevinworth (Anon, @embarqhsd.net):

said by dave:

And whether it survives a "reformatting" depends on what that reformatting actually does.

Also, what OP means by "reformatting": such as dropping any/all partitions (if any) first, and not just formatting C:/system with existing partitions (if any) still in place. I assume OP means the second, but I'm pointing that out in case.

-Jim

leibold (MVM, join:2002-07-09, Sunnyvale, CA) to SweetNoob:
There are definitely ways to hide malicious data on a hard disk, but as has already correctly been stated, that hidden malicious code would do nothing unless there is something else executing it.

That hiding place wouldn't be inside a sector: the data portion of the sector is visible to the OS, and the other parts of it are not very useful for hiding information (sync, AM, ECC, gap).

A smarter place to hide malware on a hard disk would be the flash memory containing the drive firmware, which would escape detection by most common malware detection means and would allow the malicious code to be executed by the hard drive's internal microcontroller. It would allow intercepting/modifying data written to or read from the drive.

There are plenty of difficulties in attempting to do something like that (and any such malware would work for just one specific harddrive model) but it is at least theoretically possible.
dsilvers (Member, join:2009-05-17, Canyon Lake, TX) to SweetNoob:
TDL4 was a sophisticated rootkit. It created a hidden partition at the end of the drive and marked it active/bootable. TDL4 modified the MBR, but the code was basically in the hidden partition. GParted was capable of removing the partition, but it was not visible from a running operating system.
said by ESET Blog:
The bootkit part of the malware has been changed since the previous modification of TDL4. In contrast to its previous incarnation, where the MBR (Master Boot Record) was overwritten and space was reserved at the end of the bootable hard drive for storing malicious components, this version of TDL4 employs a rather different approach in order to infect the system.

Bear in mind that the MBR contains a partition table at offset 0x1BE from its beginning in the first sector of the disk. This table consists of four 16-byte entries, each describing a corresponding partition on the hard drive. Thus there are at most 4 primary partitions on the hard drive, and there is exactly one partition marked as active, which means that it is the partition from which the OS will be booted. The malware overwrites an empty entry in the partition table with the parameters for the malicious partition, marks it as active and initializes the VBR (Volume Boot Record) of the newly created partition, as shown in this figure:


Anav (Premium Member, join:2001-07-16, Dartmouth, NS) to SweetNoob:
Let's not forget the fact that many IT and networking items are manufactured off-shore, so I would suspect that it is entirely plausible that we are all bugged to the hilt, and if need be anything can be ascertained about us, or perhaps shut down by such embedded hardware/software; we are scooped. I don't think we can afford Not to be paranoid. The Borg is coming!! :-0

ashrc4 (Premium Member, join:2009-02-06, Australia) to SweetNoob:
said by SweetNoob:

I know about hardware malware being specifically designed for certain manufacturers.

Had a hardware supplier (motherboard or HDD... forget) allow for a hidden partition for its own recovery. It was not searchable on the OS and not formattable by standard methods. Combined with a simple MBR exploit, I would have to guess whether any malware has been written to exploit it. The malware in a hidden partition may not be scanned by AV.
Checking for these partitions can usually be done by comparing reported hard drive space against the actual HDD size.
I have a non-OEM install on a non-laptop HDD, so using D-Ban or equivalent should suffice in wiping the total drive space where these could hide.

OK, forget D-Ban for this job.
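The ESET description that dsilvers quotes (partition table at 0x1BE, four 16-byte entries, exactly one marked active) and ashrc4's suggestion to compare the space the OS accounts for against the drive's real size both come down to the same defensive check: read the raw MBR yourself and compare it with what the running OS claims. The Python below is an added example, not code from ESET, GParted or anyone in this thread. It decodes the partition table from a constructed 512-byte MBR, flags an active entry the OS does not report, and totals the sectors that no partition covers. The sample layout, the drive size and the OS-reported partition list are all constructed.

```python
import struct

SECTOR = 512
PT_OFFSET = 0x1BE      # partition table offset inside the MBR
ENTRY_SIZE = 16
ENTRY_COUNT = 4
ACTIVE_FLAG = 0x80


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte entries at 0x1BE of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(ENTRY_COUNT):
        off = PT_OFFSET + i * ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE)
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "active": status == ACTIVE_FLAG,
                        "type": ptype, "start": start, "count": count})
    return entries


def audit_mbr(mbr: bytes, disk_sectors: int, os_visible: set) -> dict:
    """Compare a raw MBR (read from rescue media, not through the suspect OS)
    against the partitions the running OS reports and the drive's real size."""
    used = [e for e in parse_partition_table(mbr) if e["type"] != 0 and e["count"] > 0]
    active = [e["index"] for e in used if e["active"]]
    hidden = [e["index"] for e in used if e["index"] not in os_visible]
    return {
        "active": active,
        "multiple_or_no_active": len(active) != 1,
        "active_not_visible": any(i not in os_visible for i in active),
        "hidden_from_os": hidden,
        "unallocated_sectors": disk_sectors - sum(e["count"] for e in used),
    }


def build_entry(active: bool, ptype: int, start: int, count: int) -> bytes:
    # CHS fields are left zero; modern loaders use the LBA fields.
    return struct.pack("<B3xB3xII", ACTIVE_FLAG if active else 0, ptype, start, count)


def constructed_mbr() -> bytes:
    """Constructed sample: one normal NTFS-type partition the OS lists, plus
    a small entry near the end of the disk that holds the active flag, in the
    shape of the layout the ESET text describes."""
    table = (build_entry(False, 0x07, 2048, 1_900_000)
             + build_entry(True, 0x07, 1_990_000, 8192)
             + bytes(ENTRY_SIZE) * 2)
    return bytes(PT_OFFSET) + table + b"\x55\xaa"


DISK_SECTORS = 2_000_000       # constructed drive size (about 1 GB)
OS_REPORTED_PARTITIONS = {0}   # constructed: the running OS lists only entry 0

if __name__ == "__main__":
    for key, value in audit_mbr(constructed_mbr(), DISK_SECTORS, OS_REPORTED_PARTITIONS).items():
        print(f"{key}: {value}")
```

The raw sector and the sector count would in practice be taken from rescue media rather than from the possibly infected OS (for example `dd if=/dev/sda bs=512 count=1` and `blockdev --getsz /dev/sda` from a live Linux boot), because a bootkit that hooks disk access can hand a clean-looking MBR to tools running under it, which is the same reason the partition dsilvers mentions was only visible from GParted. Unallocated sectors alone prove nothing (alignment gaps and OEM recovery areas are common), but an active entry the OS has never heard of, or a large unexplained tail, is worth imaging and inspecting before the drive is reused.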

SweetNoob (Anon, @optonline.net):
Is there any way to wipe hidden sectors without using proprietary software?

leibold (MVM, join:2002-07-09, Sunnyvale, CA):
The only way I know of to erase all sectors, even those not exposed to the data interface at all (not only hidden data sectors), is using something like this hardware. This will brick the drive and render it unusable!

If you are looking for a non-destructive software solution it would have to be specific for every situation (how and where the data is hidden and on what kind of drive).

Dustyn (Premium Member, join:2003-02-26, Ontario, CAN):
said by leibold:

This will brick the drive and render it unusable!

I would think so at those prices.
Cheapest thing was the ERASED stickers... and those ain't cheap either!

Cartel (Premium Member, join:2006-09-13, Chilliwack, BC) to ashrc4:
said by ashrc4:

said by SweetNoob:

I know about hardware malware being specifically designed for certain manufacturers.

Had a hardware supplier (motherboard or HDD... forget) allow for a hidden partition for its own recovery. It was not searchable on the OS and not formattable by standard methods. Combined with a simple MBR exploit, I would have to guess whether any malware has been written to exploit it. The malware in a hidden partition may not be scanned by AV.
Checking for these partitions can usually be done by comparing reported hard drive space against the actual HDD size.
I have a non-OEM install on a non-laptop HDD, so using D-Ban or equivalent should suffice in wiping the total drive space where these could hide.

OK, forget D-Ban for this job.

Could that be dangerous for the drive?
I think some damaged sectors are remapped for a reason and sectors are reserved to replace damaged ones.

norwegian (Premium Member, join:2005-02-15, Outback) to SweetNoob:
said by SweetNoob:

Is there any way to wipe hidden sectors without using proprietary software?

HDtune pro trial
public (Member, join:2002-01-19, Santa Clara, CA) to SweetNoob:
said by SweetNoob:

I present an extremely paranoid question. Do you think it is possible for malware programmers to create something that lives on a hard drive sector and reinfects the OS it was programmed for upon reinstall after a reformat?

Possible if the drive firmware is compromised.

ashrc4 (Premium Member, join:2009-02-06, Australia) to SweetNoob:
said by SweetNoob:

Is there any way to wipe hidden sectors without using proprietary software?

Check what software is available for your hard drive from the manufacturer.
You should be safe if you re-install the MBR when re-installing Windows.
said by Cartel:

Could that be dangerous for the drive?
I think some damaged sectors are remapped for a reason and sectors are reserved to replace damaged ones.

You would need to run a program if the OS install is on that section of the disk before re-installing. The removing-bad-sectors option is just that, an option (usually reserved for pre-destruction).
Theoretically you could hide malware in a portion of disk that was re-mapped as damaged, then use an MBR exploit that un-maps it. It might just be possible.