-1 recommendation
SweetNoob
Anon
2013-Jan-31 3:37 am
Possible for malware to covertly hide on a hard drive sector?
I present an extremely paranoid question. Do you think it is possible for malware programmers to create something that lives on a hard drive sector and reinfects the OS it was programmed for upon reinstall after a reformat?
I know about hardware malware being specifically designed for certain manufacturers.
What I am asking specifically is: do you think it can just hide on the HDD itself?

Doctor Olds Premium Member join:2001-04-19
No.

to SweetNoob
I think it would depend on whether or not, as part of the "reformatting", you erased the MBR (master boot record).
I have been told that it is not necessary to completely erase the hard drive, but only to erase the MBR. On the other hand, I have heard of some strange cases with unusual circumstances. I would have to go back and see if I could find those articles again to see exactly what the unusual circumstances were.

angussf Premium Member join:2002-01-11 Tucson, AZ
2013-Jan-31 9:21 am
According to a paper presented at Black Hat in 2009, the Computrace LoJack for Laptops BIOS agent present on many brands of notebook and laptop computers resides in BIOS and reloads itself from an area of the HDD outside the formatted area. At least that's how I read this paragraph from the PDF linked to on this page: Core Security Technologies: Deactivate the Rootkit »www.coresecurity.com/con ··· -Rootkit (Black Hat USA 2009)
As we said in section 2, we found many incarnations of the persistent agent. One particular example, found on notebooks like the Dell Vostro 1510, is the Computrace V 70.785 agent (this number may change with the BIOS version). This agent doesn't contain any code except for a small stub used to load additional code from a sector on the hard disk located outside normal partitions. This is also documented in the public patent application US 2006/027220 A1. The code on the hard disk contains a small header that indicates to the stub where to load the code in memory, and carries out a CRC-16 check. We found the lack of code authentication in this particular case provides an easy way to build a BIOS-rootkit attack, as an unauthorized privileged user could put code on the hard disk that will be executed directly on the BIOS.

dave Premium Member join:2000-05-04 not in ohio
to SweetNoob
Bits on a disk can't magically turn into running code. Some already-running code has to read those bits into memory and then execute the bits it has read.
This means malware has to insinuate itself into somewhere that's going to get executed. The master boot record is one such place. The OS kernel file is another. Any frequently-executed program is yet another. However, the point is that simply being on the disk doesn't do a thing.
And whether it survives a "reformatting" depends on what that reformatting actually does. Certainly the malware bits will no longer be in any file in the OS's file system. If "reformatting" writes to any disk block then the malware bits aren't there either.
There might be some funky stuff possible with the host protected area (HPA), which logically doesn't exist as far as the OS is concerned. But the code still has to get executed somehow, so there would need to be a BIOS tie-in. Or at least the OS would need to be compromised by adding a loader program that would load the malware from the HPA.

JALevinworth
Anon
2013-Jan-31 1:30 pm
said by dave: And whether it survives a "reformatting" depends on what that reformatting actually does.
Also what OP means by "reformatting". Such as dropping any/all partitions, if any, first, and not just formatting C:/system with existing partitions (if any) still in place. I assume OP means the second but am pointing that out in case. -Jim

leibold MVM join:2002-07-09 Sunnyvale, CA
to SweetNoob
There are definitely ways to hide malicious data on a hard disk, but as has already correctly been stated, that hidden malicious code would do nothing unless there is something else executing it.
That hiding place wouldn't be inside a sector: the data portion of the sector is visible to the OS, and the other parts of it are not very useful for hiding information (sync, AM, ECC, gap).
A smarter place to hide malware on a hard disk would be the flash memory containing the drive firmware, which would escape detection by most common malware detection means and would allow the malicious code to be executed by the hard drive's internal microcontroller. It would allow intercepting/modifying data written to or read from the drive.
There are plenty of difficulties in attempting to do something like that (and any such malware would work for just one specific hard drive model), but it is at least theoretically possible.

1 recommendation
to SweetNoob
TDL4 was a sophisticated rootkit. It created a hidden partition at the end of the drive and marked it active/bootable. TDL4 modified the MBR, but the code was basically in the hidden partition. GParted was capable of removing the partition, but it was not visible from a running operating system.
said by ESET Blog: The bootkit part of the malware has been changed since the previous modification of TDL4. In contrast to its previous incarnation, where the MBR (Master Boot Record) was overwritten and space was reserved at the end of the bootable hard drive for storing malicious components, this version of TDL4 employs a rather different approach in order to infect the system.
Bear in mind that the MBR contains a partition table at offset 0x1BE from its beginning in the first sector of the disk. This table consists of four 16-byte entries, each describing a corresponding partition on the hard drive. Thus there are at most 4 primary partitions on the hard drive, and there is exactly one partition marked as active, which means that it is the partition from which the OS will be booted. The malware overwrites an empty entry in the partition table with the parameters for the malicious partition, marks it as active and initializes the VBR (Volume Boot Record) of the newly created partition, as shown in this figure:
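To make that partition-table layout concrete, here is an added Python check (not from the ESET post or anyone in this thread) that decodes the four 16-byte entries at 0x1BE of a raw MBR and flags the things this thread says are worth a look: more or fewer than one active entry, an active partition that is not the lowest one on the disk, an entry extending past the reported drive size, and unallocated space after the last partition (the "compare partition space with the real drive size" check mentioned later). The disk size and both MBR layouts are constructed samples; the findings are heuristics to inspect, not proof of infection.

```python
import struct
SECTOR = 512
PT_OFFSET = 0x1BE            # the partition table starts at this offset in sector 0
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
MAX_TAIL_SECTORS = 2048      # tolerate up to 1 MiB of alignment slack after the last partition

def parse_partition_table(mbr):
    """Decode the four 16-byte primary-partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not an MBR: wrong length or missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PT_OFFSET + 16 * i)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return entries

def audit_partition_table(mbr, disk_sectors):
    """Return layout anomalies worth a closer look (heuristics, not proof of infection)."""
    findings = []
    used = [e for e in parse_partition_table(mbr) if e["type"] and e["sectors"]]
    active = [e for e in used if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions, expected exactly 1")
    for e in used:
        if e["lba_start"] + e["sectors"] > disk_sectors:
            findings.append(f"entry {e['index']} extends past the end of the disk")
    if used:
        lowest = min(used, key=lambda e: e["lba_start"])
        if active and active[0] is not lowest:
            findings.append(f"active partition is entry {active[0]['index']} at LBA "
                            f"{active[0]['lba_start']}, not the lowest partition on the disk")
        tail = disk_sectors - max(e["lba_start"] + e["sectors"] for e in used)
        if tail > MAX_TAIL_SECTORS:
            findings.append(f"{tail} unallocated sectors after the last partition")
    return findings

def build_mbr(layout):
    """Construct a synthetic MBR from (active, type, lba_start, sectors) tuples (test data only)."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, lba, count) in enumerate(layout):
        struct.pack_into(ENTRY_FMT, mbr, PT_OFFSET + 16 * i,
                         0x80 if active else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

# Constructed samples (~9.5 GiB disk): a normal layout, and a TDL4-style one with a small active tail partition
DISK_SECTORS = 20_000_000
CLEAN_MBR = build_mbr([(True, 0x07, 2048, 19_995_904)])
SUSPECT_MBR = build_mbr([(False, 0x07, 2048, 19_995_904), (True, 0x1C, 19_998_000, 2000)])
```

On a real machine the same audit takes the first 512 bytes read from the disk device plus its sector count (for example from `blockdev --getsz` on Linux), run from boot media rather than from the possibly infected OS.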
Anav Premium Member join:2001-07-16 Dartmouth, NS
to SweetNoob
Let's not forget the fact that many IT and networking items are manufactured off-shore, so I would suspect that it is entirely plausible that we are all bugged to the hilt, and if need be anything can be ascertained about us, or perhaps shut down by such embedded hardware-software; we are scooped. I don't think we can afford Not to be paranoid. The Borg is coming!! :-0

ashrc4 Premium Member join:2009-02-06 australia
to SweetNoob
said by SweetNoob: I know about hardware malware being specifically designed for certain manufacturers.
Had a hardware supplier (motherboard or HDD... forget) allow for a hidden partition for its own recovery. It was not searchable on the OS and not formattable by standard methods. Combined with a simple MBR exploit, I would have to guess whether any malware has been written to exploit it. The malware in a hidden partition may not be scanned by AV. Checking for these partitions can usually be assumed by comparing hard drive space from actual HDD size. I have a non-OEM install for a non-laptop HDD, so using DBAN or equivalent should suffice in wiping the total drive space where these could hide.
O.k., forget DBAN for this job.

SweetNoob
Anon
2013-Feb-3 4:49 am
to SweetNoob
Is there any way to wipe hidden sectors without using proprietary software?

leibold MVM join:2002-07-09 Sunnyvale, CA
The only way I know of to erase all sectors, even those not exposed to the data interface at all (not only hidden data sectors), is using something like this hardware. This will brick the drive and render it unusable! If you are looking for a non-destructive software solution, it would have to be specific for every situation (how and where the data is hidden, and on what kind of drive).

Dustyn Premium Member join:2003-02-26 Ontario, CAN
2013-Feb-3 3:57 pm
said by leibold: This will brick the drive and render it unusable!
I would think so at those prices. Cheapest thing was the ERASED stickers... and those ain't cheap either!

Cartel Premium Member join:2006-09-13 Chilliwack, BC
to ashrc4
said by ashrc4: said by SweetNoob: I know about hardware malware being specifically designed for certain manufacturers. Had a hardware supplier (motherboard or HDD... forget) allow for a hidden partition for its own recovery. It was not searchable on the OS and not formattable by standard methods. Combined with a simple MBR exploit, I would have to guess whether any malware has been written to exploit it. The malware in a hidden partition may not be scanned by AV. Checking for these partitions can usually be assumed by comparing hard drive space from actual HDD size. I have a non-OEM install for a non-laptop HDD, so using DBAN or equivalent should suffice in wiping the total drive space where these could hide. O.k., forget DBAN for this job.
Could that be dangerous for the drive? I think some damaged sectors are remapped for a reason, and sectors are reserved to replace damaged ones.

norwegian Premium Member join:2005-02-15 Outback
to SweetNoob
said by SweetNoob: Is there any way to wipe hidden sectors without using proprietary software?
HDtune pro trial

public join:2002-01-19 Santa Clara, CA
to SweetNoob
said by SweetNoob: I present an extremely paranoid question. Do you think it is possible for malware programmers to create something that lives on a hard drive sector and reinfects the OS it was programmed for upon reinstall after a reformat?
Possible if the drive firmware is compromised.

ashrc4 Premium Member join:2009-02-06 australia
to SweetNoob
said by SweetNoob: Is there any way to wipe hidden sectors without using proprietary software?
Check what software is available for your hard drive from the manufacturer. You should be safe if you re-install the MBR when re-installing Windows.
said by Cartel: Could that be dangerous for the drive? I think some damaged sectors are remapped for a reason, and sectors are reserved to replace damaged ones.
You would need to run a program if the OS installs on that section of the disk before re-installing. The removing-bad-sectors option is just that, an option (usually reserved for pre-destruction). Theoretically you could hide malware in a portion of disk that was re-mapped as damaged, then use an MBR exploit that un-maps it. It might just be possible.