
reply to SweetNoob

Re: Possible for malware to covertly hide on harddrive sector

I think it would depend on whether or not, as part of the "reformatting", you erased the MBR (master boot record).

I have been told that it is not necessary to completely erase the hard drive, but only to erase the MBR. On the other hand, I have heard of some strange cases with unusual circumstances. I would have to go back and see if I could find those articles again, to see exactly what the unusual circumstances were.

According to a paper presented at Blackhat in 2009, the Computrace Lojack for Laptops BIOS agent present on many brands of notebook and laptop computers resides in BIOS and reloads itself from an area of the HDD outside the formatted area. At least that's how I read this paragraph from the PDF linked to on this page:
Core Security Technologies: Deactivate the Rootkit
»www.coresecurity.com/content/Dea ··· -Rootkit
Black Hat USA 2009
As we said in section 2, we found many incarnations of the persistent agent.
One particular example, found on notebooks like the Dell Vostro 1510, is the Computrace V 70.785 agent (this number may change with the BIOS version). This agent doesn't contain any code except for a small stub used to load additional code from a sector on the hard disk located outside normal partitions. This is also documented in the public patent application US 2006/027220 A1.
The code on the hard disk contains a small header that tells the stub where to load the code in memory, and carries out a CRC-16 check. We found the lack of code authentication in this particular case provides an easy way to build a BIOS rootkit attack, as an unauthorized privileged user could put code on the hard disk that will be executed directly from the BIOS.
Angus S-F
GeoApps, Tucson, Arizona, USA
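The mechanism in the quoted paragraph (a BIOS stub that finds a blob in sectors outside any partition, checks a CRC-16 and runs it) is easy to model, and modelling it shows why the paper calls the CRC a lack of authentication. The block below is an added example written for this thread; it is not code from the Core Security paper, from Absolute/Computrace, or from either poster. The header layout, the "STUB" magic, the partition geometry, the sector numbers and the key are all assumptions made for the illustration, not the real agent's format. It builds a small constructed disk image with one MBR partition and a blob stored past the partition's end, parses the MBR to find the out-of-partition sectors, and runs two stubs over it: the weak one accepts any blob whose CRC matches, including an attacker's, while a hardened one also requires a MAC over the load address and code under a key the attacker does not hold.

```python
"""
Added example, not code from the Core Security paper or from this thread.
Simulates a BIOS stub loading a code blob from sectors outside any MBR
partition. Header layout, "STUB" magic, disk geometry and the key are
assumptions made for the illustration.
"""
import hashlib
import hmac
import struct

SECTOR = 512
MAGIC = b"STUB"                          # assumed marker the stub scans for
HDR = "<IHH"                             # assumed: load address, length, crc16
KEY = b"assumed key embedded in BIOS"    # stand-in for a BIOS verification key


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE, bit by bit. Detects corruption, not tampering."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def make_blob(load_addr: int, payload: bytes) -> bytes:
    """Anyone who can write the disk can build a CRC-valid blob."""
    return MAGIC + struct.pack(HDR, load_addr, len(payload), crc16_ccitt(payload)) + payload


def make_signed_blob(load_addr: int, code: bytes, key: bytes = KEY) -> bytes:
    """Hardened variant: payload carries an HMAC over load address and code."""
    tag = hmac.new(key, struct.pack("<I", load_addr) + code, hashlib.sha256).digest()
    return make_blob(load_addr, code + tag)


def build_disk(blob: bytes, total_sectors: int = 64, part_start: int = 1,
               part_count: int = 40, blob_lba: int = 48) -> bytes:
    """Constructed disk image: one MBR partition, blob stored past its end."""
    disk = bytearray(total_sectors * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x83, 0, 0, 0]) + struct.pack("<II", part_start, part_count)
    disk[446:462] = entry                # partition table entry 0
    disk[510:512] = b"\x55\xAA"          # MBR boot signature
    disk[blob_lba * SECTOR:blob_lba * SECTOR + len(blob)] = blob
    return bytes(disk)


def parse_mbr(mbr: bytes) -> list:
    """(start_lba, sector_count) for each populated entry of a classic MBR."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("bad MBR signature")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:      # byte 4 is the partition type
            parts.append((start, count))
    return parts


def unallocated_tail(disk: bytes) -> tuple:
    """LBA range after the last partition: a format never touches these sectors."""
    parts = parse_mbr(disk[:SECTOR])
    first = max(s + c for s, c in parts) if parts else 1
    return first, len(disk) // SECTOR


def find_blob(disk: bytes):
    """Scan out-of-partition sectors for the header, as the stub would."""
    first, last = unallocated_tail(disk)
    for lba in range(first, last):
        off = lba * SECTOR
        if disk[off:off + 4] == MAGIC:
            addr, length, crc = struct.unpack_from(HDR, disk, off + 4)
            return addr, crc, disk[off + 12:off + 12 + length]
    return None


def weak_stub_accepts(disk: bytes) -> bool:
    """The paper's finding: a matching CRC-16 is all it takes to get executed."""
    found = find_blob(disk)
    return found is not None and crc16_ccitt(found[2]) == found[1]


def hardened_stub_accepts(disk: bytes) -> bool:
    """Same lookup, but the code must carry a valid MAC under the BIOS key."""
    found = find_blob(disk)
    if found is None or crc16_ccitt(found[2]) != found[1] or len(found[2]) < 32:
        return False
    addr, _, payload = found
    code, tag = payload[:-32], payload[-32:]
    expect = hmac.new(KEY, struct.pack("<I", addr) + code, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expect)


# Constructed inputs: the vendor's agent code and an attacker's replacement.
VENDOR_CODE = b"\x90" * 40 + b"vendor agent"
ATTACKER_CODE = b"\x90" * 40 + b"rootkit"
DISK_VENDOR = build_disk(make_blob(0x20000, VENDOR_CODE))
DISK_FORGED = build_disk(make_blob(0x20000, ATTACKER_CODE))
DISK_SIGNED = build_disk(make_signed_blob(0x20000, VENDOR_CODE))
DISK_FORGED_SIGNED = build_disk(make_signed_blob(0x20000, ATTACKER_CODE, key=b"guess"))

if __name__ == "__main__":
    print("out-of-partition LBAs:", unallocated_tail(DISK_VENDOR))
    print("weak stub accepts forged blob:", weak_stub_accepts(DISK_FORGED))
    print("hardened stub accepts forged blob:", hardened_stub_accepts(DISK_FORGED_SIGNED))
```

Two points the run makes concrete. First, a format or a repartition that leaves the MBR and the tail sectors alone never touches LBA 41 onward here, which is exactly where the stub looks. Second, the attacker with disk write access recomputes the CRC-16 as easily as the vendor does, so the weak stub accepts the forged blob; only a check bound to a secret the attacker lacks rejects it. An HMAC is used to keep the example self-contained; in a real BIOS the right primitive is a signature verified against a public key in the firmware image, since a symmetric key stored in BIOS can be read out by the same privileged user.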