|reply to redwolfe_98 |
Re: Possible for malware to covertly hide on harddrive sector
According to a paper presented at Blackhat in 2009, the Computrace Lojack for Laptops BIOS agent present on many brands of notebook and laptop computers resides in BIOS and reloads itself from an area of the HDD outside the formatted area. At least that's how I read this paragraph from the PDF linked to on this page:
Core Security Technologies: Deactivate the Rootkit--
Black Hat USA 2009
As we said on section 2, we found many incarnations of the persistent agent.
One particular example, found on notebooks like Dell Vostro 1510, is the Computrace V 70.785 agent (this number may change with the BIOS version). This agent doesn't contain any code except for a small stub used to load additional code from a sector on the hard disk located outside normal partitions. This is also documented in the public patent application US 2006/027220 A1.
The code on the hard disk contains a small header that indicates to the stub where to load the code in memory, and carries out a CRC-16 check. We found the lack of code authentication in this particular case provides an easy way to build a BIOS rootkit attack, as an unauthorized privileged user could put code on the hard disk that will be executing directly on the BIOS.
GeoApps, Tucson, Arizona, USA