reply to SweetNoob
Re: Possible for malware to covertly hide on harddrive sector
TDL4 was a sophisticated rootkit. It created a hidden partition at the end of the drive and marked it active/bootable. TDL4 modified the MBR, but the code was basically in the hidden partition. GParted was capable of removing the partition, but it was not visible from a running operating system.
said by ESET Blog:
The bootkit part of the malware has been changed since the previous modification of TDL4. In contrast to its previous incarnation, where the MBR (Master Boot Record) was overwritten and space was reserved at the end of the bootable hard drive for storing malicious components, this version of TDL4 employs rather a different approach in order to infect the system.
Bear in mind that the MBR contains a partition table at offset 0x1BE from its beginning in the first sector of the disk. This table consists of four 16-byte entries, each describing a corresponding partition on the hard drive. Thus there are at most 4 primary partitions on the hard drive, and there is exactly one partition marked as active, which means that it is the partition from which the OS will be booted. The malware overwrites an empty entry in the partition table with the parameters for the malicious partition, marks it as active and initializes the VBR (Volume Boot Record) of the newly created partition, as shown in this figure:
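The partition-table layout the ESET quote describes (table at 0x1BE, four 16-byte entries, one active flag) is easy to check by hand on a raw first sector. The script below is an added example, not code from this thread or from ESET: it parses the table from a 512-byte MBR image and flags the layout the post describes, an active entry that sits at the highest LBA on the disk while other partitions exist. The sample disk images are constructed inline (a normal two-partition Windows-style layout, and the same layout with a small trailing partition marked active); the partition type byte and sizes used for the "infected" sample are assumptions for illustration, not TDL4's actual values, and the audit is a heuristic, not a detection signature.

```python
import struct
import sys
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE   # table offset quoted in the ESET text
ENTRY_SIZE = 16                  # four 16-byte entries
ENTRY_COUNT = 4
ACTIVE_FLAG = 0x80               # status byte value meaning "active/bootable"
SIGNATURE_OFFSET = 0x1FE         # 0x55AA boot signature

# entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4), little-endian
ENTRY_FMT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    index: int
    status: int
    ptype: int
    lba_start: int
    sectors: int

    @property
    def active(self) -> bool:
        return bool(self.status & ACTIVE_FLAG)

    @property
    def empty(self) -> bool:
        return self.ptype == 0 and self.lba_start == 0 and self.sectors == 0


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Parse the four partition-table entries out of a raw first sector."""
    if len(sector) < MBR_SIZE:
        raise ValueError("need the full first sector (512 bytes)")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(ENTRY_COUNT):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append(PartitionEntry(i, status, ptype, lba_start, sectors))
    return entries


def audit_partition_table(entries: List[PartitionEntry],
                          disk_sectors: Optional[int] = None) -> List[str]:
    """Heuristic checks on a parsed table; returns a list of human-readable findings."""
    findings = []
    used = [e for e in entries if not e.empty]
    active = [e for e in used if e.active]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries (expected exactly 1)")
    for e in used:
        if e.status not in (0x00, ACTIVE_FLAG):
            findings.append(f"entry {e.index}: unusual status byte 0x{e.status:02x}")
    if len(used) > 1:
        highest = max(used, key=lambda e: e.lba_start)
        for e in active:
            if e is highest:
                findings.append(f"entry {e.index}: active partition is the highest-LBA "
                                f"partition on the disk (trailing bootable partition)")
    if disk_sectors is not None:
        for e in used:
            if e.lba_start + e.sectors > disk_sectors:
                findings.append(f"entry {e.index}: extends past end of disk")
    return findings


def make_entry(status: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are left zero; modern tooling uses the LBA fields
    return struct.pack(ENTRY_FMT, status, ptype, lba_start, sectors)


DISK_SECTORS = 41943040  # constructed 20 GiB disk


def build_sample_mbr(infected: bool) -> bytes:
    """Constructed sample: a 100 MiB boot partition plus an OS partition, optionally
    with a small trailing partition that has taken over the active flag (assumed values)."""
    entries = [
        make_entry(0x00 if infected else ACTIVE_FLAG, 0x07, 2048, 204800),
        make_entry(0x00, 0x07, 206848, 41734144),
    ]
    if infected:
        entries.append(make_entry(ACTIVE_FLAG, 0x07, DISK_SECTORS - 2048, 2048))
    while len(entries) < ENTRY_COUNT:
        entries.append(bytes(ENTRY_SIZE))
    return bytes(PARTITION_TABLE_OFFSET) + b"".join(entries) + b"\x55\xaa"


if __name__ == "__main__":
    # usage: python mbr_audit.py [path-to-first-sector-image]; defaults to the constructed sample
    data = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else build_sample_mbr(True)
    table = parse_mbr(data)
    for e in table:
        if not e.empty:
            print(f"entry {e.index}: status=0x{e.status:02x} type=0x{e.ptype:02x} "
                  f"start={e.lba_start} sectors={e.sectors} active={e.active}")
    for f in audit_partition_table(table):
        print("finding:", f)
```

On a live system the first sector can be dumped with `dd if=/dev/sda of=mbr.bin bs=512 count=1` (or its Windows equivalent reading `\\.\PhysicalDrive0`) and fed to the script; as the post notes, a rootkit that hooks disk I/O can present a clean sector to the running OS, so the dump is only trustworthy when taken from outside the infected system (a live CD or the drive attached to another machine).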