SweetNoob

@optonline.net

-1 recommendation

Possible for malware to covertly hide on harddrive sector

I present an extremely paranoid question. Do you think it is possible for malware programmers to create something that lives on a hard drive sector and reinfects the OS it was programmed for upon reinstall after a reformat?

I know about hardware malware being specifically designed for certain manufacturers..

What I am asking specifically is: do you think it can just hide on the HDD itself?



Doctor Olds
I Need A Remedy For What's Ailing Me.
Premium,VIP
join:2001-04-19
1970 442 W30
kudos:18

No.


redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to SweetNoob

I think it would depend on whether or not, as part of the "reformatting", you erased the "MBR" (master boot record)..

I have been told that it is not necessary to completely erase the hard drive, but only to erase the "MBR".. on the other hand, I have heard of some strange cases with unusual circumstances.. I would have to go back and see if I could find those articles again, to see exactly what the unusual circumstances were..



angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4

According to a paper presented at Blackhat in 2009, the Computrace Lojack for Laptops BIOS agent present on many brands of notebook and laptop computers resides in BIOS and reloads itself from an area of the HDD outside the formatted area. At least that's how I read this paragraph from the PDF linked to on this page:

Core Security Technologies: Deactivate the Rootkit
»www.coresecurity.com/content/Dea···-Rootkit
Black Hat USA 2009
As we said in section 2, we found many incarnations of the persistent agent.
One particular example, found on notebooks like Dell Vostro 1510, is the Computrace V 70.785 agent (this number may change with the BIOS version). This agent doesn't contain any code except for a small stub used to load additional code from a sector on the hard disk located outside normal partitions. This is also documented in the public patent application US 2006/027220 A1.
The code on the hard disk contains a small header that indicates to the stub where to load the code in memory, and carries out a CRC-16 check. We found that the lack of code authentication in this particular case provides an easy way to build a BIOS-rootkit attack, as an unauthorized privileged user could put code on the hard disk that will be executed directly by the BIOS.
--
Angus S-F
GeoApps, Tucson, Arizona, USA
»geoapps.com/
»www.linkedin.com/in/angussf
»geoapps.blogspot.com/

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS
reply to SweetNoob

Bits on a disk can't magically turn into running code. Some already-running code has to read those bits into memory and then execute the bits it has read.

This means malware has to insinuate itself into somewhere that's going to get executed. The master boot record is one such place. The OS kernel file is another. Any frequently-executed program is yet another. However, the point is that simply being on the disk doesn't do a thing.

And whether it survives a "reformatting" depends on what that reformatting actually does. Certainly the malware bits will no longer be in any file in the OS's file system. If "reformatting" writes to any disk block then the malware bits aren't there either.

There might be some funky stuff possible with the host-protected area (HPA), which logically doesn't exist as far as the OS is concerned. But the code still has to get executed somehow, so there would need to be a BIOS tie-in. Or at least the OS would need to be compromised by adding a loader program that would load the malware from the HPA.



JALevinworth

@embarqhsd.net

said by dave:

And whether it survives a "reformatting" depends on what that reformatting actually does.

Also what OP means by "reformatting". Such as dropping any/all partitions, if any, first, and not just formatting C:/system with the existing partitions (if any) still in place. I assume OP means the second, but pointing that out in case.

-Jim


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
reply to SweetNoob

There are definitely ways to hide malicious data on a hard disk, but as has already correctly been stated, that hidden malicious code would do nothing unless there is something else executing it.

That hiding place wouldn't be inside a sector: the data portion of the sector is visible to the OS, and the other parts of it are not very useful for hiding information (sync, AM, ECC, gap).

A smarter place to hide malware on a hard disk would be the flash memory containing the drive firmware, which would escape detection by most common malware detection means and would allow the malicious code to be executed by the hard drive's internal microcontroller. It would allow intercepting/modifying data written to or read from the drive.

There are plenty of difficulties in attempting to do something like that (and any such malware would work for just one specific hard drive model), but it is at least theoretically possible.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


dsilvers

join:2009-05-17
Canyon Lake, TX

1 recommendation

reply to SweetNoob

TDL4 was a sophisticated rootkit. It created a hidden partition at the end of the drive and marked it active/bootable. TDL4 modified the MBR but the code was basically in the hidden partition. GParted was capable of removing the partition but it was not visible from a running operating system.

said by ESET Blog :
The bootkit part of the malware has been changed since the previous modification of TDL4. In contrast to its previous incarnation, where the MBR (Master Boot Record) was overwritten and space was reserved at the end of the bootable hard drive for storing malicious components, this version of TDL4 employs a rather different approach in order to infect the system.

Bear in mind that the MBR contains a partition table at offset 0x1BE from its beginning in the first sector of the disk. This table consists of four 16-byte entries, each describing a corresponding partition on the hard drive. Thus there are at most 4 primary partitions on the hard drive, and there is exactly one partition marked as active, which means that it is the partition from which the OS will be booted. The malware overwrites an empty entry in the partition table with the parameters for the malicious partition, marks it as active and initializes the VBR (Volume Boot Record) of the newly created partition, as shown in this figure:



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:5
reply to SweetNoob

Let's not forget the fact that many IT and networking items are manufactured off-shore, so I would suspect that it is entirely plausible that we are all bugged to the hilt, and if need be anything can be ascertained about us or perhaps shut down by such embedded hardware-software; we are scoooped. I don't think we can afford Not to be paranoid. The borg is coming!! :-0



ashrc4
Premium
join:2009-02-06
australia

2 edits
reply to SweetNoob

said by SweetNoob :

I know about hardware malware being specifically designed for certain manufacturers..

Had a hardware supplier (motherboard or HDD...forget) allow for a hidden partition for its own recovery. It was not searchable on the OS and not formattable by standard methods. Combined with a simple MBR exploit, I would have to guess whether any malware has been written to exploit it. The malware in a hidden partition may not be scanned by AV.
Checking for these partitions can usually be assumed by comparing hard drive space with the actual HDD size.
I have a non-OEM install for a non-laptop HDD, so using D-Ban or equivalent should suffice in wiping the total drive space in which these could hide.



O.k. forget d-ban for this job.
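
An added example, not code from any poster, from ESET or from Core Security: it decodes the partition-table layout quoted from the ESET blog in dsilvers' post (four 16-byte entries at offset 0x1BE, exactly one active entry) and applies the drive-size comparison ashrc4 mentions. It flags an active entry that sits behind the first partition on the disk (the tail-partition pattern described for TDL4) and reports how many sectors no partition covers. The two MBRs and the drive size are constructed samples, not real disk images.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE    # partition table offset inside the MBR (per the ESET excerpt)
ENTRY_SIZE = 16         # four 16-byte entries -> at most 4 primary partitions
BOOT_SIG_OFFSET = 0x1FE
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, count

def parse_partition_table(mbr: bytes):
    """Decode the four primary partition entries of one 512-byte MBR sector."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "start": start, "count": count})
    return entries

def audit_mbr(mbr: bytes, disk_sectors: int):
    """Return (findings, unallocated_sectors). Findings flag a missing boot signature, a
    wrong number of active entries, an active entry behind the first partition, or an
    entry running past the drive's reported size; unallocated_sectors is the size comparison."""
    entries = parse_partition_table(mbr)
    findings = []
    if mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    used = [e for e in entries if e["type"] != 0 and e["count"] != 0]
    active = [e for e in used if e["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active entries, expected exactly 1")
    elif active[0]["start"] != min(e["start"] for e in used):
        findings.append(f"active entry {active[0]['index']} sits behind the first partition")
    for e in used:
        if e["start"] + e["count"] > disk_sectors:
            findings.append(f"entry {e['index']} extends past the end of the disk")
    unallocated = disk_sectors - sum(e["count"] for e in used)
    return findings, unallocated

def build_mbr(parts):
    """Assemble a constructed MBR from (active, type, lba_start, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (active, ptype, start, count) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, mbr, TABLE_OFFSET + i * ENTRY_SIZE,
                         0x80 if active else 0x00, ptype, start, count)
    mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] = b"\x55\xaa"
    return bytes(mbr)

DISK_SECTORS = 2_000_000  # constructed drive size (about 1 GB at 512 bytes per sector)
CLEAN_MBR = build_mbr([(True, 0x07, 2048, 1_900_000)])  # constructed: one active OS partition
HIDDEN_MBR = build_mbr([(False, 0x07, 2048, 1_900_000), (True, 0x07, 1_990_000, 8_192)])  # tail entry made active
```

Run `audit_mbr(HIDDEN_MBR, DISK_SECTORS)` against `audit_mbr(CLEAN_MBR, DISK_SECTORS)` to see the flagged entry and the shrunken unallocated count; on a real drive the first sector would come from a raw read of the device and the size from the drive's reported LBA count.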


SweetNoob

@optonline.net
reply to SweetNoob

Is there any way to wipe hidden sectors without using proprietary software?



leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

The only way I know of to erase all sectors, even those not exposed to the data interface at all (not only hidden data sectors), is using something like this hardware. This will brick the drive and render it unusable!

If you are looking for a non-destructive software solution it would have to be specific for every situation (how and where the data is hidden and on what kind of drive).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

said by leibold:

This will brick the drive and render it unusable!

I would think so at those prices.
Cheapest thing was the ERASED stickers... and those ain't cheap either!


Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to ashrc4

said by ashrc4:

said by SweetNoob :

I know about hardware malware being specifically designed for certain manufacturers..

Had a hardware supplier (motherboard or HDD...forget) allow for a hidden partition for its own recovery. It was not searchable on the OS and not formattable by standard methods. Combined with a simple MBR exploit, I would have to guess whether any malware has been written to exploit it. The malware in a hidden partition may not be scanned by AV.
Checking for these partitions can usually be assumed by comparing hard drive space with the actual HDD size.
I have a non-OEM install for a non-laptop HDD, so using D-Ban or equivalent should suffice in wiping the total drive space in which these could hide.

O.k. forget d-ban for this job.

Could that be dangerous for the drive?
I think some damaged sectors are remapped for a reason and sectors are reserved to replace damaged ones.


norwegian
Premium
join:2005-02-15
Outback
reply to SweetNoob

said by SweetNoob :

Is there any way to wipe hidden sectors without using proprietary software?

HDtune pro trial

public

join:2002-01-19
Santa Clara, CA
reply to SweetNoob

said by SweetNoob :

I present an extremely paranoid question. Do you think it is possible for malware programmers to create something that lives on a hard drive sector and reinfects the OS it was programmed for upon reinstall after a reformat?

Possible if the drive firmware is compromised.


ashrc4
Premium
join:2009-02-06
australia
reply to SweetNoob

said by SweetNoob :

Is there any way to wipe hidden sectors without using proprietary software?

Check what software is available for your hard drive from the manufacturer.
You should be safe if you re-install the MBR when re-installing Windows.

said by Cartel:

Could that be dangerous for the drive?
I think some damaged sectors are remapped for a reason and sectors are reserved to replace damaged ones.

You would need to run a program, if the OS is installed on that section of the disk, before re-installing. The removing-bad-sectors option is just that, an option (usually reserved for pre-destruction).
Theoretically you could hide malware in a portion of the disk that was re-mapped as damaged, then use an MBR exploit that un-maps it. It might just be possible.
--
Paradigm Shift beta test pilot. "Dying to defend one's small piece of suburb...Give me something global...STAT!