Code Project

Is there malware that even a reformat of the hard drive can't remove?

Posted in The Lounge. Tags: com, security, performance, question
18 Posts 15 Posters 2 Views 1 Watching
swampwiz wrote:

    OK, it looks like there is a type of virus that infects the Master Boot Record. So wouldn't that be wiped if I do a re-partition on the drive?

Daniel Pfeffer wrote (#8):

    Not necessarily; it depends on what the repartitioning software actually updates. If it reads the current MBR, updates only the partition size(s), and then writes it back, the virus code will still be there. If it rewrites the entire MBR, it will probably kill the virus. The best way to handle MBR viruses is to:

    1. Back up your data from the partition(s) (not an image backup!)
    2. Zero the disk using DBAN or any other convenient disk zapper that works on the ENTIRE disk (not on disk partitions)
    3. Repartition the disk and reinstall all software (this will also be a good chance to get rid of any cruft that has accumulated over time - just don't reinstall it).
    4. Perform a full anti-virus sweep (using your newly-reinstalled anti-virus software) on the disk. If all is OK, make an image backup of the disk.
    5. Lastly, restore your data.

    There may be quicker methods, but none are more certain.

    Freedom is the freedom to say that two plus two make four. If that is granted, all else follows. -- 6079 Smith W.

swampwiz wrote:

    I was reading this article where the author says this is possible: Espionage or Journalism? After the Snowden NSA Leaks - The Atlantic

    Quote:

    I sent a forensic image of its working memory to a leading expert on the security of the Macintosh operating system. He found unexpected daemons running on my machine, serving functions he could not ascertain. (A daemon is a background computing process, and most of them are benign, but the satanic flavor of the term seemed fitting here.) Some software exploits burrow in and make themselves very hard to remove, even if you wipe and reinstall the operating system, so I decided to abandon the laptop.

Jan Heckman wrote (#9):

    As others pointed out already, the MBR is in the startup chain, selecting the needed (and more obviously named) boot sector on a partition of the disk. In the early nineties at least, we called this the partition sector. In that time, people did not seem to be generally aware of this. Once, when I was home with the flu, I got a call from work for assistance with just such an impossibly recurring virus. I had to feel my way with debug calling int 13h, but succeeded in tracing the problem to the MBR and overwriting the sector with the normally formatted partition sector. Forgot all about my flu in the process.

(Replying to swampwiz's post with the Atlantic quote above.)

Peter Gorod wrote (#10):

    Let me try a (speculative) answer along different lines:

    1. If it's a QuickFormat, then virus data can still exist in sectors that are marked as clean of files. Of course, this virus is not active. I am just pointing out that a virus could use this to store its payload or stolen data for later use, if it was able to reactivate itself somehow.
    2. Another vector would be a false format. If you format a disk (not the OS boot disk) from a computer that has malware, it could run a fake format that leaves things apparently blank, but in reality the disk is booby-trapped for the virus to reactivate itself. It would be quite tricky to pull this off, survive an OS reinstallation etc.

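Two of the claims in the posts above (a repartitioning tool that rewrites only the partition table leaves the 446-byte boot area untouched, and a quick format leaves file data in sectors it never rewrites) can be checked on a disk image. The Python script below is an added example and is not code from the thread or from any tool mentioned in it (DBAN etc.). It models a toy 32 KiB disk as a bytearray, uses constructed marker strings in place of real boot code or a payload, applies three clean-up strategies (partition-table-only rewrite, quick format, whole-disk zeroing) and then runs the two checks an investigator would run on a forensic image: hashing the boot area against a known-good copy, and scanning every sector, allocated or not, for the marker.

```python
"""Added example (not from the thread): model a disk image as a bytearray and
show which clean-up strategies remove (a) code lodged in the MBR boot area and
(b) data sitting in sectors a quick format never touches.
All markers, sizes and the partition layout are constructed toy values."""
import hashlib
import struct

SECTOR = 512
DISK_SECTORS = 64                  # toy disk: 64 sectors (32 KiB)
PART_START, PART_SECTORS = 8, 48   # one partition at LBA 8..55
ENTRY_FMT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, count

# Constructed stand-ins for real boot code and for a leftover payload (no malware here).
CLEAN_BOOT_CODE = b"STANDARD-BOOT-CODE"
TAMPERED_BOOT_CODE = b"MODIFIED-BOOT-CODE"
PAYLOAD_MARKER = b"LEFTOVER-PAYLOAD"


def build_mbr(boot_code, part_start, part_sectors):
    """Classic MBR: 446 bytes of boot code, four 16-byte table entries, 0x55AA."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack(ENTRY_FMT, 0x80, b"\xff" * 3, 0x83, b"\xff" * 3,
                        part_start, part_sectors)
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def parse_partitions(mbr):
    """Return (type, lba_start, sector_count) for every used table entry."""
    found = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype:
            found.append((ptype, lba, count))
    return found


def make_disk():
    """Disk whose boot area was modified and whose partition holds a payload."""
    disk = bytearray(DISK_SECTORS * SECTOR)
    disk[0:SECTOR] = build_mbr(TAMPERED_BOOT_CODE, PART_START, PART_SECTORS)
    fs_header = PART_START * SECTOR
    disk[fs_header:fs_header + 8] = b"FSHEADER"        # toy filesystem header
    data = (PART_START + 20) * SECTOR                  # a file body deep in the partition
    disk[data:data + len(PAYLOAD_MARKER)] = PAYLOAD_MARKER
    return disk


# --- three clean-up strategies -------------------------------------------
def repartition_in_place(disk, new_start, new_count):
    """Tool that reads the MBR, rewrites only the table entry, writes it back."""
    mbr = bytearray(disk[0:SECTOR])
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\xff" * 3, 0x83, b"\xff" * 3,
                               new_start, new_count)
    disk[0:SECTOR] = mbr
    return disk


def quick_format(disk):
    """Quick format: reinitialise the first two sectors of each partition only."""
    for _ptype, lba, _count in parse_partitions(disk[0:SECTOR]):
        start = lba * SECTOR
        disk[start:start + 2 * SECTOR] = b"\x00" * (2 * SECTOR)
        disk[start:start + 8] = b"FSHEADER"
    return disk


def zero_entire_disk(disk):
    """Whole-device zeroing, as a DBAN-style tool does: nothing survives."""
    disk[:] = b"\x00" * len(disk)
    return disk


# --- checks to run on a forensic image -----------------------------------
def boot_area_suspicious(disk, known_good=CLEAN_BOOT_CODE):
    """True if the boot area is non-empty and does not hash to the known-good code."""
    area = bytes(disk[0:446])
    expected = hashlib.sha256(known_good.ljust(446, b"\x00")[:446]).hexdigest()
    return any(area) and hashlib.sha256(area).hexdigest() != expected


def payload_present(disk):
    """Scan every sector, allocated or not, for the marker."""
    return PAYLOAD_MARKER in bytes(disk)


def run_scenarios():
    """Map strategy -> (boot area still suspicious?, payload still on disk?)."""
    strategies = {
        "repartition_in_place": lambda d: repartition_in_place(d, PART_START + 2, PART_SECTORS - 2),
        "quick_format": quick_format,
        "zero_entire_disk": zero_entire_disk,
    }
    results = {}
    for name, fn in strategies.items():
        d = fn(make_disk())
        results[name] = (boot_area_suspicious(d), payload_present(d))
    return results


if __name__ == "__main__":
    for name, (suspicious, payload) in run_scenarios().items():
        print(f"{name:22s} boot area suspicious: {suspicious!s:5s}  payload left: {payload}")
```

Only the whole-disk zeroing leaves neither the modified boot area nor the stray marker behind, which is the reason the advice above insists on wiping the entire device rather than its partitions; on a real image the boot-area hash would be compared against the boot code the installed OS is known to write, and the sector scan would be run with the indicators relevant to the case.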
(Replying to swampwiz's post with the Atlantic quote above.)

Hooga Booga wrote (#11):

    I saw a proof-of-concept that a laptop battery firmware could be weaponized.

    Outside of a dog, a book is a man's best friend; inside of a dog, it's too dark to read. -- Groucho Marx

(Replying to swampwiz's post with the Atlantic quote above.)

Kirk 10389821 wrote (#12):

    This has been discussed as to WHY you SHOULD ONLY USE a charging USB cable! The USB can be flashed from an infected public charging stand. And it is basically impossible to detect, because the virus LIES about being installed (imagine my shock!), and it adds itself on all future updates. Only possible if a data cable is used!

(Replying to Peter Gorod's post #10 above.)

swampwiz wrote (#13):

    I always do a deep format, that way I can determine the health of the hard drive.

(Replying to swampwiz's post with the Atlantic quote above.)

Luis Alonso Ramos wrote (#14):

    I remember the rootkit scandal with Sony many (15?) years ago. It was something that hid itself from the operating system, but I guess that could be removed by a complete format of the hard drive. As others have pointed out, if your BIOS can be updated by software (my Dell computer every now and then updates its BIOS), you could definitely put a virus in there. It would be an interesting task for a weekend :)

    Luis Alonso Ramos Intelectix Chihuahua, Mexico Follow me on Twitter (@luisalonsoramos) or on my blog (www.luisalonsoramos.com)!

(Replying to swampwiz's post with the Atlantic quote above.)

mischasan wrote (#15):

    I knew a company whose security product was designed to survive exactly that, by storing info in the interpartition gaps. BIOS mods (by the BIOS mfr) brought that info back out again.

(Replying to swampwiz's post with the Atlantic quote above.)

willichan wrote (#16):

    I remember back in my early career (DOS, pre-Windows 3.1) where we had to do manufacturer-specific low-level formats to remove certain infections. Getting the utilities from the manufacturers was like pulling teeth. I spent 3 days straight at one client's office rebuilding ALL of their computers, then another full day scanning all of their floppies. Virus coders have become even craftier since then. Nowadays, you can infect so many different parts of a computer to survive formatting. Just about every component has its own flashable memory that can be infected.

    Money makes the world go round ... but documentation moves the money.

(Replying to swampwiz's post with the Atlantic quote above.)

sx2008 wrote (#17):

    Yes. :( The firmware of hard drives can be updated and infected by a persistent virus. The same applies to USB thumb drives. Of course there is very deep knowledge required to accomplish this. [Destroying your hard drive is the only way to stop the super-advanced Equation malware | PCWorld](https://www.pcworld.com/article/2884952/equation-cyberspies-use-unrivaled-nsastyle-techniques-to-hit-iran-russia.html) If the firmware of your ethernet network adapter or WLAN adapter gets infected your machine is lost. An attacker can send you secret data packets over the network and gain direct access to your RAM. Your machine could also be disconnected temporarily or permanently from the internet ('internet kill switch').

(Replying to swampwiz's post with the Atlantic quote above.)

Stuart Dootson wrote (#18):

    Have a look at [this article](https://www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu/) - the Intel Management Engine (IME) is basically a very small computer running inside your PC that has pretty much unrestricted access to every part of your PC and is completely unmonitored by your human-facing operating system. The IME is so low-level that it's said to operate at 'Ring -3', i.e. it has more privileged access than your main operating system in kernel mode. And it has its own space for firmware, which could hold malware that would survive a disk being reformatted (or even taking out the old disk and putting in a new one). And of course, vulnerabilities exist inside the IME - it's running software, so it's pretty much guaranteed it has bugs, and bugs lead to vulnerabilities - and [those have been demonstrated several times](https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities)... The 'Ring -3 rootkit' is particularly scary - something that can monitor everything your PC does, lives outside of your ability to see it, and is very difficult to remove...

    Java, Basic, who cares - it's all a bunch of tree-hugging hippy cr*p
