
steps involved in repaving? can malware survive it?

11 replies to this topic

#1 anniyan

Posted 18 July 2014 - 05:37 PM

1. Can malware like this:

http://www.f-secure.com/weblog/archives/00001393.html

survive repaving the hard disk with a new installation of the OS?

2. Also, what other malware are capable of such survival? For example, by getting itself stored in the MBR, BIOS, modem-router firmware, and similar extraordinary possibilities.

3. How can one eradicate such malware completely? If yes, what are the steps to follow in chronological order, so as to delete EVERYTHING FULLY and reinstall the BIOS, OS, MBR, modem-router firmware, etc., and everything, IN DETAIL, so that there is no loophole by which any malware can survive the process (like a new PC)? (In easy words please, because I am no computer expert.)


#2 Scoop8

Posted 19 July 2014 - 10:42 AM

anniyan

This thread (at this forum) may provide some information that you are asking about here.

I posted in post #7 in the thread.

I read that link you provided several months ago, interesting article.

From what I've read here and elsewhere, most malicious intrusions won't survive a format and OS reinstall.

However, I'd recommend going further than a format and reinstall, since there are some types of malware that will survive a high-level ("quick") format of the HDD.

I read elsewhere in this forum where one member had been affected by a "Cryptolocker" variant. He formatted and reinstalled Windows (7, if I recall), reloaded all of his programs/apps, customized his Windows environment, etc. When he tried to use his PC the next morning, the Cryptolocker ransom screen had reappeared on his PC.

He then deleted the partitions on the affected HDD, then reinstalled the OS. From reading that member's posts, that appeared to remove the malicious content.

One can boot from one of the various HDD/partition tools on bootable media, such as "Gparted", "Partition Wizard", etc. Then you can delete the partitions on the HDD before reinstalling the OS.

I like to use the "Diskpart" utility that's accessible either from the CMD prompt within Windows, or from a Windows System Repair Disc, which has several menu options, one of which is accessing the CMD prompt.

Within CMD, you can run the Diskpart utility and then use the "clean" command, which marks all content for deletion, including hidden partitions on an MBR disk. The command renders the HDD as "unallocated" so it will be ready to be restored with an image or re-cloned from a known good spare HDD.

Also available is the "clean all" command, which is a one-pass secure erase command, writing 1/0's to the HDD.

Regarding BIOS/firmware/MoBo intrusions, from all that I've read here and elsewhere, the chances of being affected in those areas of Windows PCs are rare.

In the thread link provided at the beginning of this post, there are some steps that could be done if one's PC was affected by a rare occurrence within those areas of the PC or router.

I'm not familiar with routers, but the first thing I'd do if I suspected a router being compromised would be to power it down for a period of time, then do a reset, usually done with a paper clip used to push a reset button, etc., once the router is powered back up.

BIOS intrusions: I'd try the steps mentioned in that linked thread. Some MoBos have a "write protect" jumper that prohibits access to the BIOS IC. My ASUS MoBo doesn't have that jumper, but my BIOS IC is socketed so it can be easily removed and replaced.

There are online BIOS IC stores that sell BIOS ICs flashed with the MoBo's BIOS version of choice before shipping to the customer.

The CMOS IC (on the MoBo) can be cleared/reset by removing the battery on the MoBo.

It's possible for the PC's GPU BIOS or optical drive firmware to be affected, I suppose. However, these possibilities appear to be rare, if not exceptionally rare, occurrences with PCs.

The best advice I can offer with this topic is to maintain multiple versions of one's complete HDD, via imaging or periodic cloning.

I clone my desktop PC every 2 weeks in addition to running occasional full-HDD images.

My cloned HDD and my image storage HDD are disconnected from the PC except during cloning/imaging processing.

If one has multiple HDD backup versions available, that provides a fast recovery method from almost any undesirable scenario, including virtually all malicious incidents, HDD failures, bad downloads, or user mistakes.

I've been affected by a couple of malicious intrusions over the years. In both cases, I deleted the partitions on my affected HDD, then cloned back to the same HDD using my cloned backup HDD from my shelf.

The first thing I did, when I was hit by malware, was to install my spare cloned HDD and boot up on it to ensure that the malicious item[s] were confined to the HDD. From what I've read over the last couple of years about the subject, this will be the case with virtually all malicious objects.

Once the PC is running normally, then one can decide on the method of sanitizing the affected HDD.

If a rare occurrence had occurred, and my PC still had a malicious presence after installing my cloned HDD (or after restoring the affected HDD with a full-HDD image), I'd look at the MoBo next, i.e. BIOS/CMOS reset.

It may also be possible that a malicious item could remain present in the RAM sticks for a short period of time after shutting down the PC.

I'd most likely shut down the PC, disconnect the rear AC power, then press the front panel power button and leave it pressed for a minute or so, to discharge residual voltages from the PC (i.e. MoBo/RAM sticks, etc.).

The thing that's most important, to me, with these scenarios, is to have redundant full HDD backups available. That will allow flexibility when going through various steps of malware removal from the PC.



#3 quietman7 (Global Moderator)

Posted 19 July 2014 - 05:44 PM

It is possible, but very rare. In general, as long as you reformat the hard drive prior to reinstalling the OS again, any malware on the system will be obliterated by the format process. However, researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of common systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists in the wild and is not generic, meaning it's vendor-specific and cannot modify all types of BIOS.

Fortunately, as the below articles note, it's highly unlikely you will encounter a BIOS-level scenario, as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social networking, where they can use sophisticated but less technical means than a BIOS virus.

#4 Didier Stevens (BC Advisor)

Posted 20 July 2014 - 04:13 AM

anniyan wrote:

1. Can malware like this:

http://www.f-secure.com/weblog/archives/00001393.html

survive repaving the hard disk with a new installation of the OS?

2. Also, what other malware are capable of such survival? For example, by getting itself stored in the MBR, BIOS, modem-router firmware, and similar extraordinary possibilities.

3. How can one eradicate such malware completely? If yes, what are the steps to follow in chronological order, so as to delete EVERYTHING FULLY and reinstall the BIOS, OS, MBR, modem-router firmware, etc., and everything, IN DETAIL, so that there is no loophole by which any malware can survive the process (like a new PC)? (In easy words please, because I am no computer expert.)

1) Not if you wipe/overwrite the MBR.

2) Yes, there is malware that achieves persistence by modifying the BIOS. But it can only do this for BIOSes from one particular vendor.

3) That is very hard, because there are (almost) no tools to check firmware.



#5 anniyan (Topic Starter)

Posted 26 July 2014 - 02:51 PM

@scoop8, I am sorry but I did not get this:

Scoop8 wrote:

I read elsewhere in this forum where one member had been affected by a "Cryptolocker" variant. He formatted and reinstalled Windows (7, if I recall), reloaded all of his programs/apps, customized his Windows environment, etc. When he tried to use his PC the next morning, the Cryptolocker ransom screen had reappeared on his PC.

He then deleted the partitions on the affected HDD, then reinstalled the OS. From reading that member's posts, that appeared to remove the malicious content.

One can boot from one of the various HDD/partition tools on bootable media, such as "Gparted", "Partition Wizard", etc. Then you can delete the partitions on the HDD before reinstalling the OS.

1. What is the difference between the 2 methods? Do you mean an extra step of deleting the partitions so that the entire hard disk shows up as "a single unformatted, unpartitioned, unallocated space"?

2. Can't that be done without using the tools you have mentioned, like Gparted? I.e., using the Windows setup DVD? I remember seeing such an option in it, if I am not wrong.

3. If that cannot be done using the Windows setup DVD, can you point to some links about using the tools you have mentioned? Sorry, I am not familiar with these.


#6 Scoop8

Posted 26 July 2014 - 05:40 PM

anniyan

1) Yes, when you delete the partitions from the HDD, it will appear as "unallocated".

2) Yes, if you have a Windows install disc, you can access the CMD prompt in this way:

To open a CMD window at bootup:

- Insert the Windows install CD and boot up onto the CD
- At the "Language" screen, hold down the "shift" key and press F10

You can also access the CMD prompt from a Windows System Repair disc. It's a good idea to have one available for your PC.

For Win 7, you can create the disc if you have a CD/DVD burner, like this:

Open a "Run" dialog window with <win>r (press and hold down the "win" key and press the "r" key).

In the Run dialog, enter: recdisc

Then follow the instructions in the dialog windows.

From the CMD prompt, you can use the format command or you can run the "diskpart" utility. I prefer Diskpart since it's simpler for me.

When at the CMD prompt, enter "diskpart" (without the quotes).

Here's an example of how to use the "clean" command that I mentioned in my previous post.

When you enter "diskpart" at the CMD prompt, you'll see this information appear:

C:\>diskpart

Microsoft DiskPart version 6.1.7601
Copyright © 1999-2008 Microsoft Corporation.
On computer: your_name-PC

Then, enter "list disk":

DISKPART> list disk

You'll see something similar to this:

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          931 GB      0 B
  Disk 1    Online          465 GB      0 B
  Disk 2    Online          465 GB   100 MB

Then, select the disk on which you want to delete all partitions and mark all content for deletion, like this:

DISKPART> select disk 0

Disk 0 is now the selected disk.

It's not necessary, but I recommend using the "list disk" command again, after selecting the HDD, to verify that you have selected the desired HDD. Note the * symbol, verifying that disk 0 is the selected HDD:

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
* Disk 0    Online          931 GB      0 B
  Disk 1    Online          465 GB      0 B
  Disk 2    Online          465 GB   100 MB

Then, enter the "clean" command:

DISKPART> clean

That will prepare your HDD for a reinstall or other purposes where you want to begin with an unallocated HDD.

Here's the Gparted link: Gparted

It's one of several HDD bootable utility tools. I like it, but there are some others that are popular, like Partition Wizard.



#7 Kilroy (BC Advisor)

Posted 26 July 2014 - 09:18 PM

If you want everything gone from the drive, use Darik's Boot and Nuke (DBAN) or KillDisk; a format doesn't go as deep into wiping everything from the drive.

Where people end up reinfecting their machines is restoring data or reinstalling infected software. If you download cracks and pirated copies of software, you are just asking to be infected.

BIOS infections are mainly proof of concept, as a BIOS infection has to be tailored for the specific BIOS. So, if someone really wanted to infect your machine, think government sponsored, they may use a BIOS infection. The average malware author wants the largest scope with the least effort. A BIOS infection doesn't have the same reach as an OS or application infection.



#8 anniyan (Topic Starter)

Posted 01 August 2014 - 05:09 PM

@scoop8 and kilroy,

I now read about the diskpart method by scoop8 and it is easy. Will the 'clean all' command be enough to remove any stubborn malware from the HDD? Also I have a doubt: are the disk-0, disk-1, disk-2, etc., in your instructions separate HDDs or partitions in the same HDD? Because I am looking to wipe clean the entirety of my only internal HDD, and so I guess I will see only disk-0?

BTW, I have no clue how to use Gparted, Partition Wizard, DBAN or KillDisk. Are these easier, and do they more reliably wipe the HDD than diskpart?

I agree with kilroy and quietman7; I am in no way gonna use pirated executables in future. To whomever is reading this: in my personal experience with many people, the hazards outweigh the so-called benefits and most people have had enough trouble using them. It is better to use freeware or open-source alternatives from trusted websites.

Last, but not the least, kudos to everyone in this thread.


#9 Scoop8

Posted 01 August 2014 - 07:15 PM

anniyan

The "clean all" command is a one-pass secure-erase tool. It may be required to completely remove malicious content on a HDD, but in most cases the "clean" command should suffice, since it marks all content for deletion, including hidden partitions on an MBR HDD.

Regarding the listing when using Diskpart, the "list disk" command will return a list of all HDDs that are attached to the PC.

There are also "partition" list commands.

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          931 GB      0 B
  Disk 1    Online          465 GB      0 B
  Disk 2    Online          465 GB   100 MB

DISKPART> select disk 0

Disk 0 is now the selected disk.

Here's an example of the partitions on my "c" (boot) HDD:

DISKPART> list partition

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary            197 MB  1024 KB
  Partition 2    Primary            931 GB   198 MB

If you're wanting to wipe/sanitize a particular disk outside of Windows, from a Windows System Repair CD, I would recommend disconnecting all other HDDs attached to the PC. This eliminates any question about selecting the desired HDD for content deletion or erasing.

You're correct: if you only have 1 HDD attached to the PC and you are seeing "Disk 0" listed in Diskpart, that will be the HDD on which you want to use the "clean" or "clean all" command to delete or sanitize the HDD.

Regarding Gparted, DBAN, and other tools, most of these are bootable utility tools, which can be downloaded in the form of an ISO file and then burned to a CD/DVD or installed on a flash drive.

Once that is done, you'll have bootable media. Then you can access the BIOS (or UEFI with newer PCs/Win 8x), and instruct the PC to boot up on the media via a CD/DVD.

Once you have booted into the tool, you can access the HDD and perform numerous actions: deleting partitions, wiping the HDD, etc.

The Diskpart "clean all" command will do the same thing as other HDD-wipe tools, but the Diskpart command is a one-pass erase tool. Other tools provide multi-pass erase options where you are writing 1/0 patterns several times onto the HDD.

I'm not an expert, but my opinion is that a multi-pass erase action shouldn't be necessary to eradicate malicious content on a HDD.

The multi-pass tools are primarily used to prepare a HDD for disposal, to ensure that no personal data can be retrieved, excepting the use of forensic tools (i.e., law enforcement software).

I've been reading about this topic during the past year, and from all I've read to date, it's very rare where malicious content can survive a "clean" command, or deleting all partitions from a HDD.

I have restored one of my HDDs from malicious content twice during the last 3 years by deleting the partitions, then cloning back to the previously-affected HDD, with successful results.

Although I've not yet used DBAN to wipe a HDD, I have it available on a CD for future use.

One thing to keep in mind about DBAN: according to their FAQ page, DBAN won't access HPAs. HPA is "Host Protected Area", a hidden partition that's present on some HDDs and is usually located at the end of the HDD.

According to the admin at the Windows 7 forum, the "clean" command will mark all content for deletion, including hidden sectors of the HDD.

Whether or not malicious content can access HPAs and write content there, I've read articles with opposing points of view on this topic.
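The distinction Scoop8 draws in posts #2, #6 and #9 between a quick format and diskpart's "clean" can be checked directly on sector 0 of a disk image: a quick format rewrites a volume's own boot record and leaves the MBR partition table and boot signature in place, whereas "clean" removes them. The script below is an added example, not code from any poster in this thread; it constructs a sample MBR in memory (the sample values and the read_first_sector image path are assumptions for illustration) and reports whether a sector is still partitioned, wiped, or carries residual boot code.

```python
"""Inspect sector 0 of a disk image and report whether an MBR partition
table is still present or the sector has been wiped.

Added example for this thread (not any poster's code). The sample MBR and
the image path passed to read_first_sector() are constructed for illustration."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # bytes 510..511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"         # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return boot-signature state, whether boot code is present, and the
    non-empty partition entries of a 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, 446 + 16 * i)
        if ptype or lba_start or count:
            entries.append({"index": i + 1, "active": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_signature": sector[510:512] == BOOT_SIG,
            "boot_code": any(sector[:446]),
            "partitions": entries}


def mbr_status(sector: bytes) -> str:
    """Classify sector 0: 'partitioned' (what a quick format leaves intact),
    'wiped' (no table, no boot code, no signature), or 'residual' (leftover
    boot code or signature without a usable table, worth a closer look)."""
    info = parse_mbr(sector)
    if not (info["boot_signature"] or info["boot_code"] or info["partitions"]):
        return "wiped"
    if info["boot_signature"] and info["partitions"]:
        return "partitioned"
    return "residual"


def read_first_sector(path: str) -> bytes:
    """Read sector 0 from a raw disk image file (path is an assumption, e.g. a dd image)."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr() -> bytes:
    """Constructed sample: boot-code stub, one active NTFS partition, valid signature."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x3c\x90"  # jump stub, as real boot code begins
    # entry 1: active (0x80), type 0x07 (NTFS), starts at LBA 2048, 204800 sectors long
    struct.pack_into(ENTRY_FMT, sec, 446, 0x80, 0x07, 2048, 204800)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


if __name__ == "__main__":
    for label, sec in (("sample MBR", build_sample_mbr()), ("zeroed sector", bytes(SECTOR))):
        print(f"{label}: {mbr_status(sec)} {parse_mbr(sec)['partitions']}")
```

A "residual" result after a wipe (signature or boot code left behind without a partition table) is the case worth re-checking with "clean all" before reinstalling.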



#10 anniyan (Topic Starter)

Posted 02 August 2014 - 01:53 PM

@scoop8, thank you very much for the detailed explanation with examples. I got the difference :) You rock every time :)


#11 Kilroy (BC Advisor)

Posted 02 August 2014 - 04:55 PM

DBAN is easy to use. You download the ISO and burn it to CD. Boot with the CD and type in AUTONUKE at the prompt. All attached drives will be wiped. You can go with more custom wipes, but AUTONUKE works fine for most people, provided they want to wipe all connected drives.



#12 anniyan (Topic Starter)

Posted 06 August 2014 - 02:35 PM

Thanks a ton kilroy :)
