
Persistent Malware / Hackers


14 replies to this topic

#1 UppinRunnin

  • Members
  • 155 posts
  • Gender:Male
  • Local time:06:35 PM
Posted 15 February 2015 - 06:20 PM

I read how people reformat their hard drives, but the malware persists. How is this possible?


Mod Edit: moved to General Security. ~`boopme

Edited by boopme, 15 February 2015 - 10:53 PM.




#2 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,544 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 16 February 2015 - 08:13 AM

Hi Uppin :)

This is usually done because a third-party is infected, and re-infects Windows once the installation is complete. For example, if someone reinstalls Windows on a hard drive that had many partitions, one of which hosts the malware, it could easily reinfect the Windows partition after the installation. This would be the case for anyone who has a hard drive with multiple partitions, or uses multiple hard drives. There's also a case where the MBR can be infected and keep on infecting Windows on every reboot, which means that you would have to rebuild the MBR (delete it and re-create it if needed) in order to get rid of the infection. Also, maybe that person is using an external storage media that hosts a malware which infects the computer he's on every time he plugs it in, like a USB flash drive or external hard drive. Lastly, there's also some cases of "BIOS malware", or even "firmware malware", but these are extremely rare and are mainly targeting specific computers and laptops, so you don't get them really "in the wild".

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 16 February 2015 - 11:02 AM

Hello there,

> Lastly, there's also some cases of "BIOS malware", or even "firmware malware", but these are extremely rare and are mainly targeting specific computers and laptops, so you don't get them really "in the wild".

I just want to clarify about something Aura said.

There is only one case of known BIOS malware in-the-wild - Mebromi - but it only infects Award BIOS (in other models it only infects the MBR, which can be taken care of with MBAR or TDSSKiller). As for firmware malware, there are no in-the-wild malware of that kind as far as I know, since infecting firmware is very impractical for malware writers.

To answer your question why malware persists after reinstallation, Aura has already given you the answer - it's due to reinfection from another storage medium after a clean install. No malware can truly survive a flatten-and-reinstall (it's one of the more common malware myths).

Hope this helps.

Regards,
Alex

#4 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:10:35 AM

Posted 17 February 2015 - 08:40 PM

> Hello there,
>
> > Lastly, there's also some cases of "BIOS malware", or even "firmware malware", but these are extremely rare and are mainly targeting specific computers and laptops, so you don't get them really "in the wild".
>
> I just want to clarify about something Aura said.
>
> There is only one case of known BIOS malware in-the-wild - Mebromi - but it only infects Award BIOS (in other models it only infects the MBR, which can be taken care of with MBAR or TDSSKiller). As for firmware malware, there are no in-the-wild malware of that kind as far as I know, since infecting firmware is very impractical for malware writers.
>
> To answer your question why malware persists after reinstallation, Aura has already given you the answer - it's due to reinfection from another storage medium after a clean install. No malware can truly survive a flatten-and-reinstall (it's one of the more common malware myths).
>
> Hope this helps.
>
> Regards,
> Alex

The level of NSA, and other government spy agencies, infiltration CAN NOT BE QUANTIFIED.

Jul 29, 2012. http://www.networkworld.com/article/2190166/security/researcher-creates-proof-of-concept-malware-that-infects-bios--network-cards.html

Hardware on the motherboard, including the BIOS and PCI firmware of devices such as network cards or CD-ROMs, can be infected by malware. Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.


July 31, 2012. http://www.fiercecio.com/techwatch/story/proof-concept-bios-malware-can-hide-pci-firmware/2012-07-31

The root of the problem has to do with how current computer architecture gives every peripheral device equal access to the RAM via the system bus. As such, redundant copies of Rakshasa could theoretically corrupt the low-level motherboard firmware even after it has been replaced by a vendor-supplied one.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.


#5 Sintharius

    Bleepin' Sniper

  • Members
  • 5,639 posts
  • Gender:Female
  • Location:The Netherlands
  • Local time:11:35 PM

Posted 17 February 2015 - 08:49 PM

> The level of NSA, and other government spy agencies, infiltration CAN NOT BE QUANTIFIED.
>
> Jul 29, 2012. http://www.networkworld.com/article/2190166/security/researcher-creates-proof-of-concept-malware-that-infects-bios--network-cards.html
>
> Hardware on the motherboard, including the BIOS and PCI firmware of devices such as network cards or CD-ROMs, can be infected by malware. Rakshasa replaces the motherboard BIOS, but can also infect the PCI firmware of other peripheral devices like network cards or CD-ROMs, in order to achieve a high degree of redundancy.
>
> July 31, 2012. http://www.fiercecio.com/techwatch/story/proof-concept-bios-malware-can-hide-pci-firmware/2012-07-31
>
> The root of the problem has to do with how current computer architecture gives every peripheral device equal access to the RAM via the system bus. As such, redundant copies of Rakshasa could theoretically corrupt the low-level motherboard firmware even after it has been replaced by a vendor-supplied one.

I did say that not all proof-of-concept malware are successful as in-the-wild malware, no? :)

If firmware malware is profitable then we would have seen them all over the place by now... instead we got ransomware and botnets.

Alex

#6 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,544 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 17 February 2015 - 09:11 PM

We should all keep in mind here that we are addressing a question that involves malware "found in the wild", and not malware that are "proof of concept", artificially created in a testing environment just to show new discoveries and possibilities :)



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,131 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 PM

Posted 18 February 2015 - 07:15 AM

The OP's question did not specify in the wild or proof of concept...therefore, both are valid for purposes of discussion.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,544 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 18 February 2015 - 08:00 AM

Well in the situation described by the OP, we're most likely to be talking about in the wild malware rather than hyper sophisticated ones used against high value targets. Except if the OP has been reading these articles from Antivirus vendor blogs and other IT Security-related websites, then it could include these malware as well.



#9 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,131 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 PM

Posted 18 February 2015 - 08:19 AM

There was not enough information provided by the OP to conclude that. Again both are valid for purposes of discussion.



#10 Scoop8

  • Members
  • 326 posts
  • Gender:Male
  • Location:Dallas TX
  • Local time:05:35 PM

Posted 18 February 2015 - 10:51 AM

UppinRunnin

You bring up an interesting topic as there are some types of malicious content that won't be cleaned with a HDD format, although I'd guess that the majority of malicious presences will be removed or rendered benign/inoperable by formatting a HDD and reinstalling the OS.

There are regions of the HDD that may not be cleaned or accessed by formatting or removing existing partitions. Examples of such areas include:

- HPA "Host Protected Area"
- DCO "Device Configuration Overlay"
- LDM "Logical Disk Manager"
- Other areas of what's often referred to as the "metadata" sectors of the HDD

The question is, if one is interested in sanitizing an infected HDD locally (without seeking malware-removal assistance or other paid service options, etc.), what tool[s] will access such areas of the HDD in the event that they contain malicious content.

For example, one widely-known HDD wipe tool, "DBAN" (Darik's Boot and Nuke), doesn't wipe the HPA of a HDD (stated on their FAQ page) for those HDDs that have the HPA enabled or present.

If one needs to access that region, Linux provides a method, using "hdparm", a command line program.

Here's an example of a malicious presence in the HPA. Note member TsVk!'s post #36 on page 3 of this thread (at this forum) and the difficulty that can be encountered when removing the undesired content:

Your worst computer virus ever

One type of malware that's been posted about recently at numerous forums is "Regin". Symantec published a White Paper article about the deployment of this type of malicious code and they mention that the Stage 2 path of the infection can be found in the "raw sector" areas of a HDD.

With that situation, formatting would probably not remove the malicious content from the HDD.

I read a post at my AV forum where the member was infected by "Poweliks" or one of its variants. He wiped the HDD with one of the "nuke/wipe" tools available online, and reinstalled Windows. The malware was still present on his HDD.

Here's one HDD anatomy chart comparing dynamic "MBR" and "GPT" HDDs. The arrow indicates the "metadata" areas of the HDDs.

[attached image: HDD anatomy chart, dynamic MBR vs. GPT layout]

To clarify my take on this topic :), I'd say that it's safe to assume that most malicious presences will be removed/rendered harmless with formatting or deleting partitions on the affected HDD.

However, after reading members' posts elsewhere at this forum and in other 'net forums, formatting wouldn't be my first choice in cleaning an infected HDD.

An example of a member that posted in the "Cryptolocker" thread in this forum relayed their experiences that are pertinent to this thread:

They were infected with Cryptolocker. They formatted the infected HDD, then reinstalled the OS. After going through the time required to customize their PC (OS personalized settings, etc.), they checked their PC the next morning and the Cryptolocker ransom dialog display was still present.

They then deleted the partitions on the infected HDD and reinstalled the OS. Their PC was working ok after that, according to the member's posts.

I'd be interested in reading an analysis report about the location of malware variants on HDDs and the percentage of such content that are located in easily-accessible regions of HDDs.
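Scoop8 names the HPA and DCO as regions a whole-disk wipe tool may skip, and points to hdparm as the Linux way to reach them. The script below is an added example, not code from the post or from hdparm's authors: it parses constructed text in the shape of `hdparm -N` and `hdparm --dco-identify` output and reports how many sectors lie beyond the visible size, so an administrator can confirm that a wipe covered the whole drive before trusting a reinstall. The sample output, and the assumption that both labels ("max sectors = visible/native" and "Real max sectors:") appear in that form, are mine.

```python
import re
from typing import Optional

# Constructed sample output, written in the shape `hdparm -N /dev/sdX` prints;
# not captured from a real drive.
SAMPLE_HPA_CLEAN = """/dev/sda:
 max sectors   = 976773168/976773168, HPA is disabled
"""
SAMPLE_HPA_SET = """/dev/sdb:
 max sectors   = 488281250/976773168, HPA is enabled
"""
# Constructed fragment in the shape of `hdparm --dco-identify /dev/sdX`; only the
# "Real max sectors" line is used (assumption: that label is what hdparm prints).
SAMPLE_DCO = """/dev/sdb:
DCO Checksum verified.
DCO Revision: 0x0002
Real max sectors: 1953525168
"""

_HPA_RE = re.compile(r"max sectors\s*=\s*(\d+)/(\d+)")
_DCO_RE = re.compile(r"Real max sectors:\s*(\d+)")


def parse_hpa(output: str) -> dict:
    """Visible/native sector counts from `hdparm -N`; a gap means an HPA hides sectors."""
    m = _HPA_RE.search(output)
    if not m:
        raise ValueError("no 'max sectors' line in hdparm -N output")
    visible, native = int(m.group(1)), int(m.group(2))
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hpa_hidden_sectors": native - visible,
        "hpa_present": native > visible,
    }


def parse_dco_real_max(output: str) -> int:
    """Drive capacity as reported by the DCO identify data, before any DCO trimming."""
    m = _DCO_RE.search(output)
    if not m:
        raise ValueError("no 'Real max sectors' line in DCO output")
    return int(m.group(1))


def hidden_area_report(hpa_output: str, dco_output: Optional[str] = None,
                       sector_size: int = 512) -> dict:
    """Sectors beyond the HPA limit plus sectors a DCO removed from the native size.

    A wipe that only addresses the visible range leaves all of these untouched.
    """
    hpa = parse_hpa(hpa_output)
    dco_hidden = 0
    if dco_output is not None:
        dco_hidden = max(0, parse_dco_real_max(dco_output) - hpa["native_sectors"])
    total_hidden = hpa["hpa_hidden_sectors"] + dco_hidden
    return {
        **hpa,
        "dco_hidden_sectors": dco_hidden,
        "total_hidden_sectors": total_hidden,
        "total_hidden_mib": total_hidden * sector_size // (1024 * 1024),
        "wipe_covers_whole_drive": total_hidden == 0,
    }


if __name__ == "__main__":
    for label, hpa_text, dco_text in (("sda", SAMPLE_HPA_CLEAN, None),
                                      ("sdb", SAMPLE_HPA_SET, SAMPLE_DCO)):
        print(label, hidden_area_report(hpa_text, dco_text))
```

On a real machine both hdparm commands need root and read the drive's ATA identify data; feed their output to the functions above and treat a non-zero hidden total as a reason to reset the HPA/DCO limits (hdparm can do that) before wiping, or to wipe with a tool that addresses the native size.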



#11 Crazy Cat

  • Members
  • 808 posts
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:10:35 AM

Posted 18 February 2015 - 02:41 PM

At Alexstrasza & Aura.
 
Dear Cyber-criminals,

We the people, respectfully request the following...

(1) do NOT use "proof of concept" or "hyper sophisticated government" stealth spyware, as we ARE NOT high value targets

(2) it's NOT "in-the-wild malware" so you can't use it

However redundant and arbitrary this request may sound, we believe you'll comply.

Yours Sincerely

THE PEOPLE.



#12 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,544 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 18 February 2015 - 02:52 PM

Read my reply there:

http://www.bleepingcomputer.com/forums/t/567420/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years/#entry3632173

You are being a bit too paranoid right now. The threat exists, but it's not "in the wild" for common users.



#13 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 51,131 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:35 PM

Posted 18 February 2015 - 05:25 PM

Crazy Cat is not a common user...he does his research and takes this topic seriously.

#14 Aura

    Bleepin' Special Ops

  • Malware Response Team
  • 19,544 posts
  • Gender:Male
  • Local time:06:35 PM

Posted 18 February 2015 - 05:28 PM

I mean, is Crazy Cat some kind of high value target like a government official, company CEO or else? Or even a Military General? This is what I mean by "high value target"; the common user like you and him aren't.



#15 Didier Stevens

  • BC Advisor
  • 2,659 posts
  • Gender:Male
  • Local time:12:35 AM

Posted 18 February 2015 - 05:55 PM

> They were infected with Cryptolocker. They formatted the infected HDD, then reinstalled the OS. After going through the time required to customize their PC (OS personalized settings, etc.), they checked their PC the next morning and the Cryptolocker ransom dialog display was still present.
>
> They then deleted the partitions on the infected HDD and reinstalled the OS. Their PC was working ok after that, according to the member's posts.

This is important. You write "they formatted the infected HDD" and "deleted the partitions on the infected HDD".
I believe this means they did the following:
First time they formatted the C: partition.
Second time they partitioned the disk (and formatted the partition(s)).

Edited by Didier Stevens, 18 February 2015 - 05:56 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
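Aura's first reply (#2) describes an MBR infection that reinfects Windows on every boot until the MBR is rebuilt, and Didier Stevens's post above separates formatting the C: partition from repartitioning the disk. The Python script below is an added example and not code from any poster: it builds a constructed in-memory disk image, hashes the 446-byte bootstrap area of sector 0 against a known-good baseline, shows that zeroing a partition's sectors (a stand-in for formatting that volume and reinstalling) leaves that area untouched, and shows that rewriting the bootstrap code while keeping the partition table is the change a "rebuild the MBR" step makes. The boot-code bytes, the partition layout and the baseline hash are all constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 446       # bytes 0..445 of sector 0: bootstrap code (where an MBR bootkit sits)
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the bootstrap code
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

# Constructed stand-ins for bootstrap code. Neither is real Windows boot code nor real
# malware; they only need to hash differently from each other.
KNOWN_GOOD_BOOTCODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * BOOTCODE_LEN)[:BOOTCODE_LEN]
TAMPERED_BOOTCODE = (b"\xeb\x3c" + b"\xcc" * BOOTCODE_LEN)[:BOOTCODE_LEN]

# Constructed layout: a single bootable NTFS-typed partition at LBA 2048, 4096 sectors long.
PARTITIONS = [{"bootable": True, "type": 0x07, "lba_start": 2048, "sectors": 4096}]


def build_disk(bootcode: bytes, partitions) -> bytearray:
    """Return a small in-memory disk image with an MBR in sector 0 and zeroed partition data."""
    end = max(p["lba_start"] + p["sectors"] for p in partitions)
    disk = bytearray(end * SECTOR)
    disk[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")
    for i, p in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, disk, PART_TABLE_OFF + 16 * i,
                         0x80 if p["bootable"] else 0x00, p["type"],
                         p["lba_start"], p["sectors"])
    disk[510:512] = b"\x55\xaa"  # MBR signature
    return disk


def parse_mbr(sector0) -> dict:
    """Split sector 0 into a bootstrap-code hash, the non-empty partition entries and a signature check."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, sector0, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(bytes(sector0[:BOOTCODE_LEN])).hexdigest(),
        "partitions": parts,
        "signature_ok": bytes(sector0[510:512]) == b"\x55\xaa",
    }


def bootcode_matches(disk, known_sha256: str) -> bool:
    """Baseline check: does the bootstrap code still hash to the value recorded while clean?"""
    return parse_mbr(disk)["bootcode_sha256"] == known_sha256


def format_partition(disk: bytearray, index: int) -> None:
    """Model a format/reinstall of one volume: its sectors are rewritten, sector 0 is not touched."""
    p = parse_mbr(disk)["partitions"][index]
    start, end = p["lba_start"] * SECTOR, (p["lba_start"] + p["sectors"]) * SECTOR
    disk[start:end] = bytes(end - start)


def rebuild_mbr_bootcode(disk: bytearray, bootcode: bytes) -> None:
    """What 'rebuild the MBR' amounts to: replace the bootstrap code, keep the partition table."""
    disk[:BOOTCODE_LEN] = bootcode[:BOOTCODE_LEN].ljust(BOOTCODE_LEN, b"\x00")


def walkthrough() -> dict:
    """Tampered bootstrap code -> format the Windows volume -> rebuild the MBR; report each check."""
    known = hashlib.sha256(KNOWN_GOOD_BOOTCODE).hexdigest()
    disk = build_disk(TAMPERED_BOOTCODE, PARTITIONS)
    before = bootcode_matches(disk, known)
    format_partition(disk, 0)
    after_format = bootcode_matches(disk, known)
    rebuild_mbr_bootcode(disk, KNOWN_GOOD_BOOTCODE)
    after_rebuild = bootcode_matches(disk, known)
    return {
        "clean_before": before,
        "clean_after_format": after_format,
        "clean_after_mbr_rebuild": after_rebuild,
        "partition_table_intact": parse_mbr(disk)["partitions"][0]["lba_start"] == 2048,
    }


if __name__ == "__main__":
    for check, result in walkthrough().items():
        print(f"{check}: {result}")
```

Whether deleting and recreating partitions also replaces the bootstrap code depends on the tool used; comparing the sector-0 hash before and after the procedure, as done here, settles it more reliably than the wording of the steps.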




