Where can they hide?

Sol

Hi there.

Is it possible for malware to embed itself in the (real) low-level
format information of a PC hard disk? If so, how in the world would
you remove the malware?

Are there any other places in a PC that malware could reside other than
the hard disk?

Thanks in advance for all the help.
 
Gabriela Salvisberg

Sol said:
Is it possible for malware to embed itself in the (real) low-level
format information of a PC hard disk? If so, how in the world would
you remove the malware?

Never heard of that. If you format the disk (incl. boot sector) all
malware should be gone.
Are there any other places in a PC that malware could reside other than
the hard disk?

If the malware is on the hard drive, it could hide in a rootkit:
http://en.wikipedia.org/wiki/Rootkit

You could use F-Secure's BlackLight to spot it:
http://www.f-secure.com/exclude/blacklight/index.shtml

Malware can of course copy itself to removable devices like CD-RW, USB
sticks, external hard disks, floppy disks etc.

HTH
Gabriela
 
Sol

Gabriela said:
Never heard of that. If you format the disk (incl. boot sector) all
malware should be gone.

Okay. You're talking about high-level formatting. Low-level
formatting is defined here: http://webopedia.com/TERM/L/LLF.html
Malware can of course copy itself to removable devices like CD-RW, USB
sticks, external hard disks, floppy disks etc.

I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Thanks for your input, though.
 
Dave Cohen

Sol said:
Okay. You're talking about high-level formatting. Low-level
formatting is defined here: http://webopedia.com/TERM/L/LLF.html


I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Thanks for your input, though.
It's possible for malware to store data on a HD such that the OS would not
know it is there, provided the malware can use Int 13 and its extensions.
However, the malware would itself be normal malware and detectable, so I
don't know what all this would buy you, but then I don't write viruses.
Dave Cohen
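The hiding place Dave describes can be made concrete. The following is an added example, not code from anyone in the thread: a Python script that parses an MBR partition table, lists the LBA ranges no partition claims (the gap between the MBR and the first partition, gaps between partitions, and the tail after the last one) and reports which of those ranges hold non-zero data. Those sectors are exactly what code using Int 13h extensions can write to without any filesystem ever showing them. The disk image, partition layout and "payload" bytes are constructed for the example; `total_sectors` is assumed to be what the BIOS or drive reports, and a drive with a host protected area reports fewer sectors than it physically has, which a scan like this cannot see.

```python
"""Find sectors on an MBR-partitioned disk that no partition claims.

Constructed example: the MBR, the partition layout and the 'hidden payload'
bytes below are made up for illustration; they are not from a real disk.
"""
import struct

SECTOR = 512
MBR_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(partitions):
    """Build a 512-byte MBR from (type, start_lba, sector_count) tuples (constructed data)."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        status = 0x80 if i == 0 else 0x00          # first entry marked bootable
        struct.pack_into(MBR_ENTRY, mbr, 446 + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", start, count)
    mbr[510:512] = b"\x55\xaa"                       # boot signature
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the non-empty partition entries as dicts with inclusive LBA bounds."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        _status, _chs0, ptype, _chs1, start, count = struct.unpack_from(MBR_ENTRY, mbr, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "type": ptype, "start": start, "end": start + count - 1})
    return parts


def unallocated_ranges(parts, total_sectors):
    """Inclusive (first_lba, last_lba) ranges no partition covers. LBA 0 is the MBR itself.

    total_sectors is what the BIOS/drive reports; a host protected area would
    hide further sectors beyond that and is out of scope here.
    """
    ranges = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        if p["start"] > cursor:
            ranges.append((cursor, p["start"] - 1))
        cursor = max(cursor, p["end"] + 1)
    if cursor <= total_sectors - 1:
        ranges.append((cursor, total_sectors - 1))
    return ranges


def ranges_with_data(image, ranges):
    """Keep only the unallocated ranges that contain any non-zero byte."""
    return [(first, last) for first, last in ranges
            if any(image[first * SECTOR:(last + 1) * SECTOR])]


def build_sample_image():
    """Constructed 2 MiB disk: two partitions with gaps, plus a fake payload in two of the gaps."""
    total = 4096
    image = bytearray(total * SECTOR)
    image[:SECTOR] = build_mbr([(0x07, 63, 1024), (0x83, 2048, 1024)])
    payload = b"\xeb\xfe" + b"CONSTRUCTED" * 4     # stand-in for code written via Int 13h
    for lba in (30, 3500):                          # track-0 gap and the tail after the last partition
        image[lba * SECTOR:lba * SECTOR + len(payload)] = payload
    return bytes(image), total


def main():
    image, total = build_sample_image()
    parts = parse_mbr(image[:SECTOR])
    gaps = unallocated_ranges(parts, total)
    suspicious = ranges_with_data(image, gaps)
    for p in parts:
        print(f"partition {p['index']}: type 0x{p['type']:02x} LBA {p['start']}-{p['end']}")
    for first, last in gaps:
        flag = "DATA PRESENT" if (first, last) in suspicious else "empty"
        print(f"unallocated LBA {first}-{last}: {flag}")


if __name__ == "__main__":
    main()
```

On a real disk you would feed `parse_mbr` the first sector of the raw device and `ranges_with_data` the whole image (or read only the gap ranges); anything non-zero there is worth dumping and examining, since neither the OS nor a filesystem-level scanner has any reason to look at it.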
 
Gabriela Salvisberg

Sol said:
Okay. You're talking about high-level formatting. Low-level
formatting is defined here: http://webopedia.com/TERM/L/LLF.html

Someone might correct me if I'm wrong, but AFAIK a low-level format
isn't necessary to remove malware, even if they are rootkits.
I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

The RAM, perhaps? I don't know if this is still the case (or ever
really was), but I could imagine that a virus could survive a reboot
of the PC by residing in the memory. Unless you turn the PC off.

The BIOS? There were some viruses that were able to overwrite the
Flash BIOS chip of some machines with garbage, so the PCs weren't able
to boot. See CIH http://www.f-secure.com/v-descs/cih.shtml. But this
only rendered the content of the Flash BIOS useless. It wasn't able to
spread out of the BIOS.

Other devices? Which ones are in your mind?

Gabriela
 
Art

Okay. You're talking about high-level formatting. Low-level
formatting is defined here: http://webopedia.com/TERM/L/LLF.html


I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Volatile memory, of course. Malware can also reside in the BIOS, but
that's extremely unusual. A small amount of code could hide in CMOS
but it wouldn't be directly executable.

Art

http://home.epix.net/~artnpeg
 
Mother's L'il Helper

Gabriela Salvisberg said:
Someone might correct me if I'm wrong, but AFAIK a low-level format
isn't necessary to remove malware, even if they are rootkits.

Unless you're running a hard drive that is designated by the first letter R
or M (circa early 80's, pre "I-anything"),
you can't do a low-level format without a tool from the manufacturer. We
don't even do a proper high-level format these days.... Format is just a wipe
and re-issue of the address bytes for what the OS needs.
 
David H. Lipman

From: "Mother's L'il Helper" <[email protected]>

|
|
| Unless you're running a hard drive that is designated by the first letter R
| or M (circa early 80's, pre "I-anything"),
| you can't do a low-level format without a tool from the manufacturer. We
| don't even do a proper high-level format these days.... Format is just a wipe
| and re-issue of the address bytes for what the OS needs.
|


Do you remember the days of running DEBUG.EXE and issuing...

G=c800:8 ? :)
 
Sol

Gabriela said:
Someone might correct me if I'm wrong, but AFAIK a low-level format
isn't necessary to remove malware, even if they are rootkits.

It would be fruitless to perform an actual low-level format (unless
your intention is to destroy your HDD). It's normally done once (as
that webopedia definition I pointed you to said) at the factory by the
disk's maker. The process writes out the physical "geometry" of the
hard disk, that is, the actual tracks and sectors. Utilities that
claim to LLF a hard disk are invariably disk wiping programs (a.k.a.
zero-fill progs), that is, they fill the disk with all 0s (or what have
you) overwriting all the high-level data on the disk--but not the
low-level physical geometry data (wouldn't it stink if that happened
every time you ran FORMAT? =) .

My question, simply put, is whether or not the true physical geometry
data (the LLF) that's stored on the disk can somehow be modified by or
infected with malware (or if the HDD's BIOS can be infected/etc.)
rendering the disk "uncleanable" (heh). My guess would be no, but I'm
paranoid about malware infection and I don't know enough about the
low-level operations of hard disks to know if what I'm asking is
possible or laughable or what. I understand that any high-level data
(malware or otherwise) can be dealt with by means of a (normal)
high-level format and partitioning, or by a disk wiping/zero-fill
Other devices? Which ones are in your mind?

Anything that can hold data (especially nonvolatile/persistent data).

A small amount of code could hide in CMOS but it wouldn't be directly executable.

Could it be removed/"cleaned" by clearing the CMOS? That is, would I
be able to use the "Clear CMOS Data" jumper on a motherboard (if
present) or would I have to remove the battery and let the contents
melt away? =)

Thanks very much for all the help and info.
 
Virus Guy

David H. Lipman said:
Do you remember the days of running DEBUG.EXE and issuing...

G=c800:8 ? :)

It was funny when my buddies were cracking Atari games and when they
did something wrong their screen filled up with lots of funny
characters - and when I did something wrong with my XT I got no
similar light show.

C800 was where the CGA/EGA display memory started I think.
 
David H. Lipman

From: "Virus Guy" <[email protected]>


| It was funny when my buddies were cracking Atari games and when they
| did something wrong their screen filled up with lots of funny
| characters - and when I did something wrong with my XT I got no
| similar light show.

| C800 was where the CGA/EGA display memory started I think.

It was ROM on the hard disk (MFM/RLL).

I may have slipped, the entry point may have been; c800:5 not c800:8
 
Offbreed

Gabriela said:
Never heard of that. If you format the disk (incl. boot sector) all
malware should be gone.

To be precise, it would still be there, but it would be harmless.

Better to wipe the disk as traces of previous code can cause problems
with poorly written programs.
 
Dave Cohen

Gabriela Salvisberg said:
Someone might correct me if I'm wrong, but AFAIK a low-level format
isn't necessary to remove malware, even if they are rootkits.


The RAM, perhaps? I don't know if this is still the case (or ever
really was), but I could imagine that a virus could survive a reboot
of the PC by residing in the memory. Unless you turn the PC off.

The BIOS? There were some viruses that were able to overwrite the
Flash BIOS chip of some machines with garbage, so the PCs weren't able
to boot. See CIH http://www.f-secure.com/v-descs/cih.shtml. But this
only rendered the content of the Flash BIOS useless. It wasn't able to
spread out of the BIOS.

Other devices? Which ones are in your mind?

Gabriela

Memory resident code was the preferred way to infect floppies in the old
days since swapping out floppies was a common operation. Not sure about
today's environment but virus checkers always do a memory scan anyway.
Dave Cohen
 
edgewalker

No. LLF is like the paint in a parking lot that indicates where you should park.

[...]
I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Yes. Flashable firmware - option ROM (EEPROM) and BIOS (EEPROM)
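edgewalker's answer names the firmware that survives an OS reinstall: option ROMs and the system BIOS. The following is an added example, not code posted by anyone in the thread: Python that parses a legacy PCI option ROM header (the 0x55AA signature, the length in 512-byte units, and the PCIR data structure carrying vendor and device ID), verifies the byte checksum the BIOS checks before executing a ROM, and compares the image's SHA-256 against a known-good baseline. The ROM image, its vendor/device IDs (0x1234/0x5678) and the tampering are all constructed for the example. It also shows why the checksum alone proves nothing: whoever patches the ROM recomputes the checksum too, so only the comparison with a baseline hash catches the change.

```python
"""Parse a legacy PCI option ROM header, check its checksum, compare to a baseline hash.

Constructed example: the ROM image, vendor/device IDs (0x1234/0x5678) and the
'tampered' bytes are made up for illustration, not taken from any real card.
"""
import hashlib
import struct

# PCIR: sig, vendor, device, VPD ptr, struct len, rev, class code, image len,
#       code rev, code type, indicator
PCIR_FMT = "<4sHHHHB3sHHBB"


def build_option_rom(vendor_id, device_id, blocks=1):
    """Build a minimal legacy option ROM of blocks*512 bytes with a valid checksum (constructed)."""
    size = blocks * 512
    rom = bytearray(size)
    rom[0:2] = b"\x55\xaa"                       # option ROM signature
    rom[2] = blocks                              # length in 512-byte units
    rom[3:6] = b"\xe9\x00\x00"                   # init entry point: placeholder near jmp
    pcir_off = 0x1C
    struct.pack_into("<H", rom, 0x18, pcir_off)  # pointer to the PCI data structure
    struct.pack_into(PCIR_FMT, rom, pcir_off, b"PCIR", vendor_id, device_id,
                     0, 0x18, 0, b"\x00\x00\x02", blocks, 0, 0x00, 0x80)
    rom[0x40:size - 1] = b"\x90" * (size - 1 - 0x40)   # stand-in 'code' region (NOPs)
    rom[size - 1] = (-sum(rom[:size - 1])) & 0xFF        # all bytes must sum to 0 mod 256
    return bytes(rom)


def parse_option_rom(rom):
    """Return header fields, whether the byte checksum holds, and the image's SHA-256."""
    if rom[:2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA option ROM signature")
    size = rom[2] * 512
    if size == 0 or len(rom) < size:
        raise ValueError("declared length is zero or exceeds the image")
    pcir_off = struct.unpack_from("<H", rom, 0x18)[0]
    (sig, vendor, device, _vpd, _slen, _rev, _cls,
     _img_len, _crev, code_type, indicator) = struct.unpack_from(PCIR_FMT, rom, pcir_off)
    if sig != b"PCIR":
        raise ValueError("missing PCIR data structure")
    return {
        "blocks": rom[2],
        "vendor_id": vendor,
        "device_id": device,
        "code_type": code_type,               # 0 = x86 legacy BIOS code
        "last_image": bool(indicator & 0x80),
        "checksum_ok": sum(rom[:size]) % 256 == 0,
        "sha256": hashlib.sha256(rom[:size]).hexdigest(),
    }


def patch_bytes(rom, offset, data):
    """Return a copy of rom with data written at offset (simulated tampering)."""
    out = bytearray(rom)
    out[offset:offset + len(data)] = data
    return bytes(out)


def fix_checksum(rom):
    """What an attacker does after patching: recompute the checksum byte so the ROM looks valid."""
    out = bytearray(rom)
    size = out[2] * 512
    out[size - 1] = 0
    out[size - 1] = (-sum(out[:size])) & 0xFF
    return bytes(out)


def verify_against_baseline(rom, baseline_sha256):
    """The check that actually catches tampering: sane structure plus a known-good hash."""
    info = parse_option_rom(rom)
    return info["checksum_ok"] and info["sha256"] == baseline_sha256


def main():
    original = build_option_rom(0x1234, 0x5678)            # hypothetical IDs
    baseline = parse_option_rom(original)["sha256"]       # taken from a known-clean dump
    tampered = patch_bytes(original, 0x40, b"\xcd\x13")   # overwrite two NOPs with 'int 13h'
    repaired = fix_checksum(tampered)
    for name, rom in (("original", original), ("tampered", tampered), ("repaired", repaired)):
        info = parse_option_rom(rom)
        print(f"{name}: checksum_ok={info['checksum_ok']} "
              f"baseline_match={verify_against_baseline(rom, baseline)}")


if __name__ == "__main__":
    main()
```

The baseline has to come from somewhere the attacker could not touch, such as a dump taken from a known-clean unit of the same card or the vendor's published image; a hash recorded on the suspect machine after the fact is worth nothing. The same reasoning applies to the system BIOS: a flash dump compared against the vendor image is the check, not whatever the board reports about itself.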
 
Fenton

Do you remember the days of running DEBUG.EXE and issuing...

G=c800:8 ? :)

I kind of miss the days of that much control. But only kind of, as now that
I'm a lot older, I don't really want to mess with anything any more.
 
Dave Cohen

edgewalker said:
No. LLF is like the paint in a parking lot that indicates where you should
park.

[...]
I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Yes. Flashable firmware - option ROM (EEPROM) and BIOS (EEPROM)
One doesn't hear of this being done. Not sure if the BIOS would automatically
default to loading BIOS defaults; if it didn't, I think you're screwed. But the
question is, if it can be done, why don't we see it in the wild? Surely not
out of the kindness of the heart of would-be perpetrators.
Dave Cohen
 
edgewalker

Dave Cohen said:
edgewalker said:
Sol said:
Is it possible for malware to embed itself in the (real) low-level
format information of a PC hard disk?

No. LLF is like the paint in a parking lot that indicates where you should
park.

[...]
I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Yes. Flashable firmware - option ROM (EEPROM) and BIOS (EEPROM)
One doesn't hear of this being done.

In-the-wild instances have been stated as fact by Hoglund, the creator of
rootkit.com, and implied by microsoft.com.

http://research.microsoft.com/rootkit

McGraw co-authored a book with Hoglund, and (t)here is yet another security
geek's take on the possibility.

http://www.desktoppipeline.com/showArticle.jhtml?articleID=56900483

"Particularly nasty rootkits have even been known to ensconce themselves in
the very chips of a computer. Consider that many modern PCs have around
2Mbytes of unused EEPROM space on the motherboard that can be accessed
through software. If you're owned by one of these rootkits, even completely
reinstalling the OS won't clear things up. Short of reflashing your EEPROM,
you're fresh out of options."
Not sure if the BIOS would automatically
default to loading BIOS defaults; if it didn't, I think you're screwed. But the
question is, if it can be done, why don't we see it in the wild? Surely not
out of the kindness of the heart of would-be perpetrators.

Such malware is very target specific.
 
David H. Lipman

From: "edgewalker" <[email protected]>

|
| Dave Cohen said:
edgewalker said:
Is it possible for malware to embed itself in the (real) low-level
format information of a PC hard disk?

No. LLF is like the paint in a parking lot that indicates where you should
park.

[...]

I should've been a little clearer. Let me try again. Are there any
places in the INTERNAL PC that malware can reside other than the hard
disk (and other than removable disks)?

Yes. Flashable firmware - option ROM (EEPROM) and BIOS (EEPROM)
One doesn't hear of this being done.
|
| In the wild instances have been stated as fact by Hoglund the creator of rootkit.com
| and implied by microsoft.com.
|
| http://research.microsoft.com/rootkit


It's all theory that has NOT been demonstrated to exist.


| McGraw co-authored a book with Hoglund, and (t)here is yet another security
| geek's take on the possibility.
|
| http://www.desktoppipeline.com/showArticle.jhtml?articleID=56900483
|
| "Particularly nasty rootkits have even been known to ensconce themselves in the very chips
| of a computer. Consider that many modern PCs have around 2Mbytes of unused EEPROM space on
| the motherboard that can be accessed through software. If you're owned by one of these
| rootkits, even completely reinstalling the OS won't clear things up. Short of reflashing
| your EEPROM, you're fresh out of options. "
|


This has been discussed numerous times and has each time been debunked. Just more FUD.
 
Sol

David said:
This has been discussed numerous times and has each time been debunked. Just more FUD.

Forgive me for questioning you, but isn't the overwriting of EEPROM
system BIOSes one of the capabilities of the CIH virus (mentioned
earlier in the thread)? I've also heard about a "Chernobyl" virus
(which may have been one and the same as CIH) that was also capable of
munching on EEPROM system BIOSes. Or are you saying the overwriting of
option ROM etc. is FUD?

Prost.
 
