

Destroying your hard drive is the only way to stop this super-advanced malware


mouser:
Long article on Wired about it:
http://www.wired.com/2015/02/nsa-firmware-hacking/

bit:
Now that it has been discovered, I should think antivirus software could be written to at least detect it in action, followed by some kind of 'fix', possibly involving a redesigning of the HD firmware?

tomos:
Now that it has been discovered, I should think antivirus software could be written to at least detect it in action, followed by some kind of 'fix', possibly involving a redesigning of the HD firmware?
-bit (February 25, 2015, 06:59 PM)
--- End quote ---

well, going by what's already been said...

Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.
--- End quote ---

It's not just that -- if the malware tampers with the HARD DRIVE FIRMWARE, it can essentially make the hard drive return fake data, etc.  Even with the lowest level access to the hard drive, the hard drive firmware can hide any changes.  The only way to fix would be to reflash the hard drive firmware -- and it may very well be that the firmware changes make reflashing impossible via software.
-mouser (February 18, 2015, 03:10 PM)
--- End quote ---
There is no defense against this.

It's like a rootkit; once it gets into your hard drive the only way out is to replace the drive controller with a known-good version and then very carefully salvage data without letting the virus be reactivated.
-SeraphimLabs (February 18, 2015, 03:33 PM)
--- End quote ---

MilesAhead:
It's like a rootkit
--- End quote ---

Seems like the countermeasure would need to be burned in code.  Like the only way to update your controller code would be to physically change out a chip.  I wonder if the military has some scheme already to get around the problem?

SeraphimLabs:
the task of delivering it to the target to infect the new hard drive without the OS noticing
-SeraphimLabs (February 18, 2015, 03:33 PM)
--- End quote ---

like... packaging it as a critical update from the drive manufacturer... which we regularly install on customer equipment...
-x16wda (February 18, 2015, 08:10 PM)
--- End quote ---

The best defense I've come up with so far is for the vendors to put a jumper on the drive that must be toggled to allow firmware writes.

Unfortunately this scenario defeats that type of defense, because the technician would move the jumper to install what is perceived to be a legitimate update and then unknowingly install the malicious version.

Having such a jumper would be a good first-line defense though to prevent automated deployment. The drive is wired such that with the jumper open the drive acts as hard drives currently do, but cannot install firmware. You would then shut the jumper to install a firmware update- but with the jumper shorted for firmware updates the drive would be prohibited from normal operation.

Once it gets into the drive it's too late. You would have to access the drive's firmware without using the standard interface or letting the controller boot up, and compare the contents to a known-good version. If it starts running the infected firmware it could easily jump the gap and infect the known-good media as well, and would definitely attempt to hide itself.
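The comparison step in the last paragraph, as an added example that is not part of the thread or of any vendor tool: it assumes you already hold two byte strings, a known-good `reference` image (for instance extracted from the vendor's update package) and a `dump` read back from the drive without letting the controller execute its firmware (for instance by reading the flash chip with an external programmer). Anything read through the drive's normal command interface is untrusted for this purpose, because the running firmware can return whatever it likes. The sample images are constructed.

```python
"""Offline check of a drive-firmware dump against a known-good image.

Added example, not from the forum thread. `reference` is assumed to be a
trusted image and `dump` the flash contents obtained out-of-band, i.e.
without executing the drive's own firmware. The sample images below are
constructed for illustration only.
"""
import hashlib
from typing import Dict, List, Tuple

Region = Tuple[int, int]  # (offset, length) in bytes


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for comparing against a published hash."""
    return hashlib.sha256(data).hexdigest()


def diff_regions(reference: bytes, dump: bytes) -> List[Region]:
    """Byte ranges where `dump` differs from `reference`.

    Contiguous differing bytes are merged into one region. If the images
    differ in length, the extra tail is reported as a region too (merged
    with a preceding differing run if the two touch).
    """
    regions: List[Region] = []
    common = min(len(reference), len(dump))
    start = None
    for i in range(common):
        if reference[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    tail = max(len(reference), len(dump)) - common
    if tail:
        if start is not None:
            regions.append((start, common - start + tail))
        else:
            regions.append((common, tail))
    elif start is not None:
        regions.append((start, common - start))
    return regions


def verify_firmware(reference: bytes, dump: bytes) -> Dict[str, object]:
    """Compare a dump with the reference and summarise the result."""
    regions = diff_regions(reference, dump)
    return {
        "match": not regions,
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "reference_size": len(reference),
        "dump_size": len(dump),
        "regions": regions,
    }


def build_sample_images() -> Tuple[bytes, bytes]:
    """Constructed 16 KiB 'reference' image and a tampered 'dump'.

    The tampering is made up: 16 patched bytes at 0x1000, 4 patched bytes
    at 0x2F00, and 64 bytes appended past the original end of the image.
    """
    reference = bytes((i * 7 + 3) & 0xFF for i in range(16 * 1024))
    dump = bytearray(reference)
    dump[0x1000:0x1010] = b"\xFF" * 16
    dump[0x2F00:0x2F04] = b"\xCC" * 4
    dump += b"\x90" * 64
    return reference, bytes(dump)


if __name__ == "__main__":
    ref, dmp = build_sample_images()
    result = verify_firmware(ref, dmp)
    print("match:", result["match"])
    for offset, length in result["regions"]:
        print(f"  differs at 0x{offset:06X}, {length} bytes")
```

The hash alone tells you whether the image is clean; the region list is what you hand to whoever disassembles the patched bytes. Run it on a dump taken while the controller is powered or through the drive's own interface and a hidden implant can simply present the clean image, which is the point made in the post above.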
