topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 2:05 pm
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Destroying your hard drive is the only way to stop this super-advanced malware  (Read 25132 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Now that it has been discovered, I should think antivirus software could be written to at least detect it in action, followed by some kind of 'fix', possibly involving a redesigning of the HD firmware?
« Last Edit: February 25, 2015, 09:53 PM by bit »

tomos

  • Charter Member
  • Joined in 2006
  • ***
  • Posts: 11,959
    • View Profile
    • Donate to Member
Now that it has been discovered, I should think antivirus software could be written to at least detect it in action, followed by some kind of 'fix', possibly involving a redesigning of the HD firmware?

well, going by what's already been said...

Because the OS normally doesn't provide low level access to drive hardware to even an administrative user.

It's not just that -- if the malware tampers with the HARD DRIVE FIRMWARE, it can essentially make the hard drive return fake data, etc.  Even with the lowest level access to the hard drive, the hard drive firmware can hide any changes.  The only way to fix would be to reflash the hard drive firmware -- and it may very well be that the firmware changes make reflashing impossible via software.
There is no defense against this.

Its like a rootkit- that once it gets into your hard drive the only way out is to replace the drive controller with a known-good version and then very carefully salvage data without letting the virus be reactivated.
Tom

MilesAhead

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 7,736
    • View Profile
    • Donate to Member
Its like a rootkit

Seems like the countermeasure would need to be burned in code.  Like the only way to update your controller code would be to physically change out a chip.  I wonder if the military has some scheme already to get around the problem?

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
the task of delivering it to the target to infect the new hard drive without the OS noticing

like... packaging it as a critical update from the drive manufacturer... which we regularly install on customer equipment...

The best defense I've come up with so far is for the vendors to put a jumper on the drive that must be toggled to allow firmware writes.

Unfortunately this scenario defeats that type of defense, because the technician would move the jumper to install what is perceived to be a legitimate update and then unknowingly install the malicious version.

Having such a jumper would be a good first-line defense though to prevent automated deployment. The drive is wired such that with the jumper open the drive acts as hard drives currently do, but cannot install firmware. You would then shut the jumper to install a firmware update- but with the jumper shorted for firmware updates the drive would be prohibited from normal operation.

Once it gets into the drive its too late. You would have to access the drive's firmware without using the standard interface or letting the controller boot up, and compare the contents to a known-good version. If it starts running the infected firmware it could easily jump the gap and infect the known-good media as well, and would definitely attempt to hide itself.

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Its like a rootkit

Seems like the countermeasure would need to be burned in code.  Like the only way to update your controller code would be to physically change out a chip.  I wonder if the military has some scheme already to get around the problem?


They probably do, but they like to play with a full deck of 52 cards and consumers only maybe the spades.


mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

superboyac

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 6,347
    • View Profile
    • Donate to Member
A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

hey!  I like that!

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,646
    • View Profile
    • Donate to Member
A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

hey!  I like that!

I did too initially, but I don't think it will scale well for data centers that have (SAN) racks full of drives that would then need to be physically touched.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

hey!  I like that!

I did too initially, but I don't think it will scale well for data centers that have (SAN) racks full of drives that would then need to be physically touched.

Class action lawsuit against the NSA to pay for all the technicians that would need to be hired! ;D Great make-work project!  :Thmbsup:

I know... ain't gonna happen, but it's worth a chuckle. I don't even know how many drives are affected. I don't even know what order of magnitude there would be. Billions? Hundreds or tens of millions? Good grief... A lot in any event.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
A hardware jumper to enable any firmware flashing seems like a great idea for all devices.

hey!  I like that!

I did too initially, but I don't think it will scale well for data centers that have (SAN) racks full of drives that would then need to be physically touched.

The way I learned IT stuff, you don't upgrade any sort of firmware unless you either have issues to be corrected or are trying to add new features.

A data center would probably not be upgrading hard drive firmware in the first place unless they had a bad batch of drives that came through bugged, and such machines would likely already have had their drives exchanged for bug-free versions to maintain uptime.

Having a jumper setting to enable/disable firmware updates would provide containment for such malware and would prevent fully automated malware from installing exploits at that level because the typical user would not ever open the case let alone move the jumper to install the update.

It would not protect against intentional sabotage or a technician unknowingly installing a bugged update.

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
^I reread and very much appreciate everyone's technical comments, what little I could understand.
Yes, it is very worrisome.
« Last Edit: February 28, 2015, 12:06 PM by bit »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,288
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
I've seen reports of firmware deliveries being intercepted en-route and physically modded with spyware.

I remember reading 2 reports, though I forget the exact details and links.

In one case, a security researcher (?) ordered a drive through Amazon (?), and tracked the shipping as it was routed across the country to some place in Virginia (?) (which has an army base or intelligence service), and then back over to the person. I'm fuzzy on the details, but that was the gist.

Does anyone have links? Or remember the details?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Historical political cartoon.
The headband of the woman says 'Press'.
Today it might say 'Internet'.
I fully appreciate comments about the technical difficulty of rooting out the implanted malware.
This addresses the political side of the same situation.
This historic political cartoon shows that this kind of corruption and shady deals in high places is nothing new, and highlights the efficacy of (then) the Press, and (now) the Internet, to expose it to the light of day.
It also ennobles those exposing ethical wrongdoing as a just and time-honored pursuit, and shows that the miscreants involved do not like being exposed, and fear exposure for good reason.
(gets off soap box)
Press 2.jpg
« Last Edit: February 28, 2015, 11:33 PM by bit »

bit

  • Supporting Member
  • Joined in 2013
  • **
  • Posts: 686
    • View Profile
    • Donate to Member
Are Your Computer Devices Hardwired for Betrayal?
"How Do We Fix It?
1. Firmware must be properly audited.....
2. Firmware updates must be signed......
3. We need a mechanism for verifying the integrity of installed firmware......."

SeraphimLabs

  • Participant
  • Joined in 2012
  • *
  • Posts: 497
  • Be Ready
    • View Profile
    • SeraphimLabs
    • Donate to Member
Are Your Computer Devices Hardwired for Betrayal?
"How Do We Fix It?
1. Firmware must be properly audited.....
2. Firmware updates must be signed......
3. We need a mechanism for verifying the integrity of installed firmware......."

Or simply making it so that you don't update the firmware in the field. Build it right the first time, and stop shipping software with serious defects in it.

The jumper idea works though because it prevents firmware from being changed with someone doing so intentionally, any more restrictive than that and you might as well not allow firmware updates at all.