The Naked Scientists

The Naked Scientists Forum

Author Topic: Virus/malware that eludes hard disk format and operating system reinstall  (Read 6854 times)

Offline DrQuincy

  • First timers
  • *
  • Posts: 5
    • View Profile
Hello

I'm researching a novel and I'm trying to find out if I can make the following possible: a computer malware agent that can still initiate itself even if the hard drive is formatted or the operating system is reinstalled. I am doing this for a Unix/Linux platform including Darwin-based Mac OS X.

I know in the real world this may be very difficult to do but I am writing fiction so if there is any way no matter how improbable it sounds I'd like to know.

I am into computers by profession by this kind of thing is not my forte. However, if someone could give me the gist I know enough to go away and research it further.

Thanks in advance!


 

another_someone

  • Guest
I suppose the obvious way to approach it, given that most motherboards these days come with reprogrammable BIOS chips (to allow for BOID updates), is therefore to reprogram the motherboard BIOS to include a virus - then no matter what you do to the hard disk, the virus remains.

How you get the virus into the BIOS (particularly in an operating system like Linux), is another matter.  The only way you could do it is with root authority, so you would have to somehow manage to get root authority, identify the motherboard, and infect the BIOS, then probably reboot the system.

I suspect the reason nobody has tried this yet is because there are too many types of motherboards around, and it would not be practical to try and code for each type.  The reason so many viruses infect Windows (apart from the poor security design, although I believe Vista is addressing that), is simply the monopoly position the Windows holds in the marketplace means that once you have invested the time in finding a way to infect Windows, you then have the vast majority of computers in the world as potential victims.

If you were to have a scenario where one or two designs of motherboard were to dominate the marketplace (or where the motherboard manufacturers had adopted a common standard for BIOS upgrades), then it becomes profitable to try and attack the BIOS.

In the old days ofcourse, it was quite common to have viruses in the master boot record, and a virus here would not be removed by simply reformatting the single partition on the hard disk, or simply by reloading the operating system; but these days, master boot records are checked by most anti-virus software, and are commonly replaced (whenever you install a new boot loader, you would rewrite the master boot record).  A low level reformat would also remove the master boot record, but modern disks cannot be low level formatted because the internal electronics of the disk deal with the native format, which the software never sees.
« Last Edit: 27/02/2008 15:50:03 by another_someone »
 

Offline DrQuincy

  • First timers
  • *
  • Posts: 5
    • View Profile
Thanks a lot for this. I guess this would not include Macs. They probably use a limited number of motherboards but they don't used BIOS do they?

Is it at all possible a hard drive manufacturer could put one on a "hidden" sector on the drive. Again forgive my ignorance.
 

another_someone

  • Guest
Macs must have something equivalent to a BIOS (when you start up a machine, all you have is the hardware, and there needs to be some hardware process that loads the operating system).  What I have no idea of is whether the Mac's have reprogrammable motherboards.

If you have access to hardware manufacturing, ofcourse there are many things you can do.  This is particularly true if you have access to motherboard manufacture.  The problem here is the same problem as with rewriting the BIOS - you need an almost monopoly position of one manufacturer in order to achieve this.

I suppose the one are where we do have an almost monopoly position is with CPU's (there are only two suppliers that supply almost the entire PC/Mac market - Intel and AMD - now that Apple have stopped using PowerPC).

The more complex issue is that while we still have a large number of brands of hardware products, there is not always a one-to-one correlation between brand and manufacturer - often the same manufacturer supplies several brands, but the same brand could source from several different manufacturers - so working out who actually manufactured a given component is not easy.
 

another_someone

  • Guest
Have a look at http://www.kernelthread.com/mac/osx/arch_boot.html for how an Apple Mac boots.
 

another_someone

  • Guest
In fact, looking at Apple Mac's (and possibly where PCs will be going in the future), the situation seems to become worse rather than better.

The Apple Mac hardware seems to be starting up using a Intel protocol called EFI :

http://en.wikipedia.org/wiki/Extensible_Firmware_Interface#Extensions
Quote
Extensions to EFI can be loaded from virtually any non-volatile storage device attached to the computer. For example, an original equipment manufacturer (OEM) can sell systems with an EFI partition on the hard drive which would add additional functions to the standard EFI firmware stored on the motherboard’s ROM.

In some ways this is not unlike the way PC boards can extend the BIOS (designed into the original PC architecture, when things like video cards were driven from the BIOS), but if, as appears, it is even more flexible, that very flexibility provides more opportunities for intrusion.

The fact that PC's and Macs are also converging on the way the will start their boot processes will also make them more vulnerable to common attacks on the boot process.

We are not ofcourse there yet (in the PC world), and with the billions of PC's out there, it now takes a very long time for the PC community to migrate from one paradigm to another.  Ofcourse, the big corporates tend to lead the way in such technology shifts, so if you are limiting yourself to them, then they are always on the leading edge; but typically they are also the ones who are more disciplined (note that I say more disciplined, not that they are adequately disciplined) in matters of PC security.
 

another_someone

  • Guest
Is it at all possible a hard drive manufacturer could put one on a "hidden" sector on the drive. Again forgive my ignorance.

The other issue with infections introduced in the hardware fabrication stage is that they are not technically viruses, merely trojans.  They can still be dangerous, but the cannot be infectious.

What I mean is that if you introduce a trojan in a piece of hardware (e.g. a hard disk), it will compromise whoever uses that piece of hardware, but it will only spread as fast as people are buying that particular piece of hardware.

A conventional virus depends on reprogramming something in the machine (usually altering an existing program), so that it can infect machines which have not in any way introduced any new hardware (although they may have, and often do, require the introduction of new software - but what constitutes software can be very broad, from a word document with an embedded macro, to a JPEG image with a carefully constructed buffer overrun).  The point is that computer users are constantly introducing new software onto their computers, and so constantly risking new virus attacks; but they only very rarely add new hardware, so the spread of malicious code embedded in hardware is always going to be very very slow in comparison to the spread of malicious code embedded in software.  Also, hardware embedded code cannot infect other hardware, whereas software embedded code can infect other software (hence the difference between a virus and a trojan).
 

The Naked Scientists Forum


 

SMF 2.0.10 | SMF © 2015, Simple Machines
SMFAds for Free Forums