Going beyond erasure – Malware that survives hard drive formatting

Just the title of this post might be scary. Suppose your computer has caught malware, and it has shown signs of being there. You format your whole hard drive and do a clean install of your operating system. You don’t open a single program, and you don’t even connect to the internet, and there it still is – it turns out the malware is still on your system.

WHAT!?!?! How is that logically possible? You’ve erased your hard drive. How did the malware reappear?

Theoretically, and practically, this scenario is still possible. It’s not that easy to pull off, but it is possible. It would be really bad if the malware showed no evidence while you were still being spied on. The average user probably doesn’t have to worry about this, because it would likely have to be an attack targeted specifically at your computer, especially if it is silent – but here is how it’s possible:

Computers have what is known as a BIOS. This stands for Basic Input/Output System. The BIOS is a special, slimmed-down, fixed set of software code that is intended to control other hardware on your system at a very low level (such software is usually known as “firmware”), and it allows your computer to do basic functions, like actually booting up. Without a BIOS, your computer cannot even boot, let alone load your operating system.

The BIOS is stored in what’s known as non-volatile memory on a special motherboard chip. Non-volatile memory means the stored software code or data is retained even if power is not supplied to the computer. Think about it: if the BIOS were stored in volatile (requiring electrical power) memory, such as your regular computer RAM, how would you be able to power down your computer, turn it back on again and expect it to still boot up? You can because the BIOS is stored in special, non-volatile memory. Your hard drive happens to be another example of non-volatile memory, but the BIOS on a motherboard chip is essential for the computer to even boot up, let alone load the operating system from your hard drive.

Here’s how malware that goes beyond erasure works. Did you know that sometimes you can actually modify your BIOS yourself? This is called “flashing the BIOS”, and it means overwriting the BIOS code with new code. By the way, never do this unless you really have to and understand what you are doing. You can sometimes download a BIOS flashing tool directly from the manufacturer’s website that will even flash your BIOS while the computer is still on. Think about it – if you can do it yourself, what would stop a malware program from doing it? Malware can easily infect your current operating system, but it can also implant itself into the BIOS and infect your system again even after the hard drive has been cleared! The malware does have to be targeted at your BIOS version – but it is possible to carry out such an attack.

Despite some claims that physical access to your computer is required to carry out the attack, this actually isn’t necessary at all (scary)! The only way to be 100% sure of removing such an infection is to format the hard drive by connecting it to a completely different computer (using boot disks, not booting into the OS on the infected hard drive, in case the other computer also gets infected) and to re-flash the infected computer’s BIOS using boot disks containing flashing tools and uninfected firmware.
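Before re-flashing, it helps to know whether the chip's contents really differ from the manufacturer's image. The following is an added example, not part of the original post: it compares a firmware dump against a reference image and reports which byte ranges changed. The function names, the 4096-byte block size and the sample data are assumptions made for illustration, and how the dump is obtained is outside its scope.

```python
import hashlib

BLOCK = 4096  # comparison granularity in bytes (assumed value)

def sha256_hex(image: bytes) -> str:
    """Hex SHA-256 of a firmware image, for a quick whole-image comparison."""
    return hashlib.sha256(image).hexdigest()

def changed_ranges(reference: bytes, dump: bytes, block: int = BLOCK):
    """Return merged (start, end) byte ranges where the dump differs."""
    if len(reference) != len(dump):
        # A size mismatch means the images are not comparable block by block.
        raise ValueError("image sizes differ: %d vs %d" % (len(reference), len(dump)))
    ranges = []
    for off in range(0, len(reference), block):
        if reference[off:off + block] != dump[off:off + block]:
            end = min(off + block, len(reference))
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], end)  # extend the previous range
            else:
                ranges.append((off, end))
    return ranges

def check_dump(reference: bytes, dump: bytes) -> dict:
    """Hash first; only walk the blocks when the hashes disagree."""
    if sha256_hex(reference) == sha256_hex(dump):
        return {"match": True, "ranges": []}
    return {"match": False, "ranges": changed_ranges(reference, dump)}

# Constructed sample data: a 64 KiB stand-in for the manufacturer's image,
# and a copy with two modified areas standing in for a dump of the chip.
REFERENCE = bytes((i * 7) % 256 for i in range(64 * 1024))
_modified = bytearray(REFERENCE)
_modified[0x5FF0:0x6010] = b"\xAA" * 0x20  # straddles two adjacent blocks
_modified[0xC123] ^= 0xFF                  # single flipped byte
TAMPERED = bytes(_modified)

if __name__ == "__main__":
    result = check_dump(REFERENCE, TAMPERED)
    print("match:", result["match"])
    for start, end in result["ranges"]:
        print("changed: 0x%06X-0x%06X" % (start, end - 1))
```

A difference is not proof of infection by itself, since areas of the chip that hold settings can change legitimately, but code regions that differ from the manufacturer's image deserve a closer look.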

The days are gone when malware was nothing more than code that injected itself into your startup folder and caused annoying slowdowns and popup ads but nothing really serious. The best way to avoid this happening to you is to always install software from trusted sources only.


About tricksoflife

My name is Robert Florescu and I'll be posting random observations about interesting "tricks" I've found in general.