
This question is related to a computer where users other than the owner have had access for periods of several hours at a time. The following steps have been taken to clean the computer:

  1. Used partition assistant to erase both the main partition and the recovery partition.

  2. Initiated a clean install of Windows using a recovery disk purchased from the manufacturer.

If one performs the following steps, will it remove all malware from a compromised computer? If not, are there any further steps that should be taken to protect the computer against malware in the firmware or other hard-to-access locations?

MM1926

3 Answers


Yes, and there have been cases of this being stored in different areas on the computer. One classic example can be found at the following URL:

http://www.pcworld.com/article/2948092/security/hacking-teams-malware-uses-uefi-rootkit-to-survive-os-reinstalls.html

This article goes into a little more detail on how this works:

http://arstechnica.com/security/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/

Another interesting area is having malware stored in video cards. Although this may not be persistent, in the future this type of attack may become very interesting.

http://arstechnica.com/security/2015/05/gpu-based-rootkit-and-keylogger-offer-superior-stealth-and-computing-power/

Trey Blalock

In general and at the moment (2016), wipe and reinstall is usually enough for an ordinary user. But notice the qualifiers; malware authors are often quite clever and adapt quickly to new ideas.

The issue underlying the question is: where can code that runs automatically exist on a computer? The current answer to that is: in any device or component that has firmware (or has circuitry that facilitates secret firmware or code) - and unfortunately that's almost all of them. Most viruses are stored in normal disk spaces that antivirus programs routinely check. But beyond this is a realm of other locations, often completely uncheckable at the moment. Some are known to have been exploited, but only by nation-states (NSA etc.), and others have been demoed by security researchers (BadUSB is one). The good thing is that at present these aren't common vectors for malware for ordinary users.

That said, here are some examples of malware vectors and snooping/logging abilities that won't be fixed by reinstalling or wiping, to give you nightmares...

  • Computer bios (or uefi) - the main computer firmware

  • In the hard drive firmware (and hidden sections of the HD accessible to it) - what can't be seen can't be wiped, and the HD firmware has total control over what data is sent to the computer when a disk read is requested, and whether the real data is modified or not. This one's been used by NSA etc. already.

  • In input devices or devices used to connect input devices - keyboard dongles, mouse dongles, hardware keyloggers, USB and Bluetooth devices that silently present themselves as a fake mouse/keyboard to execute commands, touchscreen devices that log or fake input by the user,...

  • Cards and other pluggable devices (graphics, network, WiFi, you name it) which present interfaces at a hardware or software level or have direct access to ram, in their firmware.

  • Potentially the CPU itself, in its microcode.

  • Output devices (a dongle or fake ferrite core on a monitor cable that can log the rgb signal and decode or onward transmit the screen elsewhere).

  • Hidden network connections - devices that contain a secret networking capability that isn't a virus but can be used to get covert access...

  • Malicious accessories - fake Apple chargers at one time contained a malwaring capability.

  • In the OS itself (bad or faked install media, covert code in the source code or added to it in an unauthorised manner by an insider, third party or distributor, unknown to the authors).

  • In trusted code you redownload or reinstall almost "as standard" after wiping the disk (think Microsoft office or MySQL offline media, or web download installers)...

  • In standard libraries and trusted software "hidden in plain view". Google the competitions for the underhanded C and underhanded crypto competitions where apparently clean code must secretly achieve a malicious outcome.

Yes, it's scary, and no, nobody is really clear what to do about protecting against it, except to trust that it's rare and targeted. Which, so far, it is.

Stilez
  • Actually, microcode is not persistent. It must be loaded by either the BIOS or off the hard drive by the OS at every boot. If malware installs itself via microcode, it will be lost as soon as the system powers off. – forest Apr 04 '16 at 23:35
  • Technically it doesn't persist, well spotted. That's not much comfort - it may be that a CPU variant does persist microcode in future if not now, or in coprocessors that persist if not the main CPU (crypto accelerator, GPU, numeric copro), and users don't audit ucode updates, which are trusted once in place (no A/V on CPUs!), making it perhaps more likely it can get reinstalled right back after wiping by the same route. But yes, you're right in principle. – Stilez Apr 05 '16 at 06:40

The answer is yes and no.

While most manufacturers won't supply a recovery disk containing malware, recently there was news about a manufacturer shipping malware pre-installed, and it's likely that the recovery disk contains the same malware.

Also, there are boot sector viruses that can withstand re-installing the OS.

The last thing I would like to add: don't insert USB memory sticks after a fresh install unless you are very sure they are safe and clean.

To make sure you don't have any malware, download the OS from the original developer, for example Microsoft, and use some live boot tools to check the boot sector after wiping your hard disk drive clean.

techraf
JonDoe
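To go with the advice above to check the boot sector after wiping: an added Python example (not code from the answer) that parses a classic 512-byte MBR, reports whether the bootstrap code area is blank, and compares its hash against a baseline recorded from known-good install media. The sample sectors, the baseline and the placeholder bootstrap bytes are constructed here; a real check would read the first 512 bytes of the drive from a live-boot environment and record the baseline from the freshly written clean disk.

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440      # classic MBR bootstrap code occupies bytes 0..439
PART_TABLE_OFF = 446    # four 16-byte partition entries start here
SIGNATURE_OFF = 510     # 0x55AA boot signature closes the sector

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into bootstrap code hash, partition table and signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # partition type 0 means an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "bootcode_blank": not any(sector[:BOOTCODE_LEN]),
        "partitions": entries,
        "signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }

def check_mbr(sector: bytes, known_good_sha256: str = "") -> str:
    """Return 'wiped', 'matches-baseline' or 'unexpected' for a boot sector."""
    info = parse_mbr(sector)
    if info["bootcode_blank"] and not info["signature_ok"] and not info["partitions"]:
        return "wiped"             # nothing left to boot: the wipe really happened
    if known_good_sha256 and info["bootcode_sha256"] == known_good_sha256:
        return "matches-baseline"  # boot code identical to the recorded clean media
    return "unexpected"            # boot code present but not the one we trust

def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sample: given bootstrap bytes, one bootable NTFS-type partition, signature."""
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    return bootcode.ljust(PART_TABLE_OFF, b"\0") + entry + bytes(48) + b"\x55\xaa"

# Constructed sectors (placeholder bytes, not real boot code): zeroed disk, clean baseline, tampered.
WIPED_MBR = bytes(SECTOR)
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0" + bytes(BOOTCODE_LEN - 3))
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + bytes(BOOTCODE_LEN - 3))

if __name__ == "__main__":
    for name, sec in [("wiped", WIPED_MBR), ("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)]:
        print(f"{name:9s} -> {check_mbr(sec, BASELINE)}")
```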