0

I found the worm rammit on one of my windows computers so I'm a bit paranoid now about all my dated usb, hdds, etc. Does malware commonly affect devices lower than the mbr. For instance is 

shred /dev/sda
fdisk -u /dev/sda
mkfs /dev/sda1

going to take care of all common malware?

JimiMyFr13nd
  • 27
  • 1
  • 3
    The MBR isn't a device, it's data on your hard disk just like any file you have. And yes, there is malware that goes "lower", eg. to hard disk areas that are not normally accessible (just with vendor-specific diagnostics stuff), to the Bios memory, etc. – user155462 Jun 13 '18 at 13:09
  • How do i detect something like that? Would wireshark work for listening to the disk? – JimiMyFr13nd Jun 13 '18 at 14:04
  • 1
    No, of course not. (Where this idea comes from?). A sure way to say "infected yes/no" does not exist, so the only reliable solution is to get rid of the device if you think there is something. That's because even as expert, checking "everything" is completely impossible for one human. And as layperson, don't even try, it's wasted time. – user155462 Jun 13 '18 at 15:08

1 Answers1

2

Can malware affect storage devices lower than MBR

Yes, it can. Infection of firmware has been part of several APT (nation-state level) hacks, such as Stuxnet and Equation Group tools.

Does malware commonly affect devices lower than the MBR

Commonly? No, not yet, probably because targeting specific hardware is not as generic as targeting higher-level operating systems, and "common" malware wants to run widely. You probably do not have to worry about it.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • Thanks a ton, your right; that malware would have been a botnet and it would not make any sense to have hacked tons of unique firmware. So a usb stick exploit with metasploit can't accomplish this, usb sticks seam much more generic? – JimiMyFr13nd Jun 13 '18 at 14:09
  • Such a payload certainly *could* be delivered by USB, but you're right, a botnet malware is unlikely to go for that sort of complexity. – gowenfawr Jun 13 '18 at 14:11