
I am wondering how to detect a virus or malware or anything that exists on an HDD (I am thinking of external hard drives). Doing a quick search led to these which aren't quite related:

This is closer to what I'm talking about:

Quora states:

It depends on the malware. Reformatting will remove most malware, but there are exceptions. Just make sure to blow away the recovery partition and install from known good media.... Some malware can modify the BIOS or other parts of the computer that will survive a reformat of the hard drive. This type of malware is rare because it is specific to hardware.

For this question I am not interested in non-HDD viruses, only on HDD ones (for external hard drives, just to keep the question not too broad). I don't quite understand how hard drives work other than that they use magnetic material to store the data.

In programming (I am just a programmer, not really much security stuff), I just think "I store files on the hard drive". Some of those files can be "executable files". But if you don't execute those files you won't get a virus (ignoring other ways to get viruses outside of HDDs here). If you do run the file, and it "has a virus", I don't see how just turning your computer off and on again won't just stop the program from running. I know there are startup daemons, so maybe it would be a startup daemon, but if you just looked at ps ax I would assume you would see the process listed. But this just goes to show I don't know much about how viruses work. Not directly related to the question, just wanted to add some context to the main question.

So the main question is, how to check there is a virus on the HDD. More generally, how to check that there might be any software or malware installed on the HDD. Wondering what needs to be done at a tool/software-independent level (i.e. at a theoretical level). Knowing of some standard tools would be helpful in some sense too, might make it easier to understand by example.

My knowledge basically is limited to "just type ps ax and check the processes". But maybe the virus either isn't listed there, or it changes its name. Also, this is just 1 unix command, I don't know if there is anything else to do. Maybe you can manually scan the drive's contents and look for some feature of some sort. Or I don't know, that's what I'm wondering.

By "from scratch" in the title, I mean without relying on some tool like "just run antivirus software X". What if you wanted to just write some C code or some Assembly, wondering at that level (not specific implementations necessarily) what you would be writing code for in order to solve the problem.

Lance

2 Answers


On a theoretical level you need to first compare the layout of the electronics of the device with the intended schematic (which you probably don't have) or another known good version of exactly the same drive. If it differs, find out what differs and what the consequences are. Are there any new "smart" parts like a micro-controller? What is it connected to?

Then you take a look at all the programmable electronics on there and dump the binary code in there (using JTAG, SPI, whatever you need).

Then you compare this binary code with the known-good version (you probably don't have) or versions dumped from known-good versions of this drive.

You then analyze the differences exactly by disassembling the code and understanding what it does. Is it just a bugfix/update by the manufacturer or malicious code?

You can look at this blog for some nice photographs and a description of how changing the drive firmware works.

If you determined that the hardware and firmware hasn't been tampered with, you can continue with the data on the drive.

Data on the drive isn't executed unless the UEFI/BIOS/... or operating system does so.

So first you need to check the bootloader on there. Does the drive contain a bootloader? If yes, see if it is a known good bootloader (e.g. Windows bootloader, default grub, ...). If not, disassemble the code and analyze it.

If you are sure that the hardware, firmware and bootloader are not malicious, the only way to execute code would be your operating system.

Find out if your OS automatically loads and executes code from connected drives (it shouldn't) and if so, from where exactly. See if there is code in these locations on your drive. Analyze it.

If you came this far, there is no malicious code on the drive that is automatically executed. Of course, there still could be malicious code that doesn't run automatically.

Josef
  • Excellent, just what I was looking for thank you. Not sure what you mean by the last line "Of course, there still could be malicious code that doesn't run automatically." – Lance Nov 22 '18 at 12:02
    @LancePollard there can be any amount of malicious code that you can manually run. In the simplest case an executable file that does malicious things if you double click on it in the GUI. But there could also be malicious code in sectors 121232-121242 on the drive which are marked unused in the filesystem and if you copy that and execute it, it does harmful things. The point is nothing there should happen automatically and you have to check every piece of executable code before you execute it. – Josef Nov 22 '18 at 12:10
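The bootloader and "unused sectors" steps of Josef's answer can be tried on a raw disk image. The following is an added example in Python, not code from the answer or from any tool it mentions: it parses the classic MBR of an image, hashes the 440-byte boot code area against an allow-list you supply, and flags non-zero sectors in the gap between the MBR and the first partition, which no filesystem claims. The `KNOWN_GOOD_BOOTCODE` table (only the all-zero entry is filled in), the `build_image` helper and the sample images are assumptions constructed for the demo; the electronics and firmware steps are hardware work this does not cover, and GPT disks (which carry only a protective MBR) would need a second parser.

```python
import hashlib
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"

# Allow-list of SHA-256 digests of the 440-byte MBR code area. The only entry
# is an all-zero code area (a disk that carries no boot code at all). Digests
# of your own verified GRUB or Windows boot sectors are an assumption: collect
# them from a drive you trust; they are not provided here.
KNOWN_GOOD_BOOTCODE = {
    hashlib.sha256(bytes(440)).hexdigest(): "no boot code (data-only disk)",
}


def parse_mbr(sector0):
    """Split sector 0 of a classic (non-GPT) MBR disk into its boot code,
    signature and the non-empty primary partition entries."""
    if len(sector0) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"bootcode": sector0[:440],
            "valid_signature": sector0[510:512] == MBR_SIGNATURE,
            "partitions": partitions}


def audit_image(image):
    """Return findings for a raw disk image: is the boot code a known one, and
    is there anything in sectors that no partition claims?"""
    findings = []
    mbr = parse_mbr(image[:SECTOR])
    if not mbr["valid_signature"]:
        findings.append("no 0x55AA signature: firmware will not boot this MBR")
    digest = hashlib.sha256(mbr["bootcode"]).hexdigest()
    if digest in KNOWN_GOOD_BOOTCODE:
        findings.append("boot code: " + KNOWN_GOOD_BOOTCODE[digest])
    else:
        findings.append("boot code: UNKNOWN (sha256 %s...) - disassemble it"
                        % digest[:16])
    total = len(image) // SECTOR
    first_lba = min([p["lba_start"] for p in mbr["partitions"]] + [total])
    # Sectors between the MBR and the first partition belong to no filesystem.
    # A BIOS GRUB install legitimately keeps core.img there, so non-zero
    # content is not proof of malice, but it is code nobody asked you to run.
    hidden = [lba for lba in range(1, first_lba)
              if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    if hidden:
        findings.append("non-zero unpartitioned sectors: %s" % hidden)
    return findings


def build_image(bootcode, partition_lba, total_sectors, hidden=None):
    """Construct a tiny MBR image for the demo (constructed data, not a real
    drive): one type-0x83 partition starting at partition_lba."""
    img = bytearray(total_sectors * SECTOR)
    img[:len(bootcode)] = bootcode
    img[446:462] = struct.pack("<8BII", 0x00, 0, 0, 0, 0x83, 0, 0, 0,
                               partition_lba, total_sectors - partition_lba)
    img[510:512] = MBR_SIGNATURE
    if hidden is not None:
        lba, payload = hidden
        img[lba * SECTOR:lba * SECTOR + len(payload)] = payload
    return bytes(img)


# Constructed samples: a clean data disk, and one whose code area and one
# unpartitioned sector were overwritten (arbitrary x86-looking filler bytes,
# not a real implant).
CLEAN_IMAGE = build_image(bytes(440), 64, 80)
TAMPERED_IMAGE = build_image(b"\xeb\x3c\x90" + b"\x90" * 13, 64, 80,
                             hidden=(17, b"\xe8\x00\x00\x00\x00\x5e\xc3"))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("tampered", TAMPERED_IMAGE)):
        print(name)
        for finding in audit_image(img):
            print("  -", finding)
```

On a real drive, attach it to a known-good host, copy the head of the disk with `dd if=/dev/sdX of=head.img bs=512 count=2048` (enough to cover the usual gap before a partition starting at LBA 2048) and pass `open("head.img", "rb").read()` to `audit_image`. An UNKNOWN boot code or a non-zero gap is the point where Josef's "disassemble and analyze" step starts, not a verdict.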

Your chief problem seems to be that you're trusting ps ax. That is to say, you enter the two words, and assume that they are executed as you intended. With malware running this assumption is flawed.

Practically the answer is, don't run anything off that HDD then. Put it in a USB enclosure, and connect it to a known-good system that doesn't automatically start executing content from USB storage. For even more security, on Linux you can mount the disk as noexec.

You can now inspect all the bits accessible to ordinary malware. There's still the risk of state-level actors who have replaced the very firmware of the disk itself, though. But if you're dealing with that level of threats, you shouldn't be asking this sort of question.

ATheCoder
MSalters
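MSalters' advice to mount the suspect drive noexec on a known-good host is easy to get subtly wrong, because a desktop auto-mounter usually attaches a USB disk read-write before you touch it. The following is an added example in Python, not code from the answer: it parses `/proc/mounts` format (including its octal escapes for spaces in paths) and reports which of `ro,noexec,nosuid,nodev` the mount of a given mount point is missing. The sample mount table, the option set in `REQUIRED_OPTIONS` and `check_live` (which assumes a Linux host) are my assumptions for the demo.

```python
import re

# Options a mount of a suspect drive on the analysis host should carry:
# read-only, and no execution of binaries, set-uid bits or device nodes
# from it. Treated as the required set for this example.
REQUIRED_OPTIONS = {"ro", "noexec", "nosuid", "nodev"}


def _unescape(field):
    """/proc/mounts writes space, tab, newline and backslash in paths as
    three-digit octal escapes (\\040 for a space); undo that so paths
    compare correctly."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text):
    """Parse /proc/self/mounts text into a list of mount dicts."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        entries.append({"device": _unescape(fields[0]),
                        "mountpoint": _unescape(fields[1]),
                        "fstype": fields[2],
                        "options": set(fields[3].split(","))})
    return entries


def check_mount(entries, mountpoint):
    """Report which hardening options the mount at `mountpoint` lacks.
    Returns None if nothing is mounted there."""
    for entry in entries:
        if entry["mountpoint"] == mountpoint:
            missing = sorted(REQUIRED_OPTIONS - entry["options"])
            return {"device": entry["device"], "fstype": entry["fstype"],
                    "missing": missing, "hardened": not missing}
    return None


def check_live(mountpoint):
    """Same check against the running host (assumes Linux)."""
    with open("/proc/self/mounts") as f:
        return check_mount(parse_mounts(f.read()), mountpoint)


# Constructed sample in /proc/mounts format: the first line is how a desktop
# auto-mounter typically attaches a USB disk (rw, and no noexec); the second
# is the mount you want for inspection.
SAMPLE_MOUNTS = """\
/dev/sdb1 /media/user/EXT\\040DRIVE vfat rw,nosuid,nodev,relatime,uid=1000 0 0
/dev/sdc1 /mnt/suspect ext4 ro,nosuid,nodev,noexec,relatime 0 0
"""

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNTS)
    for mp in ("/media/user/EXT DRIVE", "/mnt/suspect"):
        print(mp, check_mount(mounts, mp))
```

The intended mount is `mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/suspect`; if the check reports the auto-mounter's rw mount instead, unmount it first. Keep in mind what noexec does and does not do: the kernel refuses to execute or map executable pages from files on that mount, but an interpreter run from the host (`sh /mnt/suspect/script.sh`, `python /mnt/suspect/x.py`) still reads and runs the content, so the rule in the answer, don't run anything off that drive, still applies to you and not just to the OS.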