
Background

For a long time now, I've been working to remove a persistent, if not permanent, malware presence on my computers and phones. Every attempt at removal has been unsuccessful to date, by me and many others. Over time I've seen indications of a "hidden" UDF file system on the machines, which was finally confirmed (to an extent) yesterday, when I began looking for UDF file system application tools to investigate my suspicions and found udfclient and udftools for Linux. Running the udfdump application included with the udftools package gave the output shown below, but simply put, I am not a professional in this field and need help with interpretation, understanding and resolution.
My interpretation of the information is that there is a binding connection between my PC, Android devices and a remote server under the control of whoever is behind the attack. From my previous experiences, I believe I am either being reinfected every time I connect to the internet after a clean OS re-install (due to the remote connection), or I have not been successful in any attempt at removal and have been infected since day one.

Questions

  1. Can someone briefly explain the general networking concept of how this network connection is ever present, even after formatting the hard drive and reinstalling the OS? The behavior of the malware and network connection resembles the characteristics of a firmware virus, which I have not ruled out, and I'm not certain what I've posted below is enough information to make a conclusion.

  2. Are the "tags" I see mentioned in the output below, enabling the persistence of the malware, or is there not enough information to answer that question with certainty?

  3. The third line of the output has me a little hung up on what is being referenced by the 'disk' device; is this just meaning the main hard drive and not a reference to some other storage disk such as a virtual drive for example?

  4. How do I permanently remove the connections and tags seen from the output of the udfdump application?

FYI... I have removed the large majority of the mappings to condense the length, and if there is a request to see the full version, I will update the post accordingly upon request.

ubuntu@ubuntu:~$ sudo udfdump -S -s -t -u 5 /dev/sda
Opening disc:
UDF: warning... reading/writing on 'disc' device
Sequential dump of device/file (sector size 512)
00005206     5206   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          ( 256 00 00 at 00:00:00.01.00.00)
            Interchange level                  65280
            Max interchange level              0
            Charset lists                      0
            Max charset lists                  0
            Fileset number                     16812048
            Fileset descriptor number          0
            Logical volume id                  (roughly) `�`
            Fileset id                         (roughly) `�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) `0`
            DomainId `` (UDFv 30fe; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for 16814354 bytes
            Next extend for fileset  at sector 0 within partion space 256 for 16832274 bytes
            Streamdir ICB found      at sector 0 within partion space 65042 for 12542 bytes

00011115    11115   TAG: descriptor 0, serial_num 0 at sector 33562667, crc length 0 bytes
        Sparing table descriptor
            Sparing table Id  `` (UDFv 7269; unknown OS (102, 110) ) (flags=0)
            Relocation table entries          17605
            Sequence number                   512
            Mappings :
                [00000300 -> b7270000]   [802b0000 -> 04000200]   [03000000 -> 00000000]   [0000c927 -> 0200402c]   
                [00000400 -> 00000300]   [de270000 -> 80da0000]   [04000000 -> 03000000]   [00000000 -> 0000eb27]   
                [0200e02c -> 00000400]   [00000300 -> fb270000]   [e0da0000 -> 04000000]   [03000000 -> 00000000]   
                [00000928 -> 0200602d]   [00000400 -> 78350300]   [5f633039 -> 80c76200]   [02000300 -> 03000000]   
                [30395835 -> 75785f61]   [0200c02f -> 00000400]   [00000300 -> 1a280000]   [002f0000 -> 04000200]   
                [03000000 -> 00000000]   [00002628 -> 0300f2ca]   [00000200 -> 00000300]   [3c280000 -> 29cd0000]   
                [02000300 -> 03000000]   [00000000 -> 00005428]   [030034cd -> 00000200]   [00000300 -> 68280000]   
                [59cd0000 -> 02000300]   [03000000 -> 00000000]   [00008028 -> 02004030]   [00000400 -> 61750300]   
                [6765785f -> 38ce7400]   [02000300 -> 03000000]   [00000000 -> 00009528]   [0300b2d3 -> 00000200]   
                [00000300 -> a7280000]   [ccd30000 -> 02000300]   [03000000 -> 00000000]   [0000bb28 -> 0300eed3]   
-> 00537370]   [4554584e -> 5f694944]   [504b7400 -> 375f4353]   [474e5349 -> 5f694544]   
                [41537400 -> 5f554e31]   [56454e49 -> 414c5253]   [52495354 -> 5f694e47]   [504b7400 -> 31324353]   
                [41465f53 -> 41474542]   [6974535f -> 4353004f]   [5245505f -> 4e465149]   [69744f5f -> 534e0041]   
                [5052315f -> 5441494e]   [455f424c -> 004f6974]   [505f4353 -> 52565345]   [454c4943 -> 5f694f43]   
                [4f437400 -> 5f535350]   [474c494e -> 45534552]   [6974505f -> 4b430050]   [5f455337 -> 5f434e43]   
                [54454f4e -> 5f694e54]   [76337400 -> 65795f6b]   [73615f75 -> 00506765]   [53314b43 -> 4d41325f]   
                [4441435f -> 5f695441]   [504b7400 -> 375f4353]   [5645454e -> 50454c4f]   [74005f69 -> 4e454745]   
                [4c5f5241 -> 4d454e41]   [74005f69 -> 4353504b]   [4154375f -> 5f565452]   [49464552 -> 6974595f]   
                [46490045 -> 45525f43]   [5253545f -> 30344132]   [4755385f -> 004f4944]   [45525448 -> 4d454e41]   
                [74005f69 -> 6163636d]   [6b655f70 -> 6d65795f]   [00457468 -> 5f434649]   [545f4552 -> 41355348]   
                [5f473132 -> 44005549]   [495f4546 -> 4e53434f]   [455f4f4c -> 4e54434f]   [4c5f524f -> 49444755]   
                [335f0076 -> 735f746c]   [61746665 -> 65007572]   [495f4546 -> 41444c4f]   [5f494544 -> 47454d41]   
                [55495f47 -> 45464400]   

06151999  6151999   TAG: descriptor 242, serial_num 1327 at sector -1, crc length 0 bytes

06405538  6405538   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (55043 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     -687621991
            Fileset descriptor number          0
            Logical volume id                  (roughly) `��`
            Fileset id                         (roughly) `��`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for -670873468 bytes
            Next extend for fileset  at sector 0 within partion space 256 for -670832508 bytes
            Streamdir ICB found      at sector 0 within partion space 22668 for 4096 bytes

06405541  6405541   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (55811 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     -637302650
            Fileset descriptor number          0
            Logical volume id                  (roughly) `��`
            Fileset id                         (roughly) `p�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for -620531642 bytes
            Next extend for fileset  at sector 0 within partion space 256 for -620523450 bytes
            Streamdir ICB found      at sector 0 within partion space 41030 for 4096 bytes

06405544  6405544   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (58115 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     -452761461
            Fileset descriptor number          0
            Logical volume id                  (roughly) `P�`
            Fileset id                         (roughly) `�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for -435951613 bytes
            Next extend for fileset  at sector 0 within partion space 256 for -435961788 bytes
            Streamdir ICB found      at sector 0 within partion space 47308 for 4096 bytes

06405547  6405547   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (59395 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     -402442163
            Fileset descriptor number          0
            Logical volume id                  (roughly) �`
            Fileset id                         (roughly) `��`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for -385638366 bytes
            Next extend for fileset  at sector 0 within partion space 256 for -385642247 bytes
            Streamdir ICB found      at sector 0 within partion space 8442 for 4096 bytes

06405550  6405550   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (63235 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     -150765387
            Fileset descriptor number          0
            Logical volume id                  (roughly) `@�`
            Fileset id                         (roughly) `H�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for -100429784 bytes
            Next extend for fileset  at sector 0 within partion space 256 for -100431812 bytes
            Streamdir ICB found      at sector 0 within partion space 16500 for 4096 bytes

06405553  6405553   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          ( 260 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     33820753
            Fileset descriptor number          0
            Logical volume id                  (roughly) `@`
            Fileset id                         (roughly) `x`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for 50657380 bytes
            Next extend for fileset  at sector 0 within partion space 256 for 50640997 bytes
            Streamdir ICB found      at sector 0 within partion space 6246 for 4096 bytes

06405556  6405556   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (2052 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     134510821
            Fileset descriptor number          0
            Logical volume id                  (roughly) `�
`
            Fileset id                         (roughly) `�
                                                                       `
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for 218390625 bytes
            Next extend for fileset  at sector 0 within partion space 256 for 218415306 bytes
            Streamdir ICB found      at sector 0 within partion space 53450 for 4096 bytes

06405559  6405559   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (3844 00 00 at 00:00:00.01.00.00)
            Interchange level                  61955
            Max interchange level              0
            Charset lists                      4096
            Max charset lists                  0
            Fileset number                     251953284
            Fileset descriptor number          0
            Logical volume id                  (roughly) ```
            Fileset id                         (roughly) `�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 1000; no write protect ) (flags=0)
            Rootdir ICB found        at sector 0 within partion space 256 for 251977912 bytes
            Next extend for fileset  at sector 0 within partion space 256 for 251920569 bytes
            Streamdir ICB found      at sector 0 within partion space 4281 for 4096 bytes

06657853  6657853   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 01 at 00:00:218.218.00.00)
            Interchange level                  0
            Max interchange level              0
            Charset lists                      0
            Max charset lists                  0
            Fileset number                     256
            Fileset descriptor number          56282
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) `�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 60890 within partion space 0 for 256 bytes
            Next extend for fileset  at sector 0 within partion space 0 for 0 bytes
            Streamdir ICB found      at sector 0 within partion space 0 for 61658 bytes

06658744  6658744   TAG: descriptor 256, serial_num 0 at sector 50701, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 29 at 00:00:00.01.00.00)
            Interchange level                  512
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  6781
            Fileset number                     0
            Fileset descriptor number          256
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 22367 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 7424 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 5472 within partion space 256 for 256 bytes

06658874  6658874   TAG: descriptor 256, serial_num 0 at sector 7424, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 02 at 00:00:00.01.00.00)
            Interchange level                  25508
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  4913
            Fileset number                     256
            Fileset descriptor number          7424
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 512 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 8241 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 512 within partion space 256 for 256 bytes

06662434  6662434   TAG: descriptor 256, serial_num 0 at sector 27024, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 30 24 at 00:00:00.01.00.00)
            Interchange level                  7680
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  1280
            Fileset number                     256
            Fileset descriptor number          15759
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 3614 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 1280 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 4126 within partion space 256 for 256 bytes

06663083  6663083   TAG: descriptor 256, serial_num 0 at sector 0, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 01 at 00:00:234.234.00.00)
            Interchange level                  0
            Max interchange level              0
            Charset lists                      0
            Max charset lists                  0
            Fileset number                     256
            Fileset descriptor number          60394
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) `�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 65002 within partion space 0 for 256 bytes
            Next extend for fileset  at sector 0 within partion space 0 for 0 bytes
            Streamdir ICB found      at sector 0 within partion space 0 for 235 bytes

06663713  6663713   TAG: descriptor 256, serial_num 0 at sector 23966, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 43 18 at 00:00:00.01.00.00)
            Interchange level                  7680
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  768
            Fileset number                     256
            Fileset descriptor number          24222
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) `�`
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 7680 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 926 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 7680 within partion space 256 for 256 bytes

06663927  6663927   TAG: descriptor 256, serial_num 0 at sector 7680, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 03 at 00:00:00.01.00.00)
            Interchange level                  23971
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  4400
            Fileset number                     256
            Fileset descriptor number          7680
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 768 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 7728 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 768 within partion space 256 for 256 bytes

06664149  6664149   TAG: descriptor 256, serial_num 0 at sector 7680, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 06 at 00:00:00.01.00.00)
            Interchange level                  1379
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  62977
            Fileset number                     256
            Fileset descriptor number          7680
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 1536 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 43522 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 1536 within partion space 256 for 256 bytes

06664162  6664162   TAG: descriptor 256, serial_num 0 at sector 7680, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 06 at 00:00:00.01.00.00)
            Interchange level                  2403
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  62977
            Fileset number                     256
            Fileset descriptor number          7680
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 1536 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 43522 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 1536 within partion space 256 for 256 bytes

06664218  6664218   TAG: descriptor 256, serial_num 0 at sector 27165, crc length 0 bytes
        Fileset descriptor
            Timestamp                          (   0 00 30 at 00:00:00.01.00.00)
            Interchange level                  768
            Max interchange level              0
            Charset lists                      256
            Max charset lists                  1678
            Fileset number                     256
            Fileset descriptor number          27421
            Logical volume id                  (roughly) ``
            Fileset id                         (roughly) ``
            Copyright file id                  (roughly) ``
            Abstract file id                   (roughly) ``
            DomainId `` (UDFv 100; no write protect ) (flags=0)
            Rootdir ICB found        at sector 7680 within partion space 256 for 256 bytes
            Next extend for fileset  at sector 5006 within partion space 256 for 256 bytes
            Streamdir ICB found      at sector 7680 within partion space 256 for 256 bytes

06838156 Segmentation fault
Comments

`udfdump` assumes that you are using it against a UDF file system and will try to interpret everything accordingly, even if no UDF file system is there. *"My interpretation of the information is that there is a binding connection between my PC, Android devices and a remote server under the control of whoever is behind the attack."* - None of the information provided suggests anything like a network or similar, and I have no idea how you came to this conclusion. Given this strange information and your unclear conclusions, I propose to close the question as unclear. – Steffen Ullrich Jan 12 '19 at 11:58

It may be better to start with explaining what technical symptoms you are dealing with that indicate you are being continually exploited. With that information, you could theoretically be assisted in identifying the source of the technical frustration, rather than starting with the assumption that an attacker out there has nothing better to do than swat down your devices every time you connect to the internet. – Connor Peoples Jan 12 '19 at 14:24
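Added example (not part of the question, the comments, or the udftools/udfclient projects): the script below shows why a sequential tag scan reports "descriptors" on a disk that holds no UDF file system, which is the point the first comment makes and the substance of question 2. A genuine ECMA-167 descriptor tag, the 16-byte header udfdump prints as "TAG", carries a checksum over itself, a CRC over the descriptor body and the sector number it was written to, and a real UDF volume also starts a volume recognition sequence (BEA01 / NSR02 or NSR03 / TEA01) at byte 32768. Entries like "descriptor 256, serial_num 0 at sector 0, crc length 0 bytes" found thousands of sectors away from sector 0 fail those checks. The disk image the script scans is constructed inline; its sector layout, the sector numbers 3, 40 and 90, and the filler text are assumptions made for the demonstration, and udfdump's own code is not reproduced.

```python
"""Verify the 'descriptor tags' that a sector-by-sector scan of a raw disk reports.
An ECMA-167 descriptor tag (the 16-byte header udfdump prints as "TAG") carries a
checksum, a CRC over the descriptor body and its own sector number, so every
candidate can be checked rather than taken at face value."""
import struct

SECTOR = 512                       # sector size udfdump reported for /dev/sda
TAG_FMT = "<HHBBHHHI"              # id, version, checksum, reserved, serial, crc, crc length, location
KNOWN_TAG_IDS = set(range(1, 10)) | set(range(256, 267))   # ECMA-167 parts 3 and 4
VSD_IDENTS = ("BEA01", "NSR02", "NSR03", "TEA01", "BOOT2")  # volume recognition sequence

def crc16_ccitt(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0 (ECMA-167 3/7.2.6)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)) & 0xFFFF
    return crc

def tag_checksum(tag: bytes) -> int:
    """Sum of tag bytes 0-3 and 5-15 modulo 256 (ECMA-167 3/7.2.3)."""
    return (sum(tag[:4]) + sum(tag[5:16])) & 0xFF

def tag_problems(sector: bytes, lsn: int) -> list:
    """Every reason this sector is NOT a valid descriptor tag; [] means it verifies."""
    ident, _ver, csum, _res, _serial, crc, crc_len, loc = struct.unpack_from(TAG_FMT, sector)
    problems = []
    if ident not in KNOWN_TAG_IDS:
        problems.append(f"unknown tag identifier {ident}")
    if csum != tag_checksum(sector[:16]):
        problems.append("tag checksum mismatch")
    if loc != lsn:
        problems.append(f"tag location {loc} != sector {lsn}")
    if 16 + crc_len > len(sector):
        problems.append(f"CRC length {crc_len} exceeds sector")
    elif crc != crc16_ccitt(sector[16:16 + crc_len]):
        problems.append("descriptor CRC mismatch")
    return problems

def build_descriptor(tag_id: int, lsn: int, body: bytes, serial: int = 1) -> bytes:
    """One sector holding a correctly tagged descriptor (tag + zero-padded body)."""
    body = body.ljust(SECTOR - 16, b"\0")
    head = struct.pack(TAG_FMT, tag_id, 3, 0, 0, serial, crc16_ccitt(body), len(body), lsn)
    return head[:4] + bytes([tag_checksum(head)]) + head[5:] + body

def scan_image(image: bytes) -> dict:
    """Sequential scan: every sector whose first two bytes spell a known tag
    identifier, mapped to (tag identifier, verification problems)."""
    report = {}
    for lsn in range(len(image) // SECTOR):
        sector = image[lsn * SECTOR:(lsn + 1) * SECTOR]
        ident = struct.unpack_from("<H", sector)[0]
        if ident in KNOWN_TAG_IDS:
            report[lsn] = (ident, tag_problems(sector, lsn))
    return report

def volume_recognition_sequence(image: bytes) -> list:
    """Identifiers of the 2048-byte volume structure descriptors a UDF volume records
    from byte 32768 onward (ECMA-167 part 2); an empty list means no UDF volume."""
    found, offset = [], 32768
    while offset + 2048 <= len(image):
        ident = image[offset + 1:offset + 6].decode("ascii", "replace")
        if ident not in VSD_IDENTS:
            break
        found.append(ident)
        offset += 2048
        if ident == "TEA01":
            break
    return found

def make_test_image(with_vrs: bool) -> bytes:
    """Constructed 100-sector image: ordinary data everywhere, one genuine File Set
    Descriptor (tag 256) at sector 40, and two sectors (3 and 90) that merely begin
    with the bytes 00 01, which a tag-id-only scan reads as identifier 256."""
    filler = (b"ordinary file contents, not a UDF descriptor; " * 12)[:SECTOR]
    sectors = [filler] * 100
    sectors[3] = sectors[90] = bytes(range(256)) * 2
    sectors[40] = build_descriptor(256, 40, b"file set body (constructed)")
    image = b"".join(sectors)
    if with_vrs:   # splice BEA01 / NSR02 / TEA01 in at byte 32768
        vsd = lambda ident: (b"\0" + ident + b"\x01").ljust(2048, b"\0")
        image = (image[:32768] + vsd(b"BEA01") + vsd(b"NSR02") + vsd(b"TEA01")
                 + image[32768 + 3 * 2048:])
    return image

if __name__ == "__main__":
    for with_vrs in (False, True):
        image = make_test_image(with_vrs)
        print("volume recognition sequence:", volume_recognition_sequence(image) or "none")
        for lsn, (ident, problems) in sorted(scan_image(image).items()):
            print(f"  sector {lsn:3d} tag {ident}: {problems or 'verifies'}")
```

Run as a script, it reports sectors 3 and 90 as tag 256 with three problems each (checksum, location, CRC length) and sector 40 as the only tag that verifies; the image without a volume recognition sequence reports none, which is the first thing to check on any device before trusting a descriptor dump. On a real disk the same three tag checks apply to every "TAG" line udfdump printed: a File Set Descriptor whose tag location field says sector 0 while it was found at sector 5206, with a CRC length of 0, is not a descriptor anyone wrote, but sixteen bytes of unrelated data that happen to start with 00 01.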

0 Answers