Malware That Can Survive OS Reinstalls


  1. Posts : 11,247
    Windows / Linux : Arch Linux
       #20

    dustymars said:
    I forgot all that; I got started in computers only 60 years ago.
    !!! I don't think the users, though, seem to have got more savvy over the years.

    Anyway, the mechanics of bootstrap are quite simple:

    1) At power on, the computer, via hardware, executes one instruction stored at a specific address in the computer's ROM / EPROM / firmware.

    2) This instruction simply says "Load the block of code at address xxxx and then start executing it."

    3) This block of code starts loading the rest of the BIOS, which can initialize the screen and keyboard, detect any user input, etc., and then loads the boot disc, etc.

    Loading the OS is the point at which hacking is theoretically possible, as this proceeds similarly: sector 0 on the relevant HDD is read, which then tells the computer to read a chunk of code from another part of the HDD and start executing it. This loads the rest of the OS into the system, including, in the case of UEFI machines, the EFI partition, OS boot code, etc.

    On older systems the BIOS was in the firmware, so it was almost impossible to be hacked from the outside.
    On modern systems the BIOS is stored in flash memory, which is hackable (with difficulty) from the outside, but any sensible OS will protect this area from being written to except by authorised code, such as at boot if the user wants to alter the boot sequence; then those changes will be written by the BIOS program to the BIOS CMOS. It's not worth the hacker's time or effort to exploit anything here on typical home computers. The cost of doing so would be far more than the "supposed" reward.

    In fact, this is far from a "blind us with science" reply; it should reassure most people that there's almost zero chance of the BIOS on a home computer being compromised.

    Sometimes, if people were a little bit more knowledgeable, they wouldn't get scammed by obvious scams or be sold useless products that even snake oil would be preferable to.


    Cheers
    jimbo
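    The legacy step jimbo describes ("sector 0 on the relevant HDD is read, which then tells the computer to read a chunk of code from another part of the HDD") is worth seeing in code, because it shows why that stage is attackable: the only check a BIOS makes on sector 0 is the two-byte 0x55AA signature, not any integrity or authenticity check. The example below is added here and is not code from the thread or from any firmware; it parses a constructed 512-byte MBR using the classic layout (partition table at offset 446, four 16-byte entries, signature at offset 510) and returns the LBA a legacy bootstrap would read the next stage from. The sample sector bytes are constructed for the demonstration.

```c
/* Added example, not from the thread: emulate the legacy-BIOS decision made
 * on sector 0 (the MBR). Offsets follow the classic MBR layout; the sample
 * sector is constructed here, not taken from a real disk. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE     512
#define PART_TABLE_OFF  446
#define PART_ENTRY_SIZE 16
#define MBR_SIG_OFF     510

typedef struct {
    uint8_t  bootable;   /* 0x80 = active, 0x00 = inactive */
    uint8_t  type;       /* partition type id, e.g. 0x07 NTFS, 0xEE protective GPT */
    uint32_t lba_start;  /* first sector of the partition (little-endian on disk) */
    uint32_t sectors;    /* length in sectors */
} part_entry_t;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* 1 if the sector ends with the 0x55AA boot signature, else 0.
 * This is the ONLY validation a legacy BIOS performs on the boot code. */
int mbr_has_signature(const uint8_t *sector) {
    return sector[MBR_SIG_OFF] == 0x55 && sector[MBR_SIG_OFF + 1] == 0xAA;
}

/* Decode partition entry i (0..3) into *out. Returns 0 on a bad index. */
int mbr_read_entry(const uint8_t *sector, int i, part_entry_t *out) {
    if (i < 0 || i > 3) return 0;
    const uint8_t *e = sector + PART_TABLE_OFF + i * PART_ENTRY_SIZE;
    out->bootable  = e[0];
    out->type      = e[4];
    out->lba_start = rd_le32(e + 8);
    out->sectors   = rd_le32(e + 12);
    return 1;
}

/* Emulate the bootstrap decision: signature present and exactly one active
 * partition with a non-zero start. Returns the LBA the next stage (the volume
 * boot record) would be read from, or -1 if the disk is not bootable. */
long mbr_boot_lba(const uint8_t *sector) {
    if (!mbr_has_signature(sector)) return -1;
    long chosen = -1;
    int active = 0;
    for (int i = 0; i < 4; i++) {
        part_entry_t pe;
        mbr_read_entry(sector, i, &pe);
        if (pe.bootable == 0x80) {
            active++;
            if (pe.lba_start != 0) chosen = (long)pe.lba_start;
        }
    }
    return active == 1 ? chosen : -1;
}

/* Constructed sample MBR: one active NTFS partition starting at LBA 2048,
 * 0x100000 sectors long. The "boot code" is a stand-in 2-byte jmp. */
void build_sample_mbr(uint8_t *sector) {
    memset(sector, 0, SECTOR_SIZE);
    sector[0] = 0xEB; sector[1] = 0xFE;                      /* jmp $ */
    uint8_t *e = sector + PART_TABLE_OFF;
    e[0] = 0x80; e[4] = 0x07;                                /* active, NTFS */
    e[8] = 0x00; e[9] = 0x08; e[10] = 0x00; e[11] = 0x00;    /* LBA 2048 LE */
    e[12] = 0x00; e[13] = 0x00; e[14] = 0x10; e[15] = 0x00;  /* 0x100000 sectors */
    sector[MBR_SIG_OFF] = 0x55; sector[MBR_SIG_OFF + 1] = 0xAA;
}

int main(void) {
    uint8_t mbr[SECTOR_SIZE];
    build_sample_mbr(mbr);
    long lba = mbr_boot_lba(mbr);
    printf("boot signature: %s\n", mbr_has_signature(mbr) ? "present" : "absent");
    printf("next stage would be read from LBA %ld\n", lba);
    return lba < 0;
}
```

    The point to take from it: anything that can write the 446 bytes of boot code in that sector, or the sector at the chosen LBA, gets executed before the OS exists, and the signature check will still pass. That is the legacy bootkit model the thread is contrasting with firmware-resident malware, and it is what UEFI Secure Boot replaces with a signature check on the actual boot binaries.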


  2. Posts : 342
    Windows 10 Pro
       #21

    dencal said:
    The usual "trying to blind us with science" reply.
    If Kaspersky state, as explained in the first post, successfully infiltrated, you can take it pretty well as fact.
    Quote from your above post: "So almost impossible to hack the power on 'boot' -- even if the HDD boot sectors can be hacked." Emphasis on the word "ALMOST".

    As for being worried personally about my home computers... no chance... nothing on them of any importance to any government.
    ...and for the record, my nuclear codes are not kept online... I keep them in cold storage... in the refrigerator... which is not IoT connected...


  3. Posts : 7,909
    Windows 11 Pro 64 bit
       #22

    galileo said:
    ...and for the record, my nuclear codes are not kept online... I keep them in cold storage... in the refrigerator... which is not IoT connected...
    Is that why we referred to the Cold War?


  4. Posts : 1,746
    Windows 10 Pro x64 22H2
       #23

    galileo said:
    ...and for the record, my nuclear codes are not kept online... I keep them in cold storage... in the refrigerator... which is not IoT connected...
    Haha
    I reserve the right for preemptive strike!


  5. Posts : 1,079
    10 + Linux
       #24

    Trojan:IntelUpdate.exe


    According to the article on the first post, to remove the malware, Kaspersky Lab said a victim would need to update a motherboard's firmware to a legitimate version.

    Doesn't sound very hard.

    The malware has an Intel executable file. Not sure it would run on AMD?


  6. Posts : 624
    Windows 10 Pro 21H2 x64
       #25

    Highly suspicious of it being a CSME exploit. Looks like if you have a PC with a 9th-gen Core i-series or earlier and the motherboard manufacturer EOL'ed your model, then you're doomed.


  7. Posts : 428
    Windows 11 pro X64 latest
       #26

    To hack the UEFI with malicious code remotely from Windows, you need Device Manager to expose this device:
    [Screenshot of the Device Manager entry, not reproduced here]

    If it's not exposed, they can't.
    For example, my ASRock Z97 is fully in UEFI mode but doesn't expose this device in Device Manager, because you can only update your BIOS from within UEFI with a USB stick.


  8. Posts : 342
    Windows 10 Pro
       #27

    Steve C said:
    Is that why we referred to the Cold War?
    Indeed... it was a "hot" time in the old icebox... LOL

    - - - Updated - - -

    zebal said:
    Haha
    I reserve the right for preemptive strike!
    Well, my wife is an expert at the preemptive strike... every time it looks as though I might not agree with her plans...

    - - - Updated - - -

    MikeMecanic said:
    According to the article on the first post, to remove the malware, Kaspersky Lab said a victim would need to update a motherboard's firmware to a legitimate version.

    Doesn't sound very hard.

    The malware has an Intel executable file. Not sure it would run on AMD?
    ...and just how believable would it be that a "malware" package would "only" run on what the malware file name suggests...


  9. Posts : 3,105
    W10 Pro + W10 Preview
       #28

    MikeMecanic said:
    According to the article on the first post, to remove the malware, Kaspersky Lab said a victim would need to update a motherboard's firmware to a legitimate version.

    Doesn't sound very hard.

    The malware has an Intel executable file. Not sure it would run on AMD?
    If it can infiltrate the original legitimate firmware... what would be the point of updating the firmware to the original legitimate version?... back to square one...


  10. Posts : 342
    Windows 10 Pro
       #29

    dencal said:
    If it can infiltrate the original legitimate firmware... what would be the point of updating the firmware to the original legitimate version?... back to square one...
    "If" - and note the "if" - flashing the firmware EPROM from a boot key "replaces" rather than updates the firmware, then you will have flushed the malware... again note the "if"... of course this assumes that the malware did not also reside on the hard drive as well...


Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
© Designer Media Ltd