How to install undetectable malware on a hard drive

Short and simple:  How to install undetectable malware on a computer.

In 2012, I started giving public presentations on how to hide data in hard drives in ways that state-of-the-art forensic software cannot detect. I gave them at computer forensics conferences.  You may read a sample abstract from one of these conferences here:

http://www.usacybercrime.com/agenda/presentation_detail?show_id=81&id=5757

and I tweeted about it here, for another event:

Nobody really cared, at least no one I knew about.

Basically, what I said in those presentations is that a variety of hooks and tools exist which allow a very technical team to install data (or programs) on computers in ways which will survive a reboot, a cold start, a reinstallation of the operating system, or a complete reformatting of the hard drive, because the payload lives inside the drive itself rather than in any partition the host can see.

You can see my concluding slide here, where I predicted the underpinnings of the hack which is just now making news:

Concluding slides: Service Area Hacking; Sophisticated Service Area Hacking

For the following to make sense, you need a rudimentary understanding of sectors, partitions, and so forth.  Assuming you pass that test, here, in a nutshell, is how it is done:

1)  A hard drive has an area which the host computer can address (the user-addressable sectors, organized into partitions), and another area which the user cannot reach at all.    Your data, programs, partitions, and slack space all reside in the accessible area.

2)  The drive manufacturer reserves that second area for its own use; it is often called the service area (or system area).  It is inaccessible except through vendor-specific, specially privileged commands, and it is used to manage spare sectors (when some magnetic media flakes off, the hard drive automatically repairs itself by substituting a reserved replacement sector, and the record of that substitution is kept in the service area).

3)  The service area also usually contains the firmware which the hard drive's own processor literally boots from.  The drive controller holds only a small boot loader in ROM; the bulk of the firmware is loaded from the service area when the drive spins up.  In other words, before your computer can boot off the hard drive, the hard drive must boot itself and start working, and it does that from the service area.

4)  If you hack that boot code, you control the drive: it can return different data than was written, hide sectors, or reinstall a payload after the disk has been wiped, and nothing running on the host can tell, because the host only ever sees what the firmware chooses to return.

5)  The boot code is just another computer program.  You never see it, because it is hidden in the service area and is proprietary to Seagate, Western Digital, Hitachi, et al., all the major hard drive manufacturers.

6)  But if you can dig into the service area and figure out how the code works, you can maliciously change it.
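As an added example (this is not code from the original post), here is a small C parser for the ATA IDENTIFY DEVICE response, the 512-byte structure through which the host learns everything it is allowed to know about a drive: model, serial number, firmware revision string, the user-addressable sector count, and whether the HPA and DCO features (which can shrink that count further) are supported. The sample buffer is constructed inline with made-up model and serial strings; the word offsets and string packing follow the ATA specification. The security point is in what is absent: the service area is never counted or exposed here at all, and the firmware revision is reported by the very firmware you are trying to verify.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields decoded from ATA IDENTIFY DEVICE (512 bytes = 256 16-bit words). */
struct ata_identity {
    char serial[21];        /* words 10-19, 20 ASCII chars */
    char firmware[9];       /* words 23-26, 8 ASCII chars */
    char model[41];         /* words 27-46, 40 ASCII chars */
    uint32_t lba28_sectors; /* words 60-61 (capped at 0x0FFFFFFF on big drives) */
    uint64_t lba48_sectors; /* words 100-103, 0 if 48-bit LBA is unsupported */
    int hpa_supported;      /* word 82 bit 10: Host Protected Area feature set */
    int dco_supported;      /* word 83 bit 11: Device Configuration Overlay */
};

/* ATA packs each pair of string characters into one 16-bit word with the
 * first character in the high byte; undo that and strip trailing blanks. */
static void ata_string(const uint16_t *w, int nwords, char *out)
{
    int n = 0;
    for (int i = 0; i < nwords; i++) {
        out[n++] = (char)(w[i] >> 8);
        out[n++] = (char)(w[i] & 0xff);
    }
    out[n] = '\0';
    while (n > 0 && out[n - 1] == ' ')
        out[--n] = '\0';
}

/* Returns 0 on success, -1 if the buffer does not describe an ATA disk. */
int parse_identify(const uint16_t w[256], struct ata_identity *id)
{
    if (w[0] & 0x8000)          /* word 0 bit 15 set: ATAPI, not a disk */
        return -1;
    ata_string(&w[10], 10, id->serial);
    ata_string(&w[23], 4, id->firmware);
    ata_string(&w[27], 20, id->model);
    id->lba28_sectors = (uint32_t)w[60] | ((uint32_t)w[61] << 16);
    id->lba48_sectors = 0;
    if (w[83] & (1u << 10))     /* word 83 bit 10: 48-bit addressing supported */
        id->lba48_sectors = (uint64_t)w[100] | ((uint64_t)w[101] << 16) |
                            ((uint64_t)w[102] << 32) | ((uint64_t)w[103] << 48);
    id->hpa_supported = (w[82] >> 10) & 1;
    id->dco_supported = (w[83] >> 11) & 1;
    return 0;
}

/* Sectors the host is allowed to address; everything else on the platters,
 * including the service area, is invisible to this interface. */
uint64_t user_sectors(const struct ata_identity *id)
{
    return id->lba48_sectors ? id->lba48_sectors : id->lba28_sectors;
}

/* Helper for the constructed sample: pack ASCII into ATA word order. */
static void pack_string(uint16_t *w, int nwords, const char *s)
{
    size_t len = strlen(s);
    for (int i = 0; i < nwords; i++) {
        unsigned hi = (size_t)(2 * i) < len ? (unsigned char)s[2 * i] : ' ';
        unsigned lo = (size_t)(2 * i + 1) < len ? (unsigned char)s[2 * i + 1] : ' ';
        w[i] = (uint16_t)((hi << 8) | lo);
    }
}

/* Constructed IDENTIFY buffer for a hypothetical 2 TB drive (not a real unit). */
void build_sample_identify(uint16_t w[256])
{
    memset(w, 0, 256 * sizeof(uint16_t));
    pack_string(&w[10], 10, "CONSTRUCTED-0001");
    w[23] = 0x4657; w[24] = 0x3031; w[25] = 0x2E32; w[26] = 0x4120; /* "FW01.2A " */
    pack_string(&w[27], 20, "EXAMPLE HDD 2000GB");
    w[49] = 1u << 9;                                /* LBA supported */
    w[60] = 0xFFFF; w[61] = 0x0FFF;                 /* 28-bit count saturated */
    w[82] = 1u << 10;                               /* HPA feature set */
    w[83] = (1u << 14) | (1u << 11) | (1u << 10);   /* valid, DCO, 48-bit LBA */
    w[86] = 1u << 10;                               /* 48-bit LBA enabled */
    w[100] = 0x88B0; w[101] = 0xE8E0;               /* 3907029168 sectors */
}

int main(void)
{
    uint16_t w[256];
    struct ata_identity id;
    build_sample_identify(w);
    if (parse_identify(w, &id) != 0)
        return 1;
    printf("model=%s serial=%s fw=%s sectors=%llu hpa=%d dco=%d\n",
           id.model, id.serial, id.firmware,
           (unsigned long long)user_sectors(&id), id.hpa_supported, id.dco_supported);
    return 0;
}
```

Comparing the firmware revision and reported sector count across a fleet of drives of the same model is a cheap consistency check (a drive that reports a different revision from its peers, or fewer sectors than its label, deserves a closer look), but it is not proof of integrity: modified firmware answers IDENTIFY too, and can return whatever string it likes.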

Slide: The Service Area Contains Microcode for the HDD Processor.

Just about everything in my presentations was culled from existing web resources.  I listed them on the final slide of the presentation.  Here is that list, heavily redacted:

Resources slide: a list of web resources on service area hacking, up to three years old at the time.  Not really news.

The bottom line is that anyone who knows hard drives at this depth has already done things you don't know about, can't detect, and can't fix by reformatting.  Feeling small?

About James Wiebe:

James Wiebe is a digital forensic pioneer and an expert on hardware utilized in the forensic acquisition of hard drive data.  He started WiebeTech in the year 2000 and was soon designing forensic write-blocking hardware and highly portable, rugged storage systems.  He developed a list of federal, state and local customers who were at the forefront of digital investigations.  James (along with his wife, Kathy) sold the business in 2008 to CRU but has remained active within the field, and is a popular speaker and lecturer on digital forensics, especially on storage systems.  James is a 1979 graduate of Tabor College (Hillsboro, KS) and has a degree in mathematics with an emphasis on computer science.  James and Kathy have two children, and live in Wichita, KS.  James loves to fly, fly-fish, and camp in the wilderness.  In his spare time, he is developing an aerospace company, Belite Aircraft.

2 thoughts on “How to install undetectable malware on a hard drive”

  1. This article is well beyond my level, but I am concerned that with the increasing power of computers and their still human masters, most of us cannot detect when we are being manipulated against our interests. A recent piece on ‘On the Media’ on telemarketing ‘cyborgs’ comes to mind. Much of the talk about privacy, or noting how when you shop for something you start to notice ads for the thing everywhere, seems to miss that point. Still, these things are indeed something of a problem, perhaps, but what we don’t see or notice may hurt us much more. I appreciate your work. The misusers are out there. bert
