Forensic level hard drive tools?

Posted by Gregg Hill on April 20, 2006, 2:27 pm
Hello!

I have heard that some virus writers are now able to write their files into
a part of the hard drive that antivirus software cannot detect. It is
supposedly the part of the drive where the manufacturers store their
information. Even reformatting the drive does not get rid of the infection.

Are these claims even true? If so, do you know of any utilities to detect
and/or repair this type of virus or Trojan infection?

Thank you!

Gregg M. Hill



Posted by Ted Zieglar on April 20, 2006, 2:49 pm
You may be referring to something called a rootkit. While a full explanation
is beyond the scope of a news post, a rootkit makes itself part of the
operating system. This characteristic makes the rootkit invisible to
currently available antivirus and anti-malware software. In fact, any
software running on the operating system is unable to distinguish the
rootkit from the rest of the operating system.

As you can imagine, this is a most serious threat.

At present, there is no software available that can positively identify a
rootkit. There are a handful of programs that can identify abnormalities
that may be rootkits, but it's left to the user to decide whether or not the
findings are indeed rootkits. Since rootkits are invisible to software
running on the operating system, these programs examine the logical
structure of the hard disk. It takes a highly sophisticated knowledge of
file systems to do this. Fortunately, the same level of sophistication is
needed to create a rootkit in the first place, but you can bet it's only a
matter of time before this knowledge is assembled into a package that your
typical script-kiddie will try.

To my knowledge, rootkits cannot be removed -- unless the rootkit creator
provides specific instructions. The only way out is a clean install.


--
Ted Zieglar
"Backup is a computer user's best friend."

> Hello!
>
> I have heard that some virus writers are now able to write their files into
> a part of the hard drive that antivirus software cannot detect. It is
> supposedly the part of the drive where the manufacturers store their
> information. Even reformatting the drive does not get rid of the infection.
>
> Are these claims even true? If so, do you know of any utilities to detect
> and/or repair this type of virus or Trojan infection?
>
> Thank you!
>
> Gregg M. Hill
>
>

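The detection approach Ted describes (a program reading the disk's own structures and comparing them with what the running operating system reports) in a simplified form, as an added example that is not code from this thread or from any tool named in it. Both directory listings are constructed sample data, and the `hidden_driver.sys` path is a made-up placeholder, not a real file name.

```python
"""Cross-view rootkit detection, simplified.

A file that a raw parse of the file system sees but the operating
system's file API does not return is the discrepancy a detector
flags. The human operator still decides whether it is a rootkit.
Constructed sample data; a real tool would parse the volume itself.
"""
from typing import Dict, List, Tuple

Entry = Tuple[int, int]  # (size in bytes, modification time as epoch seconds)

# What the file API returned (constructed sample data).
API_VIEW: Dict[str, Entry] = {
    r"C:\Windows\system32\kernel32.dll": (984064, 1144000000),
    r"C:\Windows\system32\drivers\ntfs.sys": (574976, 1144000000),
    r"C:\Users\gregg\report.doc": (40960, 1145500000),
}

# What a raw parse of the on-disk structures found (constructed sample data).
RAW_VIEW: Dict[str, Entry] = {
    r"C:\Windows\system32\kernel32.dll": (984064, 1144000000),
    r"C:\Windows\system32\drivers\ntfs.sys": (574976, 1144000000),
    r"C:\Users\gregg\report.doc": (40960, 1145500000),
    # Placeholder name: present on disk but filtered out of the API view.
    r"C:\Windows\system32\drivers\hidden_driver.sys": (20480, 1145000000),
}


def cross_view_diff(api: Dict[str, Entry], raw: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """Return (path, finding) pairs where the two views disagree."""
    findings: List[Tuple[str, str]] = []
    for path, entry in raw.items():
        if path not in api:
            findings.append((path, "hidden: on disk but not returned by the file API"))
        elif api[path] != entry:
            findings.append((path, "metadata mismatch between API and raw view"))
    for path in api:
        if path not in raw:
            # Could be a file created between the two scans rather than malice,
            # so it is reported, not judged.
            findings.append((path, "API-only: reported by OS but absent on disk"))
    return findings


if __name__ == "__main__":
    for path, finding in cross_view_diff(API_VIEW, RAW_VIEW):
        print(f"{finding}: {path}")
```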

Posted by Gregg Hill on April 20, 2006, 3:17 pm
Ted,

I have been looking at http://research.microsoft.com/rootkit/ and
http://www.sysinternals.com/Utilities/RootkitRevealer.html to check the
system (I am going there Monday).

The guy who is sending me out has a brother who works for Homeland Security,
but he (his brother) will not reveal the name of the tools he uses. He
claims that the software is written to the drive and will survive fdisk and
even unconditional formatting.

Scary stuff!

Gregg Hill




> You may be referring to something called a rootkit. While a full explanation
> is beyond the scope of a news post, a rootkit makes itself part of the
> operating system. This characteristic makes the rootkit invisible to
> currently available antivirus and anti-malware software. In fact, any
> software running on the operating system is unable to distinguish the
> rootkit from the rest of the operating system.
>
> As you can imagine, this is a most serious threat.
>
> At present, there is no software available that can positively identify a
> rootkit. There are a handful of programs that can identify abnormalities
> that may be rootkits, but it's left to the user to decide whether or not the
> findings are indeed rootkits. Since rootkits are invisible to software
> running on the operating system, these programs examine the logical
> structure of the hard disk. It takes a highly sophisticated knowledge of
> file systems to do this. Fortunately, the same level of sophistication is
> needed to create a rootkit in the first place, but you can bet it's only a
> matter of time before this knowledge is assembled into a package that your
> typical script-kiddie will try.
>
> To my knowledge, rootkits cannot be removed -- unless the rootkit creator
> provides specific instructions. The only way out is a clean install.
>
>
> --
> Ted Zieglar
> "Backup is a computer user's best friend."
>
>> Hello!
>>
>> I have heard that some virus writers are now able to write their files into
>> a part of the hard drive that antivirus software cannot detect. It is
>> supposedly the part of the drive where the manufacturers store their
>> information. Even reformatting the drive does not get rid of the infection.
>>
>> Are these claims even true? If so, do you know of any utilities to detect
>> and/or repair this type of virus or Trojan infection?
>>
>> Thank you!
>>
>> Gregg M. Hill
>>
>>
>



Posted by Mark Randall on April 20, 2006, 6:05 pm
> Ted,
> The guy who is sending me out has a brother who works for Homeland
> Security, but he (his brother) will not reveal the name of the tools he
> uses. He claims that the software is written to the drive and will survive
> fdisk and even unconditional formatting.

I think it's maybe a little bit of spin - most highly secure systems will use a
combination of tools administered by an expert who knows the ins and outs of
both the software running and the kernel.

--
- Mark Randall
http://www.temporal-solutions.co.uk

"We're Systems and Networks..."
"It's our job to know..."




Posted by Kerry Brown on April 20, 2006, 3:11 pm
It is theoretically possible for a virus to update the firmware on a hard
drive so that the area of the drive where the virus exists can't be read by
Windows. It's unlikely because to the best of my knowledge each manufacturer
and probably most models would need custom code to do this. The virus would
only work on drives that it knew about which would severely limit how the
virus spreads. A more likely scenario is an already compromised computer is
accessed remotely and then the drive firmware is updated. Although this is
slightly more likely even this probably wouldn't be done. It would be much
easier to just install a rootkit once you had remote access. So, yes it's
possible. Is it likely? Probably not but who knows. Malware is getting very
creative.

--
Kerry
MS-MVP Windows - Shell/User

Gregg Hill wrote:
> Hello!
>
> I have heard that some virus writers are now able to write their
> files into a part of the hard drive that antivirus software cannot
> detect. It is supposedly the part of the drive where the
> manufacturers store their information. Even reformatting the drive
> does not get rid of the infection.
> Are these claims even true? If so, do you know of any utilities to
> detect and/or repair this type of virus or Trojan infection?
>
> Thank you!
>
> Gregg M. Hill


