#1 jwoods (Guest)

    MalwareTech SBK: A bootkit capable of surviving reformat

    On Steve Gibson's Security Now! podcast on June 9th, he and Leo Laporte discussed a 20-year-old developer in the UK who has built a proof-of-concept HDD firmware rootkit that will survive OS re-installs and full disk formats.

    He has stated he will not release it.

    If this is true, it's a whole new ballgame in attack vectors.

    https://www.grc.com/securitynow.htm

    Excerpt from the podcast notes...

    http://www.malwaretech.com/2015/06/h...surviving.html
    ● <paraphrased> Since I got into firmware hacking, I've been working on a little project
    behind the scenes: a hard disk firmware based rootkit which allows malware to survive an
    operating system re-install or full disk format. Unfortunately I can't post a proof of
    concept for many reasons (people have even contacted me just to tell me not to post it),
    so instead I've written a presentation overviewing and explaining the rootkit, which I've
    dubbed MT-SBK (Superpersistent Boot Kit).

    The general purpose of MT-SBK is to provide a "framework" for my previous project,
    TinyXPB, a demonstration bootkit. This new firmware framework enables my TinyXPB to
    be stored in and loaded from within the hard disk firmware, preventing it from being
    removed by antiviruses, operating system re-installs, or even full disk reformats.

    This rootkit is designed for a major brand of hard disk and can infect the firmware from
    within the operating system (no physical access required); it is also completely
    undetectable to software running on the host computer.

    Once it's installed, the only way to remove MT-SBK is by replacing that hard disk's PCB or
    connecting an EEPROM programmer directly to the flash chip and flashing it with the
    original firmware.
    http://malwaretech.net/MTSBK.pdf
    Last edited by jwoods; 2015-06-14 at 03:17.


#2 wavy (Silver Lounger)
    I was kinda expecting something like this
    David

    Just because you don't know where you are going doesn't mean any road will get you there.

#3 4 Star Lounger
    Well, I'm not very surprised. I thought I'd read somewhere that the NSA already uses this technique.

#4 Fascist Nation (5 Star Lounger)
    The NSA is already doing this. This is what they were caught doing: setting up a facility to intercept Dell, HP and Lenovo shipments going outside the USA, install their firmware onto the boot drive (or BIOS) and continue the shipment. Of course they would never do that to laptops like mine coming into the USA from China. Pinky swear. Why would anyone EVER want to buy anything made in the USA.


#5 jwoods (Guest)
    The area of concern for me is not that a government organization knew how to do this, but an individual, completely on the outside of any state-sponsored organization, pulled it off.

    As mentioned in the podcast, signing firmware may need to be included in the next iteration of drive technology.

    However, there will be a gazillion legacy drives that can't be protected.

    There is no current way to defend against it.
    Last edited by jwoods; 2015-06-15 at 01:52.
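The post above names signed firmware as the mitigation the podcast suggested, and legacy drives as the gap it cannot close. The following Go program is an added example written for this thread; it is not code from MalwareTech, the podcast, or any drive vendor. It models a controller's firmware-update path: the update container format, the vendor public key fixed in controller ROM, and the version field are all assumptions of the model. A drive constructed without a vendor key stands for a legacy controller that flashes whatever it is handed, which is the case the post says cannot be protected.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update container (not any vendor's real format):
// magic "FWUP" (4) | version (4, BE) | image length (4, BE) | image | Ed25519 signature (64).
// The signature covers SHA-256 of everything before it, so version and length are bound too.
const (
	magic     = "FWUP"
	headerLen = 12
)

var (
	ErrTruncated    = errors.New("update truncated or length field inconsistent")
	ErrBadMagic     = errors.New("update does not start with the expected magic")
	ErrBadSignature = errors.New("signature does not verify under the vendor key")
	ErrRollback     = errors.New("image version is not newer than the installed version")
)

// Drive models a disk controller's update path. VendorPub stands for a public key
// fixed in controller ROM (assumption); nil models a legacy controller with no check.
type Drive struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
	Flash            []byte
}

// buildBody lays out header and image, i.e. everything the signature covers.
func buildBody(version uint32, image []byte) []byte {
	var buf bytes.Buffer
	buf.WriteString(magic)
	binary.Write(&buf, binary.BigEndian, version)
	binary.Write(&buf, binary.BigEndian, uint32(len(image)))
	buf.Write(image)
	return buf.Bytes()
}

// SignUpdate is the vendor-side step: hash the body and sign the digest.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	body := buildBody(version, image)
	digest := sha256.Sum256(body)
	return append(body, ed25519.Sign(priv, digest[:])...)
}

// ApplyUpdate is the controller-side check: parse, verify, enforce anti-rollback, then flash.
func (d *Drive) ApplyUpdate(update []byte) error {
	if len(update) < headerLen+ed25519.SignatureSize {
		return ErrTruncated
	}
	if string(update[:4]) != magic {
		return ErrBadMagic
	}
	version := binary.BigEndian.Uint32(update[4:8])
	imageLen := binary.BigEndian.Uint32(update[8:12])
	// Compare in uint64 so an absurd length field cannot wrap the arithmetic.
	if uint64(len(update)) != headerLen+uint64(imageLen)+ed25519.SignatureSize {
		return ErrTruncated
	}
	bodyLen := headerLen + int(imageLen)
	body, sig := update[:bodyLen], update[bodyLen:]
	if d.VendorPub != nil { // signing-aware controller
		digest := sha256.Sum256(body)
		if !ed25519.Verify(d.VendorPub, digest[:], sig) {
			return ErrBadSignature
		}
		if version <= d.InstalledVersion {
			return ErrRollback
		}
	}
	d.Flash = append([]byte(nil), body[headerLen:]...)
	d.InstalledVersion = version
	return nil
}

// DemoResult records which update attempts each modelled drive accepted or refused.
type DemoResult struct {
	SignedAccepted, TamperedRejected, RollbackRejected, LegacyAcceptsTampered bool
}

// Demo runs four constructed update attempts against a signing-aware drive and a legacy drive.
func Demo() (DemoResult, error) {
	var r DemoResult
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // stands in for the vendor signing key
	if err != nil {
		return r, err
	}
	signing := Drive{VendorPub: pub, InstalledVersion: 1}
	legacy := Drive{InstalledVersion: 1}

	v2 := SignUpdate(priv, 2, []byte("constructed firmware image v2"))
	r.SignedAccepted = signing.ApplyUpdate(v2) == nil && signing.InstalledVersion == 2

	tampered := append([]byte(nil), v2...)
	tampered[headerLen] ^= 0xff // flip one image byte; the vendor signature no longer matches
	r.TamperedRejected = errors.Is(signing.ApplyUpdate(tampered), ErrBadSignature)

	v1 := SignUpdate(priv, 1, []byte("constructed firmware image v1"))
	r.RollbackRejected = errors.Is(signing.ApplyUpdate(v1), ErrRollback)

	r.LegacyAcceptsTampered = legacy.ApplyUpdate(tampered) == nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```

The anti-rollback check matters as much as the signature: without it, a genuine but older signed image with a known weakness could be re-flashed, and the modelled legacy drive shows that a controller which never verifies anything accepts the tampered image outright.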

#6 wavy (Silver Lounger)
    Quote Originally Posted by Fascist Nation View Post
    Why would anyone EVER want to buy anything made in the USA.
    Maybe because we live here. Do you want pre-hacked Chinese firmware in your box? I am not a total fan of the NSA, but the alternative is scary too.
    David

    Just because you don't know where you are going doesn't mean any road will get you there.

#7 miztrniceguy (Star Lounger)
    Might want to rename the title to say ROOTkit instead of BOOTkit... unless it was intentional.

#8 jwoods (Guest)
    Quote Originally Posted by miztrniceguy View Post
    Might want to rename the title to say ROOTkit instead of BOOTkit... unless it was intentional.
    It was.

    See the excerpt from the podcast in post #1.

#9 miztrniceguy (Star Lounger)
    Quote Originally Posted by jwoods View Post
    It was.

    See the excerpt from the podcast in post #1.
    Oops... I missed that!

#10 Mikef12 (New Lounger)
    Quote Originally Posted by Fascist Nation View Post
    The NSA is already doing this. Why would anyone EVER want to buy anything made in the USA.
    Because it's not China?

#11 New Lounger
    Quote Originally Posted by Mikef12 View Post
    Because it's not China?
    You're still making stuff in the USA? I thought it was all made in China anyway (or Korea).

    The only reason to be unsurprised is that humans are using and making and playing with these things and if they can do something they will, just because.

    The only reason to be surprised is that we have not already died in a nuclear self-immolation.
