49

Is formatting the disk and reinstalling the system from scratch (to Ubuntu) enough to remove any potential hidden software spyware, keyloggers etc.?

Or can something still persist installed in the bios or something like that? What to do then?

To be clear, not concerned about common malware. The question is more specific about a machine to which people other than the user had physical access for many hours. So when the user returns cannot be sure that nothing changed, so the user makes a fresh install after some weeks. Is that enough to "clean" it?

Hardware keyloggers are not part of this question as they should continue after software reinstallation.

Strapakowsky
  • 3,049
  • 8
  • 26
  • 31
  • What is the sophistication level of the people who had physical access for several hours? – this.josh Sep 18 '11 at 04:06
  • *"The NSA has figured out how to [hide spying software](http://www.reuters.com/article/2015/02/17/us-usa-cyberspying-idUSKBN0LK1QV20150217) deep within hard drives."* – Daniel Feb 18 '15 at 01:24
  • I know this is an old post but this is now relevant: http://www.zdnet.com/article/new-security-vulnerability-discovered-in-old-intel-chips/ – MonkeyZeus Aug 17 '15 at 15:44

9 Answers9

44

It is possible for malware to persist across a re-format and re-install, if it is sufficiently ingenious and sophisticated: e.g., it can persist in the bios, in the firmware for peripherals (some hardware devices have firmware that can be updated, and thus could be updated with malicious firmware), or with a virus infecting data files on removable storage or on your backups.

However, most malware doesn't do anything quite this nasty. Therefore, while there are no guarantees, re-formatting and re-installing should get rid of almost all malware you're likely to encounter in the wild.

Personally, I would be happy with re-formatting and re-installing. It's probably good enough in practice.

D.W.
  • 98,860
  • 33
  • 271
  • 588
  • 17
    Most importantly; none of those things are consistent between machines. Malware would not only have to be that nasty, it would also be limited to a specific set of hardware. – Billy ONeal Sep 16 '11 at 15:43
  • 2
    Like... macs? (EFI bios seems like a ripe target for this sort of thing) – Ori Aug 03 '12 at 03:40
  • 4
    It's worth adding that in light of the Snowden leaks, such malware may not be as uncommon as once thought. – Jon Bentley Apr 28 '15 at 17:11
30

It is definitely possible for a slightly sophisticated attacker to leave malware outside the direct reach of the operating system. Reinstalling the operating system means a disk wipe at most. Even there, you need to be careful if you restore any data that may have been compromised.

Malware can be stored in one of the many rewritable memories that lurk in just about every component of a modern computer. These memories store that component's firmware and are usually rewritable; all it takes is knowing the right address to it, and manufacturers usually provide tools to upgrade the firmware, so all the attacker to do is substitute his own code (there is almost never any cryptography).

For example, there is a known (and fairly simple) exploit for Apple keyboards, found by K. Chen. Chen's presentation shows how to take advantage of the available memory (only about 1kB to spare) to open a shell on a TCP port by injecting keystrokes, or log keystrokes in a context where a passphrase is expected and replay them.

For another example of a firmware vulnerability in the wild, try CVE-2010-0104: Broadcom NetXtreme management firmware ASF buffer overflow. This is a bug in some Ethernet firmware that allows a remote attacker to take control of the network firmware (and so at the very least actively attack all network traffic), and potentially of the whole computer (I don't know if there's an exploit for that, but once you have access to the PCI bus, I doubt that much is barred). Interestingly, this vulnerability is easiest to exploit on a computer that's switched off, since the bug is in a remote management protocol parser, which in particular handles wake-on-LAN.

Yet another example is reflashing a hard disk controller (presented at OHM 2013).

This question asks for firmware on video cards. As I write, no one has given an example of a malware in the wild, but the possibility is definitely there.

There is no real protection against compromised firmware on a typical PC. You'd need to keep track of every single piece of flash memory in the computer. There are efforts to require firmware to be authenticated; on PCs, the most advanced such effort is the TPM, which currently can check the integrity of the BIOS and the OS bootloader, if you have the required hardware and a BIOS that supports it. I'm not aware of a PC where all components have their firmware checked for integrity (at least, before they're allowed to access the PCI bus). There are similar efforts in the smartphone world leveraging security features of ARM chips, but again it's a far cry from the existence of security feature to the inclusion of all firmware in the trusted base.

In practice, if you aren't a high-profile target, you don't need to worry much. There aren't any exploits in the wild at script kiddie level. But the possibilities are rife for your attacker with technical skills (or the means to hire a skilled hacker).

Firmware attacks are becoming easier over time. At Black Hat USA 2012, Jonathan Brossard presented “a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards”. The proof-of-concept (not publicly released) infects many BIOSes and common peripherals including network chips. It's only a matter of time until such firmware infection frameworks appear in the wild. The NSA has been reported to favor planting spyware in the BIOS.

Gilles 'SO- stop being evil'
  • 51,415
  • 13
  • 121
  • 180
  • 10
    The reason Firmware exploitation isn't common is that firmware is hardware-configuration specific. Malware authors don't want to spend that much time developing an exploit which targets that small of a minority of users. – Billy ONeal Sep 16 '11 at 15:44
  • Hard disks. http://spritesmods.com/?art=hddhack – ike Jan 06 '15 at 19:30
  • "I'm not aware of a PC where all components have their firmware checked for integrity" And even if all components were to be checked like that, it's likely there are ways to subvert this verification process. For example: for security, firmware should be updateable, so the values to verify against should also be updateable. A malicious firmware update could also swap the verification values at the same time as the update. – Nzall Sep 28 '20 at 09:38
  • @Nzall If the firmware is covered by some form of secure boot, it's based on signatures, plus versions for freshness. A malicious firmware update that injected bad verification values would be detected (assuming the malicious update is injected after the verification process — if the code signer has accepted the malicious code, all bets are off). The problem in 2011, and still true in 2020, is that a lot of firmware isn't signed or isn't verified. The good or bad news (depending on how you look at it) is that apps are a lot easier than firmware to exploit, so firmware hacks are rare. – Gilles 'SO- stop being evil' Sep 28 '20 at 10:35
  • @Gilles'SO-stopbeingevil' It's also not really possible to verify firmware images. The problem is that you can't conceivably code all potential firmware versions and signatures for every potential piece of hardware, even if it is signed and verified. Well, I guess you can, technically, but that list would need to stay updated, and on machines without internet that can be quite a problem. – Nzall Sep 28 '20 at 20:43
  • @Nzall The shipped code doesn't need to know about all versions and signatures. It only needs to verify that the signatures were made by a trusted party. Of course, you have to trust the party that signed it: but this trust doesn't have to be validated on the device, it's enough to validate it once and for all. Practically, though, it's really difficult to trust every entity that made some piece of the software in a PC. There are a lot of them. – Gilles 'SO- stop being evil' Sep 28 '20 at 21:13
8

In addition to hiding your code amongst various and sundry peripherals, an old technique that is making a comeback is the boot sector virus. Torpig/Sinowal/Anserin is the most recent example of judicious use of this technique. In short, once infected the virus will load some bootstrapping code into the MBR. If this technique is used, one can expect the code loaded into the MBR to do the following:

  1. Check to see if the virus is present
  2. If not, then download and re-infect

The only way to reliably clean something like this up to clean up the MBR. Either through re-partitioning, or using a tool like fixmbr. As such, simply doing a reinstall, and sometimes a format/reinstall, is not enough.

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
  • 1
    Reformatting the entire disk should remove this from the MBR, shouldn't it? Am I missing something? – D.W. Sep 16 '11 at 22:56
  • 2
    Reformatting, no, repartitioning, yes. By default fdisk doesn't fiddling with the MBR unless it has to, or you specifically tell it to. – Scott Pack Sep 18 '11 at 16:07
  • Thanks for the explanation, Scott. Can you help me understand better? If I reformat and install a new operating system, I would expect the MBR to get overwritten. (I would expect the OS installer to install the bootloader onto the MBR, and potentially to write a new partition table. For instance, on Linux I believe `grub-install` overwrites the MBR, and `grub-install` is run by the standard OS install process. I would expect something similar from the Windows install process.) Is my expectation inaccurate? – D.W. Sep 18 '11 at 23:49
  • Hard disk firmware malware can persist even when entire drive is wiped http://spritesmods.com/?art=hddhack – ike Jan 06 '15 at 19:30
7

Depends on what you consider to be "a clean install".

Besides what D.W. mentioned, some stuff could remain in for example "System Volume Information" and/or recycler directories (system restore and recycle bin directories) on any additional partitions you might have. That could easily reactivate on a fresh Windows installation but it most probably won't work on Ubuntu. Anyway, if all these other partitions do not get desinfected, it means there still might be some malware somewhere in these directories - probably not doing anything, just waiting for better days, for Windows to get reinstalled ]:-> but still there.. What I would suggest you do after installing Ubuntu is installing clamav, updating it and rescaning everything you have..

If you really do format everything, there are still the points D.W. made.

tkit
  • 3,332
  • 6
  • 29
  • 36
2

Malicious code inside BIOS/firmware it's possible, but many more realistic threats are often overlooked. Two examples off the top of my head:

OS Repos/Images: They may be compromised, so you are essentially reinstalling a backdoored OS or Software every time you reimage your systems.

Out of band management: HP's ILO, Dell's IDRAC or IPMI. Even reinstalling your system, whoever has compromised it may already know that there is out of band management with console access available.

1

I think the answer to this depends on the nature of the threats (and attackers) that you consider within scope to act against your PC.

IN GENERAL -- If you do a "real" re-format of the computer's hard drive (including, as some other posters have mentioned, the boot sectors), and then install a new operating system (something other than Microsoft Windows, hopefully... but even Windows will do, as long as you are installing it from a DVD as opposed to just "restoring" from the manufacturer's "restore partition", which of course could easily have been compromised by the same malware as is the reason for re-creating the O/S in the first place), then for MOST use cases under MOST conditions, doing this should provide an acceptable level of confidence that the computer will not be "pre-compromised" by the time that you first use it.

Now having said that, please be aware, as earlier posters have correctly pointed out, there very definitely are a series of advanced malware and physical / BIOS tampering attacks, that can so badly compromise the computer's basic infrastructure, so that really the only 100% safe course of action is just to junk it and go on to another PC.

In my experience, these types of attacks are very rare, but if (for example) you are in a high-threat environment (e.g. you are a Chinese or Iranian dissident, you are Edward Snowden, etc.) you are best off not taking a chance... particularly if it is likely that an attacker may, at some point, have had physical access to the PC in question. (The NSA is expert in planting BIOS and hardware compromises that are virtually impossible for anyone except another nation-state-level intelligence agency, to detect or remove.)

Incidentally, I would like to note another threat that too many people forget about, when initializing a "new" PC : namely, "using the same local access password, particularly the administrator account password, as I used on the last PC". The logic behind this is straight-forward : "I put a backdoor on your 'old' PC and intercepted your password; so when I see your 'new' PC show up on the Internet... guess which password is the first one that I'm going to try, when I attempt to break in to the 'new' PC?"

Here's a dirty trick, by the way : set up a "dummy" account, with zero privileges and have it carefully monitored, using the "old" password... and wait to see what happens. In effect you are setting up a local "honeypot" to lure the miscreants who compromised your "old" PC. There is always a chance of a privilege elevation exploit, of course, so you should be really careful to lock the "dummy" account down so even if someone successfully authenticates to it, they can't go anywhere or do anything.

The point is, change all your passwords, immediately, if you think you have been compromised. And don't trust anything that may have been physically compromised. Do that and you should be safe from (almost) all likely threats.

user53510
  • 800
  • 5
  • 3
0

While flagging another question as duplicated, I was also writing the reply, so I'll leave this here just in case is useful for someone:

To be realistic, that will get rid of mostly all kind of malware.

But.

< paranoid mode >

Bootkits: https://macpablodesigns.wordpress.com/2009/10/01/bootkits-what-is-bootkit-and-why-should-it-concern-you/

Hiding data in "unreachable" HDD areas: https://jameswiebe.wordpress.com/2015/02/18/how-to-install-undetectable-malware-on-a-hard-drive/

Others that I might be missing.

< /paranoid mode >

To summarize. There are ways of infection that will remain after doing those reinstallation procedures, but to keep it "real", with that you will get rid of almost all the standard malware infections.

(as soon as you don't get infected during the installation again of course. OS installers with malware/adware such as those "activators" and such...)

BBerastegui
  • 525
  • 3
  • 9
0

I have had my BIOS infected with a rootkit before. HP machines have an easy process to first reflash the BIOS, and then perform a clean install of OS.

The key is to do the BIOS reflash first and then perform the clean install of the OS.

https://m.youtube.com/watch?v=qpiGUojtr3E

0

It is my habit to zero the boot sector and update (or just reflash) the BIOS in such cases as well, just to guard against particularly resilient persistence. It's unnecessary almost all the time, as usually viruses persist either in the network or in the OS, but if you want to be sure you should take precautions against other types of persistence too.

Falcon Momot
  • 1,248
  • 7
  • 17