Knowing if a malware infected something else than the hdd or ssd

Question

I saw a very interesting answer stating that something else than hdd or ssd can be infected : Can a computer virus be stored somewhere else than on the hard drive?

It is very important for me to be sure that I'm in a secured environnement, especially when I'm making a system image.

As for my question, I'd like to know the most effective way to determine if a firmware/hardware other than hdd/ssd is infected (and how to secure it if it is). I currently use Avira Antivirus + Malwarebytes Anti Malware. I want to be sure that my computer, when plugged offline, is secured after restoring my system image.

This includes:

• Bios / Uefi
• System Management Mode (SMM)
• GPUs
• Network cards
• And possibly others I'm not aware of.

I know it is very difficult for someone to infect those elements, and unlikely to happen, but it is still in the realm of possibilities hence we should have the needed knowledge required to know if we are infected and to protect us against those.

Answer 1

In theory you computer contains several critical devices with software writeable firmware. We know that there are a couple of bad guys infecting firmware (https://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/).

Pretty much any device connected to your PCI bus could take over your system for example by reading / writing memory.

In theory your hardware could even have been backdoored at the factory.

But to my knowledge so far we have not seen this stuff in the wild. So if you are not being specifically targeted by nation state actors you are not in danger.

Your Avira AV (one of the better AVs out there) would probably not help you since it doesn´t look at your firmware and I I would guess Avira has close to 0 samples of backdoored firmware so far. But yes, if your firmware later drops cheap malware into userspace the malware could get detected.

Answer 2

Reverse Engineer your system!

One thing that you can do is watch the network traffic of your pc using an IDS (like snort), since it is probably sure that the malware will eventually contact the mother-ship through internet.

I advise you to read the practical malware analysis book, there you can find how such a thing is achieved in detail.

If after multiple reinstallations of OS'es you still catch network signatures of malware , then try installing an alternative OS other than windows , since the malware may not be able to spread on OS'es other than windows

Getting rid of the virus once and forever!

If you are sure that you found something try starting your pc with different parts in it , while monitoring your network. You will eventually find the problematic part.

Answer 3

I'm pretty sure any non-volatile, writeable storage can be tampered with if the hacker has enough skills. We know for a fact that there's malware created by state actors and non that infects HDD controllers, UEFI, router firmware, and so forth, basically a rootkit so that it keeps injecting code into the the main drive space even if you reinstall the OS or upgrade the firmware. I don't think there's a realistic way to scan all the components in your computer. Commercial anti-virus software will probably not do anything even if it comes with "rootkit protection". But maybe if you search for how to protect against rootkits, you may find some commercial software I suppose.

But at the same time, these kinds of malware/rootkit are pretty rare I think, as there's plenty of attack vectors that users interact with. Other users may know much more, but typically these things come out of the NSA or some big organization for targeted attacks.

Edit: Maybe heuristic AV might be better suited to detect these, but that completely depends on what the rootkit/malware does. If it repeatedly injects some payload onto the main drive upon boot, something like that could be easier to detect, although it may not be able to tell exactly where it's coming from.