42

If there are places on a laptop malicious programs can leave elements, hooks, backdoors etc, in locations such as BIOS, device controllers, firmware etc - what confidence can one have in wiping the disk and installing a fresh OS image.

If I were to first use data destruction software to overwrite every individually addressable location on the hard disk, before secondly installing a freshly downloaded Windows image, this presumably isn’t much of a solution.

Surely, binning and buying a replacement is the only option? (Which would be dire, since the machine is new.)

forest
  • 65,613
  • 20
  • 208
  • 262
CompCat
  • 379
  • 3
  • 6
  • 10
    Related: [Search for military installed backdoors on laptop](https://security.stackexchange.com/q/199971/165253) – forest May 22 '19 at 20:11

4 Answers4

66

You must do risk management. How likely it is that you and your laptop have been personally targeted? The vast majority of persistent malware operates entirely in software, and formatting the disk is more than enough to remove all traces of it. Sophisticated, firmware-resident malware is extremely rare and unlikely to be a threat unless you have particular reason to think that you are at risk. It is possible to check for firmware-level malware, but it requires a good understanding of common x86 architecture, and access to hardware to read from the flash chips. At a minimum, you'd need SPI readers for the BIOS/UEFI, and JTAG probes for the hard drive firmware and related.

If you don't have any reason to think you're being targeted, just format and re-install.

forest
  • 65,613
  • 20
  • 208
  • 262
  • 14
    *Sophisticated, firmware-resident malware is extremely rare* Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's *extremely* common. – Federico Poloni May 23 '19 at 07:23
  • 9
    @FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it _malware_. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system. – forest May 23 '19 at 07:28
  • 4
    The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. https://en.m.wikipedia.org/wiki/Intel_Management_Engine – Pedro Lobito May 23 '19 at 12:17
  • 9
    @Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access. – barbecue May 23 '19 at 19:30
  • 1
    @barbecue Thank you for the explanation. – Pedro Lobito May 23 '19 at 21:17
  • 1
    @PedroLobito Like with networking, it only receives power on certain server-class hardware. – forest May 23 '19 at 22:42
  • 2
    @forest When a computer is turned off it still gets 5V "standby" power through the 24 pin connector, it's how the startup button is powered. That can be enough to power the ME and listen to the network. – ratchet freak May 24 '19 at 11:36
  • You can re-flash the BIOS, and intel has ME updates you can re-flash. Other devices you might be able to download and re-flash. While it might be possible to survive this, even less malware can. – cybernard May 24 '19 at 19:09
  • 4
    If you *have* been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware. – Johnny May 24 '19 at 20:21
  • 1
    @Johnny Not entirely true. You can buy hardware from any old store where you pick the hardware from the shelf. That way, there is never a point where your adversary knows which individual hardware you are buying and has the opportunity to do something to it. – forest May 25 '19 at 03:19
  • @ratchetfreak Perhaps, but it doesn't do that. Its ability to remain on and powered by only mains power is an officially supported and documented capability, and is only available on server-class hardware. – forest May 25 '19 at 03:20
  • @forest event consumer grade hardware has wake on lan support. This requires that the IME is running while powered down. – ratchet freak May 25 '19 at 09:06
  • @ratchetfreak I don't believe standard WoL is implemented using the CSME. After all, laptops can support that and they explicitly do not support running AMT modules on mains power while the system is off. It is true that AMT has a WoL feature, but most of the time, it's entirely done by the NIC. – forest May 25 '19 at 09:07
12

While you are right to note some of the more esoteric attack vectors, you need to remember that they are not typically the kind of things a rogue employee or corporate competitor would utilize.

I would (pessimistically) suggest that if your attackers are capable of undetectable custom BIOS and controller mods, then replacing the hardware isn't likely to be a sure-fire remedy anyway. They got to you once, and they are a powerful adversary, so it doesn't stand to reason they don't have other compromises or aren't capable of a repeat "visit". Being pro-active is great, but be realistic as well, and appreciate the capabilities of your threats.

tschumann
  • 103
  • 3
dandavis
  • 2,693
  • 10
  • 16
0

If you flash your BIOS with the latest/best copy you can find at the manufacturer's site, wipe and reformat your hard drive, re-install/upgrade all the device drivers (which you'd normally have to do anyway), there's little chance of anything going wrong.

George M Reinstate Monica
  • 452
  • 2
  • 6
  • 6
    If you have an already compromised BIOS, you can't just flash a new BIOS via software. You have to use an SPI programmer and directly connect it to the chip that holds the firmware in flash/EEPROM. – forest May 24 '19 at 02:05
  • @forest how about this procedure? https://www.techwalla.com/articles/removing-bios-virus do you think that wouldn't work for some reason? – George M Reinstate Monica May 24 '19 at 20:50
  • 2
    @GeorgeM in that case, you're using a potentially corrupted BIOS to boot the system in order to clean it. If it needs to be flashed because you don't trust that it hasn't been compromised, you can't use it as part of your restoration procedure. For example, it could just put the same compromise back in the newly flashed BIOS. – Xcali May 24 '19 at 21:19
  • @forest But if you get a clean copy of the BIOS from the manufacturer, and flash that, how is it compromised? – George M Reinstate Monica May 24 '19 at 22:09
  • 2
    @GeorgeM As far as I can tell, flashing the BIOS is an activity performed by the BIOS itself. An infected BIOS might have a modified flashing routine that pretends to perform the flash but really does nothing, or alternatively performs the flash and then reinstalls the compromise on the new BIOS. Using an SPI programmer would be the only way to bypass that compromised firmware layer, and write the new BIOS directly to the chip. – DarthFennec May 24 '19 at 23:52
  • 1
    @DarthFennec It's not that it's performed _by_ the BIOS, but the BIOS does have control over the operating system which performs it. Compromised firmware implies a compromised OS, so trying to flash clean firmware from _within_ that compromised OS is futile. – forest May 25 '19 at 03:18
-1

The main example I can find is from 2011 called Trojan.Mebromi. Symantec wrote up a bunch on this and similar viruses in 2011.

I do find one forum post from Jan 2019 where someone hard an MBR infection. It sure didn't hide itself and want to stay persistent. It's objective seems to have been destruction.

If something is sophisticated enough to infect your hardware in the way you mention, keep itself quietly persistent without any symptoms, I don't think you'll be patient zero! It will be all over the news!

I run Malwarebytes on my MacBookPro regularly just to make sure nothing has found its ware onto my system.

Neal
  • 1
  • 1
  • 6
    MBR is not part of the hardware, it's the first sector of the drive. `dd if=/dev/zero of=/dev/infected bs=512 count=1` will wipe the MBR with zeroes. –  May 24 '19 at 08:41