26

I'm just about to switch to a new SSD drive, so I figured it's a good occasion for a really, really fresh start. I reconsidered every installed piece of software, uninstalled lots of crap (surprisingly, my system started to be more responsive ;]), and checked for viruses and stuff (since I didn't want to transfer any malware to my brand new shiny system).

During the virus scan, one file popped up as suspicious, and then I started to wonder... Though I haven't any direct proof that I ever encountered a serious infection, like really weird acts of rebooting/BSODs/problems with apps, and I took lots of precautions (always kept my software updated, used Firefox's "NoScript" extension, kept Java turned off, used sandboxes, AV, and so on), maybe something slipped.

And if something slipped - all is compromised. All hope is gone... ;]

I started to wonder about the current state of malware. Is it capable of

  • spreading on connected USB drives (in that case, all my backups are compromised);
  • spreading through the local network (in which case all my other PCs are compromised too);
  • infecting my restore partition (yay! this is getting scary);
  • infecting my BIOS/UEFI (just enough so it could redownload its full package and start spreading again)...

Are malware authors capable of making viruses such as these? That is, viruses that can spread through all possible devices in such a way to always remain hidden from users and spread unchallenged. Eventually, every machine would be infected; even fresh new ones, machines currently in the factory would be infected, and so on, and so on...

Maybe it's already happened. Are our computers living in their own "virus matrix?" The Vitrix? ;]

Ok, jokes aside. It's probably impossible to create such software, so let's go back to my original, simpler question, involving only one infected machine:

Could any machine, once infected, ever be trusted again?

vandalizmo

  • Thanks for edits, but some changes are not like I wanted to express my thoughts. And I really can't see the point of such changes... Sorry, but I need to revert some of them. – vandalizmo Mar 07 '13 at 00:59

2 Answers

30

Theoretically, no, an infected machine cannot be trusted anymore. In practice, wiping the hard disk (or just removing it and inserting a new one) is often sufficient, although some viruses have been known to reflash part of the BIOS, for pure wanton devastation, or to make the virus resistant to disk formatting. Some motherboards will not allow reflashing unless a specific jumper is physically plugged in, which at least protects against hostile reflashing; if unsure, consult the documentation of your motherboard (if you use a laptop, you are probably out of luck).

Apart from the BIOS, other devices can have flashable firmware. A demonstration has been made in the case of some Apple keyboards.

While all of this means that a once-corrupted machine can never be really trusted again, it begs the sister question, which is: how come you could trust the machine in the first place? You don't really know where it has been (at least not with more precision than "some factory in south China"). A possible answer is that if the attacker managed to plant some malware which resisted a complete machine reinstall, then he probably deserves to stay there. At least, this piece of malware has been written by someone who is technically competent, which is refreshing. It would be a great day if you could say the same of a majority of the other software you run on your machine.

Tom Leek

  • +1 for rephrasing 'the vitrix' idea to one simple question 'how come you could trust the machine in the first place?'. It's just like that. All our nowadays experience with computers begins with trust... in China ;] – vandalizmo Mar 06 '13 at 17:59
  • Regarding the last two sentences - While I totally get the point, I'm not sure that's fair; the whole point of modern computer/OS design is that you don't *have* to know the bits and bytes at the hardware layer in order to write quality end-user software. Saying that anyone who doesn't know how to store a virus on a keyboard's EEPROM shouldn't write software is like saying that anyone who can't pick a deadbolt shouldn't be replacing the exterior door of a house. Two *completely* different skillsets are required, and while one person may possess both, one does not require the other. – KeithS Mar 06 '13 at 18:20
  • @KeithS - I more took those last two lines to be that the majority of software shows glaring issues that really shouldn't be there in the first place. It's one thing when bugs sneak by. It's another when a large percentage of software is simply poorly designed because computers no longer need it. The house building example would be like saying it isn't a problem to build houses out of cardboard if it doesn't rain very often. – AJ Henderson Mar 06 '13 at 18:23
  • @KeithS: I totally agree that writing a good virus and writing, say, a good word processor, use distinct skill sets. I do claim, however, that a majority of commonly used software has been written by people who lacked both skill sets (that's rather unavoidable, since there is a lot more programming to be done than available programmers). – Tom Leek Mar 06 '13 at 18:39
  • It's really interesting reading the discussion on this topic. I'm a little confused about the gravity of this question. Should the answer correspond to hardware Trojans or, I don't know, perhaps a classification; as certainly you cannot make it a general rule for just ANY kind of traffic. At places like where I live, (computing) hardware is still not as cheap as in the USA or UK and other developed countries. – Saladin Mar 06 '13 at 19:34
  • Also, on the China part: for a country like the USA, which has stopped big Chinese companies like ZTE or Huawei from operating, are there any applicable laws that check on purchases of such equipment from countries like China? Is someone regulating that too? – Saladin Mar 06 '13 at 19:45
  • What are the chances of infection remaining in the HDD after, let's say, a low-level 7-pass DoD format? – Saladin Mar 06 '13 at 19:48
  • There have been recent demonstrations of infecting HDD firmware, which would survive full reformatting of it and everything done to other hardware. Likewise, firmware of network and video cards would survive OS+BIOS cleaning, and has enough direct access to reinfect the computer afterwards. – Peteris Feb 22 '14 at 20:00

4

A once-infected computer that has since been "disinfected" by several different antivirus/antimalware scanners should be classified into a category somewhere between "Trusted" and "Untrusted" devices - maybe something like "Distrusted", in order to remember that it is known to have been "disinfected" and therefore cannot be reliably determined to be absolutely "trusted" again. For example, I would not perform any high-security transactions on a distrusted system: banking, credit card purchases, sensitive personally identifiable information, network infrastructure administration, remote administrative access, etc. I actually put an icon on each computer desktop that indicates whether the computer is Trusted, Untrusted, or Distrusted so that its security status is staring me right in the face every time I go to use it. And I use SD cards rather than USB thumbdrives for mobile storage precisely because they can be write-protected, and I segregate removable media by a Trusted or Untrusted symbol so that I don't put an Untrusted SD card into a Trusted computer. Better to be as safe as possible rather than play Russian roulette with questionable devices that can propagate hidden malware.

Alan

  • Upvote for the principal idea of labeling it as "cleaned up" instead of "trusted" after infection, but I wouldn't just run a virus scanner. A complete wipe of the hard drive is required, and depending on the circumstances you may want to flash the hard drive's, motherboard's and other firmware (or replace certain parts with new parts). This is not required after your little brother got a virus from illegal software, but it might be when the CIA discovers an infection in their systems. – Luc Jan 18 '14 at 18:17
  • SD cards do not have write protection. That sliding tab is merely a polite request to the host system to not write, with no enforcement whatsoever... and not all host systems even have the circuit for reading the position of the write-protect tab. – Ben Voigt Nov 20 '15 at 14:52
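Alan's answer relies on write-protected, segregated media, and Ben Voigt's comment shows the SD tab is only advisory, so the backup worry from the question ("all my backups are compromised") is better addressed by a host-side integrity check. The following Python script is an added example, not code from the thread: it builds a SHA-256 manifest of a backup volume while the volume is still trusted and later reports changed, missing and added files, flagging additions such as `autorun.inf` or executables; the file contents, the `backup` directory layout and the suspicious-name lists are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

# Names and extensions that should not turn up on a data-only backup volume.
# Assumed starting list for illustration, not exhaustive.
SUSPECT_NAMES = {"autorun.inf", "desktop.ini"}
SUSPECT_EXTS = {".exe", ".scr", ".com", ".lnk", ".vbs", ".bat", ".dll"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256.
    Run on the trusted machine; keep the result off the volume it describes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def verify_backup(manifest: dict, root: Path) -> dict:
    """Re-hash the volume and report every deviation from the trusted manifest."""
    current = build_manifest(root)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    added = sorted(k for k in current if k not in manifest)
    suspicious = sorted(k for k in added if Path(k).name.lower() in SUSPECT_NAMES
                        or Path(k).suffix.lower() in SUSPECT_EXTS)
    return {"changed": changed, "missing": missing, "added": added,
            "suspicious": suspicious, "clean": not (changed or missing or added)}

def demo() -> dict:
    """Constructed scenario: manifest a backup, then re-check it after the volume
    was used on an untrusted machine that altered one file and dropped two more."""
    with tempfile.TemporaryDirectory() as tmp:
        vol = Path(tmp) / "backup"
        (vol / "docs").mkdir(parents=True)
        (vol / "docs" / "notes.txt").write_bytes(b"quarterly notes\n")
        (vol / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed, not a real jpeg")
        manifest = build_manifest(vol)
        before = verify_backup(manifest, vol)   # nothing changed yet: clean
        (vol / "docs" / "notes.txt").write_bytes(b"quarterly notes\n<altered>")
        (vol / "autorun.inf").write_bytes(b"[autorun]\nopen=setup.exe\n")
        (vol / "setup.exe").write_bytes(b"MZ constructed placeholder, not a binary")
        return {"before": before, "after": verify_backup(manifest, vol)}
```

Calling `demo()` returns the clean report taken before the volume left the trusted machine and the report afterwards, which lists `docs/notes.txt` as changed and both additions as suspicious.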