I do have a problem: how do I remove a persistent MBR malware? Probably the malware hides itself in an HDD sector that an OS couldn't even access. Already tried to format it and remove/clean all partitions. And also tried to change the OS type from Windows to Linux. Got infected from an office PC. Symptoms are whenever I'm online the mouse moves by itself, probably a RAT type. Tried to analyze traffic but couldn't see any (e.g. somewhat like pushed Microsoft Security Update traffic).
Update:
My Malware Analysis:
- Probably it's much more beyond OS rootkits, somewhat like BluePill (firmware rootkit) but not hardware dependent
- It adapts to what OS you are using (injects and downloads over Ethernet a specific type of malware for different OSes)
- Actively listens and sends outgoing connections (can't be blocked by firewall) at a low level
- And also the fact that I know it's an MBR malware is because my office PC has a different type of board (logically it's not somewhat BIOS malware, where it is hardware dependent, and mostly this type of malware only attacks Intel motherboards); I'm using AMD on my laptop
- Somewhat like a malware that was recently demoed at DEFCON (forgot the name of the malware), but that is a BIOS type of malware using OpenBIOS + SeaBIOS. It is fully undetectable, such a low-level type of attack malware.
- And the malware that infects me seems like it embeds itself on removable flash disks in the low-level firmware so it could infect other systems.
Update:
Here are some symptoms why I know it's malware:
- High peak of network usage even when no process is accessing any network connections (already checked the processes through netstat and Process Explorer).
- Checked MD5 sums of files before and after; they have changed. Probably the malware spreads itself and changes everything like a rootkit.
I know the symptoms are very few because I've only recently checked and observed it. And the malware is fully undetectable. Hard to distinguish from a normal process. Very low memory consumption. And I assume it also hides itself in volatile RAM. That's why whenever I try to format the HDD it would still be there after the boot.
Additional info on why I won't contact my employer regarding this is because our company has a rule to never put any removable device in any of our workstations.
And if you think this is some type of advanced malware, probably you're thinking back to the '90s; there is already a gap between open source and closed source funded projects. You are probably just observing some open source malware projects. Just like Microsoft before Google had applied some 3D rendering engine on Chrome. I think there is a 10-15 year difference between an open source and a closed source research project. And not only the military and/or government could deploy this.
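One concrete check for the "persists across a format" claim above, as an added example and not code from the poster: capture the first 512 bytes of the disk once as a trusted baseline, re-read them after each reboot, and parse the MBR layout so the comparison says whether the boot code or the partition table changed rather than just "the hash differs". The sample sectors below are constructed; reading a real device path such as /dev/sda is an assumption and needs root.

```python
import hashlib
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"   # bytes 510..511


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_mbr(sector: bytes):
    """Split a 512-byte MBR into (boot code, non-empty partition entries, signature ok)."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if type_id != 0:
            entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return sector[:BOOT_CODE_LEN], entries, sector[510:] == SIGNATURE


def compare_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which region of the MBR differs from a trusted baseline capture."""
    b_code, b_parts, _ = parse_mbr(baseline)
    c_code, c_parts, sig_ok = parse_mbr(current)
    return {
        "boot_code_changed": hashlib.sha256(b_code).digest() != hashlib.sha256(c_code).digest(),
        "partition_table_changed": b_parts != c_parts,
        "signature_ok": sig_ok,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample (not from a real disk): one active type-0x07 partition at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\0") + entry + b"\0" * 48 + SIGNATURE


# Constructed baseline: typical boot-loader opening opcodes (cli / xor ax,ax / mov ss,ax / mov sp,7c00h)
BASELINE = build_sample_mbr(bytes.fromhex("fa33c08ed0bc007c"))
# Constructed later capture: first boot-code byte patched, partition table untouched
TAMPERED = bytes([0xE9]) + BASELINE[1:]
```

On a live system the capture is `open("/dev/sda", "rb").read(512)` taken from a clean boot medium; a clean compare only rules out the on-disk boot sector, it says nothing about firmware.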