Re: Forensic level hard drive tools?



It is theoretically possible for a virus to update the firmware on a hard
drive so that the area of the drive where the virus exists can't be read by
Windows. It's unlikely because, to the best of my knowledge, each manufacturer
and probably most models would need custom code to do this. The virus would
only work on drives that it knew about, which would severely limit how the
virus spreads. A more likely scenario is that an already compromised computer is
accessed remotely and then the drive firmware is updated. Although this is
slightly more likely, even this probably wouldn't be done. It would be much
easier to just install a rootkit once you had remote access. So, yes, it's
possible. Is it likely? Probably not, but who knows. Malware is getting very
creative.

--
Kerry
MS-MVP Windows - Shell/User

Gregg Hill wrote:
Hello!

I have heard that some virus writers are now able to write their
files into a part of the hard drive that antivirus software cannot
detect. It is supposedly the part of the drive where the
manufacturers store their information. Even reformatting the drive
does not get rid of the infection.
Are these claims even true? If so, do you know of any utilities to
detect and/or repair this type of virus or Trojan infection?

Thank you!

Gregg M. Hill

