HD plus Motherboard rootkit infection

sfeg · 05 Mar 2012

If both a HD and the motherboard firmware are infected by a trojan virus, how does one go about disinfecting? For the Mobo, does a Bios flash with updates take care of it?

But which one to do first? It seems that upon wipe/reinstall, the HD could get infected immediately again by the Mobo, and vice versa for the Mobo.

I'm thinking HD wipe, then Mobo flash, then HD format/reinstall... still not completely foolproof, but does that make sense or not?

profdlp · 05 Mar 2012

You might try to first remove the hard drive, then flash the BIOS from a USB stick. Then attach the hard drive, boot from a DVD and wipe the drive. As for the BIOS flash, I've heard mixed results from ridding yourself of an infection that way. I'd try it, though, since the alternative is to order a brand new BIOS chip - and that's assuming it is of the "pop-out chip" type. :)

sfeg · 05 Mar 2012

But wouldn't the HD just re-infect the flashed Mobo? I don't suppose there is any way to wipe/reformat the HD without being connected to the Mobo. Unless you pay for services at a place which has "immune" Mobos, if that exists. So I'm thinking wipe then quickly PULL that HD's SATA plug (and risk crashing?!)

This Tom's Hardware article, especially the final comment on 2/4/12, makes me feel very pessimistic about getting rid of rootkits

Webroot Discovers BIOS Rootkit

The scary thing is, how would one even know if one was still infected and being keylogged/spied upon silently?

sfeg · 05 Mar 2012

If I use Diskpart or another utility (such as KillDisk or DBAN), is it possible to wipe the HD first but don't format it yet? (Or do all wipes also format?)

While still unformatted, will the HD be un-writable, and thus un-infectable?

Then I would do the HD format to NTFS later, after flashing Mobo. By the way, FYI my Mobo's updates can be flashed via a USB drive only (CD/DVD isn't an option).

profdlp · 05 Mar 2012

Booting from a DVD should allow you to wipe the HD without the HD having a chance to run anything. I'll hedge that a bit by saying that without knowing the nature of the worm in question I would hate to bet everything I own on that.

I haven't been in this situation myself so I can't offer any kind of precise "here's what I did and it worked" advice. Thinking by the seat of my pants, it seems your best option would be to give it a shot. If it doesn't work you'll be no worse off. The only 100% foolproof alternative I can think of would be to replace both the MB and the HD and toss the old ones in the trash.

You sound quite sure of the fact that the BIOS EEPROM is infected. I'm not doubting you, but I am curious as to how you came to this conclusion. I guess one of my worst fears when it comes to a MB would be something like this where it may be difficult to know that the patient has indeed been cured after treatment.

profdlp · 05 Mar 2012

Sorry, I'm a slow typist and hadn't seen your reply when i posted back. :)

sfeg said:

If I wipe the HD first but don't format it yet, will it be un-writable, and thus un-infectable?

That sounds very wise. I think that's an excellent way to go.

By the way, my Mobo's updates can be flashed via a USB drive only (CD/DVD isn't an option).

That's fine. I was just suggesting you isolate the two devices while cleaning things up. Otherwise it would be like getting the flu and being admitted to the hospital, then sharing a room with another flu patient. You'd just end up passing it back and forth.

sfeg · 05 Mar 2012

No problem, thanks :)

So then the question becomes, are there any wipe programs which will simply wipe but hold off on the formatting?

If not, do I maybe need to use Linux OS CD to do the wiping... and reformat it to FAT32 temporarily?

Golden · 05 Mar 2012

Hi,

You seem sure you have a rootkit. Do you know the name, and how did you uncover it?

Also, what is the make/name of your BIOS?

Regards,
Golden