Should one buy new hardware after a system compromise?
If there are places on a laptop where malicious programs can leave elements, hooks, backdoors etc., in locations such as BIOS, device controllers, firmware etc., what confidence can one have in wiping the disk and installing a fresh OS image?
If I were to first use data destruction software to overwrite every individually addressable location on the hard disk, before secondly installing a freshly downloaded Windows image, this presumably isn’t much of a solution.
Surely, binning and buying a replacement is the only option? (Which would be dire, since the machine is new.)
malware windows hardware
asked May 22 at 19:54 by CompCat (edited May 23 at 23:56 by forest)
10
Related: Search for military installed backdoors on laptop
– forest
May 22 at 20:11
4 Answers
You must do risk management. How likely is it that you and your laptop have been personally targeted? The vast majority of persistent malware operates entirely in software, and formatting the disk is more than enough to remove all traces of it. Sophisticated, firmware-resident malware is extremely rare and unlikely to be a threat unless you have particular reason to think that you are at risk. It is possible to check for firmware-level malware, but it requires a good understanding of common x86 architecture, and access to hardware to read from the flash chips. At a minimum, you'd need SPI readers for the BIOS/UEFI, and JTAG probes for the hard drive firmware and related.
If you don't have any reason to think you're being targeted, just format and re-install.
answered May 22 at 20:02 by forest
14
"Sophisticated, firmware-resident malware is extremely rare" Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
9
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
4
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can log in remotely to the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
9
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
4
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
While you are right to note some of the more esoteric attack vectors, you need to remember that they are not typically the kind of things a rogue employee or corporate competitor would utilize.
I would (pessimistically) suggest that if your attackers are capable of undetectable custom BIOS and controller mods, then replacing the hardware isn't likely to be a sure-fire remedy anyway. They got to you once, and they are a powerful adversary, so it doesn't stand to reason they don't have other compromises or aren't capable of a repeat "visit". Being pro-active is great, but be realistic as well, and appreciate the capabilities of your threats.
answered May 23 at 17:14 by dandavis (edited May 24 at 4:35 by tschumann)
If you flash your BIOS with the latest/best copy you can find at the manufacturer's site, wipe and reformat your hard drive, re-install/upgrade all the device drivers (which you'd normally have to do anyway), there's little chance of anything going wrong.
answered May 24 at 1:38 by George M
6
If you have an already compromised BIOS, you can't just flash a new BIOS via software. You have to use an SPI programmer and directly connect it to the chip that holds the firmware in flash/EEPROM.
– forest
May 24 at 2:05
@forest how about this procedure? techwalla.com/articles/removing-bios-virus do you think that wouldn't work for some reason?
– George M
May 24 at 20:50
2
@GeorgeM in that case, you're using a potentially corrupted BIOS to boot the system in order to clean it. If it needs to be flashed because you don't trust that it hasn't been compromised, you can't use it as part of your restoration procedure. For example, it could just put the same compromise back in the newly flashed BIOS.
– Xcali
May 24 at 21:19
2
@GeorgeM As far as I can tell, flashing the BIOS is an activity performed by the BIOS itself. An infected BIOS might have a modified flashing routine that pretends to perform the flash but really does nothing, or alternatively performs the flash and then reinstalls the compromise on the new BIOS. Using an SPI programmer would be the only way to bypass that compromised firmware layer, and write the new BIOS directly to the chip.
– DarthFennec
May 24 at 23:52
1
@DarthFennec It's not that it's performed by the BIOS, but the BIOS does have control over the operating system which performs it. Compromised firmware implies a compromised OS, so trying to flash clean firmware from within that compromised OS is futile.
– forest
May 25 at 3:18
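The check that forest's answer and the comments above point to, reading the flash chip with an external programmer instead of trusting the running firmware, as an added example (not code from any poster). It assumes an Intel-style flash descriptor (signature 0x0FF0A55A at offset 0x10, five region registers), a known-good full-chip reference image for the same board, and hypothetical function names; the sample image is constructed.

```python
import hashlib
import struct

FD_SIGNATURE = 0x0FF0A55A   # Intel flash descriptor magic, stored at offset 0x10
REGION_NAMES = ["descriptor", "bios", "me", "gbe", "pdr"]
BLOCK = 4096                # compare in 4 KiB units


def parse_regions(image):
    """Map region name -> (start, end) from the descriptor's FLREG registers."""
    if len(image) < 0x1000 or struct.unpack_from("<I", image, 0x10)[0] != FD_SIGNATURE:
        raise ValueError("no Intel flash descriptor at offset 0x10")
    flmap0 = struct.unpack_from("<I", image, 0x14)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4            # offset of the region table
    regions = {}
    for i, name in enumerate(REGION_NAMES):
        flreg = struct.unpack_from("<I", image, frba + 4 * i)[0]
        base = (flreg & 0x7FFF) << 12
        limit = (((flreg >> 16) & 0x7FFF) << 12) | 0xFFF
        if base > limit:                           # encoding for "region not present"
            continue
        if limit >= len(image):
            raise ValueError(f"region {name} extends past the end of the image")
        regions[name] = (base, limit + 1)
    return regions


def differing_ranges(a, b, start, end):
    """Coalesce differing 4 KiB blocks of a and b within [start, end) into ranges."""
    ranges = []
    for off in range(start, end, BLOCK):
        stop = min(off + BLOCK, end)
        if a[off:stop] != b[off:stop]:
            if ranges and ranges[-1][1] == off:
                ranges[-1] = (ranges[-1][0], stop)
            else:
                ranges.append((off, stop))
    return ranges


def compare_dump(read1, read2, reference):
    """Require two identical reads, then diff the dump against the reference."""
    if read1 != read2:
        raise ValueError("the two reads differ: reseat the clip and read again")
    if len(read1) != len(reference):
        raise ValueError("dump and reference sizes differ: wrong chip or image")
    report = {}
    # The region map comes from the trusted reference, never from the dump,
    # so a tampered descriptor cannot narrow what gets compared.
    for name, (start, end) in parse_regions(reference).items():
        report[name] = {
            "sha256_dump": hashlib.sha256(read1[start:end]).hexdigest(),
            "sha256_ref": hashlib.sha256(reference[start:end]).hexdigest(),
            "diff": differing_ranges(read1, reference, start, end),
        }
    return report


def build_sample_image(size=0x20000):
    """Constructed 128 KiB image: descriptor, ME at 0x1000, BIOS at 0x8000."""
    img = bytearray(b"\xff" * size)
    img[0x1000:] = bytes((i * 7) & 0xFF for i in range(size - 0x1000))
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, 0x04 << 16)  # FRBA field -> table at 0x40

    def flreg(base, end):
        return (((end - 1) >> 12) << 16) | (base >> 12)

    unused = 0x00007FFF                            # base > limit: not present
    regs = [flreg(0, 0x1000), flreg(0x8000, size), flreg(0x1000, 0x8000),
            unused, unused]
    struct.pack_into("<5I", img, 0x40, *regs)
    return bytes(img)


if __name__ == "__main__":
    reference = build_sample_image()
    dump = bytearray(reference)
    for off in (0x9004, 0xA100, 0x1F800):          # constructed modifications
        dump[off] ^= 0xFF
    dump = bytes(dump)
    for name, r in compare_dump(dump, dump, reference).items():
        state = "identical" if not r["diff"] else "DIFFERS"
        print(f"{name:10s} {state}")
        for start, end in r["diff"]:
            print(f"    0x{start:06x}-0x{end - 1:06x}")
```

Differences inside the BIOS region are not proof of tampering on their own, because firmware settings stored in flash change during normal use; the reported ranges show where to look.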
The main example I can find is from 2011 called Trojan.Mebromi. Symantec wrote up a bunch on this and similar viruses in 2011.
I do find one forum post from Jan 2019 where someone had an MBR infection. It sure didn't hide itself and want to stay persistent. Its objective seems to have been destruction.
If something is sophisticated enough to infect your hardware in the way you mention, keep itself quietly persistent without any symptoms, I don't think you'll be patient zero! It will be all over the news!
I run Malwarebytes on my MacBookPro regularly just to make sure nothing has found its way onto my system.
6
MBR is not part of the hardware, it's the first sector of the drive. `dd if=/dev/zero of=/dev/infected bs=512 count=1` will wipe the MBR with zeroes.
– MechMK1
May 24 at 8:41
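The sector layout behind the comment above, as an added example that is not part of the thread: the 512-byte MBR holds the partition table and boot signature as well as the boot code, so zeroing the whole sector removes all three. Function names are hypothetical, the sample sector is constructed, and the code works on bytes in memory, not on a device.

```python
import hashlib
import struct

SECTOR = 512
CODE_LEN = 440          # bootstrap code; bytes 440-445 hold the disk signature
TABLE_OFF = 446         # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"  # bytes 510-511


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries of an MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("boot signature 55 AA missing: not an MBR")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFF + 16 * i:TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype:                                   # type 0 marks an empty slot
            partitions.append({"slot": i, "bootable": entry[0] == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    # Record this hash before wiping so the original boot code can be
    # identified later from a saved copy of the sector.
    return {"code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
            "partitions": partitions}


def zero_whole_sector(sector):
    """Effect of the dd command in the comment: all 512 bytes become zero."""
    return bytes(len(sector))


def zero_boot_code_only(sector):
    """Clear only the bootstrap code; keep disk signature, table and 55 AA."""
    return bytes(CODE_LEN) + sector[CODE_LEN:]


def build_sample_mbr():
    """Constructed sector: placeholder boot code and one bootable partition."""
    s = bytearray(SECTOR)
    s[:CODE_LEN] = bytes([0x90]) * CODE_LEN          # placeholder code bytes
    struct.pack_into("<I", s, 440, 0x1234ABCD)       # constructed disk signature
    s[TABLE_OFF:TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1024000)
    s[510:512] = BOOT_SIG
    return bytes(s)


if __name__ == "__main__":
    original = build_sample_mbr()
    print("before:", parse_mbr(original))
    print("code only:", parse_mbr(zero_boot_code_only(original)))
    try:
        parse_mbr(zero_whole_sector(original))
    except ValueError as err:
        print("whole sector zeroed:", err)
```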
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
CompCat is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f210629%2fshould-one-buy-new-hardware-after-a-system-compromise%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
You must do risk management. How likely it is that you and your laptop have been personally targeted? The vast majority of persistent malware operates entirely in software, and formatting the disk is more than enough to remove all traces of it. Sophisticated, firmware-resident malware is extremely rare and unlikely to be a threat unless you have particular reason to think that you are at risk. It is possible to check for firmware-level malware, but it requires a good understanding of common x86 architecture, and access to hardware to read from the flash chips. At a minimum, you'd need SPI readers for the BIOS/UEFI, and JTAG probes for the hard drive firmware and related.
If you don't have any reason to think you're being targeted, just format and re-install.
14
Sophisticated, firmware-resident malware is extremely rare Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
9
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
4
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
9
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
4
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
|
show 8 more comments
You must do risk management. How likely it is that you and your laptop have been personally targeted? The vast majority of persistent malware operates entirely in software, and formatting the disk is more than enough to remove all traces of it. Sophisticated, firmware-resident malware is extremely rare and unlikely to be a threat unless you have particular reason to think that you are at risk. It is possible to check for firmware-level malware, but it requires a good understanding of common x86 architecture, and access to hardware to read from the flash chips. At a minimum, you'd need SPI readers for the BIOS/UEFI, and JTAG probes for the hard drive firmware and related.
If you don't have any reason to think you're being targeted, just format and re-install.
14
Sophisticated, firmware-resident malware is extremely rare Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
9
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
4
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
9
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
4
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
|
show 8 more comments
You must do risk management. How likely it is that you and your laptop have been personally targeted? The vast majority of persistent malware operates entirely in software, and formatting the disk is more than enough to remove all traces of it. Sophisticated, firmware-resident malware is extremely rare and unlikely to be a threat unless you have particular reason to think that you are at risk. It is possible to check for firmware-level malware, but it requires a good understanding of common x86 architecture, and access to hardware to read from the flash chips. At a minimum, you'd need SPI readers for the BIOS/UEFI, and JTAG probes for the hard drive firmware and related.
If you don't have any reason to think you're being targeted, just format and re-install.
You must do risk management. How likely it is that you and your laptop have been personally targeted? The vast majority of persistent malware operates entirely in software, and formatting the disk is more than enough to remove all traces of it. Sophisticated, firmware-resident malware is extremely rare and unlikely to be a threat unless you have particular reason to think that you are at risk. It is possible to check for firmware-level malware, but it requires a good understanding of common x86 architecture, and access to hardware to read from the flash chips. At a minimum, you'd need SPI readers for the BIOS/UEFI, and JTAG probes for the hard drive firmware and related.
If you don't have any reason to think you're being targeted, just format and re-install.
answered May 22 at 20:02
forestforest
43.3k18144160
43.3k18144160
14
Sophisticated, firmware-resident malware is extremely rare Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
9
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
4
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
9
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
4
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
|
show 8 more comments
14
Sophisticated, firmware-resident malware is extremely rare Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
9
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
4
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
9
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
4
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
14
14
Sophisticated, firmware-resident malware is extremely rare Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
Sophisticated, firmware-resident malware is extremely rare Unless (mentioned just for completeness) you consider things like Intel ME to fit inside the category, in which case it's extremely common.
– Federico Poloni
May 23 at 7:23
9
9
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
@FedericoPoloni The CSME is definitely an ugly black box, but I wouldn't quite consider it malware. It needs to have AMT modules loaded (which is only true for some server hardware) and be provisioned for remote access before it's able to do anything harmful like remotely controlling a system.
– forest
May 23 at 7:28
4
4
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
The Intel Management Engine always runs as long as the motherboard is receiving power, even when the computer is turned off. System administrators can use it to turn the computer on and off, and they can login remotely into the computer regardless of whether or not an operating system is installed. en.m.wikipedia.org/wiki/Intel_Management_Engine
– Pedro Lobito
May 23 at 12:17
9
9
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
@Pedro all of that is true, but only after going through the initial firmware setup to set a password, configure networking, and enable the service. Out of the box it does nothing. Initial provisioning requires physical access.
– barbecue
May 23 at 19:30
4
4
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
If you have been personally targeted, buying new hardware is no assurance of getting unaltered hardware unless you have good control over the supply chain since someone could install a backdoor before you have possession of the hardware.
– Johnny
May 24 at 20:21
|
show 8 more comments
While you are right to note some of the more esoteric attack vectors, you need to remember that they are not typically the kind of things a rogue employee or corporate competitor would utilize.
I would (pessimistically) suggest that if your attackers are capable of undetectable custom BIOS and controller mods, then replacing the hardware isn't likely to be a sure-fire remedy anyway. They got to you once, and they are a powerful adversary, so it doesn't stand to reason they don't have other compromises or aren't capable of a repeat "visit". Being pro-active is great, but be realistic as well, and appreciate the capabilities of your threats.
add a comment |
While you are right to note some of the more esoteric attack vectors, you need to remember that they are not typically the kind of things a rogue employee or corporate competitor would utilize.
I would (pessimistically) suggest that if your attackers are capable of undetectable custom BIOS and controller mods, then replacing the hardware isn't likely to be a sure-fire remedy anyway. They got to you once, and they are a powerful adversary, so it doesn't stand to reason they don't have other compromises or aren't capable of a repeat "visit". Being pro-active is great, but be realistic as well, and appreciate the capabilities of your threats.
add a comment |
While you are right to note some of the more esoteric attack vectors, you need to remember that they are not typically the kind of things a rogue employee or corporate competitor would utilize.
I would (pessimistically) suggest that if your attackers are capable of undetectable custom BIOS and controller mods, then replacing the hardware isn't likely to be a sure-fire remedy anyway. They got to you once, and they are a powerful adversary, so it doesn't stand to reason they don't have other compromises or aren't capable of a repeat "visit". Being pro-active is great, but be realistic as well, and appreciate the capabilities of your threats.
While you are right to note some of the more esoteric attack vectors, you need to remember that they are not typically the kind of things a rogue employee or corporate competitor would utilize.
I would (pessimistically) suggest that if your attackers are capable of undetectable custom BIOS and controller mods, then replacing the hardware isn't likely to be a sure-fire remedy anyway. They got to you once, and they are a powerful adversary, so it doesn't stand to reason they don't have other compromises or aren't capable of a repeat "visit". Being pro-active is great, but be realistic as well, and appreciate the capabilities of your threats.
edited May 24 at 4:35
tschumann
31
31
answered May 23 at 17:14
dandavisdandavis
2,117715
2,117715
add a comment |
add a comment |
If you flash your BIOS with the latest/best copy you can find at the manufacturer's site, wipe and reformat your hard drive, re-install/upgrade all the device drivers (which you'd normally have to do anyway), there's little chance of anything going wrong.
6
If you have an already compromised BIOS, you can't just flash a new BIOS via software. You have to use an SPI programmer and directly connect it to the chip that holds the firmware in flash/EEPROM.
– forest
May 24 at 2:05
@forest how about this procedure? techwalla.com/articles/removing-bios-virus do you think that wouldn't work for some reason?
– George M
May 24 at 20:50
2
@GeorgeM in that case, you're using a potentially corrupted BIOS to boot the system in order to clean it. If it needs to be flashed because you don't trust that it hasn't been compromised, you can't use it as part of your restoration procedure. For example, it could just put the same compromise back in the newly flashed BIOS.
– Xcali
May 24 at 21:19
2
@GeorgeM As far as I can tell, flashing the BIOS is an activity performed by the BIOS itself. An infected BIOS might have a modified flashing routine that pretends to perform the flash but really does nothing, or alternatively performs the flash and then reinstalls the compromise on the new BIOS. Using an SPI programmer would be the only way to bypass that compromised firmware layer, and write the new BIOS directly to the chip.
– DarthFennec
May 24 at 23:52
1
@DarthFennec It's not that it's performed by the BIOS, but the BIOS does have control over the operating system which performs it. Compromised firmware implies a compromised OS, so trying to flash clean firmware from within that compromised OS is futile.
– forest
May 25 at 3:18
|
show 1 more comment
If you flash your BIOS with the latest/best copy you can find at the manufacturer's site, wipe and reformat your hard drive, re-install/upgrade all the device drivers (which you'd normally have to do anyway), there's little chance of anything going wrong.
6
If you have an already compromised BIOS, you can't just flash a new BIOS via software. You have to use an SPI programmer and directly connect it to the chip that holds the firmware in flash/EEPROM.
– forest
May 24 at 2:05
@forest how about this procedure? techwalla.com/articles/removing-bios-virus do you think that wouldn't work for some reason?
– George M
May 24 at 20:50
2
@GeorgeM in that case, you're using a potentially corrupted BIOS to boot the system in order to clean it. If it needs to be flashed because you don't trust that it hasn't been compromised, you can't use it as part of your restoration procedure. For example, it could just put the same compromise back in the newly flashed BIOS.
– Xcali
May 24 at 21:19
2
@GeorgeM As far as I can tell, flashing the BIOS is an activity performed by the BIOS itself. An infected BIOS might have a modified flashing routine that pretends to perform the flash but really does nothing, or alternatively performs the flash and then reinstalls the compromise on the new BIOS. Using an SPI programmer would be the only way to bypass that compromised firmware layer, and write the new BIOS directly to the chip.
– DarthFennec
May 24 at 23:52
1
@DarthFennec It's not that it's performed by the BIOS, but the BIOS does have control over the operating system which performs it. Compromised firmware implies a compromised OS, so trying to flash clean firmware from within that compromised OS is futile.
– forest
May 25 at 3:18
|
show 1 more comment
If you flash your BIOS with the latest/best copy you can find at the manufacturer's site, wipe and reformat your hard drive, re-install/upgrade all the device drivers (which you'd normally have to do anyway), there's little chance of anything going wrong.
If you flash your BIOS with the latest/best copy you can find at the manufacturer's site, wipe and reformat your hard drive, re-install/upgrade all the device drivers (which you'd normally have to do anyway), there's little chance of anything going wrong.
answered May 24 at 1:38
George M
The main example I can find is from 2011 called Trojan.Mebromi. Symantec wrote up a bunch on this and similar viruses in 2011.
I do find one forum post from Jan 2019 where someone had an MBR infection. It sure didn't hide itself and want to stay persistent. Its objective seems to have been destruction.
If something is sophisticated enough to infect your hardware in the way you mention, keep itself quietly persistent without any symptoms, I don't think you'll be patient zero! It will be all over the news!
I run Malwarebytes on my MacBook Pro regularly just to make sure nothing has found its way onto my system.
6
MBR is not part of the hardware, it's the first sector of the drive.
dd if=/dev/zero of=/dev/infected bs=512 count=1
will wipe the MBR with zeroes.
– MechMK1
May 24 at 8:41
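The dd command in the comment above zeroes all 512 bytes of sector 0, which also clears the partition table (offsets 446-509) and the 0x55AA boot signature. As an added example, not part of the original thread, this sketch keeps a copy of the sector and zeroes only the 446-byte boot code area; it runs against a constructed image file, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: operates on a constructed image file, never on a real device.

# Build a constructed 1 MiB "disk": 446 bytes of 0x90 stand in for suspect
# boot code, one fake partition entry (type 0x83), and the 0x55AA signature.
make_sample_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=2048 2>/dev/null
    dd if=/dev/zero bs=446 count=1 2>/dev/null | LC_ALL=C tr '\000' '\220' |
        dd of="$img" conv=notrunc 2>/dev/null
    printf '\203' | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Print <length> bytes starting at <offset> as lowercase hex.
mbr_hex() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

mbr_signature_ok() {
    [ "$(mbr_hex "$1" 510 2)" = "55aa" ]
}

# Keep a copy of sector 0 for later analysis, then zero only bytes 0-445.
# conv=notrunc stops dd from truncating a regular file used as the target.
wipe_boot_code() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null
    dd if=/dev/zero of="$1" bs=446 count=1 conv=notrunc 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_image "$dir/disk.img"
    table_before=$(mbr_hex "$dir/disk.img" 446 64)
    wipe_boot_code "$dir/disk.img" "$dir/mbr.bak"
    if [ "$(mbr_hex "$dir/disk.img" 446 64)" = "$table_before" ] &&
        mbr_signature_ok "$dir/disk.img"; then
        echo "boot code zeroed, partition table and signature intact"
    fi
    rm -rf "$dir"
}
demo
```

The saved copy of sector 0 can be hashed or disassembled later; the disk then needs a known-good boot loader reinstalled before it will boot again.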
answered May 23 at 22:43
Neal
10
Related: Search for military installed backdoors on laptop
– forest
May 22 at 20:11