Digital Forensics and Incident Response website

Malware found in hard drive firmware!

I have been teaching clean room data recovery, digital forensics, and system exploitation for many years. It has recently come to light that many different hard drives from multiple vendors have been found with malware or malicious logic installed in the firmware. Infecting a drive before it ships is nothing new and has been done against nation states and companies alike. What is new is that the hard-to-access firmware itself was infected.

This may not sound like a big deal, but firmware is special code that not only tells the hardware how to act, it also tells the operating system how to interact with the hardware. Firmware on a hard drive tells the headstack, the moving arms in a spinning platter drive, how to read the analog data off the magnetic disk. It tells the motor how fast to spin. It controls everything about the hard drive before the motherboard or operating system can even recognize the drive as a drive. The firmware is stored in two places on traditional hard drives. The first is the Printed Circuit Board (PCB) on the bottom of the drive. The second is called the System Area, or "S.A." for short. This area is also called the negative cylinders, maintenance tracks, reserved cylinders, calibration area, initialization area, and diskware; the name depends on the manufacturer. Think of the SA as a database stored in a special area of the platters that only the hard drive itself was designed to access. This database contains the serial number, SMART data, the bad block lists, and other information, including the firmware overlays, executable code, and updates. It was designed this way because it is easier to update data on the drive than it is to change the PCB hardware.

Unfortunately, just as vendors cannot even standardize on a name, they also use different methods of implementing the SA: the SA itself varies in size, the fields in its database vary in size, and the items stored there vary from vendor to vendor. This adds too many variables for most data recovery experts to bother with, let alone hackers. Another issue is that the data is written in a physically different format, as Utility Block Addressing (UBA) modules.

What does this mean for forensics? Well, besides the likelihood of this code running with root or system privileges, this negative space cannot be natively seen even by the operating system. As far as the computer is concerned, the hard drive starts at sector 0, and the negative space lies before it. Sector 0 has generally contained the Master Boot Record, or MBR. This is the code that tells the motherboard how to handle the data on the drive starting at sector 1. Even the "government used gold standard" forensic tools can only see from sector 0 to the last sector, which makes them ineffective at finding this threat.
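To make the "sector 0 to the last sector" view concrete, here is an added example (not code from the original post) that parses a constructed MBR the way a sector-level forensic tool would and lays out every LBA range the host can address. The sample MBR bytes, the disk size, and the function names are assumptions for illustration. The point it demonstrates is that every LBA field is an unsigned 32-bit number and every range starts at 0: the host-side data model has no way to name a negative cylinder, so the SA is simply outside the map.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"
# Each of the four partition entries: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr():
    """Constructed sample sector 0: one bootable NTFS-type (0x07) partition at LBA 2048."""
    boot_code = b"\x00" * 446                       # bootstrap code area, zeroed for the sample
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    empty = b"\x00" * 16                            # three unused entries
    return boot_code + entry + empty * 3 + MBR_SIGNATURE


def parse_mbr(sector0):
    """Return the in-use partition entries from a 512-byte sector 0 image."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    if sector0[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector0[off:off + 16])
        if ptype == 0 and count == 0:
            continue                                # empty slot
        parts.append({"index": i + 1, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": count})
    return parts


def host_visible_layout(parts, disk_sectors):
    """Every LBA range a sector-level tool can examine, as (label, first, last) tuples.

    disk_sectors is the capacity the drive reports to the host. Nothing below LBA 0
    exists in this model, which is exactly why negative cylinders never appear here.
    """
    layout = [("mbr", 0, 0)]
    cursor = 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            layout.append(("unallocated", cursor, p["lba_start"] - 1))
        last = p["lba_start"] + p["sectors"] - 1
        layout.append((f"partition {p['index']}", p["lba_start"], last))
        cursor = last + 1
    if cursor < disk_sectors:
        layout.append(("unallocated", cursor, disk_sectors - 1))
    return layout


if __name__ == "__main__":
    sample = build_sample_mbr()
    for label, first, last in host_visible_layout(parse_mbr(sample), 2_000_000):
        print(f"{label:12s} LBA {first:>8d} .. {last:>8d}")
```

Running it prints the MBR, the pre-partition gap, the partition, and the trailing free space, and nothing else; a dead-box image of this drive would contain exactly those ranges. Pointing `parse_mbr` at the first 512 bytes of a real image works the same way, which is the cheap check to run before assuming an image is complete: the image is "complete" only with respect to what the host was ever allowed to read.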

Data recovery tools, on the other hand, can see this area, since many drive failures are caused by corrupted firmware. Tools like the PC3000 from DeepSpar can see this area and even back it up and replace it. The other option is to write your own tool to access this area, as the actors behind this malware have done. Remember, though, that each drive family and manufacturer will most likely be different. This means the malware had to be customized for many different drive configurations, and that alone makes it an Advanced Persistent Threat.

Are your forensic tools useless? No. Not completely. Even though your traditional post mortem or dead box forensic methods cannot see this threat, there are other forensic vectors such as memory analysis and network monitoring. Every network connection leaves a fingerprint. You just have to find it.

Now, before anyone claims that a 14 year old perpetrated this attack, use common sense. Is it possible? Yes. Is it likely? Not by a long shot. As in law enforcement, you should talk to M.O.M.: explain Means, Operandi, and Motive. This took a lot of skill. This took a lot of knowledge. Whoever wrote this had an extensive budget to fund the research and to purchase new drives as they came out. This was likely a team that had the wherewithal to test and keep up to date with the different SA parameters, and the patience to wait for the "Profit"...
