Suddenly, Connection Issues

For tech wizards and n00bs alike. Questions, answers, or just general hoo-haa.


puredeathly
Master
Posts: 249
Joined: Sun Mar 08, 2015 7:03 pm
Location: ::1
Fav. Twokinds Character: Flora

Re: Suddenly, Connection Issues

#16 Post by puredeathly »

Warning! a bit of off-topic! :grin:
asphere8 wrote:(and the only way to be completely sure it's gone) is to nuke it by completely reformatting the hard drive.
You can never be sure. Some recent leaks (looking at you HackingTeam :x ) proved that the proof-of-concepts about infected HDD firmware and infected PC BIOS are used in some rare cases...
You would have to write-lock the BIOS flash and the HDD firmware flash (and really any other storage with runnable code inside your PC...) to be sure...

-Jakob

asphere8
Master
Posts: 296
Joined: Sun Mar 22, 2015 2:52 pm
Location: Great White North

Re: Suddenly, Connection Issues

#17 Post by asphere8 »

puredeathly wrote:Warning! a bit of off-topic! :grin:
asphere8 wrote:(and the only way to be completely sure it's gone) is to nuke it by completely reformatting the hard drive.
You can never be sure. Some recent leaks (looking at you HackingTeam :x ) proved that the proof-of-concepts about infected HDD firmware and infected PC BIOS are used in some rare cases...
You would have to write-lock the BIOS flash and the HDD firmware flash (and really any other storage with runnable code inside your PC...) to be sure...

-Jakob
Reformatting is one step further than that. Reformatting is resetting the entire hard drive to factory settings and writing a new filesystem over it. Files that used to be on the disk could potentially be recovered with special software, but in most cases would be corrupted beyond repair. Old files are otherwise completely inaccessible. Any virus that might be on the system is entirely incapacitated by a reformatting. Keeping any files (even the BIOS) on an infected PC can lead to re-infection. That's why reformatting is the only way to be 100% sure a virus is destroyed.
Sometimes, I wish I could art.

avwolf
Templar Inner Circle
Posts: 7006
Joined: Wed Jan 17, 2007 5:33 pm
Location: Nebraska, USA

Re: Suddenly, Connection Issues

#18 Post by avwolf »

If they're infecting your firmware, they really want you. That's an awful lot of work and awfully specific work. I can easily imagine that it's possible, but outside of true cyberwarfare, I don't think it'll be common in the wild. Your average attacker isn't going to want to mess with something that in-depth and expensive. I'd keep it in the back of your mind, but a reformat would almost certainly deal with any malware you're going to actually see and deal with. Technically, a reformat's the only robust way to deal with any infection, as once a computer's been compromised, you can never actually trust that computer again. But unless you're working Systems (I'm Systems in my real life), you can probably get away with just trying to do a good solid virus scan or two and then determining if the system is still behaving outside of expectations before you burn it all down.
SperoWolf wrote:I did, but it brought up a ton of (seemingly) random numbers and such, and it won't let me copy and paste from there
Those "seemingly random" numbers are the thing I'm interested in. :P Once you know what they mean, they won't seem so random. The IPv4 DNS entry was the one I really wanted to see. That's the location of the computer that tells your computer what domain names mean. Essentially, the DNS server turns "www.google.com" into the address of the Google server; it works a little bit like a phone book, turning a person's name into the phone number you need to call that person. If a malicious server has taken over, it'll give you the wrong answer as for where to find Google (for instance) and insert itself in the middle (hence a man-in-the-middle attack) and spy on everything you tell Google (or whoever).

If you think that you can get by with the situation as it stands, so be it. If you're still interested in getting it solved, we're still here to offer advice.

-- Reformatting --
Your hard drive is a much more complicated topic than it appears at first glance. There are several ways to destroy your data, of varying "effectiveness", but if you just wanted to kill a virus, pretty much any would work. You might even be able to get away with just reinstalling the operating system and not reformatting anything at all. A reformat can be anything from a "quick reformat" to a multiple pass "full reformat." A quick format just destroys the internal record-keeping system (the inode table) in your computer's file system. Technically, the files are still there (until they're overwritten), but the computer doesn't know where to find them anymore and will treat everything like it's free space. A full reformat overwrites the entire drive with values (usually just all '0's or all '1's, but sometimes you'll see randomized value passes if you're doing a multiple-pass format). For a consumer, a single 0-pass is probably fine. Governments commonly format with multiple passes of different values (generally five to seven passes), to make it more difficult for a data forensics team to recover the data.
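The check avwolf is describing (look at the IPv4 DNS entry that `ipconfig /all` prints and ask whether it is the address you expect), written out as an added example that is not code from anyone in this thread. The `ipconfig /all` text below is a constructed sample, the `198.51.100.7` resolver is a documentation-range address standing in for an unexpected public DNS server, and the allow-list of public resolvers is an assumption you would replace with whatever you knowingly use.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (not a real capture). The
# first DNS server is one the router/DHCP did not hand out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DESKTOP-EXAMPLE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : home.example
   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 198.51.100.7
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Assumed allow-list: public resolvers the owner has deliberately configured.
TRUSTED_PUBLIC_RESOLVERS = frozenset({"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"})

# RFC 1918 ranges: a resolver here lives on the local network (normally the router).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# "   Label . . . . : value" -- the dotted-leader lines ipconfig prints.
LABEL_RE = re.compile(r"^\s+(?P<label>[A-Za-z][A-Za-z0-9 /-]*?)[ .]*:\s*(?P<value>.*?)\s*$")


def parse_ipconfig(text):
    """Collect every 'Label : value' field (adapters merged) and attach the
    deeply indented continuation lines used for multi-valued fields."""
    fields = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            current = None
            continue
        m = LABEL_RE.match(raw)
        if m:
            current = m.group("label")
            fields.setdefault(current, [])
            if m.group("value"):
                fields[current].append(m.group("value"))
        elif current is not None and raw.startswith(" " * 20):
            fields[current].append(raw.strip())
        else:
            current = None  # adapter header or unrelated line
    return fields


def classify_resolver(server, gateways, trusted_public):
    addr = server.split("%")[0]  # drop an IPv6 zone index such as fe80::1%12
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "SUSPICIOUS: not an IP address"
    if addr in gateways or ip.is_loopback or ip.is_link_local or any(ip in n for n in RFC1918):
        return "ok: local resolver"
    if addr in trusted_public:
        return "ok: allow-listed public resolver"
    return "SUSPICIOUS: unknown public resolver"


def audit_resolvers(text, trusted_public=TRUSTED_PUBLIC_RESOLVERS):
    """Return (server, verdict) pairs for every configured DNS server."""
    fields = parse_ipconfig(text)
    gateways = {g.split("%")[0] for g in fields.get("Default Gateway", [])}
    return [(s, classify_resolver(s, gateways, trusted_public))
            for s in fields.get("DNS Servers", [])]


def suspicious_resolvers(text, trusted_public=TRUSTED_PUBLIC_RESOLVERS):
    return [s for s, verdict in audit_resolvers(text, trusted_public)
            if verdict.startswith("SUSPICIOUS")]


if __name__ == "__main__":
    for server, verdict in audit_resolvers(SAMPLE_IPCONFIG):
        print(f"{server:20} {verdict}")
```

Since the console window will not let you copy, `ipconfig /all > ipconfig.txt` saves the same text to a file the script can read. The check only catches a resolver address that differs from what the router hands out; if the router itself has been reconfigured to point at a rogue resolver, the gateway address will look normal and you have to log into the router and compare its DNS settings against your ISP's.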

puredeathly
Master
Posts: 249
Joined: Sun Mar 08, 2015 7:03 pm
Location: ::1
Fav. Twokinds Character: Flora

Re: Suddenly, Connection Issues

#19 Post by puredeathly »

asphere8 wrote: Reformatting is one step further than that. Reformatting is resetting the entire hard drive to factory settings and writing a new filesystem over it. Files that used to be on the disk could potentially be recovered with special software, but in most cases would be corrupted beyond repair. Old files are otherwise completely inaccessible. Any virus that might be on the system is entirely incapacitated by a reformatting. Keeping any files (even the BIOS) on an infected PC can lead to re-infection. That's why reformatting is the only way to be 100% sure a virus is destroyed.
You do know that the BIOS is kept on a 1-4MB EEPROM on your motherboard (and your HDD has a small firmware storage too with about 1-8MB for the software that makes your HDD work as a HDD)?
There is (now confirmed) malware that infects these storages too and reinfects the OS after reinstalling it.
The only way you could get rid of it is by programming both of these storages using an external programmer (the leaked malware simulates successful programming if programmed using on-board tools).
avwolf wrote: -- Reformatting --
Your hard drive is a much more complicated topic than it appears at first glance. There are several ways to destroy your data, of varying "effectiveness", but if you just wanted to kill a virus, pretty much any would work. You might even be able to get away with just reinstalling the operating system and not reformatting anything at all. A reformat can be anything from a "quick reformat" to a multiple pass "full reformat." A quick format just destroys the internal record-keeping system (the inode table) in your computer's file system. Technically, the files are still there (until they're overwritten), but the computer doesn't know where to find them anymore and will treat everything like it's free space. A full reformat overwrites the entire drive with values (usually just all '0's or all '1's, but sometimes you'll see randomized value passes if you're doing a multiple-pass format). For a consumer, a single 0-pass is probably fine. Governments commonly format with multiple passes of different values (generally five to seven passes), to make it more difficult for a data forensics team to recover the data.
I know someone who worked in a bank.
They write multiple passes of random data (using dd if=/dev/random) over old HDDs before they get destroyed in a shredder (these things are funny to watch :P).
avwolf wrote:If they're infecting your firmware, they really want you. That's an awful lot of work and awfully specific work. I can easily imagine that it's possible, but outside of true cyberwarfare, I don't think it'll be common in the wild. Your average attacker isn't going to want to mess with something that in-depth and expensive. I'd keep it in the back of your mind, but a reformat would almost certainly deal with any malware you're going to actually see and deal with. Technically, a reformat's the only robust way to deal with any infection, as once a computer's been compromised, you can never actually trust that computer again. But unless you're working Systems (I'm Systems in my real life), you can probably get away with just trying to do a good solid virus scan or two and then determining if the system is still behaving outside of expectations before you burn it all down.
I agree with you that it is extremely uncommon (no cases are known yet) for a virus to dig that deep into the system as it is a lot of work to code (basically different for each motherboard) but it is possible.
The average virus goes for easy targets such as one of many Windows exploits of unpatched systems :P

I really hope this is not too much off-topic... I just love to discuss IT security stuff (and I'm really interested in pentesting (mostly for friends for now) :3)
-Jakob
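The quick-format versus full-format distinction avwolf laid out above, and the multi-pass random overwrite Jakob's bank example describes, modelled as an added example that is not code from anyone in this thread. It is a toy block device (assumed layout: block 0 is a one-byte-per-block allocation table, blocks 1 to 63 hold data; the file contents are a constructed sample) that shows what the filesystem sees and what a raw carve of the bytes sees after each kind of wipe.

```python
import os

BLOCK = 64      # bytes per block (toy value; real disks use 512 or 4096)
NBLOCKS = 64    # 4 KiB toy disk: block 0 is the allocation table, 1..63 are data

SECRET = b"BEGIN-SECRET:account=0123456789:END-SECRET"  # constructed file content


class ToyDisk:
    """A block device with a one-byte-per-block allocation table in block 0."""

    def __init__(self):
        self.buf = bytearray(BLOCK * NBLOCKS)
        self._reset_table()

    def _reset_table(self):
        self.buf[0:NBLOCKS] = bytes(NBLOCKS)
        self.buf[0] = 1  # the table's own block is always in use

    def allocated_blocks(self):
        return [b for b in range(1, NBLOCKS) if self.buf[b] == 1]

    def write_file(self, payload):
        needed = -(-len(payload) // BLOCK)  # ceiling division
        free = [b for b in range(1, NBLOCKS) if self.buf[b] == 0]
        if len(free) < needed:
            raise OSError("disk full")
        for i, b in enumerate(free[:needed]):
            self.buf[b] = 1  # mark in the table
            chunk = payload[i * BLOCK:(i + 1) * BLOCK]
            self.buf[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        return free[:needed]

    def quick_format(self):
        """Wipe only the bookkeeping: every data block still holds its old bytes."""
        self._reset_table()

    def full_format(self, patterns=(b"\x00",)):
        """Overwrite every byte of the device once per pattern. None means a
        random pass, the equivalent of dd if=/dev/urandom of=/dev/sdX."""
        for pattern in patterns:
            if pattern is None:
                self.buf[:] = os.urandom(len(self.buf))
            else:
                self.buf[:] = pattern * len(self.buf)
        self._reset_table()  # lay a fresh, empty filesystem on top


def carve(disk, marker):
    """What a recovery/forensics tool does: scan the raw bytes and ignore the table."""
    return disk.buf.find(marker) != -1


def run_demo():
    """Return what the filesystem and a raw carve see after each kind of wipe."""
    results = {}

    d = ToyDisk()
    d.write_file(SECRET)
    results["fs_sees_file"] = bool(d.allocated_blocks())
    d.quick_format()
    results["fs_sees_file_after_quick"] = bool(d.allocated_blocks())  # False: table gone
    results["carve_after_quick"] = carve(d, SECRET)                    # True: bytes remain

    d = ToyDisk()
    d.write_file(SECRET)
    d.full_format()                                                    # single zero pass
    results["carve_after_single_pass"] = carve(d, SECRET)              # False

    d = ToyDisk()
    d.write_file(SECRET)
    d.full_format(patterns=(b"\x00", b"\xff", None))                   # 3 passes, last random
    results["carve_after_multi_pass"] = carve(d, SECRET)               # False
    results["last_pass_was_random"] = len(set(d.buf[BLOCK:2 * BLOCK])) > 1
    return results


if __name__ == "__main__":
    for stage, seen in run_demo().items():
        print(f"{stage:28} {seen}")
```

The model has no sector remapping or wear levelling, which is exactly where real drives differ: on an SSD, or on a disk with reallocated sectors, an overwrite issued from the host does not reach every cell, so a full format is not a guarantee there. And, as the rest of the thread points out, neither kind of format touches the drive's own firmware store at all.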
