Hacker News new | ask | show | jobs
by kw71 4146 days ago
> if you don't boot from it

The malware might remain quiescent unless the examination techniques mimic a computer that is booting.

I might prefer to use an analyzer to monitor the disk channel of a machine that is booting and running.

Building an SATA probe/analyzer is within hobbyist knowledge and skill levels now. If you have money you can simply buy it from LeCroy and many others, or rent it by the month/week.
1 comments
AlyssaRowan 4145 days ago
There's a specific reason I said to send an ATA reset first! IRATEMONK (for it is that) isn't that smart. Doesn't need to be.

If you want to test more thoroughly, or actually dump the object for analysis, as wongarsu says below, the JTAG port or the serial port is the way to go. That's how they get it in there.

link
kw71 4145 days ago
Usually a booting PC will issue several identify commands and try a SMART health check, and if there is a RAID option ROM then specific series of READ will be issued. If it would really disclose itself with simple RESET, READ interrogation then I must be a better malware author than those players. I don't think I am, and I feel that if it would give itself away without ensuring that the OS is really booting, this is a big flaw. If it were my project, it would be a showstopper. I'm a noob in the sense that I have never considered malware before, so probably the developers (who are smarter than me) thought about it long before I did.

This flaw would also make it much simpler to write a script for MHDD that would reveal the infection on the infected target itself after booting from a floppy.

I think a JTAG probe is not especially useful to analyze a hard disk. The flash on the board is usually only a bootstrap and "physical driver" of sorts. The rest of the firmware is stored on the media - you can see that many disks do not even know what they are if you disconnect the heads and try to identify.

I think JTAG is not commonly in the toolbox of the data recovery guys who dump firmware modules and trade them. DR sometimes involves replacing corrupted firmware that is on the disk, or reprogramming a controller board to match one that's failed. They have bought software and serial port cables, and this seems to handle it for them, so I concluded that there must be a way to dump all of the firmware - on chips and disks - with ATA commands or the serial port, and we know from field-service tools that there is usually a way to update it all with only ATA commands.

link