Can sophos detect firmware rootkits?

jmonge · Mar 9, 2009

Searching_ _ _ said:

If you want to read more about firmware and bios malware methods with links to how to's, Award Bios Code Injection, pay attention to Pincakko's posts. (How to's at his website) He has spent a lot of time to do just these things.

Basically he says it's not possible to get an entire rootkit into a bios, but you could fit a jump or starter code in the bios, which means a persistence somewhere else along with the bios. That means a Hidden Partition Area on the HDD or modification of the nic firmware, which would be a PXE boot situation.

If there is this type of infection it would most likely be Bios/HPA-HDD.
1. Average wiping doesn't remove the HPA from the HDD.
2. If you fix only one, the infection can return.

To fix you must wipe the HDD with a program capable of wiping all partitions including HPA/DCO. Then while the HDD is dorment and free of any code, flash the bios.
Click to expand...

can a clean fresh format wipe out this type of rootkit?or maybe using killdisk?thanks

Searching_ _ _ · Mar 9, 2009

Formating is done by the OS and the OS can't see the Hidden Partition Area/ Device Configuration Overlay. Formatting only gets rid of directory entries, data can persist.

Killdisk is an average wiping program. In my case it showed some issues with unallocated space but could not wipe them.

To wipe the HPA/DCO you need a program that specifically states that it wipes these areas. The amount of programs that do this you can probably count on one hand. Neither OSX nor Linux do it either.

This may help the KB.
Data Sanitization Tutorial

jmonge · Mar 9, 2009

Searching_ _ _ said:

Formating is done by the OS and the OS can't see the Hidden Partition Area/ Device Configuration Overlay. Formatting only gets rid of directory entries, data can persist.

Killdisk is an average wiping program. In my case it showed some issues with unallocated space but could not wipe them.

To wipe the HPA/DCO you need a program that specifically states that it wipes these areas. The amount of programs that do this you can probably count on one hand. Neither OSX nor Linux do it either.

This may help the KB.
Data Sanitization Tutorial
Click to expand...

thanks for info

andyman35 · Mar 10, 2009

Searching_ _ _ said:

Formating is done by the OS and the OS can't see the Hidden Partition Area/ Device Configuration Overlay. Formatting only gets rid of directory entries, data can persist.

Killdisk is an average wiping program. In my case it showed some issues with unallocated space but could not wipe them.

To wipe the HPA/DCO you need a program that specifically states that it wipes these areas. The amount of programs that do this you can probably count on one hand. Neither OSX nor Linux do it either.

This may help the KB.
Data Sanitization Tutorial
Click to expand...

I think that this util might fit the bill:

http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml

Log in or Sign up

Can sophos detect firmware rootkits?

jmonge Registered Member

Searching_ _ _ Registered Member

jmonge Registered Member

andyman35 Registered Member

Log in or Sign up

Can sophos detect firmware rootkits?

jmonge Registered Member

Searching_ _ _ Registered Member

jmonge Registered Member

andyman35 Registered Member

Useful Searches