Unknown random (possibly encrypted) data in Track 0

Discussion in 'malware problems & news' started by dantz, May 13, 2014.

Thread Status:
Not open for further replies.
  1. dantz (Registered Member; joined Jan 19, 2007; posts: 991; location: Hawaii)
    I recently used a hex editor to examine Track 0 of my newly-built PC and I discovered that the 7 sectors directly following Sector 0 are filled with what appears to be random data.

    These sectors would normally be zero-filled on an MBR-initialized disk, so the presence of any sort of data here is quite unexpected. It seems to be random data (I tested the byte distributions, which are fairly equal), and thus it could be encrypted.

    I am aware that certain forms of malware are known to exhibit this type of behavior, which is why I am posting in this particular forum.

    I just built this PC in March and I've been creating Macrium Reflect images on a regular basis. I compared all of my images back to day 1 and saw that the unknown data was present on the very first image. At that point I had merely installed the various motherboard drivers, Windows 7 Premium SP1 64-bit, and a few utility programs such as Macrium Reflect, Samsung Magician (for the Samsung SSD), and stuff like that. Nothing fancy, and certainly nothing that is known to store a copy-protection mechanism in Track 0. I did connect various other disks, though, in order to copy over data.

    At this point I'm fairly uncertain as to whether or not this code might represent a malware infection. My guess is, probably not. However, I would still like to know what its purpose is.

    Just for the heck of it I ran a couple of bootable antimalware disks, including the Kaspersky Rescue CD and the BitDefender Rescue CD, just to see if they would come up with anything (they didn't).

    Does anyone have any thoughts on how I might identify this code?
     
    Last edited: May 14, 2014
  2. CloneRanger (Registered Member; joined Jan 4, 2006; posts: 4,833)
    Hi, interesting indeed!

    Was this a new HD & what make is it? What's the size of the data?

    It could be malware, but I would have thought one or more of your Apps might have detected something by now.

    Unless it turns out to be harmless etc., it's possible that the HD could have been compromised @ the manufacturer's or en route?
     
  3. dantz (Registered Member; joined Jan 19, 2007; posts: 991; location: Hawaii)
    It's a new Samsung 840 EVO 120GB SSD. I really like the drive, it's very snappy.

    The unidentified data fills sectors 1 through 7. Each sector is 512 bytes, so the data is only 3,584 bytes in all.

    I've been searching online to see if any of my current programs are known to write to Track 0, but so far I have not found anything.

    Perhaps I'll just delete the data and see if anything breaks, although I was hoping for a more precise approach.
     
  4. vojta (Registered Member; joined Feb 26, 2010; posts: 830)
    It could be part of the DRM scheme of one of your programs.
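
The byte-distribution test mentioned in the opening post, as an added example that is not part of the original thread: it pools sectors 1 through 7 of a raw disk image (512 bytes each, as stated above) and reports a chi-square statistic and Shannon entropy. The function names, the `CHI2_CRIT` threshold and the sample image are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

SECTOR = 512          # bytes per sector, as stated in the thread
CHI2_CRIT = 330.5     # approx. chi-square critical value, 255 d.o.f., p = 0.001 (assumed cut-off)

def extract(image: bytes, first: int, count: int) -> bytes:
    """Return `count` sectors starting at LBA `first` from a raw disk image."""
    chunk = image[first * SECTOR:(first + count) * SECTOR]
    if len(chunk) != count * SECTOR:
        raise ValueError("image is shorter than the requested sector range")
    return chunk

def analyze(data: bytes) -> dict:
    """Byte-distribution statistics for one region; pool sectors, 512 bytes alone is too few."""
    n = len(data)
    counts = Counter(data)
    expected = n / 256                      # count per byte value if perfectly uniform
    chi2 = sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))
    entropy = sum(c / n * math.log2(n / c) for c in counts.values())
    if len(counts) == 1 and 0 in counts:
        verdict = "zero-filled"             # what an untouched MBR gap normally looks like
    elif chi2 <= CHI2_CRIT:
        verdict = "uniform"                 # consistent with random, encrypted or compressed data
    else:
        verdict = "structured"              # code, text, tables: some byte values dominate
    return {"chi2": chi2, "entropy": entropy, "distinct": len(counts), "verdict": verdict}

def sample_image() -> bytes:
    """Constructed 9-sector image: fake MBR, 7 pseudo-random sectors, 1 zero sector."""
    mbr = bytes(510) + b"\x55\xaa"
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(112))
    return mbr + noise + bytes(SECTOR)

if __name__ == "__main__":
    img = sample_image()   # or the first 9 sectors read from a raw image file
    for label, first, count in (("sector 0", 0, 1), ("sectors 1-7", 1, 7), ("sector 8", 8, 1)):
        r = analyze(extract(img, first, count))
        print(f"{label}: {r['verdict']}, chi2={r['chi2']:.1f}, entropy={r['entropy']:.3f} bits/byte")
```

A "uniform" verdict only says the byte counts look flat; it cannot tell encrypted data apart from compressed data or deliberate random fill. With 3,584 bytes the measured entropy of truly random data sits slightly below 8 bits per byte, so the chi-square figure is the more reliable of the two.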
     