(re)fomat resistant malware

[StudioT]

I have heard of, but never seen, malware that can survive a volume format.

I was wondering if anyone has come across malware that can survive a low level format (reinitialisation)?

I recently had a drive that with some blocks the resisted recovery by checkdisk and even the manufacturer's (Hitachi) own drive software.

It also resisted format by normal means.

[nosirrah]

MBR rooter can survive just about anything and the new router patcher DNSChanger can survive you throwing your PC out the window and buying a new one .

The MBR rooter is best killed with FIXMBR from RC .

[John L. Galt]

...and the new router patcher DNSChanger can survive you throwing your PC out the window and buying a new one .

No, *that* is scary.

[StudioT]

Thanks for the suggestions, I've already resolved the problem itself, this is by way of inquest as there seem to be suddenly a lot of pcs about which refuse Check Disk or similar.

This Hitachi hard drive was dated 2006 and so was really too young to die.

SMART analysis reported perfect mechanics etc.

Pc booted to XP desktop where it froze, except for mouse movement.

XP would boot happily to safe mode where it would generally work OK, except that Check Disk halted the system at several attempts.

Check Disk also bombed out from Bart PE, several Linux and DR DOS cds

When the hard drive was removed and conected to another system Check Disk again halted the system, as did defrag. All the files on the drive were present and accessible to be read by the other system.

Interestingly when the drive was scanned with MBAM on this second system it halted the system with and 'unexpected error'.

A simple Fdisk format also halted the system.

The Hatachi analyser presented some corrupt sectors. However when asked to fix this the program ran for a while then halted the system with an

'unexpected error'

If it was just corrupt MBR windows would not load at all, if just corrupt files somewhere on the drive then Check Disk or Hitachi Analyser should have been able to fix it.

This is why I suspected malware and asked the question.

I finally fixed it by using a low level formatter which ignores the current structure and systematically erases and checks each location for the entire disk.

After this I was able to create and format a new partition without problem and reinstall XP cleanly.

SMART again reports everything hunky dory with the drive.

[AdvancedSetup]

Well thinking that a drive can't go bad because it's too new is wishful thinking.

If it required a low level format to fix it then it would seem to me that there are only so many reserved area sectors for the firmware to remap to and it was full.

The drive may seem okay now but I would suspect that it will probably once again fail after not too long, but that's just my opinion.

[nosirrah]

I read throug this and had the same thoughts , this drive is on the way out .

Could be the mobo or controler as well but not likely .

[StudioT]

it will probably once again fail after not too long,

It's easy to make generalisations, hedged by caveats.

I was hoping for better discussion with some reasoned train of thought.

It doesn't seem to be OK now . It is OK now. It passed a rigorous soak test.

However you may be right but I can't explain all the results I got, let alone those I posted

Why did MBAM fail?

Why does safe mode work reliably?

In fact why did everything work until I tried any process which involved a 'scan' whether under the control of an outside operating system or not, and how did it halt the outside OS?

And why are service people suddenly seeing an increase in Check Disk failures?

[nosirrah]

I have done home user IT for 6 years and what you are describing sounds like some kind of drive failure .

The only malware that can work outside of its own OS is a MBR rooter and if that is the case it could have infected whatever system you slaved it to .

The symptom of a scan causing a lockup is consistent with increased disk activity meets failing drive .

The Hatachi analyser presented some corrupt sectors.

Pysical damage cascades and the damage can increase at an increasing rate .

Mapping bad sectors so that they are not used is not fixed , physical damage cant be undone .

Why did MBAM fail?

I did not see where you mentioned which scanner or tool confirmed malware that we missed , how did you confirm this ?

If you are asking why MBAM failed to correc t the bad sectors on your drive I think you may have the wrong idea as to what MBAM does .

If you are asking why MBAM locked up you can see that it was not failing , your drive was failing to give a functional target .

You mentioned that many other disk intensive actions caused the same issue .

Another note , MBAM is not designed to work as a slaved drive scanner . It will detect malware that way but the majority of the 7 ways we detect malware dont work on a slaved drive .

[StudioT]

I didn't say I identified any malware.

MBAM happened to be on the machine I slaved the drive to and, yes, it failed to finish a scan locking the machine and forcing user intervention with the power button.

From the number of different disk checking tests I described I hoped it would be obvious that my first choice was simply corrupt data on the drive.

I put a lot of effort into fixing or isolating this but the drive steadfastly refused to play.

However it equally steadfastly operated smartly in safemode and in slowly diagnostic mode.

It also operated in other respects very well as a slave.

I didn't mention but the drive was a 40G travelstar, about half full.

Thre was in in-date copy of Macafee (A-virus only I think) on the drive.

My experience of failures concords with the 'bathtub curve' and this drive is the wrong age for either high. The drive behaviour showed none of the sluggishness or noise I normally associate with failing drives either.

So I thought that maybe the drive was faulty, and maybe there is malware I haven't come across, that can do this and just maybe someone else might be interested.

After all I have seen malware that can halt a Norton or Macafee scan, move about and morph on a drive. So why not malware that can halt checkdisk?

I have asked Hitachi for their opinion.

[nosirrah]

I can quote you for question and answer here :

So why not malware that can halt checkdisk?

because :

Check Disk also bombed out from Bart PE, several Linux and DR DOS cds

If you have done this for as long as I have you know that this has no chance of being malware .

[StudioT]

Well thank you for your comments - time will tell if the problem happens again.

Meanwhile I am interested in the idea that MBAM is somehow less effective on secondary drives

Another note , MBAM is not designed to work as a slaved drive scanner . It will detect malware that way but the majority of the 7 ways we detect malware dont work on a slaved drive .

Does this apply to attached (USB) drives?

[AdvancedSetup]

I have done system management and security management for 70,000 Server/Workstation Network (I also advised on a board that controlled another 60,000 systems) and speaking from experience a drive that has to be low level formatted often fails once again in a short period of time. Yes there are some that will continue on for years but they are not the norm in my experience.

Looking for exotic answers to a typical hardware issue is the real life answer. Is it possible? Who knows I myself have never seen it in over 15 years in the industry.

To insinuate that we are clueless or misinformed because we don't agree with your hypothesis is your prerogative but typically that won't get you very far on any board or system that offers help by attempting to belittle someone.

[nosirrah]

Let me break it down a little better .

The reason MBAM works better on a live drive is that it can use the registry to find malware . There are multiple forms of unique markers in the registry that point to known malware . If you slave a drive and scan it you will only have the markers in the actual files . We will still hit all files that we have in defs by file markers but all files that are only hit by registry marker will be missed . This is one of the critical differences between antivirus and antimalware and why you need both . Antivirus ignores the registry and does intensive file operations that will detect malware just as easy from a slaved scan . Antivirus is very bad at detecting malware that only has static registry markers .

A flash drive is different , it has no registry and it will be effectively scanned by MBAM .

[StudioT]

NoSirrah,

Thank you for that explanation.

I am a generalist, not a specialist like yourself and no two of the problems I fix are the same.

Advanced Setup

No insinuation or insult was intended, any more than (I hope) your comment about wishful thinking.

[nosirrah]

While no two are the same there are things carved in stone .

Multiple disk interaction problems from multiple OSs and setups cant be malware .

There is a HUGE differance between logical disk problems and physical disk problems .

There is no logical disk error that can resists a low level disk format .

There is no malware that can cause physical disk problems .

You take those two together and malware has been eliminated as a problem .

[StudioT]

Thank you again for your reasoning.

[nosirrah]

No problem .

There are cases where a drive has some bad sectors and then nothing ever comes of it and that may be the case here .

Personally I have no faith in a drive with physical problems and after getting burned once many years ago have never let it happen again . I had a drive with bad sectors work fine for a few months after a checkdsk but then one day just up and died , chkdsk found errors again but was no longer able to fix them .

[StudioT]

Fo interest this is Hitachi's reply, they had the same information posted here and were commendably quick to reply.

Thank you for your contact with Hitachi.

From the information available we are not able to tell you exactly if the

reason was a malware or disk failure. The result of a DFT test might help

us to find out but we will probably not be able to determine precisely what

caused the failure of your hard drive.

We are sorry but we can't help you further on this matter.

Since I didn't actually ask the reason, just comment their interest in premature, but post warranty failure is evident.

I note they haven't ruled out malware.

I am well aware that my actions will (should) have destroyed any way of distinguishing so maybe it was just one of those things and the drive will carry on for years, maybe not.

I am also aware that sometime you have to run check disk several times to get a result, an observation that may be of interest to others.

[nosirrah]

If they insinuate that malware can cause PHYSICAL damage to you disk then they are telling you the truth .

The Hatachi analyser presented some corrupt sectors.

If they know this and say it could be malware it is no different than a mechanic telling you that your car might be pulling to the left because you need a new muffler .

[StudioT]

I posted for interest

No I wasn't impressed with their reply either.

Nosirrah, shouldn't you be tucked up now, or don't you ever sleep?

Cheers

[nosirrah]

Not much , it is a lot of work keeping up with malware and I have many forums I keep tabs on .