Since I got into firmware hacking, I’ve been working on a little project behind the scenes: a hard-disk-firmware-based rootkit which allows malware to survive an operating system re-install or a full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted me just to tell me not to post it), so instead I’ve written a presentation overviewing and explaining the rootkit, which I’ve dubbed MT-SBK.
The general purpose of MT-SBK is to provide a “framework” for my previous project, TinyXPB, a Windows XP bootkit. This framework enables TinyXPB to be stored in and loaded from within the hard disk firmware, preventing it from being removed by antiviruses, operating system re-installs, or even full disk reformats. This rootkit is designed for a major brand of hard disk and can infect the firmware from within the operating system (no physical access required). It is also completely undetectable to software running on the host computer.
The only way to remove MT-SBK is by replacing that hard disk’s PCB or connecting an SPI programmer directly to the flash chip and flashing it with the original firmware.
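Because the post states the rootkit is invisible to anything running on the host, the only trustworthy integrity check is the one the removal procedure already implies: read the flash chip out of band with an SPI programmer and compare that dump against the vendor’s original image. The script below is an added example of that offline comparison and is not code from the author or the MT-SBK project. The two firmware images are constructed filler data, not real drive firmware, and the 4 KiB sector size is an assumption used only to group modified bytes into flash sectors for re-flashing.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample images (NOT real HDD firmware). GOLDEN_IMAGE stands in for
# the vendor's original firmware file; SUSPECT_IMAGE stands in for a dump read
# from the drive's flash chip with an SPI programmer.
GOLDEN_IMAGE = bytes(range(256)) * 256            # 64 KiB of deterministic filler
_suspect = bytearray(GOLDEN_IMAGE)
_suspect[0x0800:0x0810] = b"\x90" * 16            # constructed modification, region 1
_suspect[0xF000:0xF004] = b"ABCD"                 # constructed modification, region 2
SUSPECT_IMAGE = bytes(_suspect)

# Assumed erase-sector size of the flash part; adjust to the real chip's datasheet.
SECTOR_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an image, for comparing against a vendor-published digest."""
    return hashlib.sha256(data).hexdigest()


def differing_ranges(reference: bytes, dump: bytes) -> List[Tuple[int, int]]:
    """Return half-open byte ranges [(start, end), ...] where dump differs from
    reference. A length mismatch is reported as one extra range covering the tail."""
    ranges: List[Tuple[int, int]] = []
    common = min(len(reference), len(dump))
    start = None
    for i in range(common):
        if reference[i] != dump[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    if len(reference) != len(dump):
        ranges.append((common, max(len(reference), len(dump))))
    return ranges


def verify_firmware(reference: bytes, dump: bytes,
                    sector_size: int = SECTOR_SIZE) -> Dict[str, object]:
    """Compare an out-of-band flash dump to the vendor image and report which
    erase sectors would need to be re-flashed to restore the original firmware."""
    ranges = differing_ranges(reference, dump)
    sectors = sorted({
        sec
        for s, e in ranges
        for sec in range(s // sector_size, (e - 1) // sector_size + 1)
    })
    return {
        "match": not ranges,
        "reference_sha256": sha256_hex(reference),
        "dump_sha256": sha256_hex(dump),
        "modified_ranges": ranges,
        "modified_sectors": sectors,
    }


if __name__ == "__main__":
    report = verify_firmware(GOLDEN_IMAGE, SUSPECT_IMAGE)
    print("match:", report["match"])
    for s, e in report["modified_ranges"]:
        print(f"  modified bytes 0x{s:06X}-0x{e:06X}")
    print("sectors to re-flash:", report["modified_sectors"])
```

In practice the reference image must come from a source the drive cannot influence (the vendor’s firmware download, not a readback through the drive), and the dump must come from the programmer, since any hash computed by software on the infected host is exactly what the post says cannot be trusted.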