MalwareTech SBK – A Bootkit Capable of Surviving Reformat

Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a proof of concept for many reasons (people have even contacted me just to tell me not to post it), so instead I’ve written a presentation overviewing and explaining the rootkit, which I’ve dubbed MT-SBK.

The general purpose of MT-SBK is to provide a “framework” for my previous project, TinyXPB, A windows XP bootkit. This framework enables TinyXPB to be stored and loaded from within the hard disk firmware, preventing it from being removed by: antiviruses, operating system re-installs, or even full disk reformats. This rootkit is designed for a major brand of hard disk and can infect the firmware from within the operating system (no physical access required), it’s also completely undetectable to software running on the host computer. 
The only way to remove MT-SBK is by replacing that hard disk’s PCB or connecting an SPI programmer directly to the flash chip and flashing it with the original firmware. 
Hard Disk Firmware Hacking (Final)

Core 2, I choose you. Less than 5 minutes after posting the last article, i discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it had a single tap definition hardcoded, so i decided to comment it out …

Hard Disk Firmware Hacking (Part 5)

“Discovery requires experimentation” This weekend I made a pretty big breakthrough which lead to me making a few smaller breakthroughs and ultimately negating most of my previous research. I’ve also learned that “not reinventing the wheel” isn’t always the best option, especially when it comes to trusting other people’s research. …

Hard Disk Firmware Hacking (Part 4)

It seems that the bootstrap code is just scattered around various memory addresses and there’s no simple way to dump all of it, so i decided to just dump a chunk of memory from 0x00000000 and look for any reference to addresses outside of that chunk (allowing me to build …