
"My computer had been bombarded with viruses, and a technician had advised me to buy all new equipment because the malware was tough to remove."

I assume the technician was coincidentally also a salesman. ;-) "Tough to remove"? What a load of crap.



Rootkits exist that survive OS reinstalls. I don't know how prevalent they are, but if you expect a target to try to reinstall their operating system to attempt to purge an infection it is possible to counter this.


Then replace the hard drive? I don't know of any viruses that could hide themselves in your case fans, so I'm inclined to think that buying a whole new computer is an overreaction.


Proof of concept of a rootkit that can survive disk replacement by installing itself to the BIOS.

http://www.geek.com/news/researchers-demonstrate-persistent-...

> Researchers at Core Security Technologies demonstrated the techniques at CanSecWest security conference in Vancouver earlier this month, compromising one virtual machine running Windows and another running OpenBSD. The attack relies on modifying the BIOS of the target machine; startup firmware that is booted from a chip on the motherboard. Anybody wishing to use this kind of exploit in the wild would need to already have low-level access to the machine in order to make such a change. As the BIOS code is executed every time the system starts up, even if disks are wiped or replaced, this presents an attractive proposition for hackers.

I agree that it's unlikely, but it's nice to see someone actually saying "nuke it" (although "nuke it" should probably just be "wipe the drive and re-install"), rather than fiddling around with combofix and malwarebytes.

Don't forget that some people don't have OS discs, they have a "Host Protected Area" partition. Maybe rootkits and malware can infect that?


>Maybe rootkits and malware can infect that?

If you can infect the BIOS, it seems pretty likely. On the other hand, if you can infect the BIOS, why bother?


You know you can run a program which updates your BIOS?

Therefore, a hacker can write a program to replace your BIOS with something that looks completely the same, except it also reinfects your computer each month.

This isn't paranoia. It's inevitable. I'm surprised it's not more well-known.


There's a lot of persistent, executable storage on modern computers. I don't know how often attackers take advantage of these, but if you suspect a threat against you is capable of taking advantage of them, then you may want to be more thorough. I kind of think the technician was overreacting too, but I don't know what kinds of rootkits are publicly available for any attacker to copy and paste these days.


>I don't know of any viruses that could hide themselves in your case fans

Wait for Snowden's next leak.


The issue here (and my reaction was pertaining to that) is that no number of hardware replacements will make the problem go away. The solution is to use hardware that can't be infected in this way. If an OS can infect the firmware in this fashion, it's a security hole by design. Replacement by other crappy HW is a worthless step.


I was at a security seminar and one of the speakers mentioned a (theoretical?) BIOS virus that copied itself to the NIC when it detected the BIOS was being reflashed, then back again afterwards.


Yep, there are a few network cards, Intel among them, that have pretty sophisticated firmware that can be used to either stash stuff, or infect directly through vectors like DMA. Thankfully though, for home users, desktops tend to have cheap crappy cards with no such firmware update capabilities.


Really? Where would the rootkit hide? Even if I replace all my HD sectors with zeros? I'm truly interested to know if this is real.

Thanks.


EFI partition, BIOS, other nonvolatile system memory? If it gets root level access it can hide anywhere there are a few KB. Even less than that will do if you're just putting a hook to instruct the computer to re-download the virus if it is detected that it has been removed.
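
One concrete way to answer the question of where to look, and the follow-up of how you would know you had not missed an area, is to dump the SPI flash with an external programmer and diff it against the vendor's published image. The block below is an added example, not code from the thread or from any tool mentioned in it; it assumes two equal-size raw flash dumps, and the bytes produced by `build_samples()` are constructed for the demo rather than taken from any real firmware.

```python
"""Diff a firmware dump against a known-good vendor image.

Added example. Assumes two raw SPI flash images of equal size: the
vendor's published image ("golden") and a dump read from the board.
"""
import hashlib
from typing import List, Tuple

FLASH_ERASED = 0xFF  # NOR flash reads back 0xFF wherever nothing was written


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def differing_regions(golden: bytes, dump: bytes, gap: int = 16) -> List[Tuple[int, int]]:
    """Return [(start, end), ...] byte ranges where dump differs from golden.

    Differences closer than `gap` bytes are merged, so a patched function
    shows up as one region instead of dozens of single-byte hits.
    """
    if len(golden) != len(dump):
        raise ValueError(f"size mismatch: golden={len(golden)} dump={len(dump)}")
    regions: List[Tuple[int, int]] = []
    start = None
    last = None
    for i, (a, b) in enumerate(zip(golden, dump)):
        if a == b:
            continue
        if start is None:
            start = i
        elif i - last > gap:
            regions.append((start, last + 1))
            start = i
        last = i
    if start is not None:
        regions.append((start, last + 1))
    return regions


def filled_padding(golden: bytes, dump: bytes, min_run: int = 64) -> List[Tuple[int, int]]:
    """Find runs of erased (0xFF) padding in golden that carry data in dump.

    Free space inside the flash layout is a classic place to stash an
    implant, because nothing legitimate ever reads or writes it.
    """
    hits: List[Tuple[int, int]] = []
    i, n = 0, len(golden)
    while i < n:
        if golden[i] != FLASH_ERASED:
            i += 1
            continue
        j = i
        while j < n and golden[j] == FLASH_ERASED:
            j += 1
        if j - i >= min_run and any(b != FLASH_ERASED for b in dump[i:j]):
            hits.append((i, j))
        i = j
    return hits


def report(golden: bytes, dump: bytes) -> dict:
    """Summarise whether the dump matches and, if not, where it deviates."""
    same = sha256_hex(golden) == sha256_hex(dump)
    return {
        "match": same,
        "diff_regions": [] if same else differing_regions(golden, dump),
        "filled_padding": [] if same else filled_padding(golden, dump),
    }


def build_samples() -> Tuple[bytes, bytes]:
    """Constructed 4 KiB stand-in image: boot block, code area, erased padding.

    The 'dump' copy carries a 4-byte hook patched into the code area and a
    128-byte payload dropped into the padding, the two patterns the thread
    describes (a small hook, and something parked in spare flash).
    """
    boot_block = bytes(range(256)) * 4                  # 1 KiB
    code = bytes((i * 7) & 0xFF for i in range(2048))   # 2 KiB
    padding = bytes([FLASH_ERASED]) * 1024              # 1 KiB of free space
    golden = boot_block + code + padding
    implant = b"\xde\xad\xbe\xef" * 32                  # 128 bytes of "payload"
    dump = bytearray(golden)
    dump[1024 + 100:1024 + 104] = b"\xe8\x00\x00\x00"   # hook in the code area
    dump[3072 + 256:3072 + 256 + len(implant)] = implant
    return golden, bytes(dump)


if __name__ == "__main__":
    golden, dump = build_samples()
    print(report(golden, dump))
```

Two caveats belong with this: a matching hash only proves the flash holds what the vendor shipped, not that the vendor's image is clean, and the dump should come from an external programmer rather than from software running on the suspect machine, since firmware that already controls the platform can feed a software reader whatever it likes.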


Wow... so there's no way to clean it? The only option is to junk the hardware?


Well, even if you cleaned some of the storage areas devindotcom mentions… How would you know you didn't miss any other area?


There are lots of things that use updatable firmware that can read and write data in interesting places. Portability is often an issue, so I guess it boils down to motivations of the writer.


There was an ars article (http://arstechnica.com/security/2013/10/meet-badbios-the-mys...) that was on HN just a few days ago describing all sorts of ways to hide rootkits in nearly any component of your machine with programmable firmware.


If I remember correctly there are rootkits that hide in firmware.


I haven't had to deal with a virus for some time, but the number of times I've formatted a hard drive and started again far outweighs the number of times I've removed viruses. These days, when machines don't come with the OS on a disk - often don't even come with the drivers on a disk - buying new tech could well be the cheaper option.


If you're buying a computer with Windows installed, then it ought to come with a product key. Just download the appropriate ISO from Microsoft directly, burn it to disc or extract to a flash drive. For the drivers, just go to the manufacturer's website and download the appropriate drivers and burn that to another disc or copy to another flash drive.

Cost $1 for two discs, or $10 for two flash drives < Cost of a new computer

Even better, since you seem to be reformatting quite often, once you have the computer configured how you want, create a clone of the hard drive. That way you don't have to manually do everything over again.
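
The reinstall-from-ISO procedure above has one step worth spelling out: check the downloaded image against the vendor's published checksum, on a machine you trust, before writing it to the disc or flash drive. The script below is an added example, not from the thread or from any vendor; it assumes a checksum file in `sha256sum -c` format (one `<hex>  <filename>` line per image), and the "ISO" and checksum file built in `demo()` are constructed stand-ins.

```sh
#!/bin/sh
# Added example, not from the thread: check an installer ISO against the
# vendor's published SHA-256 before writing it to install media. Assumes
# a checksum file in "sha256sum -c" format ("<hex>  <filename>" per line).
# The ISO and checksum file in demo() are constructed stand-ins.
set -u

# Print the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_iso <iso> <checksum-file>: succeed only if the file's hash equals
# the entry for its basename. No entry is a failure, not a pass.
verify_iso() {
    iso=$1; sums=$2
    name=$(basename "$iso")
    expected=$(grep -E "^[0-9a-fA-F]{64}  \*?$name\$" "$sums" | head -n 1 | cut -c1-64 | tr 'A-F' 'a-f')
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256_of "$iso")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $name matches published SHA-256"
        return 0
    fi
    echo "MISMATCH: $name expected $expected got $actual" >&2
    return 1
}

# Constructed demo: a throwaway "ISO" with a matching checksum line, and a
# tampered copy that must be rejected. Returns 0 only if both behave.
demo() {
    tmp=$(mktemp -d)
    printf 'pretend this is an installer image\n' > "$tmp/installer.iso"
    printf '%s  installer.iso\n' "$(sha256_of "$tmp/installer.iso")" > "$tmp/SHA256SUMS"
    cp "$tmp/installer.iso" "$tmp/tampered.iso"
    printf 'X' >> "$tmp/tampered.iso"
    sed 's/installer\.iso/tampered.iso/' "$tmp/SHA256SUMS" > "$tmp/SHA256SUMS.tampered"
    if verify_iso "$tmp/installer.iso" "$tmp/SHA256SUMS"; then good=0; else good=1; fi
    if verify_iso "$tmp/tampered.iso" "$tmp/SHA256SUMS.tampered" 2>/dev/null; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

Real use is `verify_iso Win10.iso SHA256SUMS` on the clean machine, and only then writing the image to the flash drive; the checksum itself should come from the vendor's site over HTTPS, not from the same mirror that served the image.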


I don't get viruses! If I'm dealing with a virus, it's on some other bugger's machine.

And they probably haven't even created the drivers disk let alone a restore disk. And what sort of idiot downloads an ISO onto a virus riddled machine?



