Discussion:
hidden partitions
T
2019-10-19 00:46:58 UTC
Hi All,

Has ransomware gotten smart enough to rad hidden drive
partitions now?

Many thanks,
-T
T
2019-10-19 00:47:19 UTC
 rad hidden
read
Shadow
2019-10-19 10:24:30 UTC
Post by T
Hi All,
Has ransomware gotten smart enough to rad hidden drive
partitions now?
The NSA has been infecting firmware and hidden partitions
(some malware even makes its own hidden partition) for over a decade
now.
So, yes.
Kaspersky has an "agreement" not to detect said malware, so
most of the other bootable AVs probably do too.
And a bootable AV would be the only way to detect it.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
T
2019-10-20 00:51:43 UTC
Post by Shadow
Post by T
Hi All,
Has ransomware gotten smart enough to rad hidden drive
partitions now?
The NSA has been infecting firmware and hidden partitions
(some malware even makes its own hidden partition) for over a decade
now.
So, yes.
Kaspersky has an "agreement" not to detect said malware, so
most of the other bootable AVs probably do too.
And a bootable AV would be the only way to detect it.
[]'s
If you are the same Shadow as the Communist that writes over
on the home group, nothing you say can be trusted.
Apd
2019-10-19 11:22:07 UTC
Post by T
Hi All,
There's an echo in here!
Post by T
Has ransomware gotten smart enough to read hidden drive
partitions now?
Probably not because it isn't the place to find user documents. I've
seen nothing about it in IT security news. I presume you're talking
Windows. For malware to use hidden partitions it would have to mount
the file system (if there is one) to access files in the normal way.
This requires somewhat low-level operations which are unlikely to be
worth the trouble.
T
2019-10-20 00:51:33 UTC
Post by Apd
Post by T
Hi All,
There's an echo in here!
Post by T
Has ransomware gotten smart enough to read hidden drive
partitions now?
Probably not because it isn't the place to find user documents. I've
seen nothing about it in IT security news. I presume you're talking
Windows. For malware to use hidden partitions it would have to mount
the file system (if there is one) to access files in the normal way.
This requires somewhat low-level operations which are unlikely to be
worth the trouble.
https://www.wired.com/2015/02/nsa-firmware-hacking/
(firmware)
https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
(firmware)
https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
(hidden partition)
If it is loaded into memory before the OS loads, it has access
to everything (network and files). Even any Linux/Apple partitions or
cloud storage you might have. It's a sophisticated rootkit.
The payload can be anything. Just plain political spying to
stealing banking/administrative passwords or even ransom.
Weird, the original Kaspersky report has been removed from
archive.org. I get a "Bummer, that page cannot be found"
[]'s
If you are the same Shadow as the Communist that writes over
on the home group, nothing you say can be trusted.
Shadow
2019-10-21 10:38:40 UTC
Post by T
Post by Apd
Post by T
Hi All,
There's an echo in here!
Post by T
Has ransomware gotten smart enough to read hidden drive
partitions now?
Probably not because it isn't the place to find user documents. I've
seen nothing about it in IT security news. I presume you're talking
Windows. For malware to use hidden partitions it would have to mount
the file system (if there is one) to access files in the normal way.
This requires somewhat low-level operations which are unlikely to be
worth the trouble.
https://www.wired.com/2015/02/nsa-firmware-hacking/
(firmware)
https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
(firmware)
https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
(hidden partition)
If it is loaded into memory before the OS loads, it has access
to everything (network and files). Even any Linux/Apple partitions or
cloud storage you might have. It's a sophisticated rootkit.
The payload can be anything. Just plain political spying to
stealing banking/administrative passwords or even ransom.
Weird, the original Kaspersky report has been removed from
archive.org. I get a "Bummer, that page cannot be found"
[]'s
If you are the same Shadow as the Communist that writes over
on the home group, nothing you say can be trusted.
Probably another Shadow, I also hate any dictatorships (right
or left wing).
I suppose that invalidates all the links to articles I posted.
They are from a right-wing dictatorship where the government SPIES on
its citizens. And deletes records. Just like in 1984.
[]'s
--
Don't be evil - Google 2004
We have a new policy - Google 2012
T
2019-10-21 11:43:06 UTC
Post by Shadow
Post by T
Post by Apd
Post by T
Hi All,
There's an echo in here!
Post by T
Has ransomware gotten smart enough to read hidden drive
partitions now?
Probably not because it isn't the place to find user documents. I've
seen nothing about it in IT security news. I presume you're talking
Windows. For malware to use hidden partitions it would have to mount
the file system (if there is one) to access files in the normal way.
This requires somewhat low-level operations which are unlikely to be
worth the trouble.
https://www.wired.com/2015/02/nsa-firmware-hacking/
(firmware)
https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
(firmware)
https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
(hidden partition)
If it is loaded into memory before the OS loads, it has access
to everything (network and files). Even any Linux/Apple partitions or
cloud storage you might have. It's a sophisticated rootkit.
The payload can be anything. Just plain political spying to
stealing banking/administrative passwords or even ransom.
Weird, the original Kaspersky report has been removed from
archive.org. I get a "Bummer, that page cannot be found"
[]'s
If you are the same Shadow as the Communist that writes over
on the home group, nothing you say can be trusted.
Probably another Shadow, I also hate any dictatorships (right
or left wing).
I suppose that invalidates all the links to articles I posted.
They are from a right-wing dictatorship where the government SPIES on
its citizens. And deletes records. Just like in 1984.
[]'s
Good to know that you are not the Comrade Doctor that
spews Communist propaganda and gives Communists
aid and comfort.
Apd
2019-10-20 02:19:55 UTC
https://www.wired.com/2015/02/nsa-firmware-hacking/
(firmware)
https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
(firmware)
https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
(hidden partition)
It's unclear if there's a hidden partition in that last link. It could
be an infected UEFI bios, or something else entirely.
If it is loaded into memory before the OS loads, it has access
to everything (network and files). Even any Linux/Apple partitions or
cloud storage you might have. It's a sophisticated rootkit.
The payload can be anything. Just plain political spying to
stealing banking/administrative passwords or even ransom.
Yes, I know about advanced rootkits and state-sponsored malware. It is
way more than ransomware needs to do its job. The spook stuff is well
targeted, usually by 0-day exploits on USB sticks which the targets
are encouraged to plug in their air-gapped systems. It's something
that needs to stay hidden, not "all ur files are belong to us!"
screamed out from an uncloseable pop-up window. Not saying it's
impossible, just unlikely in this scenario as users don't put their
stuff in hidden partitions. It's beyond the capabilities of the
average malware author and not worth the effort anyway.
Weird, the original Kaspersky report has been removed from
archive.org. I get a "Bummer, that page cannot be found"
Oo-er!
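A defender-side check for the question Apd raises about the superuser link (is there actually a hidden partition?). This is an added example, not code from any poster in the thread: it enumerates every partition on every disk with the built-in Storage cmdlets and flags partitions carrying the hidden attribute, partitions with no drive letter, and unallocated gaps large enough to hold data. The 16 MB gap threshold is an assumption chosen to skip normal alignment padding.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on
# Windows 8 / Server 2012 or later, where Get-Disk and Get-Partition exist.
# Lists each disk, its partitions, and anything a user normally never sees.
$MinGapBytes = 16MB   # assumption: ignore alignment gaps smaller than this

foreach ($disk in Get-Disk | Sort-Object Number) {
    $parts = @(Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue |
               Sort-Object Offset)
    "Disk {0} ({1}, {2}): {3:N0} bytes, {4} partition(s)" -f `
        $disk.Number, $disk.FriendlyName, $disk.PartitionStyle, $disk.Size, $parts.Count

    $cursor = 0   # end of the last partition seen, in bytes from disk start
    foreach ($p in $parts) {
        $flags = @()
        if ($p.IsHidden)         { $flags += 'HIDDEN' }
        if (-not $p.DriveLetter) { $flags += 'NO-LETTER' }

        # Space between the previous partition and this one that belongs to no
        # partition entry at all: a place the OS will never mount or scan.
        if (($p.Offset - $cursor) -gt $MinGapBytes) {
            "  unallocated gap: {0:N0} bytes starting at offset {1:N0}" -f `
                ($p.Offset - $cursor), $cursor
        }
        "  partition {0}: offset={1:N0} size={2:N0} type={3} {4}" -f `
            $p.PartitionNumber, $p.Offset, $p.Size, $p.Type, ($flags -join ',')
        $cursor = $p.Offset + $p.Size
    }
    # Space after the last partition up to the end of the disk.
    if (($disk.Size - $cursor) -gt $MinGapBytes) {
        "  trailing unallocated: {0:N0} bytes" -f ($disk.Size - $cursor)
    }
}
```

Expect the EFI System and Recovery partitions to show up as NO-LETTER on any normal Windows install; the useful signal is a partition or gap that was not there when you last baselined the machine.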
Shadow
2019-10-21 10:55:48 UTC
Post by Apd
https://www.wired.com/2015/02/nsa-firmware-hacking/
(firmware)
https://www.geek.com/apps/nsa-malware-found-hiding-in-hard-drives-for-almost-20-years-1615949/
(firmware)
https://superuser.com/questions/1427188/unveil-hidden-partitions-created-by-malware-in-windows
(hidden partition)
It's unclear if there's a hidden partition in that last link. It could
be an infected UEFI bios, or something else entirely.
UEFIs (most) are bigger than an XP install. Could something
hide in that? (rhetorical).
Malware in hidden partitions is "old" tech.
Post by Apd
If it is loaded into memory before the OS loads, it has access
to everything (network and files). Even any Linux/Apple partitions or
cloud storage you might have. It's a sophisticated rootkit.
The payload can be anything. Just plain political spying to
stealing banking/administrative passwords or even ransom.
Yes, I know about advanced rootkits and state-sponsored malware. It is
way more than ransomware needs to do its job. The spook stuff is well
targeted, usually by 0-day exploits on USB sticks which the targets
are encouraged to plug in their air-gapped systems. It's something
that needs to stay hidden, not "all ur files are belong to us!"
screamed out from an uncloseable pop-up window. Not saying it's
impossible, just unlikely in this scenario as users don't put their
stuff in hidden partitions. It's beyond the capabilities of the
average malware author and not worth the effort anyway.
I wasn't talking about HOW the infection took place. That's
the "sophisticated" part.
The average user does not use air-gapped systems. He just
clicks on unknown files he receives in his email with names like "I
know what you did on Saturday night" (no extension visible, but with a
nice PDF or WMP icon).

https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

That one has been in the wild for at least 5 years.
[]'s
Post by Apd
Weird, the original Kaspersky report has been removed from
archive.org. I get a "Bummer, that page cannot be found"
Oo-er!
--
Don't be evil - Google 2004
We have a new policy - Google 2012
Apd
2019-10-21 23:38:06 UTC
Post by Shadow
Post by Apd
Yes, I know about advanced rootkits and state-sponsored malware. It is
way more than ransomware needs to do its job. The spook stuff is well
targeted, usually by 0-day exploits on USB sticks which the targets
are encouraged to plug in their air-gapped systems. It's something
that needs to stay hidden, not "all ur files are belong to us!"
screamed out from an uncloseable pop-up window. Not saying it's
impossible, just unlikely in this scenario as users don't put their
stuff in hidden partitions. It's beyond the capabilities of the
average malware author and not worth the effort anyway.
I wasn't talking about HOW the infection took place. That's
the "sophisticated" part.
The question was about ransomware reading hidden partitions. I'm
saying it's unlikely for that variant of malware to do so by being
sophisticated and/or installing a rootkit for the reasons given.
Post by Shadow
The average user does not use air-gapped systems. He just
clicks on unknown files he receives in his email with names like "I
know what you did on Saturday night" (no extension visible, but with a
nice PDF or WMP icon).
All true.