Firmware attack can drop persistent malware in hidden SSD area

silversurfer

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
Content source
https://www.bleepingcomputer.com/news/security/hiding-malware-inside-the-flex-capacity-space-on-modern-ssds/
Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.

The attack models are for drives with flex capacity features and target a hidden area on the device called over-provisioning, which is widely used by SSD makers these days for performance optimization on NAND flash-based storage systems.

Hardware-level attacks offer ultimate persistence and stealth. Sophisticated actors have worked hard to implement such concepts against HDDs in the past, hiding malicious code in unreachable disk sectors.

Flex capacity is a feature in SSDs from Micron Technology that enables storage devices to automatically adjust the sizes of raw and user-allocated space to achieve better performance by absorbing write workload volumes.
Click to expand...
The researchers note [PDF] that forensic activity on NAND flash memory can reveal data that has not been deleted in over six months.

In a second attack model, the OP area is used as a secret place that users cannot monitor or wipe, where a threat actor could hide malware.

Example of malware injection in the OP space

Example of malware injection in the OP space
Source: Arxiv.org
The paper describes this attack as follows:
It is assumed that two storage devices SSD1 and SSD2 are connected to a channel in order to simplify the description. Each storage device has 50% OP area. After the hacker stores the malware code in SSD2, they immediately reduce the OP area of SSD1 to 25% and expand the OP area of SSD2 to 75%.
At this time, the malware code is included in the hidden area of SSD2. A hacker who gains access to the SSD can activate the embedded malware code at any time by resizing the OP area. Since normal users maintain 100% user area on the channel, it will not be easy to detect such malicious behavior of hackers.
Click to expand...
The obvious advantage of such an attack is that it is stealthy. Detecting malicious code in OP areas is not only time-consuming but also requires highly-specialized forensic techniques.
Click to expand...
www.bleepingcomputer.com

Firmware attack can drop persistent malware in hidden SSD area

Korean researchers have developed a set of attacks against some solid-state drives (SSDs) that could allow planting malware in a location that's beyond the reach of the user and security solutions.
www.bleepingcomputer.com www.bleepingcomputer.com
 
Last edited:
  • +Reputation
  • Wow
  • Like
Reactions: Venustus, South Park, harlan4096 and 2 others
You must log in or register to reply here.

Similar threads

vtqhtr413
    • Like
    • Hundred Points
Technology "Simply the best OEM SSD ever made": Micron's new SSD gets glowing reviews
Replies
0
Views
519
Technology News
vtqhtr413
vtqhtr413
vtqhtr413
    • Like
IoT Startup OP[4] Launches With Firmware Security Platform
Replies
0
Views
330
News Archive
vtqhtr413
vtqhtr413
Gandalf_The_Grey
    • Like
    • Applause
Technology Would you buy Microsoft-manufactured SSDs? Because its 1 TB Z1000 SSD has been discovered
Replies
6
Views
425
Technology News
SHvFl
SHvFl

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top