Why wiping a hard drive doesn’t always remove malware
Quick links
-
Why wiping a hard drive doesn’t always remove malware
-
Are rootkits and bootkits different? How to check for persistent malware
Wiping the device is considered a “full nuclear” option when it comes to dealing with malware. You erase all the data on the infected drive, with the theory that the malware can’t survive the process.
Except when possible.
Why wiping a hard drive doesn’t always remove malware
Persistent malware is one of the worst there is. Most malware is effectively removed by a system restore or, worse, a complete disk wipe. However, in both cases, certain types of malware remain active even when you think you’ve brought any signs of life to the drive.
It’s actually a two-part problem.
First, restoring a system restore point is often recommended as a good way to remove malware. It makes sense; you’re returning your computer to a previously known good configuration and hopefully avoiding significant data loss in the process.
However, system restore points are not a magic bullet. You have to hope that you created a system restore point before picking up the malware. In addition, some types of malware can hide in files and directories that remain unchanged after the system restore process, while other types of malware exist completely outside of the traditional file structure. Some malware can even delete system restore points, making it difficult to get back to a good configuration.
This brings me to point number two: rootkits and bootkits. These absolutely diabolical types of malware hide outside of your hard drive and instead infect your hard drive’s firmware, BIOS/UEFI, Master Boot Record (MBR), or GUID Partition Table (GPT). Because these elements do not exist on your hard drive, they can escape the system restore point or wipe the entire drive and re-infect your computer once you think you’re clean.
Are rootkits and bootkits different? How to check for persistent malware
As you’ve probably discovered, persistent malware such as a rootkit, bootkit, or other is particularly nasty. However, there are differences between a rootkit and a bootkit, and how to get rid of this malware is also different.
|
Rootkits |
Bootkits |
|
|---|---|---|
|
Location of infection |
Focus on a core operating system, application, or user-space component. Paste into system files or processes. |
Specifically target the boot process and infect areas such as MBR, GPT or BIOS/UEFI firmware. |
|
Degree of control |
Get control after the operating system starts, often involve system processes or drivers. |
Run malicious code during the initial boot sequence, allowing for a check before the operating system is loaded. |
|
Mechanisms of persistence |
Use advanced techniques to stay hidden in the operating system; sometimes removable with rootkit removal tools. |
Removal is more difficult because they can survive reboots and OS reinstalls, especially if they are built into BIOS/UEFI. |
|
Complexity and detection |
They can often be detected by security tools that scan memory and system files, even if they evade these tools. |
More difficult to detect due to operation beyond the reach of an operating system-based antivirus; removal may require a boot-level scan. |
Any way you look at it, detecting persistent malware is difficult, but there are some options.
First, consider how your computer works. If you experience unusual startup problems or significantly reduced performance, you may have malware. It may not be persistent malware, but if you perform a regular malware cleanup and clean your system and the malware keeps coming back, it could indicate a more serious problem.
In this case, you have several options:
You should also consider checking your motherboard manufacturer for firmware updates, as they may have fixed vulnerabilities that exploit bootkits.
Persistent malware is a terrible experience. When I was younger I downloaded what I thought was a game and ended up infecting my family computer with a rootkit. I have to say that I was far from flavor of the month, but after some time and experimentation I removed it. However, the best protection is to avoid infection, and that means avoiding dodgy downloads, pirated content, and the like, and making sure you have a decent antivirus or antimalware package installed.
