Security researchers have revealed a new technique that could be used to secretly write data onto a hard drive, with no chance that it could be detected by computer forensic or antivirus tools. It could be the malware writers' next big trick.
The system devised by Ariel Berkman, a data specialist at Israeli recovery firm Recover, relies on writing data to a hard disk's service area – the portion of the disk typically reserved for the manufacturer's firmware.
The data in a hard disk's service area – sometimes termed the reserved area or system area – is typically used to store firmware modules that are needed to operate the drive. It's one of the reasons why a hard drive's usable space is lower than its theoretical capacity.
But instructions for writing data to these portions of the hard drive are closely guarded secrets – doing so requires so-called vendor-specific commands (VSCs). “These commands are unique to the hard-drive vendor and are not publicly disclosed,” said Berkman.
Nonetheless, Berkman has devised a proof-of-concept program that manipulates these secret VSCs and writes a file of up to 94MB to the service area of a Western Digital 250GB Hawk hard drive.
“One could use these 'inaccessible' areas to store data – e.g. secret documents – or possibly code such that they would be effectively hidden to current tools,” he told V3.
Other methods of hiding data on hard drives, such as steganography, typically involve trying to bury data deep within other files, making it hard to discover.
But most detection tools, such as those used by antivirus vendors or forensic examiners, do not typically bother to analyse the service area, Berkman said.
“Antivirus and forensics tools will not be able to access and analyse that data, and sanitation tools will not be able to purge it,” he added.
So far, the trick is purely at the proof-of-concept stage, and the software can in some instances result in data loss or hard drive failure, so it's not ready for prime time just yet.
Nonetheless, it might offer malware writers, or maybe just those with secrets they wish to pass on undetected, a method of hiding data where it cannot easily be found.
08 Mar 2013