This malware, undetectable by antivirus, hides in an unexpected part of the SSD


Korean researchers have just described a type of attack that targets SSDs. By working in an unusual area of the drive, the malware stays undetectable by antivirus and other security solutions.

It is no secret that malware can evade detection software during the first days after its release, as Mosaicloader did when Windows Defender failed to detect it. But few samples manage to slip through the net over the long term. A group of Korean security researchers, however, has developed a whole new type of attack that may well give antivirus companies a hard time.

The attack exploits a weakness on Micron SSDs that use Flex Capacity technology. Many drives do, especially since the same mechanism also goes by other names depending on the manufacturer. Ultimately, the attack described by the Korean researchers could apply to SSD models across the board.

Attack targets SSDs that use Flex Capacity technology

Launched in 2016 with the Micron 5100, Flex Capacity technology is now as useful as it is widespread. Its purpose is to automatically adjust the amount of raw storage set aside to support reads and writes. Flex Capacity therefore creates a buffer space called Over Provisioning, which can take up to 25% of the SSD's total capacity. Because this space is dynamic (data placed there is not meant to persist), its main job is to improve the SSD's performance. But above all, by its nature, this area is completely invisible to the operating system and applications.


According to the researchers from Korea University in Seoul, it is possible to inject data between the SSD's user storage area and the area dedicated to Over Provisioning. From there, an attacker could exploit this space as he sees fit and control its size through the firmware manager. He could then recover data that has never actually been erased (many manufacturers prefer not to erase the Over Provisioning space constantly, in order to save hardware resources). The researchers explain that an attacker could thus find data that has been sitting undeleted for more than six months. But above all, the attacker could also hide any kind of malicious code in this area without any security software getting in the way.

Example of malware injection on the SSD (credit: Arxiv.org).

The researchers suggest that manufacturers implement an algorithm that performs a lightweight (pseudo) erase of this stale data, so that the wipe does not drain system resources on every deletion. They also propose monitoring the rate of data flowing into the Over Provisioning area.
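To make the mechanism described in the passages above concrete (an over-provisioning area the OS cannot address, an attacker resizing it through firmware and reading pages that were never erased, a payload parked where no antivirus looks, and the two countermeasures), here is a toy flash-translation-layer model. It is an added example written for this article, not the researchers' code and not a model of any Micron firmware; every name in it (ToySsd, raw_read, resize_op, hide_payload, pseudo_erase, invalid_ratio) is invented for the example, and the user data it writes is constructed.

```python
"""Toy SSD model of the over-provisioning (OP) behaviour described in the article.
Constructed for this page; not the Korea University researchers' code and not a
model of any particular Micron firmware. All names (ToySsd, raw_read, resize_op,
hide_payload, pseudo_erase, invalid_ratio) are invented for the example."""
from typing import Dict, List, Optional, Set


class ToySsd:
    def __init__(self, physical_pages: int, op_ratio: float = 0.07) -> None:
        self.physical_pages = physical_pages
        self.op_ratio = op_ratio                      # share of raw NAND reserved as OP
        self.nand: List[Optional[bytes]] = [None] * physical_pages
        self.l2p: Dict[int, int] = {}                 # logical page -> physical page
        self.invalid: Set[int] = set()                # physical pages holding stale data
        self.next_free = 0

    @property
    def logical_pages(self) -> int:
        """Capacity the OS sees: raw NAND minus the OP reservation."""
        return int(self.physical_pages * (1 - self.op_ratio))

    def write(self, lba: int, data: bytes) -> None:
        """NAND is not overwritten in place: the old copy is marked invalid but stays."""
        if not 0 <= lba < self.logical_pages:
            raise IndexError("LBA outside advertised capacity")
        if self.next_free == self.physical_pages:
            raise RuntimeError("drive full: real firmware would garbage-collect here")
        if lba in self.l2p:
            self.invalid.add(self.l2p[lba])
        self.nand[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def trim(self, lba: int) -> None:
        """Host-side delete (TRIM): the mapping disappears, the bytes do not."""
        self.invalid.add(self.l2p.pop(lba))

    def os_read(self, lba: int) -> Optional[bytes]:
        """What the OS (and an antivirus reading through it) gets back."""
        page = self.l2p.get(lba)
        return None if page is None else self.nand[page]

    def raw_read(self, page: int) -> Optional[bytes]:
        """Attacker with firmware-level access: read any physical page, mapped or not."""
        return self.nand[page]

    def resize_op(self, op_ratio: float) -> None:
        """Grow OP through the 'firmware manager': LBAs now beyond the advertised
        capacity are unmapped, but nothing is erased."""
        self.op_ratio = op_ratio
        for lba in [l for l in self.l2p if l >= self.logical_pages]:
            self.trim(lba)

    def hide_payload(self, payload: bytes) -> int:
        """Park bytes in a stale page: no LBA points at it, so OS-level scans miss it."""
        page = min(self.invalid)
        self.nand[page] = payload
        return page

    def scan(self, needle: bytes, raw: bool) -> bool:
        """Signature search over mapped pages only (OS view) or over all NAND (raw)."""
        pages = range(self.physical_pages) if raw else self.l2p.values()
        return any(self.nand[p] is not None and needle in self.nand[p] for p in pages)

    def invalid_ratio(self) -> float:
        """Countermeasure 2: share of NAND holding stale but readable data."""
        stale = sum(1 for p in self.invalid if self.nand[p] is not None)
        return stale / self.physical_pages

    def pseudo_erase(self) -> int:
        """Countermeasure 1: wipe stale pages eagerly instead of waiting for GC."""
        wiped = [p for p in self.invalid if self.nand[p] is not None]
        for p in wiped:
            self.nand[p] = None
        return len(wiped)


def run_scenario() -> dict:
    """Attack then mitigation on a 16-page drive with 25% OP (constructed data)."""
    ssd = ToySsd(physical_pages=16, op_ratio=0.25)        # 12 pages visible to the OS
    for lba in range(ssd.logical_pages):
        ssd.write(lba, b"u%02d" % lba)
    ssd.write(3, b"new")                                    # old copy of LBA 3 goes stale
    ssd.trim(5)                                             # "deleted" by the OS
    out = {"os_read_deleted": ssd.os_read(5),
           "raw_read_deleted": ssd.raw_read(5),
           "raw_read_old_version": ssd.raw_read(3)}
    ssd.resize_op(0.5)                                      # attacker grows OP to 50%
    out["visible_after_resize"] = ssd.logical_pages
    out["raw_read_pushed_into_op"] = ssd.raw_read(10)      # was LBA 10, still on NAND
    ssd.hide_payload(b"evil")
    out["os_scan_finds_payload"] = ssd.scan(b"evil", raw=False)
    out["raw_scan_finds_payload"] = ssd.scan(b"evil", raw=True)
    out["stale_ratio_before"] = ssd.invalid_ratio()
    out["pages_wiped"] = ssd.pseudo_erase()
    out["raw_scan_after_wipe"] = ssd.scan(b"evil", raw=True)
    out["stale_ratio_after"] = ssd.invalid_ratio()
    return out
```

Calling run_scenario() walks through the whole story: the OS reads nothing at the trimmed LBA while raw_read still returns the bytes (and the previous version of an overwritten page), enlarging OP pushes live user data into the unmapped region without erasing it, the parked payload is found only by a raw scan, and an eager pseudo_erase followed by a drop in invalid_ratio is what the two proposed countermeasures look like in practice.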

Note that the attack developed by the Korean researchers is aimed specifically at Flex Capacity technology, so only Micron SSDs currently appear to be affected. But Over Provisioning also exists on drives from other makers, as well as on those sold under Micron's Crucial consumer brand, and it is likely that the malware will be able to target technologies similar to Flex Capacity in the near future.

Source: Bleeping Computer



Source link -101