Can a computer virus be stored somewhere else than on the hard drive?

Plenty of places:

  • BIOS / UEFI - BlackHat presentation (PDF)
  • System Management Mode (SMM) or the Intel Management Engine (IME) - Phrack article.
  • GPUs - Proof of concept rootkit on GitHub.
  • Network cards - Recon 2011 presentation (PDF)
  • A Quest To The Core (PDF) - a good presentation covering everything from BIOS to SMM to microcode.

Modern hardware has a wide range of persistent data stores, usually used for firmware. It's far too expensive to ship a complex device like a GPU or network card and put the firmware on a mask ROM where it can't be updated, then have a fault cause mass recalls. As such you need two things: a writeable location for that firmware, and a way to put the new firmware in place. This means the operating system software must be able to write to where the firmware is stored in the hardware (usually EEPROMs).

A good example of this is the state of modern BIOS/UEFI update utilities. You can take a UEFI image and an executable running on your OS (e.g. Windows), click a button, and your UEFI updates. Simple! If you reverse engineer how these work (which I have done a few times) it's mostly a case of a kernel-mode driver being loaded which takes page data from the given UEFI image and talks directly to the UEFI chip using the out instruction, sending the correct commands to unlock the flash and start the update process.

There are some protections, of course. Most BIOS / UEFI images won't load unless they're signed by the vendor. Of course, an advanced enough attacker might just steal the signing key from the vendor, but that's going into conspiracy theories and godlike threat actors, which just aren't realistic to fight in almost any scenario. Management engines like IME are meant to have certain protections which prevent their memory sections from being accessed even by ring0 code, but research has shown that there are many mistakes out there, and lots of weaknesses.

So, everything is screwed, right? Well, yes and no. It's possible to put rootkits in hardware, but it's also incredibly difficult. Each individual computer has such a variance in hardware and firmware versions that it's impossible to build a generic rootkit for most things. You can't just get a generic Asus BIOS and flash it to any board; you'll kill it. You'd need to create a rootkit for each separate board type, sometimes down to the correct revision range. It's also an area of security that involves a huge amount of cross-domain knowledge, way down deep to the hardware and low-level operational aspects of modern computing platforms, alongside strong security and cryptographic knowledge, so not many people are capable.

Are you likely to be targeted? No.

Are you likely to get infected with a BIOS/UEFI/SMM/GPU/NIC-resident rootkit? No.

The complexities and variances involved are just too great for the average user to ever realistically have to worry about it. Even from an economic perspective, these things take an inordinate amount of skill and effort and money to build, so burning them on consumer malware is idiotic. These kinds of threats are so targeted that they only ever really belong in the nation-state threat model.
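As an added, defender-side example (not code from any answer above), this Python script compares a fresh firmware dump against a known-good baseline at SPI-flash erase-block granularity and reports which blocks changed, skipping a region that legitimately changes (such as the UEFI variable store). The sample images are constructed, not real firmware; in practice both dumps would come from an external programmer or a flash-reading tool such as flashrom, taken outside the OS the firmware boots.

```python
import hashlib
from typing import Dict, List, Tuple

ERASE_BLOCK = 4096  # SPI NOR flash is usually erased in 4 KiB sectors


def block_hashes(image: bytes, block_size: int = ERASE_BLOCK) -> List[str]:
    """SHA-256 of each erase-block-sized region, so a diff points at an offset."""
    return [hashlib.sha256(image[off:off + block_size]).hexdigest()
            for off in range(0, len(image), block_size)]


def in_ignored(offset: int, block_size: int, ignore: List[Tuple[int, int]]) -> bool:
    """True if the block [offset, offset+block_size) overlaps any ignored range."""
    return any(offset < end and offset + block_size > start for start, end in ignore)


def diff_images(baseline: bytes, current: bytes,
                block_size: int = ERASE_BLOCK,
                ignore: List[Tuple[int, int]] = None) -> Dict[str, object]:
    """Report erase blocks whose content differs from the baseline dump.

    ignore: (start, end) byte ranges expected to change between dumps,
    e.g. a UEFI NVRAM region that is rewritten on every boot-order change.
    """
    ignore = ignore or []
    base_hashes = block_hashes(baseline, block_size)
    cur_hashes = block_hashes(current, block_size)
    changed = [i * block_size
               for i, (a, b) in enumerate(zip(base_hashes, cur_hashes))
               if a != b and not in_ignored(i * block_size, block_size, ignore)]
    return {
        "size_changed": len(baseline) != len(current),  # a resized image is itself suspicious
        "changed_offsets": changed,
        "baseline_sha256": hashlib.sha256(baseline).hexdigest(),
        "current_sha256": hashlib.sha256(current).hexdigest(),
    }


# Constructed sample images (not real firmware): a 32 KiB baseline and a copy
# with one 4 KiB sector at 0x3000 rewritten, mimicking a modified flash region.
BASELINE = bytes(range(256)) * (32 * 1024 // 256)
_modified = bytearray(BASELINE)
_modified[0x3000:0x4000] = b"\xff" * 0x1000
MODIFIED = bytes(_modified)

if __name__ == "__main__":
    report = diff_images(BASELINE, MODIFIED)
    for off in report["changed_offsets"]:
        print(f"block at 0x{off:06x} differs from baseline")
```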


The short answer to your question is yes.

Here are some places where a virus could hide:

  • On the firmware of your keyboard, mouse, webcam, speakers, etc. Basically anything you connect to your computer that has a writable firmware.
  • On your hard drive firmware. Sort of on your hard drive, but still survives a reformatting. The NSA are likely suspects for that one.
  • In your BIOS or UEFI.
  • In ye olden days, boot sectors of floppy disks. This was standard among early viruses, since at the time floppy disks were often used as primary storage. Same goes for USB sticks now.

A virus could potentially target anything where there is writable data that gets treated as executable code. On a computer, that is basically anywhere. For it to survive a restart, though, it would have to be some kind of persistent storage. So the CPU cache might not be the best place to hide.

Most viruses don't do this, though, and just live on the HDD. This is because virus writers are (rationally) lazy. Why go for the complicated options when there is plenty of low hanging fruit?


One of the most common but unchecked places is... a peripheral with an "embedded driver disk", like lots of 3G/4G USB sticks. They have — technically — a hub inside, and a Generic Storage + the device itself on it. Upgrading its firmware usually upgrades a disk image mounted to the generic storage part. It's read-only from the PC in regular use, but it's easily remapped as a CD-ROM with autoplay. The one I've experienced myself in 2006-2008 was a 4G stick for a local cell provider. It contained CD-ROM-like storage out-of-the-box from the local sale point, autoplay and trojan included =) Next firmware patch — and the storage is remapped back to HDD and no virus on board.
