Information Security Asked by joshnow on January 13, 2021
I have reason to believe that there is a persistent backdoor on my device, one which is not removed after a reinstallation of the OS.
I wanted to know the step-by-step protocol of a system wipe to remove any potential backdoors.
It's possible that the installation media (a live USB) is re-infecting my machine when I boot from it, but I want to know the step-by-step protocol to remove any potential malware.
How do I completely return to factory conditions? Fresh bootloader, kernel, and OS.
OS: Ubuntu 20.04
There is no one-size-fits-all protocol for this. It really depends on what kind of adversary you believe you are dealing with.
Either way, the first step is the same: don't panic, take a deep breath, and thoroughly consider your threat model, your options and goals. Do you really want to wipe the device? This can potentially destroy evidence that may be relevant in a future investigation. If you can afford it, you may want to isolate the device and have a professional perform forensics on your device to figure out what kind of backdoor you have and to preserve any evidence.
If this is not viable, the next question would be how thorough you want to be. There are more places than initially obvious where a backdoor can persist, although the more sophisticated ones are rather uncommon. This is where considering your threat model is really important. What kind of sophistication are you expecting? Is this some run-of-the-mill bootkit malware or are you facing a state-level actor (most people aren't the target of TAO attacks or the like, and if you think you are, there may be better places to get advice ;)?
So let's go through some of the places where a backdoor might be installed, from least to most sophisticated (or, well, from likely to less likely):
When wiping the disk, consider that you may not want to do this using the possibly compromised device. You may want to remove the disk, attach it to a second computer without mounting it, and then overwrite it, e.g. using dd. If your device is an SSD with Secure Erase capabilities, you can also use those. This should remove any persistent malware on the disk, but not necessarily more sophisticated backdoors on the disk controller or other firmware.
Finally, the most paranoid option is to consider the device burned, power it off and not use it anymore - although this is probably not within everyday Joe's threat model.
Correct answer by plonk on January 13, 2021
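The "attach it to a second computer without mounting it, then overwrite it with dd" step from the answer above, written out as an added example that is not part of the original answer. It assumes a Linux host (it consults /proc/mounts and, when present, blockdev), and the target device path is a placeholder supplied by the caller; the safety checks refuse anything that is mounted or that backs the running root filesystem, and the final verification reads the whole target back to confirm it is all zeros.

```shell
#!/bin/sh
# Hypothetical helper: zero-fill a disk from a trusted second machine.
# Usage: wipe_disk /dev/sdX && verify_zeroed /dev/sdX   (device path is a placeholder)

# Size of TARGET in bytes: block devices via blockdev, regular files via wc.
target_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# 0 if TARGET (or one of its partitions) is listed as a mount source.
is_mounted() {
    grep -q "^$1" /proc/mounts 2>/dev/null
}

# 0 if TARGET is (or contains) the device backing the running root filesystem.
backs_root() {
    rootdev=$(df -P / | awk 'NR==2 {print $1}')
    case "$rootdev" in "$1"*) return 0 ;; esac
    return 1
}

# Overwrite TARGET with zeros in 1 MiB chunks plus a byte-sized tail, then flush.
# Returns 1 (missing), 2 (refused by a safety check) or 3 (dd failed).
wipe_disk() {
    target=$1
    [ -e "$target" ] || { echo "no such target: $target" >&2; return 1; }
    if is_mounted "$target" || backs_root "$target"; then
        echo "refusing: $target is mounted or backs the running system" >&2
        return 2
    fi
    size=$(target_size "$target")
    chunks=$((size / 1048576)); rest=$((size % 1048576))
    dd if=/dev/zero of="$target" bs=1048576 count="$chunks" conv=notrunc 2>/dev/null || return 3
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/zero of="$target" bs=1 count="$rest" seek=$((chunks * 1048576)) \
            conv=notrunc 2>/dev/null || return 3
    fi
    sync
}

# 0 only if every byte of TARGET reads back as zero (count surviving non-zero bytes).
verify_zeroed() {
    size=$(target_size "$1")
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}
```

Secure Erase on an SSD is a separate, controller-level operation and is not covered by this script; after either method, reinstall from media prepared on the trusted machine rather than the old live USB.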