Skip the navigation

Awaiting the PC Killers

By Robert L. Mitchell
August 22, 2005 12:00 PM ET

Computerworld - The malicious code enters your network undetected, rapidly infecting more than 100 machines. But this is no ordinary virus. Your antivirus and disk recovery tools can't help, because the disk drives won't spin up at all. The drives are toast. The PCs are completely inoperable.
The era of microcode attacks has begun.
Could viruses really attack the low-level microcode that makes disk drives run? It's entirely possible, disk technology experts say. Dimitri Postrigan knows how such a virus might be created -- but he's not telling. Postrigan reverse-engineers and programs hard disk drives at ActionFront Data Recovery Labs.
He says each disk drive has its own internal operating system that enables the device to start up. The operating system microcode resides in a special system area of the disk. "A virus could be written which would destroy the whole system area on a drive. This will make the drive and data almost unrecoverable," Postrigan says.
That nightmare scenario also bothers Ben Carmitchel, president of ESS Data Recovery. "In the data recovery industry, we've been waiting around for this to happen. We've written programs to restore hard drives. We could easily write a program to destroy [them]," he says. He worries that others with fewer scruples could create a fast-spreading virus that causes massive destruction of data.
The idea of a microcode attack goes beyond hard drives, says Thor Larholm, senior security researcher at PivX Solutions. Microcode is found in other PC components, including graphics cards, the BIOS and the CPU. Both Intel and AMD offer microcode utilities, complete with source code that could be used to physically damage a CPU by severely overclocking it, Larholm says.
So, why haven't such exploits been more common? Fortunately, it's not that easy to do. Viruses thrive on homogeneity. While all PCs may look the same at the Windows level, at the machine level, things can be very different, making a broad attack more difficult to pull off.
Years ago, someone wrote a virus that attempted to overwrite the flash memory area of a PC's BIOS, but its success was limited because there are so many different BIOS implementations, says Sean Barry, remote data recovery manager at Ontrack Data Recovery.
Similarly, the way in which one accesses the service area of a hard disk varies by manufacturer. That means a virus would have to include code for each brand its creator wanted to target. The proprietary tools and codes required also aren't readily available to the layperson. Postrigan says he personally has tried to find such information on the Internet and through

Our Commenting Policies