Speculation about the American hard-disk spyware

According to foreign media reports, the Russian network security company Kaspersky Lab said it has discovered a variety of precisely designed spyware in hard disks produced by companies such as Toshiba, Western Digital, Seagate and IBM. The software can eavesdrop on most computers in the world, and Kaspersky indirectly suggested that it was designed by the American intelligence agency, the NSA. So how is this spy program hidden in the hard disk? Here is some of my speculation.

Where is the spyware?

The boot process from a hard disk goes like this: the BIOS performs its power-on self-test, starting execution at memory address FFFF:0000; it then reads the first sector of the hard disk, the Master Boot Sector (head 0, cylinder 0, sector 1, 512 bytes, holding the Master Boot Record), into memory at 0000:7C00 and jumps to 0000:7C00 to execute the MBR program. The MBR searches the primary partition table for the active partition, reads the first sector of that partition to memory address 0000:7C00, and checks whether the word at 0000:7DFE equals 0xAA55; if it does not, it displays "Missing Operating System". If everything is normal, it jumps to 0000:7C00 to continue with the startup program of the specific operating system, and control of the computer is then handed over to that operating system.

As can be seen from this boot process, anyone who wants to pre-install spyware on a hard disk and have it execute would modify the MBR program and add the desired functionality there.


From this idea, this procedure is actually like a guiding area that appears, this is also one of the earliest viruses. This virus is very harmful for old-fashioned DOS, Windows 9x is very harmful, but for Windows NT. The system has little influence because the NT system will limit the operation of the earlier program, and the previous virus will not be activated, and the oldest Windows XP is currently based on the NT core.

What can spyware do?

Since most operating systems (including Windows XP) restrict the MBR program, code placed in the MBR cannot propagate under Windows. From this one can infer that an MBR program can only prevent Windows from starting and loading; it cannot control Windows or transmit anything over the network. When the user reinstalls the operating system, the MBR is rewritten, which clears the modified MBR program.

What can the MBR program do before Windows loads? Since no network driver is loaded, the program obviously cannot connect anywhere; since no file system is loaded, it cannot read or write files, only raw physical sectors of the hard disk. Once a read or write error damages the Windows system, the user will reinstall, the MBR is rewritten, and the program is removed.

How to clear spyware

Following this speculation, if the spyware is based on the master boot sector (MBR), then it is enough to rewrite the MBR: under DOS or Windows 9x use fdisk /mbr, and under current Windows systems use a disk partitioning tool to overwrite the MBR. After rewriting, the system boot no longer loads any additional program.
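As an added example (my own code, not part of the original post), the following Python script performs the same MBR checks the BIOS performs in the boot sequence described earlier (the 0xAA55 word at offset 510 and the single active partition entry) and compares the boot code region against a SHA-256 hash recorded from a known-good MBR, so that a rewritten MBR can be noticed before resorting to the fdisk /mbr remedy above. The offsets are the standard 512-byte MBR layout; the sample sectors are constructed in the script, and the function names are my own.

```python
# Added example (not from the original post): parse a 512-byte Master Boot
# Record the way the BIOS boot path consumes it, then compare its boot code
# against a known-good hash so a rewritten MBR can be detected. All sample
# sectors below are constructed; no real disk is read.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439 hold the boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the disk signature
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55        # stored little-endian as bytes 0x55 0xAA


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "active": status == 0x80,   # 0x80 marks the bootable partition
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Return the signature check result, partition table and active entry.

    Mirrors the BIOS logic from the post: the 0xAA55 word at offset 510 must
    be present, otherwise the firmware reports "Missing Operating System".
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    partitions = [
        parse_partition_entry(sector[off:off + PARTITION_ENTRY_LEN])
        for off in range(PARTITION_TABLE_OFFSET,
                         PARTITION_TABLE_OFFSET + 4 * PARTITION_ENTRY_LEN,
                         PARTITION_ENTRY_LEN)
    ]
    active = [p for p in partitions if p["active"]]
    return {
        "signature_ok": signature == BOOT_SIGNATURE,
        "partitions": partitions,
        # more than one active entry is itself a sign of corruption or tampering
        "active_partition": active[0] if len(active) == 1 else None,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot code only; the partition table may change legitimately."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def boot_code_matches_baseline(sector: bytes, baseline_hash: str) -> bool:
    """Compare the boot code with a hash taken from a known-good MBR,
    for example recorded right after a clean operating system install."""
    return boot_code_hash(sector) == baseline_hash


def build_sample_mbr(boot_code: bytes, entries: list, with_signature: bool = True) -> bytes:
    """Construct a test sector (hypothetical data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        sector[off:off + PARTITION_ENTRY_LEN] = struct.pack(
            "<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    if with_signature:
        struct.pack_into("<H", sector, SIGNATURE_OFFSET, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed sample: a clean MBR with one active NTFS-type (0x07) partition at LBA 2048.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
BASELINE = boot_code_hash(CLEAN_MBR)
# Same partition table, different boot code: what a rewritten MBR looks like.
MODIFIED_MBR = build_sample_mbr(b"\xEB\x3C\x90OTHER-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
# Signature word absent: the BIOS would display "Missing Operating System".
NO_SIG_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOT-CODE",
                              [(0x80, 0x07, 2048, 204800)], with_signature=False)

if __name__ == "__main__":
    info = parse_mbr(CLEAN_MBR)
    print("signature ok:", info["signature_ok"],
          "| active partition starts at LBA", info["active_partition"]["lba_start"])
    print("modified boot code matches baseline:",
          boot_code_matches_baseline(MODIFIED_MBR, BASELINE))
    print("sector without signature ok:", parse_mbr(NO_SIG_MBR)["signature_ok"])
```

Only the first 440 bytes are hashed because the partition table and disk signature change during normal administration, whereas the boot code of an installed system should stay constant; a baseline mismatch there is exactly the kind of change that rewriting the MBR, as described above, would undo.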

Since the hard disk is just a storage device, a rewritable MBR program is actually not that frightening. In fact, if I were the NSA, I think hiding the spyware in the CPU (the central processor) would be more feasible and practical, because the CPU not only has computing power but also storage, and placing hidden instructions there to be triggered at a chosen time would be more reliable.