The malicious code enters your network undetected, rapidly infecting more than 100 machines. But this is no ordinary virus. Your antivirus and disk recovery tools can't help, because the disk drives won't spin at all. The drives are toast. The PCs are completely inoperable.
The era of microcode attacks has begun.
Could viruses really attack the low-level microcode that makes disk drives run? It's entirely possible, disk technology experts say. Dimitri Postrigan knows how such a virus might be created, but he's not telling. Postrigan reverse-engineers and programs hard disk drives at ActionFront Data Recovery Labs.
He says each disk drive has its own internal operating system that enables the device to start up. The operating system microcode resides in a special system area of the disk. "A virus could be written which would destroy the whole system area on a drive. This will make the drive and data almost unrecoverable," Postrigan says.
That nightmare scenario also bothers Ben Carmichael, technical director of ESS Data Recovery. "In the data recovery industry, we've been waiting around for this to happen. We've written programs to restore hard drives. We could easily write a program to destroy them," he says. He worries that others with fewer scruples could create a fast-spreading virus that causes massive destruction of data.
The idea of a microcode attack goes beyond hard drives, says Thor Larholm, senior security researcher at PivX Solutions. Microcode is found in other PC components, including graphics cards, the Bios and the CPU. Both Intel and AMD offer microcode utilities, complete with source code that could be used to physically damage a CPU by severely overclocking it, Larholm says.
So why haven't such exploits been more common? Fortunately, it's not that easy to do. Viruses thrive on homogeneity. While all PCs may look the same at the Windows level, at the machine level, things can be very different, making a broad attack more difficult to pull off.
Years ago, someone wrote a virus that attempted to overwrite the flash memory area of a PC's Bios, but its success was limited because there are so many different Bios implementations, says Sean Barry, remote data recovery manager at Ontrack Data Recovery.
Similarly, the way one accesses the service area of a hard disk varies by manufacturer. That means a virus would have to include code for each brand its creator wanted to target. The proprietary tools and codes required also aren't readily available. Postrigan says he has personally tried to find such information on the internet and through other channels, without success. He gained the knowledge through the time-consuming process of reverse-engineering the products.
But Carmichael says knowledge is spreading. Old hard drives are routinely shipped to Russia, where the business of repairing old hard disk drives for resale is flourishing. He notes pointedly that many viruses today come from that region. How big a step would it be for that information to be shared?
Very big, says Bruce Schneier, chief technology officer at Counterpane Internet Security. Disk drive experts may reside in the same country as malicious hackers, but that doesn't mean the two groups are any more likely to share information, he says.
In addition, professionals such as Carmichael and Postrigan, who have the determination to develop such skills, tend to develop a sense of moral responsibility. "Society is saved by that a lot," Schneier says.
The public may also give virus writers too much credit. Most simply aren't that good. Existing viruses tend to be quite buggy, while efforts at more difficult, hardware-based attacks, such as attempts to overwrite disk controllers, have attained only mediocre results, Schneier says. Most writers look for the easiest route to destruction. Why do all that research when you can simply erase the data?
Schneier thinks that only one type of organisation would be likely to apply the skills necessary to pull off such attacks. "You can imagine that the [US] government has in its back pocket malicious code that does these sort of things for military use," he says.
Nonetheless, while an imminent attack by virus writers may be unlikely, Schneier acknowledges that ultimately, Carmichael may be right. "Sooner or later, someone is going to say, 'Let's really hurt people.' It's unfortunate," he says. That possibility - albeit a remote one - is just one more reason to keep your antivirus software up to date.