Best / easiest way to wipe disks after potential malware attack, using Linux boot USB?

VirtualLarry

No Lifer
Aug 25, 2001
I need to "wipe" an SSD and a 1TB WD HDD, in an older Sandy Bridge-era Dell PC.

Was thinking of using Linux boot USB, and using the "Disks" tool. Does it offer an "easy Secure Erase" feature? I used to know how to do it command-line style with hdparm, but with my aging brain, that esoterica has started to escape me.

The box in question was running Win10, and after I wipe the disks, I'm going to re-install Win10 (as per owner's wishes). But is a re-format "enough", or should I look into doing a secure erase? Just run "sudo dd" on the SSD, for the first million sectors or whatever MS's "DISKPART" tool does with "CLEAN"?

I just don't want to accidentally allow any potential rootkit to escape onto my LAN (will be doing the disk wipe(s) with the ethernet disconnected), and don't want it to survive a re-format if it's a "bootkit".
 

SamirD

Golden Member
Jun 12, 2019
I typically will use a parted magic live cd and use the standard ata secure erase command and let it do the work. This clears even the non-user areas on the disk so it's the real deal. Otherwise, I would just look up hdparm and use it since you're familiar with it.
 

VirtualLarry

No Lifer
Aug 25, 2001
Well, I was pressed for time. I booted the Linux USB, ran Disks, selected the disk, deleted all of the partitions, selected the disk, deleted all the partitions, then shut down / rebooted with the Win10 USB, installed Win10 Pro onto the SSD. Well, when I finally got it all installed, and went to quick-format the 1TB secondary games HDD, in Disk Management, it DID NOT ask me to "initialize" (install the MBR code) the disk. Ruh-roh. Guess the Linux disk wipe was incomplete, didn't get the disk boot-sectors.

Anyways, I installed Malwarebytes, enabled Rootkit scanning, and scanned the rig, no positives. I'm going to cross my fingers that they didn't install a bootkit.

I don't know, but it's a Dell, it may have Secure Boot enabled as well, I actually didn't check it. If it does, it strongly suggests that there IS NO "bootkit", and my friend's rig is now safe.
 

VirtualLarry

No Lifer
Aug 25, 2001
Well, he still owes me for the job, but I did get a fresh hot tasty pizza from Domino's as a tip for doing this on short notice.
 

Paperdoc

Platinum Member
Aug 17, 2006
You may have done all you plan. But for reference, my usual procedure that I THINK does an effective cleaning is to do a Zero Fill operation on the HDD. This process, as I understand it, writes all zeroes to EVERY Sector of the HDD, including all the first Sectors involved in a Partition Table, etc. As a secondary effect, that triggers the HDD's own internal self-checking tools (normally done as a Sector is written, but now we're talking ALL Sectors) so that any that are weak or faulty are marked for never-to-use, and replaced with empty spare good Sectors. So when done, the HDD is completely empty of old data AND appears to any OS as a perfect unit with NO faulty Sectors. It has NO information of any kind on it, and requires the normal Partition and Format operations in your OS to make it useable.

To do this, the easiest way is to download and use the HDD maker's disk diagnostics utility package - in this case, WD's Data Lifeguard, which runs under Windows.


I note that page says the utility has been replaced by their new Western Digital Dashboard, but that appears to be aimed at SSD's.


The other tool is that old friend, DBAN, which can do this, too.

I will note that these tools imply that the zero-fill is done EVERYWHERE on the HDD, but I don't know that for sure. Also, this is NOT a DoD-type Secure Erase. That kind of process does several writes to everywhere in many patterns, ensuring that no tool later can recover anything of the old files. Technically, when a Zero Fill has been done ONCE, there are very sophisticated tools that MAY be able to recover old data by peeking at the edges of Sector tracks, etc., but VERY few people would have that and use it.
 

VirtualLarry

No Lifer
Aug 25, 2001
Well, I know about and have used DBAN in the past, for older HDDs, that is useful for doing a zero-wipe of the drive, but that's not really appropriate for an SSD, and some SSDs can actually fail, if you write all of the user sectors at once. (No chance / space to do GC properly.)

So I didn't want to use DBAN on it.

I probably should have used DISKPART, from the Win10 USB installer, as an added precaution after using the Linux USB to delete the partitions. Or used 'dd' in Linux.

I was kind of pressed for time, the fellow wanted it back same-day service. I had it done in under an hour, I think. Although getting the pizza and getting back to me to pick it up took some more time.
 

Paperdoc

Platinum Member
Aug 17, 2006
I quite agree I would not try the older tools on an SSD. So I was interested to learn that WD's new tool is aimed at those. However, it was not clear whether the new one also can handle HDDs. Glad you got it all sorted out.
 

Fallen Kell

Diamond Member
Oct 9, 1999
For SSDs you need to use a proper utility from the manufacturer of the drive. The problem with many of the SSDs is that the different manufacturers have different configurations in terms of reserve space, cache, and possibly even hidden firmware partitions. A real nasty hack could hide in those places. Some drives also support the "ATA Secure Erase" command, which can be sent using the hdparm command. In many cases, drives that support it have full drive encryption, and what they do is change the encryption key and mark all blocks to the erase state (the state that lets the TRIM command know it can be cleaned up and reused). So it won't really delete the files, but since everything is encrypted and the key is no longer there, any virus/malware would be rendered inoperable. But again, trust this only as well as you trust the manufacturer of the drive (and the price point/product level of the drive in the manufacturer's lineup). If the drive is part of the manufacturer's cheap line, they may have skimped on this and just tell you it is wiped, and set the blocks into the erase state even though they do not have encryption, which means the data is still there and can be accessed to be able to re-infect the system.

For normal spinning rust disks, any bootable Linux distro will work to be able to wipe them with the "dd" command. Something like "dd if=/dev/zero of=/dev/my_disk_device_typically_sda bs=32768" will work fairly efficiently. Using DBAN also works. But like I said, for SSDs you need to get the utility from the manufacturer. You might be able to find the reserve space on the drive with hdparm, and then could also use hdparm to resize the reserve area and that would let you use "dd" to erase, but with many SSD controllers, you would need to use "if=/dev/random" instead of "/dev/zero" in my previous example because many of the controllers are smart enough to see that you are simply writing all zeros (or ones) and will just mark the sectors for erase or mark a lookup table stating the sectors are zero or one filled to prevent the extra wear on the drive. Using "/dev/random" will greatly slow down the operation as it takes a lot of extra time to read from "/dev/random".
 
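SamirD's and Fallen Kell's posts both point at the ATA Secure Erase command sent through hdparm. The part that usually goes wrong in practice is not the erase itself but the drive's security state beforehand: most BIOSes "freeze" the ATA security feature set at POST, so hdparm refuses the command until the drive has been power-cycled without a POST (suspend-to-RAM and resume, or a SATA hot-plug), which is also why BIOS secure-erase menus often want a reboot first; and an erase that is interrupted leaves the drive locked with the password that was set for it. The script below is an added example, not code from anyone in the thread. It assumes a SATA drive at DISK=/dev/sdX, parses the "Security:" section of `hdparm -I` to decide whether the erase can proceed, and only touches a drive when DO_ERASE=1 is set; the `hdparm -I` text embedded for the dry run is constructed, not captured from a real drive.

```shell
#!/bin/sh
# ATA Secure Erase via hdparm with the pre-flight checks that usually trip
# people up. Added example, not from the thread. Assumes DISK=/dev/sdX; nothing
# is sent to a drive unless DO_ERASE=1 is also set.

# Classify a drive from the text of `hdparm -I`:
#   unsupported | frozen | locked | enabled | ready
security_state() {
    # keep only the "Security:" block and squash hdparm's tab layout, so that
    # "not<TAB>frozen" reads "not frozen"
    s=$(printf '%s\n' "$1" | sed -n '/^Security:/,/^Logical Unit/p' | tr -s '[:space:]' ' ')
    [ -z "$s" ] && { echo unsupported; return; }   # no Security section at all (typical behind USB bridges)
    # "not supported" for the feature set itself, not "not supported: enhanced erase"
    printf '%s' "$s" | grep -Eq 'not supported( |$)' && { echo unsupported; return; }
    printf '%s' "$s" | grep -q 'not frozen'  || { echo frozen; return; }
    printf '%s' "$s" | grep -q 'not locked'  || { echo locked; return; }
    printf '%s' "$s" | grep -q 'not enabled' || { echo enabled; return; }
    echo ready
}

# True when the drive advertises ENHANCED SECURITY ERASE, which also covers
# reallocated sectors (and on self-encrypting drives regenerates the key).
enhanced_supported() {
    printf '%s\n' "$1" | grep -q 'supported: enhanced erase'
}

secure_erase() {
    disk=$1
    info=$(hdparm -I "$disk") || return 1
    case "$(security_state "$info")" in
        ready)   ;;
        frozen)  echo "$disk is frozen (BIOS locked the feature set at POST): suspend with 'echo mem >/sys/power/state', resume, then rerun" >&2; return 2 ;;
        locked)  echo "$disk is locked by a previous password; unlock it with hdparm --security-unlock first" >&2; return 2 ;;
        enabled) echo "$disk already has a user password set; disable it with hdparm --security-disable first" >&2; return 2 ;;
        *)       echo "$disk has no ATA security feature set; use the vendor tool (or nvme-cli for NVMe)" >&2; return 2 ;;
    esac
    # the erase needs a user password; the drive clears it when the erase completes.
    # If the erase is interrupted the drive stays locked with this password.
    hdparm --user-master u --security-set-pass wipe "$disk" || return 1
    if enhanced_supported "$info"; then
        hdparm --user-master u --security-erase-enhanced wipe "$disk"
    else
        hdparm --user-master u --security-erase wipe "$disk"
    fi || return 1
    # on success the drive reports "not enabled / not locked" again
    [ "$(security_state "$(hdparm -I "$disk")")" = ready ] || { echo "$disk: security still enabled after erase" >&2; return 1; }
    # spot check: most drives read back zeros afterwards (not guaranteed by the spec)
    if cmp -s -n 16777216 /dev/zero "$disk"; then
        echo "$disk: erase done, first 16 MiB read back as zeros"
    else
        echo "$disk: erase reported done but data reads back non-zero; inspect with od" >&2
    fi
}

# Constructed `hdparm -I` security section (not captured from a real drive);
# $1 is the frozen line, either "not<TAB>frozen" or "<TAB>frozen".
sample_hdparm() {
    printf 'Security:\n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\t%s\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\nChecksum: correct\n' "$1"
}
SAMPLE_READY=$(sample_hdparm "$(printf 'not\tfrozen')")
SAMPLE_FROZEN=$(sample_hdparm "$(printf '\tfrozen')")   # same drive after a cold boot on a freezing BIOS

if [ "${DO_ERASE:-0}" = 1 ]; then
    secure_erase "${DISK:?set DISK=/dev/sdX to the drive whose contents you intend to destroy}"
else
    echo "dry run: sample drive reports '$(security_state "$SAMPLE_READY")'; after a cold boot it reports '$(security_state "$SAMPLE_FROZEN")'"
fi
```

Run it once without DO_ERASE to see the state the drive is in; the "frozen" branch is the one a Sandy Bridge-era Dell will most likely hit. For an NVMe drive the same job is `nvme sanitize` or `nvme format --ses=1` from nvme-cli, which is what the "Sanitize NVMe SSD" BIOS option later in the thread wraps. As Fallen Kell says, how thorough the result is depends on the drive's firmware; the read-back check at the end is a sanity check, not proof.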

Hans Gruber

Platinum Member
Dec 23, 2006
I use a USB cradle and connect to a PC that has nothing on it. It still has Windows 7 and ivy bridge i5. I used to use laptops. I wipe it with disk management in windows. If you are paranoid about hidden files after wiping the disk. Don't put it back in the same machine where you suspect the malware issue.
 

Red Squirrel

No Lifer
May 24, 2003
If you just want to make sure there's no boot sector malware or weird stuff you can just use dd. Basically it's a tool to write data at a more raw level and it can be used to zero out the drive.

Something like:

Code:
dd if=/dev/zero of=/dev/sdb bs=4M status=progress

Where sdb is the drive you want to wipe. /dev/zero is a system file that basically just outputs unlimited zeros. (0x00) Technically you can let it run for a few seconds and ctrl+c out of it, then repartition, but if you want to be really safe then just let it run through completely.

Malware is pretty advanced these days though, so if it did something more sophisticated like infect the actual microcontroller of the HDD, or the bios or any other chips in the system then this won't work against it.

Now if you're trying to do this for security reasons so someone can't recover the data, then I would use the shred tool. I forget the syntax off hand but if you check the help file it's fairly self explanatory. Basically it does a bunch of passes writing random data to it.

SSDs are kinda tricky when it comes to secure erasing due to how they work internally as they overprovision flash so they last longer which means writing to the same address twice may not necessarily be writing to the same part of the flash. Not to mention the very act of doing such a large amount of writing to it will greatly reduce its lifespan, so for SSDs I would look into manufacturer specific tools. Personally I have yet to come into a situation where I need to sell/give a SSD as I always end up finding a use for them, so have not really explored secure erasing them. Even HDDs I tend to just repurpose for backups.
 
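Fallen Kell's and Red Squirrel's posts both reach for dd, and Red Squirrel's "let it run a few seconds and ctrl+c" is aimed at exactly what VirtualLarry ran into: deleting the partitions in Disks removed the entries but left the MBR signature and the GPT headers, so Windows Disk Management never asked to initialise the HDD. The script below is an added example, not code from anyone in the thread. Instead of timing ctrl+c it zeros a deterministic 1 MiB at each end of the disk, where the MBR (bytes 510-511 = 55 AA), the primary GPT header (LBA 1) and the backup GPT header (last LBA) live, and then checks that none of those signatures read back. It assumes a drive named in DISK (e.g. DISK=/dev/sdb) when used from a boot USB; the same functions work on a regular image file, which is how it can be exercised without a disk.

```shell
#!/bin/sh
# Zero both ends of a disk and verify that no boot/partition signature is left.
# Added example, not from the thread. DISK=/dev/sdX is assumed for real use; the
# functions also work on an image file, so they can be tried on a scratch file.

dev_size() {   # size in bytes: block device first, regular file as fallback
    blockdev --getsize64 "$1" 2>/dev/null || stat -c %s "$1"
}

# Print which signatures are still present: any of "mbr", "gpt-primary", "gpt-backup".
leftover_signatures() {
    dev=$1; size=$(dev_size "$dev"); found=""
    [ "$(dd if="$dev" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 55aa ] && found="$found mbr"
    [ "$(dd if="$dev" bs=512 skip=1 count=1 2>/dev/null | head -c 8 | tr -d '\0')" = "EFI PART" ] && found="$found gpt-primary"
    [ "$(dd if="$dev" bs=512 skip=$((size / 512 - 1)) count=1 2>/dev/null | head -c 8 | tr -d '\0')" = "EFI PART" ] && found="$found gpt-backup"
    printf '%s\n' "${found# }"
}

# Overwrite the first and last MiB (2048 sectors each) with zeros. This removes
# the structures a bootkit would live in and makes Windows ask to initialise the
# disk again, but everything in between is untouched: it is not a data wipe.
# For that, let dd run over the whole device, or use the drive's own erase.
wipe_ends() {
    dev=$1; size=$(dev_size "$dev")
    # wipefs also knows filesystem/RAID/LUKS signatures that may sit beyond the first MiB
    if command -v wipefs >/dev/null 2>&1; then
        wipefs -a "$dev" >/dev/null 2>&1 || true
    fi
    dd if=/dev/zero of="$dev" bs=512 count=2048 conv=notrunc,fsync 2>/dev/null
    dd if=/dev/zero of="$dev" bs=512 seek=$((size / 512 - 2048)) count=2048 conv=notrunc,fsync 2>/dev/null
}

# Succeeds only when no signature remains and the first MiB reads back as zeros.
check_ends() {
    [ -z "$(leftover_signatures "$1")" ] && cmp -s -n 1048576 /dev/zero "$1"
}

if [ -n "${DISK:-}" ]; then   # e.g. DISK=/dev/sdb sh wipe-ends.sh
    echo "$DISK: before: ${found:-$(leftover_signatures "$DISK")}"
    wipe_ends "$DISK"
    if check_ends "$DISK"; then
        echo "$DISK: clean, no partition or boot signatures left"
    else
        echo "$DISK: signatures or non-zero data remain: $(leftover_signatures "$DISK")"
    fi
fi
```

Double-check the device name with `lsblk` before setting DISK; dd does not ask. After this, Disk Management will prompt to initialise the disk, which is the check VirtualLarry used to notice the incomplete wipe. Red Squirrel's caveat stands: none of this reaches drive firmware, the system BIOS/UEFI, or any other chip in the box.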

Shmee

Memory & Storage, Graphics Cards Mod Elite Member
Super Moderator
Sep 13, 2008
Glad you got it sorted, but I would have used parted magic for both most likely, doing a secure erase or sanitize for the SSD, and then you can select options for the HDD in it such as filling with 0's.

If you don't already, I would make sure you have a parted magic USB standalone, perhaps for an older, more picky PC that doesn't like multi-boot media, and then you can also put it on a multi-boot USB with other images as well. Also, one of my favorite tools is the Zalman VE350 external drive enclosure. It includes a CD/DVD emulator built in, so that you can easily mount and boot disc images from it, even on many older PCs. With an SSD inside, they are super fast too.
 

Paperdoc

Platinum Member
Aug 17, 2006
This is exactly the type of thing I look for here - lots of good ideas from experienced users for anybody to evaluate, learn and use.
 

mikeymikec

Lifer
May 19, 2011
What kind of weird-ass malware did you encounter? In my experience hasn't been anything remotely scary for about 10 years now, certainly nothing that I'd lose any sleep over whether nuking partitions would get rid of it, and the only clean install jobs I've done in response to malware in that time were precautionary (I say to the customer if they'd like the extra peace of mind by having an entirely new Windows installation, even in response to everyday scammers who were given remote access and just want your credit card number).

Personally I'd only be asking the kind of questions in the OP if I had done a partition nuke + clean install and continued to see symptoms of infection at that point. You've got to be evidence-based or you're just going to go mad. "Did it get into UEFI? How can I be sure that a BIOS update would fix that? Better turn the computer plus all the customers' data into a pile of slag just to be safe!"
 

VirtualLarry

No Lifer
Aug 25, 2001
(I say to the customer if they'd like the extra peace of mind by having an entirely new Windows installation, even in response to everyday scammers who were given remote access and just want your credit card number).
That's what actually happened. Owner of PC's father was using PC, got pop-up web malware that said PC had a virus, "call this number", so he called it. Thankfully, friend stopped his dad once he found out what was going on, and stopped him from giving out the CC#, but still, disturbing. They DID get remote-access to the PC, so I can only assume that:
1) All information on that PC is compromised, documents stolen, pictures, and more importantly, browser cookies and login credentials. (One reason why I never let my browser store credentials.)
2) Trojans and/or remote-access back-doors may have been placed on the system, surreptitiously.

In any case, when faced with a large unknown like that, "nuke and pave" is generally the best response, IMHO. Then use a "secure" system to change passwords, if any were exposed.
 

mikeymikec

Lifer
May 19, 2011
That's what actually happened. Owner of PC's father was using PC, got pop-up web malware that said PC had a virus, "call this number", so he called it. Thankfully, friend stopped his dad once he found out what was going on, and stopped him from giving out the CC#, but still, disturbing. They DID get remote-access to the PC, so I can only assume that:
1) All information on that PC is compromised, documents stolen, pictures, and more importantly, browser cookies and login credentials. (One reason why I never let my browser store credentials.)
2) Trojans and/or remote-access back-doors may have been placed on the system, surreptitiously.

In any case, when faced with a large unknown like that, "nuke and pave" is generally the best response, IMHO. Then use a "secure" system to change passwords, if any were exposed.

I haven't encountered a single case of those scammers being super-competent. At worst they knew how to encrypt the SAM which I haven't got a workaround for (aside from a fresh install), but I've never seen any actual malware as a result of a scammer (and I've seen shitloads of scammer scenarios whom customers have given remote access to).

By all means scan away but I think you've vastly overestimated their abilities. In my experience, this is what they do:

"Hello customer, your computer is terribly infected, gimme access to it"
"ok"
<rare these days: encrypt SAM to hold computer ransom in the event of non-payment>
<often: remove AV, install another free AV, charge insane amounts for it>
<sometimes: install another browser or similar, to make it look like more work was done>
"gimme money"

They tend to leave behind the remote access software but it's legit software like AnyDesk etc.

Personally I'd treat scammers typically as being as serious to a home user as say a dodgy browser add-on, and any evidence I encounter when checking over the computer will govern how much I'll respond to it, but because they had remote access I give the customer the option of a wipe clean install. In many cases I've checked the computer over, found nothing worthy of note, given the customer advice, suggest to them that in future if they ever get any calls pertaining to their computer, feel free to run it by me first before acting on it and how scammers typically work by panicking the customer into believing that they have to act now.

The most malicious thing I've seen a scammer do is to take ~£10k from a customer's bank account: They convinced the customer to log in to online banking then to turn the screen off for an hour! In my experience they're only there to make a quick buck, not to create a bot network or anything relevant to computer security.
 

VirtualLarry

No Lifer
Aug 25, 2001
Just a small added note.

I built a rig with an ASRock B560M-HDV micro-ATX mobo, and in its BIOS 1.30 (only one available at launch), it has specific options under the tools category, for:
1) Secure Erase SATA SSD
2) Sanitize NVMe SSD

Good to know. I used the SATA Secure Erase on a Samsung EVO 870 250GB SATA 2.5" SSD, it seemed to complete successfully. I DID NOT have to hibernate/sleep/reboot in order to do that, which is different from when I did an NVMe and SATA secure-erase, on my Asus B450-F ROG STRIX Gaming ATX mobo, with BIOS 3001. I have used both the NVMe as well as the SATA Secure Erase on that Asus board, and for the SATA, I believe that it wanted me to reboot the BIOS and re-enter it to finally do the erase.
 