Wiping your device is considered the “full nuclear” option when it comes to tackling malware. You wipe all data on your infected drive with the theory being that malware can’t survive the process.

Except for when it can.

Why Wiping Your Hard Drive Doesn’t Always Remove Malware

Persistent malware is some of the worst out there. Most malware is effectively removed with a system restore or, if worst comes to worst, a full drive wipe. But in both cases, certain types of malware remain active, even if you think you’ve nuked any signs of life on the drive.

It’s a two-part problem, really.

First, restoring a system restore point is often recommended as a good way to remove malware. It makes sense; you’re returning the computer to a previously known good configuration and hopefully avoiding considerable data loss in the process.

However, system restore points aren’t a magic salve. You have to hope that you made a system restore point before picking up the malware. Furthermore, some malware types can hide in files and directories that will remain unchanged after the system restore process, while other malware types exist outside the traditional file structure altogether. Some malware can even delete your system restore points, making it difficult to return to a good configuration.


This brings me to point number two: rootkits and bootkits. These absolutely devilish malware types hide outside your hard drive and instead infect your hard drive firmware, BIOS/UEFI, master boot record (MBR), or GUID partition table (GPT). Because these elements don’t exist on your hard drive, they can escape a system restore point or a full drive wipe and reinfect your computer as soon as you think you’re in the clear.

Are Rootkits and Bootkits Different? How to Check For Persistent Malware

As you’ve likely gathered, persistent malware, like a rootkit, bootkit, or otherwise, is particularly nasty. However, there are differences between a rootkit and a bootkit, and how you rid yourself of this malware also differs.

Location of Infection

Rootkits: Target the OS’s kernel, applications, or user-space components. Embed within system files or processes.

Bootkits: Specifically target the boot process, infecting areas like the MBR, GPT, or BIOS/UEFI firmware.

Stage of Control

Rootkits: Gain control after the OS has started, often hooking into system processes or drivers.

Bootkits: Execute malicious code during the initial boot sequence, allowing control before the OS loads.

Persistence Mechanisms

Rootkits: Use advanced techniques to remain hidden within the OS; sometimes removable with rootkit removal tools.

Bootkits: More difficult to remove, as they can survive reboots and OS reinstalls, especially if embedded in BIOS/UEFI.

Complexity and Detection

Rootkits: Can often be detected by security tools that scan memory and system files, though they may evade these tools.

Bootkits: Harder to detect due to operating outside OS-based antivirus reach; removal may require boot-level scanning.

However you look at it, detecting persistent malware is difficult, but there are some options.

First, consider how your computer performs. If you notice unusual startup issues or significantly degraded performance, you may have malware. It might not be persistent malware, but if you complete a regular malware sweep and clean your system, yet the malware keeps coming back, it could indicate a more significant issue.

If that’s the case, you have a couple of options:

You should also consider checking your motherboard manufacturer for firmware updates, as they may have patched vulnerabilities bootkits exploit.
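One concrete way a defender can watch the boot-level area the article describes is to record a hash of the master boot record on a known-good system and re-check it later: a bootkit that rewrites the MBR boot code changes that hash. The script below is an added example, not code from the original article. It parses the 512-byte MBR layout (boot code, four 16-byte partition entries at offset 446, the 0x55AA signature) and compares the boot code against a stored baseline. The sector it uses is constructed inline so it runs offline; the device paths in the comments are the usual raw-disk names and need administrator or root rights to open.

```python
"""Baseline-and-compare check for the master boot record (MBR).

Added example, not the article's own code. A defender records a hash of the
boot code in the first sector of a known-good disk and re-reads it later; any
change is a signal to investigate. The sector below is CONSTRUCTED sample
data. On a real system you would read the first 512 bytes of the raw disk,
e.g. open(r"\\.\PhysicalDrive0", "rb") on Windows or open("/dev/sda", "rb")
on Linux (both require elevated privileges).
"""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PART_ENTRY_SIZE = 16             # four entries, 16 bytes each
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR


def build_sample_mbr(boot_code_byte: int = 0x90) -> bytes:
    """Construct a plausible MBR: filler boot code (NOP bytes by default),
    one bootable NTFS-type partition entry, three empty entries, signature.
    Changing boot_code_byte simulates boot code that has been rewritten."""
    boot_code = bytes([boot_code_byte]) * PART_TABLE_OFFSET
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    empty_entries = bytes(PART_ENTRY_SIZE) * 3
    return boot_code + entry + empty_entries + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Parse the boot signature and the partition table of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba_start, count = struct.unpack(
            PART_ENTRY_FMT, sector[off:off + PART_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def compare_to_baseline(sector: bytes, baseline_sha256: str) -> dict:
    """Verdict for a re-read sector: has the boot code changed since the
    baseline was taken, and is the sector still structurally valid?"""
    info = parse_mbr(sector)
    return {
        "boot_code_changed": info["boot_code_sha256"] != baseline_sha256,
        "signature_ok": info["signature_ok"],
        "partition_count": len(info["partitions"]),
    }


def read_first_sector(device_path: str) -> bytes:
    """Read the real MBR from a raw disk device (needs admin/root)."""
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


if __name__ == "__main__":
    known_good = build_sample_mbr()
    baseline = parse_mbr(known_good)["boot_code_sha256"]
    print("baseline boot-code hash:", baseline)
    print("unchanged disk:", compare_to_baseline(known_good, baseline))
    # Simulate boot code that has been overwritten since the baseline.
    print("rewritten boot code:", compare_to_baseline(build_sample_mbr(0xEB), baseline))
```

Store the baseline hash somewhere the machine itself cannot silently alter (printed on paper, or on separate media) and re-run the comparison from a clean boot environment; a sector whose partition table is intact but whose boot code hash has moved is exactly the pattern a boot-level scan is looking for. The same idea extends to hashing the EFI system partition's bootloader files on GPT systems.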

Persistent malware is an awful experience. When I was younger, I downloaded what I thought was a game and ended up with a rootkit infection on my family computer. Fair to say I was far from flavor of the month, but after some time and experimenting, I did get it removed. However, the best protection is to avoid infection to begin with, and that means avoiding dodgy downloads, pirated content, and similar, and making sure you have a decent antivirus or antimalware suite installed to begin with.