Thursday, July 23, 2009

SATA hardware write blocker, anyone?

In the course of our automated malware analysis, we have made use of CorePROTECT's CoreRESTORE IDE hardware write blocker. Unfortunately, I bought the last four available, and without a significant (i.e., 500+) order, they do not plan on doing another production run.

It is becoming increasingly difficult to buy modern systems with IDE drives. Hence the problem: no one, seemingly, makes hardware write blockers for SATA drives.

There are plenty of software options out there, such as Microsoft's SteadyState, DeepFreeze, Returnil, and CornerStone (see: SANS discussion of multiple products). All of these work with varying degrees of success and detectability. CoreRESTORE blockers work extremely well, but aren't foolproof when it comes to detection. Fortunately, we have not run across any malware that specifically looks for this hardware.

Why don't we use virtual systems, snapshots, etc.? We do. But we always have physical systems ready, in case the malware is VM-aware.

If you are aware of anyone else manufacturing hardware write blockers, especially for modern drives, please reply.
