David H. Lipman wrote:
>From: "Andy Walker" <awalker@nspank.invalid>
>
>| Li'l Abner wrote:
>
>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
>>>september.org:
>
>>>> http://www.dban.org/
>
>>>I didn't have to get *that* violent! There was a recovery partition. I put it
>>>back to the original factory image, got rid of Norton, got all the Windows
>>>updates, installed Avira, copied his documents back (they were clean), and
>>>the owner has picked it up.
>
>| So what are you going to do if the recovery partition had a
>| modification to load a rootkit and the rootkit loads malware from the
>| infected disk space that was not wiped when you reinstalled? At this
>| point you cannot claim with certainty that they are not still
>| infected.
>
>Which RootKit do you think can/will do this Andy or is this precautionary speculation?
It's more of a precautionary speculation based on best practices. It's
trivial to programmatically access most recovery partitions, and to
manipulate the images created for "recovery". I have not specifically
identified this on any of the infected computers I've come across, but
then I don't allow hidden recovery partitions to exist on computers I
configure or rebuild. I have, on the other hand, seen malware place
code outside the normal file system on the boot partition. Some will
even encrypt the content of their own "partition" in the unused
portions of the disk.