
Thread: What next?

  1. #11
    Dustin Guest

    Re: What next?

    Menno Hershberger <mhersh22@nosuchplace.net> wrote in
    news:Xns9E0F8532FE523butter@wefb973cbe498:

    > Dustin <bughunter.dustin@gmail.com> wrote in
    > news:Xns9E0F835B61E81HHI2948AJD832@no:
    >
    >> "Beauregard T. Shagnasty" <a.nony.mous@example.invalid> wrote in
    >> news:i91e6k$ja1$1@news.eternal-september.org:
    >>
    >>> David H. Lipman wrote:
    >>>
    >>>> From: "Li'l Abner" <blvstk@dogpatch.com>
    >>>>> I have a little HP laptop ...
    >>>>
    >>>> Remove the hard disk, put it on a surrogate PC and then scan the
    >>>> affected hard disk.
    >>>
    >>> Wouldn't it be easier to simply reformat the badly infected drive,
    >>> rather than trying to pull it out of a _laptop_?
    >>
    >> What do you mean? Most modern laptops have two screws holding the
    >> drive in place; remove them and tug.
    >
    > This one is an HP Mini 210-1U80NR.
    >
    > I haven't looked up the manual yet, but I don't see a screw on it
    > anywhere. The bottom is perfectly smooth (no covers, etc.) The
    > battery attaches to the back between the hinges. It was behind the
    > battery that I finally found the model and serial numbers.
    >
    > I've had plenty of laptop hard drives out, both IDE & SATA. Most
    > were easy but a couple of them were quite a challenge. If I decide
    > to pursue that on this one I'll definitely have to do some
    > studying... :-) According to the device manager, it's a ST9250410AS
    > which translates to a Seagate Model ST9250410AS SATA 3Gb/s 250GB
    > 16MB 7200. So there's one in there somewhere. There's no CD/DVD rom
    > though. I had a helluva time finding the switch to turn it on!
    >


    That's a mini netbook, not an actual laptop. More like a stripped-down
    version.


    --
    Some people are like a Slinky. Not much good for anything, but you
    can't help but smile when one tumbles down the stairs.

  2. #12
    siljaline Guest

    Re: What next?

    Cut your losses, DBAN and get on with your life.
    (http://www.dban.org/)

    Good luck !

    Silj


    --
    "Arguing with anonymous strangers on the Internet is a sucker's game
    because they almost always turn out to be -- or to be indistinguishable from
    -- self-righteous sixteen-year-olds possessing infinite amounts of free time."
    - Neal Stephenson, _Cryptonomicon_



  3. #13
    Li'l Abner Guest

    Re: What next?

    "siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    september.org:

    > http://www.dban.org/


    I didn't have to get *that* violent! There was a recovery partition. I put it
    back to the original factory image, got rid of Norton, got all the Windows
    updates, installed Avira, copied his documents back (they were clean), and
    the owner has picked it up.



    --
    --- Everybody has a right to my opinion. ---

  4. #14
    David H. Lipman Guest

    Re: What next?

    From: "Li'l Abner" <blvstk@dogpatch.com>

    | "siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    | september.org:

    >> http://www.dban.org/


    | I didn't have to get *that* violent! There was a recovery partition. I put it
    | back to the original factory image, got rid of Norton, got all the Windows
    | updates, installed Avira, copied his documents back (they were clean), and
    | the owner has picked it up.



    Violent ? Bwahahahahaha :-)

    --
    Dave
    New, Multi-AV v7.03
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #15
    Andy Walker Guest

    Re: What next?

    Li'l Abner wrote:

    >"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >september.org:
    >
    >> http://www.dban.org/

    >
    >I didn't have to get *that* violent! There was a recovery partition. I put it
    >back to the original factory image, got rid of Norton, got all the Windows
    >updates, installed Avira, copied his documents back (they were clean), and
    >the owner has picked it up.


    So what are you going to do if the recovery partition had a
    modification to load a rootkit and the rootkit loads malware from the
    infected disk space that was not wiped when you reinstalled? At this
    point you cannot claim with certainty that they are not still
    infected.

  6. #16
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | Li'l Abner wrote:

    >>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>september.org:


    >>> http://www.dban.org/


    >>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>back to the original factory image, got rid of Norton, got all the Windows
    >>updates, installed Avira, copied his documents back (they were clean), and
    >>the owner has picked it up.


    | So what are you going to do if the recovery partition had a
    | modification to load a rootkit and the rootkit loads malware from the
    | infected disk space that was not wiped when you reinstalled? At this
    | point you cannot claim with certainty that they are not still
    | infected.

    Which RootKit do you think can/will do this Andy or is this precautionary speculation ?

    --
    Dave
    New, Multi-AV v7.03
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #17
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| Li'l Abner wrote:
    >
    >>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>september.org:

    >
    >>>> http://www.dban.org/

    >
    >>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>back to the original factory image, got rid of Norton, got all the Windows
    >>>updates, installed Avira, copied his documents back (they were clean), and
    >>>the owner has picked it up.

    >
    >| So what are you going to do if the recovery partition had a
    >| modification to load a rootkit and the rootkit loads malware from the
    >| infected disk space that was not wiped when you reinstalled? At this
    >| point you cannot claim with certainty that they are not still
    >| infected.
    >
    >Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    It's more of a precautionary speculation based on best practices. It's
    trivial to programmatically access most recovery partitions, and to
    manipulate the images created for "recovery". I have not specifically
    identified this on any of the infected computers I've come across, but
    then I don't allow hidden recovery partitions to exist on computers I
    configure or rebuild. I have, on the other hand, seen malware place
    code outside the normal file system on the boot partition. Some will
    even encrypt the content of their own "partition" in the unused
    portions of the disk.

  8. #18
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| Li'l Abner wrote:


    >>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>september.org:


    >>>>> http://www.dban.org/


    >>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>the owner has picked it up.


    >>| So what are you going to do if the recovery partition had a
    >>| modification to load a rootkit and the rootkit loads malware from the
    >>| infected disk space that was not wiped when you reinstalled? At this
    >>| point you cannot claim with certainty that they are not still
    >>| infected.


    >>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    | It's more of a precautionary speculation based on best practices. It's
    | trivial to programmatically access most recovery partitions, and to
    | manipulate the images created for "recovery". I have not specifically
    | identified this on any of the infected computers I've come across, but
    | then I don't allow hidden recovery partitions to exist on computers I
    | configure or rebuild. I have, on the other hand, seen malware place
    | code outside the normal file system on the boot partition. Some will
    | even encrypt the content of their own "partition" in the unused
    | portions of the disk.

    I don't think it is that trivial. Even if you could modify the MBR or do something else,
    it would be orphaned and have no hooks into the OS.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  9. #19
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| David H. Lipman wrote:
    >
    >>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>| Li'l Abner wrote:

    >
    >>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>september.org:

    >
    >>>>>> http://www.dban.org/

    >
    >>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>the owner has picked it up.

    >
    >>>| So what are you going to do if the recovery partition had a
    >>>| modification to load a rootkit and the rootkit loads malware from the
    >>>| infected disk space that was not wiped when you reinstalled? At this
    >>>| point you cannot claim with certainty that they are not still
    >>>| infected.

    >
    >>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?

    >
    >| It's more of a precautionary speculation based on best practices. It's
    >| trivial to programmatically access most recovery partitions, and to
    >| manipulate the images created for "recovery". I have not specifically
    >| identified this on any of the infected computers I've come across, but
    >| then I don't allow hidden recovery partitions to exist on computers I
    >| configure or rebuild. I have, on the other hand, seen malware place
    >| code outside the normal file system on the boot partition. Some will
    >| even encrypt the content of their own "partition" in the unused
    >| portions of the disk.
    >
    >I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >it would be orphaned and have no hooks into the OS.


    If you replace the disk drivers in the image you would have the hook.
    With access to the recovery image you can add almost anything you want
    to the recovered system, but it would make more sense to stick to
    basic rootkit stealth of a downloader that would then update its
    software once the system was recovered.
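    Added example by the editor, not code from anyone in this thread: two offline checks a technician could run on a disk image before declaring the machine clean, matching the two concerns raised in #17 and #19 above (data living in unpartitioned space that a factory restore never touches, and a recovery partition whose contents no longer match a known-good copy). It parses the MBR partition table, lists every unallocated gap that holds non-zero sectors, and compares the SHA-256 of the recovery partition with a baseline digest. The 64-sector disk layout, the 512-byte sector size, the stray bytes in the gaps and the "known-good" digest are all constructed for the demo; on a real drive the baseline would have to come from the vendor or from a hash taken when the machine was new.

```python
import hashlib
import hmac
import struct

SECTOR = 512  # assumption: 512-byte logical sectors


def parse_mbr(image: bytes):
    """Return the used primary partition entries as (start_lba, sector_count, type), sorted by start."""
    if len(image) < 512 or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    entries = []
    for i in range(4):
        # Each 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count.
        _status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(
            "<B3sB3sII", image, 446 + 16 * i)
        if ptype != 0 and count != 0:
            entries.append((lba, count, ptype))
    return sorted(entries)


def unallocated_regions(image: bytes):
    """Yield (first_lba, end_lba_exclusive) for every run of sectors no partition owns.

    LBA 0 holds the MBR itself and is skipped; everything else outside a partition
    entry is reported, including the space after the last partition.
    """
    total = len(image) // SECTOR
    cursor = 1
    for lba, count, _ptype in parse_mbr(image):
        if lba > cursor:
            yield (cursor, lba)
        cursor = max(cursor, lba + count)
    if cursor < total:
        yield (cursor, total)


def nonzero_gaps(image: bytes):
    """Return [(first_lba, end_lba, nonzero_sector_count)] for gaps that are not all zeros.

    A freshly wiped drive has only zero-filled gaps; anything else is data sitting
    outside every file system, which a factory restore leaves untouched.
    """
    report = []
    for first, end in unallocated_regions(image):
        dirty = sum(1 for lba in range(first, end)
                    if any(image[lba * SECTOR:(lba + 1) * SECTOR]))
        if dirty:
            report.append((first, end, dirty))
    return report


def partition_sha256(image: bytes, index: int) -> str:
    """SHA-256 of the raw bytes of the index-th partition (in start-LBA order)."""
    lba, count, _ptype = parse_mbr(image)[index]
    return hashlib.sha256(image[lba * SECTOR:(lba + count) * SECTOR]).hexdigest()


def recovery_partition_matches(image: bytes, index: int, known_good_hex: str) -> bool:
    """True when the partition digest equals a baseline recorded earlier (assumed to exist)."""
    return hmac.compare_digest(partition_sha256(image, index), known_good_hex)


def build_demo_image() -> bytes:
    """Constructed 64-sector image: an OS partition, a recovery partition, and a few
    non-zero sectors placed in the unpartitioned gaps to stand in for what #17 describes."""
    img = bytearray(64 * SECTOR)

    def entry(i, ptype, lba, count):
        struct.pack_into("<B3sB3sII", img, 446 + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)

    entry(0, 0x07, 8, 16)    # "OS" partition, LBA 8..23
    entry(1, 0x27, 32, 16)   # "recovery" partition, LBA 32..47 (0x27 = hidden Windows RE)
    img[510:512] = b"\x55\xaa"
    img[8 * SECTOR:24 * SECTOR] = b"O" * (16 * SECTOR)    # stand-in for file-system data
    img[32 * SECTOR:48 * SECTOR] = b"R" * (16 * SECTOR)   # stand-in for the recovery image
    # Constructed out-of-partition data: one sector before the OS partition, two at the end.
    img[5 * SECTOR:5 * SECTOR + 28] = b"constructed stray bytes, gap"
    img[50 * SECTOR:52 * SECTOR] = b"\x90" * (2 * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    disk = build_demo_image()
    for first, end, dirty in nonzero_gaps(disk):
        print(f"unallocated LBA {first}-{end - 1}: {dirty} non-zero sector(s)")
    baseline = partition_sha256(disk, 1)  # in practice: recorded when the machine was new
    print("recovery partition unchanged:", recovery_partition_matches(disk, 1, baseline))
```

    On a real drive the image would be read from the removed disk (or a dd copy of it) on a surrogate machine, as suggested earlier in the thread, so the suspect OS is never running while the check is made; only an MBR layout is parsed here, so a GPT-formatted disk would need its own table reader.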

  10. #20
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| David H. Lipman wrote:


    >>>>From: "Andy Walker" <awalker@nspank.invalid>


    >>>>| Li'l Abner wrote:


    >>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>>september.org:


    >>>>>>> http://www.dban.org/


    >>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>>the owner has picked it up.


    >>>>| So what are you going to do if the recovery partition had a
    >>>>| modification to load a rootkit and the rootkit loads malware from the
    >>>>| infected disk space that was not wiped when you reinstalled? At this
    >>>>| point you cannot claim with certainty that they are not still
    >>>>| infected.


    >>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    >>| It's more of a precautionary speculation based on best practices. It's
    >>| trivial to programmatically access most recovery partitions, and to
    >>| manipulate the images created for "recovery". I have not specifically
    >>| identified this on any of the infected computers I've come across, but
    >>| then I don't allow hidden recovery partitions to exist on computers I
    >>| configure or rebuild. I have, on the other hand, seen malware place
    >>| code outside the normal file system on the boot partition. Some will
    >>| even encrypt the content of their own "partition" in the unused
    >>| portions of the disk.


    >>I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >>it would be orphaned and have no hooks into the OS.


    | If you replace the disk drivers in the image you would have the hook.
    | With access to the recovery image you can add almost anything you want
    | to the recovered system, but it would make more sense to stick to
    | basic rootkit stealth of a downloader that would then update its
    | software once the system was recovered.

    I don't see it and I don't see any malware modifying the recovery image. Even if
    attempted, the recovery image would be corrupted and unusable.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


