
Thread: What next?


  1. #1
    Andy Walker Guest

    Re: What next?

    Li'l Abner wrote:

    >"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >september.org:
    >
    >> http://www.dban.org/

    >
    >I didn't have to get *that* violent! There was a recovery partition. I put it
    >back to the original factory image, got rid of Norton, got all the Windows
    >updates, installed Avira, copied his documents back (they were clean), and
    >the owner has picked it up.


    So what are you going to do if the recovery partition had a
    modification to load a rootkit and the rootkit loads malware from the
    infected disk space that was not wiped when you reinstalled? At this
    point you cannot claim with certainty that they are not still
    infected.

  2. #2
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | Li'l Abner wrote:

    >>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>september.org:


    >>> http://www.dban.org/


    >>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>back to the original factory image, got rid of Norton, got all the Windows
    >>updates, installed Avira, copied his documents back (they were clean), and
    >>the owner has picked it up.


    | So what are you going to do if the recovery partition had a
    | modification to load a rootkit and the rootkit loads malware from the
    | infected disk space that was not wiped when you reinstalled? At this
    | point you cannot claim with certainty that they are not still
    | infected.

    Which RootKit do you think can/will do this Andy or is this precautionary speculation ?

    --
    Dave
    New, Multi-AV v7.03
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| Li'l Abner wrote:
    >
    >>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>september.org:

    >
    >>>> http://www.dban.org/

    >
    >>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>back to the original factory image, got rid of Norton, got all the Windows
    >>>updates, installed Avira, copied his documents back (they were clean), and
    >>>the owner has picked it up.

    >
    >| So what are you going to do if the recovery partition had a
    >| modification to load a rootkit and the rootkit loads malware from the
    >| infected disk space that was not wiped when you reinstalled? At this
    >| point you cannot claim with certainty that they are not still
    >| infected.
    >
    >Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    It's more of a precautionary speculation based on best practices. It's
    trivial to programmatically access most recovery partitions, and to
    manipulate the images created for "recovery". I have not specifically
    identified this on any of the infected computers I've come across, but
    then I don't allow hidden recovery partitions to exist on computers I
    configure or rebuild. I have, on the other hand, seen malware place
    code outside the normal file system on the boot partition. Some will
    even encrypt the content of their own "partition" in the unused
    portions of the disk.

  4. #4
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| Li'l Abner wrote:


    >>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>september.org:


    >>>>> http://www.dban.org/


    >>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>the owner has picked it up.


    >>| So what are you going to do if the recovery partition had a
    >>| modification to load a rootkit and the rootkit loads malware from the
    >>| infected disk space that was not wiped when you reinstalled? At this
    >>| point you cannot claim with certainty that they are not still
    >>| infected.


    >>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    | It's more of a precautionary speculation based on best practices. It's
    | trivial to programmatically access most recovery partitions, and to
    | manipulate the images created for "recovery". I have not specifically
    | identified this on any of the infected computers I've come across, but
    | then I don't allow hidden recovery partitions to exist on computers I
    | configure or rebuild. I have, on the other hand, seen malware place
    | code outside the normal file system on the boot partition. Some will
    | even encrypt the content of their own "partition" in the unused
    | portions of the disk.

    I don't think it is that trivial. Even if you could modify the MBR or do something else,
    it would be orphaned and have no hooks into the OS.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| David H. Lipman wrote:
    >
    >>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>| Li'l Abner wrote:

    >
    >>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>september.org:

    >
    >>>>>> http://www.dban.org/

    >
    >>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>the owner has picked it up.

    >
    >>>| So what are you going to do if the recovery partition had a
    >>>| modification to load a rootkit and the rootkit loads malware from the
    >>>| infected disk space that was not wiped when you reinstalled? At this
    >>>| point you cannot claim with certainty that they are not still
    >>>| infected.

    >
    >>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?

    >
    >| It's more of a precautionary speculation based on best practices. It's
    >| trivial to programmatically access most recovery partitions, and to
    >| manipulate the images created for "recovery". I have not specifically
    >| identified this on any of the infected computers I've come across, but
    >| then I don't allow hidden recovery partitions to exist on computers I
    >| configure or rebuild. I have, on the other hand, seen malware place
    >| code outside the normal file system on the boot partition. Some will
    >| even encrypt the content of their own "partition" in the unused
    >| portions of the disk.
    >
    >I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >it would be orphaned and have no hooks into the OS.


    If you replace the disk drivers in the image you would have the hook.
    With access to the recovery image you can add almost anything you want
    to the recovered system, but it would make more sense to stick to
    basic rootkit stealth of a downloader that would then update its
    software once the system was recovered.

  6. #6
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| David H. Lipman wrote:


    >>>>From: "Andy Walker" <awalker@nspank.invalid>


    >>>>| Li'l Abner wrote:


    >>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>>september.org:


    >>>>>>> http://www.dban.org/


    >>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>>the owner has picked it up.


    >>>>| So what are you going to do if the recovery partition had a
    >>>>| modification to load a rootkit and the rootkit loads malware from the
    >>>>| infected disk space that was not wiped when you reinstalled? At this
    >>>>| point you cannot claim with certainty that they are not still
    >>>>| infected.


    >>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation
    >>>>?


    >>| It's more of a precautionary speculation based on best practices. It's
    >>| trivial to programmatically access most recovery partitions, and to
    >>| manipulate the images created for "recovery". I have not specifically
    >>| identified this on any of the infected computers I've come across, but
    >>| then I don't allow hidden recovery partitions to exist on computers I
    >>| configure or rebuild. I have, on the other hand, seen malware place
    >>| code outside the normal file system on the boot partition. Some will
    >>| even encrypt the content of their own "partition" in the unused
    >>| portions of the disk.


    >>I don't think it is that trivial. Even if you could modify the MBR or do something
    >>else,
    >>it would be orphaned and have no hooks into the OS.


    | If you replace the disk drivers in the image you would have the hook.
    | With access to the recovery image you can add almost anything you want
    | to the recovered system, but it would make more sense to stick to
    | basic rootkit stealth of a downloader that would then update its
    | software once the system was recovered.

    I don't see it and I don't see any malware modifying the recovery image. Even if
    attempted, the recovery image would be corrupted and unusable.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #7
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| David H. Lipman wrote:
    >
    >>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>| David H. Lipman wrote:

    >
    >>>>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>>>| Li'l Abner wrote:

    >
    >>>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>>>september.org:

    >
    >>>>>>>> http://www.dban.org/

    >
    >>>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>>>the owner has picked it up.

    >
    >>>>>| So what are you going to do if the recovery partition had a
    >>>>>| modification to load a rootkit and the rootkit loads malware from the
    >>>>>| infected disk space that was not wiped when you reinstalled? At this
    >>>>>| point you cannot claim with certainty that they are not still
    >>>>>| infected.

    >
    >>>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation
    >>>>>?

    >
    >>>| It's more of a precautionary speculation based on best practices. It's
    >>>| trivial to programmatically access most recovery partitions, and to
    >>>| manipulate the images created for "recovery". I have not specifically
    >>>| identified this on any of the infected computers I've come across, but
    >>>| then I don't allow hidden recovery partitions to exist on computers I
    >>>| configure or rebuild. I have, on the other hand, seen malware place
    >>>| code outside the normal file system on the boot partition. Some will
    >>>| even encrypt the content of their own "partition" in the unused
    >>>| portions of the disk.

    >
    >>>I don't think it is that trivial. Even if you could modify the MBR or do something
    >>>else,
    >>>it would be orphaned and have no hooks into the OS.

    >
    >| If you replace the disk drivers in the image you would have the hook.
    >| With access to the recovery image you can add almost anything you want
    >| to the recovered system, but it would make more sense to stick to
    >| basic rootkit stealth of a downloader that would then update its
    >| software once the system was recovered.
    >
    >I don't see it and I don't see any malware modifying the recovery image. Even if
    >attempted, the recovery image would be corrupted and unusable.


    Well, since AV software doesn't look at the recovery partition it
    would probably go unnoticed if it did exist. Modifying images is done
    all the time and works very nicely for keeping base images fresh. I
    use ImageX to update WIM images all the time.

  8. #8
    Li'l Abner Guest

    Re: What next?

    Andy Walker <awalker@nspank.invalid> wrote in
    news:4cb793c7.80197828@news.webtv.com:

    > Li'l Abner wrote:
    >
    >>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>september.org:
    >>
    >>> http://www.dban.org/

    >>
    >>I didn't have to get *that* violent! There was a recovery partition. I
    >>put it back to the original factory image, got rid of Norton, got all
    >>the Windows updates, installed Avira, copied his documents back (they
    >>were clean), and the owner has picked it up.

    >
    > So what are you going to do if the recovery partition had a
    > modification to load a rootkit and the rootkit loads malware from the
    > infected disk space that was not wiped when you reinstalled? At this
    > point you cannot claim with certainty that they are not still
    > infected.


    This was a $299 Best Buy special. It came without a recovery CD. I'm not
    sure if you can even order one. If I wiped it clean with DBAN, then I would
    have not had a way to restore it. It probably took me 3 hours (I won't
    exaggerate like some people do) to reformat the system partition, restore
    it and update it. I had to have spent at least 4 times that much trying to
    "fix" it. In the rare event that it does come back (I read your discussion
    with Dave) I haven't lost that much time on it. The hours I spent trying to
    fix it were lost time, but I can chalk that up as a "learning" experience.
    If I had charged the guy for all that time, it would have been cheaper for
    him to just go get another one.

    Thanks for your input though. Technically you're right.
    But not practically.... :-)

    --
    --- Everybody has a right to my opinion. ---

  9. #9
    Andy Walker Guest

    Re: What next?

    Li'l Abner wrote:

    >This was a $299 Best Buy special. It came without a recovery CD. I'm not
    >sure if you can even order one. If I wiped it clean with DBAN, then I would
    >have not had a way to restore it. It probably took me 3 hours (I won't
    >exaggerate like some people do) to reformat the system partition, restore
    >it and update it. I had to have spent at least 4 times that much trying to
    >"fix" it. In the rare event that it does come back (I read your discussion
    >with Dave) I haven't lost that much time on it. The hours I spent trying to
    >fix it were lost time, but I can chalk that up as a "learning" experience.
    >If I had charged the guy for all that time, it would have been cheaper for
    >him to just go get another one.
    >
    >Thanks for your input though. Technically you're right.
    >But not practically.... :-)


    Fair enough.

    I would suggest to anyone purchasing a computer that doesn't come with
    a re-imaging CD/DVD to make an image of the recovery partition and an
    image of the production partition. Then re-partition and reformat the
    machine creating only one partition. Then restore the production image
    on the partition. If everything works as it should, you really don't
    need to keep the recovery partition image. Store the production image
    in a safe location with a copy of the image software in case you need
    to re-image (use DBAN to wipe the disk before reloading). You can
    update the image as you go along to make it even less painful once all
    your software is loaded and the OS is up to date. A cheap way to do
    this is with a copy of Clonezilla since it's free and works well.
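    Added example (editor's code, not posted by anyone in this thread): a small
    Python audit of an MBR disk image that ties together Andy's two points, the
    one in #3 about malware parking code outside any filesystem and hidden
    recovery partitions being easy to reach, and the imaging procedure in #9.
    It lists the primary partition entries and flags hidden/OEM recovery types,
    reports non-zero sectors in the unallocated gap between the MBR and the
    first partition, and hashes each partition's byte range so an image taken
    on day one can be re-verified before it is restored. The 4 MiB sample disk,
    the partition layout, the planted "payload" and the table of hidden type
    IDs are all constructed or assumed for illustration; only classic MBR with
    primary partitions is handled (no GPT, no extended partitions).

```python
# Added example (not from the thread): audit an MBR disk image. It (1) lists
# the primary partitions and flags hidden/OEM recovery types, (2) reports
# non-zero sectors in the unallocated gap between the MBR and the first
# partition, where code stored outside any filesystem tends to live, and
# (3) hashes each partition's byte range so a recovery/production image can
# be re-verified before it is restored. Only classic MBR with primary
# partitions is handled (no GPT, no extended partitions). The sample disk is
# constructed here, not a real OEM disk.
import hashlib
import struct

SECTOR = 512

# Illustrative subset of type IDs used for hidden OEM/recovery partitions
# (assumption: not an exhaustive list).
HIDDEN_TYPES = {0x12: "OEM diagnostics", 0x17: "hidden NTFS", 0x1B: "hidden FAT32",
                0x27: "Windows RE / hidden NTFS", 0xDE: "Dell utility"}


def parse_mbr(img: bytes) -> list:
    """Return the non-empty primary partition entries of an MBR image."""
    if len(img) < SECTOR or img[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i
        (status, _, _, _, ptype, _, _, _,
         lba, count) = struct.unpack_from("<B3BB3BII", img, off)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "hidden": ptype in HIDDEN_TYPES, "start": lba, "sectors": count})
    return parts


def scan_mbr_gap(img: bytes, parts: list) -> list:
    """LBAs between the MBR (sector 0) and the first partition that are not all
    zero. Bootloaders such as GRUB legitimately use this gap, so a hit means
    'look here', not 'infected'."""
    first = min(p["start"] for p in parts) if parts else len(img) // SECTOR
    return [lba for lba in range(1, first)
            if any(img[lba * SECTOR:(lba + 1) * SECTOR])]


def hash_partitions(img: bytes, parts: list) -> dict:
    """SHA-256 of each partition's raw byte range, keyed by entry index."""
    return {p["index"]: hashlib.sha256(
                img[p["start"] * SECTOR:(p["start"] + p["sectors"]) * SECTOR]).hexdigest()
            for p in parts}


def verify_partitions(img: bytes, parts: list, baseline: dict) -> list:
    """Entry indices whose current hash differs from the stored baseline."""
    now = hash_partitions(img, parts)
    return [i for i, h in sorted(baseline.items()) if now.get(i) != h]


def build_sample_image(plant_gap_payload: bool = False) -> bytes:
    """Constructed 4 MiB disk: hidden recovery partition (type 0x27) at LBA 2048
    and a bootable system partition at LBA 4096. Optionally writes non-zero
    bytes at LBA 100, inside the MBR gap, to stand in for out-of-filesystem code."""
    def entry(status, ptype, start, count):
        return struct.pack("<B3BB3BII", status, 0, 0, 0, ptype, 0, 0, 0, start, count)
    disk = bytearray(8192 * SECTOR)
    disk[0:4] = b"\xfa\x33\xc0\x8e"                      # stand-in boot code
    disk[0x1BE:0x1CE] = entry(0x00, 0x27, 2048, 2048)   # hidden recovery
    disk[0x1CE:0x1DE] = entry(0x80, 0x07, 4096, 4096)   # bootable NTFS system
    disk[510:512] = b"\x55\xaa"
    disk[2048 * SECTOR:2048 * SECTOR + 8] = b"RECOVERY"  # partition contents
    disk[4096 * SECTOR:4096 * SECTOR + 8] = b"SYSTEM00"
    if plant_gap_payload:
        disk[100 * SECTOR:100 * SECTOR + 9] = b"\xeb\x58\x90loader"
    return bytes(disk)


def tamper_recovery(img: bytes) -> bytes:
    """Flip one byte deep inside the recovery partition (simulated modification)."""
    d = bytearray(img)
    d[2048 * SECTOR + 4096] ^= 0xFF
    return bytes(d)


if __name__ == "__main__":
    clean = build_sample_image()
    parts = parse_mbr(clean)
    baseline = hash_partitions(clean, parts)     # store this next to the image
    for p in parts:
        print(f"entry {p['index']}: type 0x{p['type']:02x} start {p['start']} "
              f"sectors {p['sectors']} hidden={p['hidden']}")
    print("gap hits:", scan_mbr_gap(build_sample_image(True), parts))
    print("changed:", verify_partitions(tamper_recovery(clean), parts, baseline))
```

    On a real machine you would feed this a raw image taken from a live CD
    (the whole disk, not a single partition, so the MBR and the gap are
    included) and keep the baseline hashes with the stored image; a mismatch
    on the recovery entry later is exactly the case Andy is worried about.
    Treat gap hits as leads, not verdicts: GRUB and some OEM loaders put code
    there on purpose.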
