Thread: What next?

  1. #1
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| Li'l Abner wrote:
    >
    >>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>september.org:

    >
    >>>> http://www.dban.org/

    >
    >>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>back to the original factory image, got rid of Norton, got all the Windows
    >>>updates, installed Avira, copied his documents back (they were clean), and
    >>>the owner has picked it up.

    >
    >| So what are you going to do if the recovery partition had a
    >| modification to load a rootkit and the rootkit loads malware from the
    >| infected disk space that was not wiped when you reinstalled? At this
    >| point you cannot claim with certainty that they are not still
    >| infected.
    >
    >Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    It's more of a precautionary speculation based on best practices. It's
    trivial to programmatically access most recovery partitions, and to
    manipulate the images created for "recovery". I have not specifically
    identified this on any of the infected computers I've come across, but
    then I don't allow hidden recovery partitions to exist on computers I
    configure or rebuild. I have, on the other hand, seen malware place
    code outside the normal file system on the boot partition. Some will
    even encrypt the content of their own "partition" in the unused
    portions of the disk.

  2. #2
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| Li'l Abner wrote:


    >>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>september.org:


    >>>>> http://www.dban.org/


    >>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>the owner has picked it up.


    >>| So what are you going to do if the recovery partition had a
    >>| modification to load a rootkit and the rootkit loads malware from the
    >>| infected disk space that was not wiped when you reinstalled? At this
    >>| point you cannot claim with certainty that they are not still
    >>| infected.


    >>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    | It's more of a precautionary speculation based on best practices. It's
    | trivial to programmatically access most recovery partitions, and to
    | manipulate the images created for "recovery". I have not specifically
    | identified this on any of the infected computers I've come across, but
    | then I don't allow hidden recovery partitions to exist on computers I
    | configure or rebuild. I have, on the other hand, seen malware place
    | code outside the normal file system on the boot partition. Some will
    | even encrypt the content of their own "partition" in the unused
    | portions of the disk.

    I don't think it is that trivial. Even if you could modify the MBR or do something else,
    it would be orphaned and have no hooks into the OS.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| David H. Lipman wrote:
    >
    >>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>| Li'l Abner wrote:

    >
    >>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>september.org:

    >
    >>>>>> http://www.dban.org/

    >
    >>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>the owner has picked it up.

    >
    >>>| So what are you going to do if the recovery partition had a
    >>>| modification to load a rootkit and the rootkit loads malware from the
    >>>| infected disk space that was not wiped when you reinstalled? At this
    >>>| point you cannot claim with certainty that they are not still
    >>>| infected.

    >
    >>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?

    >
    >| It's more of a precautionary speculation based on best practices. It's
    >| trivial to programmatically access most recovery partitions, and to
    >| manipulate the images created for "recovery". I have not specifically
    >| identified this on any of the infected computers I've come across, but
    >| then I don't allow hidden recovery partitions to exist on computers I
    >| configure or rebuild. I have, on the other hand, seen malware place
    >| code outside the normal file system on the boot partition. Some will
    >| even encrypt the content of their own "partition" in the unused
    >| portions of the disk.
    >
    >I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >it would be orphaned and have no hooks into the OS.


    If you replace the disk drivers in the image you would have the hook.
    With access to the recovery image you can add almost anything you want
    to the recovered system, but it would make more sense to stick to
    basic rootkit stealth of a downloader that would then update its
    software once the system was recovered.

  4. #4
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| David H. Lipman wrote:


    >>>>From: "Andy Walker" <awalker@nspank.invalid>


    >>>>| Li'l Abner wrote:


    >>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>>september.org:


    >>>>>>> http://www.dban.org/


    >>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>>the owner has picked it up.


    >>>>| So what are you going to do if the recovery partition had a
    >>>>| modification to load a rootkit and the rootkit loads malware from the
    >>>>| infected disk space that was not wiped when you reinstalled? At this
    >>>>| point you cannot claim with certainty that they are not still
    >>>>| infected.


    >>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    >>| It's more of a precautionary speculation based on best practices. It's
    >>| trivial to programmatically access most recovery partitions, and to
    >>| manipulate the images created for "recovery". I have not specifically
    >>| identified this on any of the infected computers I've come across, but
    >>| then I don't allow hidden recovery partitions to exist on computers I
    >>| configure or rebuild. I have, on the other hand, seen malware place
    >>| code outside the normal file system on the boot partition. Some will
    >>| even encrypt the content of their own "partition" in the unused
    >>| portions of the disk.


    >>I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >>it would be orphaned and have no hooks into the OS.


    | If you replace the disk drivers in the image you would have the hook.
    | With access to the recovery image you can add almost anything you want
    | to the recovered system, but it would make more sense to stick to
    | basic rootkit stealth of a downloader that would then update its
    | software once the system was recovered.

    I don't see it and I don't see any malware modifying the recovery image. Even if
    attempted, the recovery image would be corrupted and unusable.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  5. #5
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:

    >From: "Andy Walker" <awalker@nspank.invalid>
    >
    >| David H. Lipman wrote:
    >
    >>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>| David H. Lipman wrote:

    >
    >>>>>From: "Andy Walker" <awalker@nspank.invalid>

    >
    >>>>>| Li'l Abner wrote:

    >
    >>>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>>>september.org:

    >
    >>>>>>>> http://www.dban.org/

    >
    >>>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>>>the owner has picked it up.

    >
    >>>>>| So what are you going to do if the recovery partition had a
    >>>>>| modification to load a rootkit and the rootkit loads malware from the
    >>>>>| infected disk space that was not wiped when you reinstalled? At this
    >>>>>| point you cannot claim with certainty that they are not still
    >>>>>| infected.

    >
    >>>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?

    >
    >>>| It's more of a precautionary speculation based on best practices. It's
    >>>| trivial to programmatically access most recovery partitions, and to
    >>>| manipulate the images created for "recovery". I have not specifically
    >>>| identified this on any of the infected computers I've come across, but
    >>>| then I don't allow hidden recovery partitions to exist on computers I
    >>>| configure or rebuild. I have, on the other hand, seen malware place
    >>>| code outside the normal file system on the boot partition. Some will
    >>>| even encrypt the content of their own "partition" in the unused
    >>>| portions of the disk.

    >
    >>>I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >>>it would be orphaned and have no hooks into the OS.

    >
    >| If you replace the disk drivers in the image you would have the hook.
    >| With access to the recovery image you can add almost anything you want
    >| to the recovered system, but it would make more sense to stick to
    >| basic rootkit stealth of a downloader that would then update its
    >| software once the system was recovered.
    >
    >I don't see it and I don't see any malware modifying the recovery image. Even if
    >attempted, the recovery image would be corrupted and unusable.


    Well, since AV software doesn't look at the recovery partition it
    would probably go unnoticed if it did exist. Modifying images is done
    all the time and works very nicely for keeping base images fresh. I
    use ImageX to update WIM images all the time.
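    An added example, not code from anyone in this thread, for the two concerns raised here and in Andy's first post: it parses a classic MBR partition table, reports any non-zero sectors in the gap between the MBR and the first partition (space no file system owns, so a file-level AV scan never reads it), and compares a recovery image (such as the WIM on a recovery partition) against a SHA-256 recorded when it was known good. The 64-sector disk layout and the payload are constructed for the example and are not from the thread.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return the non-empty primary partition entries of a classic MBR
    as (type, start_lba, sector_count) tuples."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR boot sector")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        start, count = struct.unpack("<II", entry[8:16])
        if entry[4] != 0 and count != 0:
            parts.append((entry[4], start, count))
    return parts

def gap_sectors_with_data(disk: bytes):
    """LBAs between the MBR and the first partition that are not all zero.
    Nothing here belongs to any file system, so a file-level AV scan never
    reads it. Boot loaders legitimately use some of these sectors, so compare
    the result with the same check run on a freshly imaged disk rather than
    treating any hit as an infection."""
    parts = parse_mbr(disk[:SECTOR])
    first = min(p[1] for p in parts) if parts else len(disk) // SECTOR
    return [lba for lba in range(1, first)
            if any(disk[lba * SECTOR:(lba + 1) * SECTOR])]

def recovery_image_matches(image: bytes, baseline_sha256: str) -> bool:
    """Compare a recovery image (e.g. the WIM on a recovery partition)
    with the SHA-256 recorded when it was known to be good."""
    return hashlib.sha256(image).hexdigest() == baseline_sha256

def build_sample_disk(hidden_payload: bytes = b"") -> bytes:
    """Constructed 64-sector disk image: one NTFS-typed partition starting
    at LBA 63, with an optional payload written into the gap at LBA 10."""
    disk = bytearray(64 * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 63, 1)
    disk[446:462] = entry
    disk[510:512] = b"\x55\xaa"
    if hidden_payload:
        disk[10 * SECTOR:10 * SECTOR + len(hidden_payload)] = hidden_payload
    return bytes(disk)
```

    Run against a real drive you would read the raw device (or a forensic image) in place of the constructed bytes; the check only handles MBR-partitioned disks, not GPT.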

  6. #6
    David H. Lipman Guest

    Re: What next?

    From: "Andy Walker" <awalker@nspank.invalid>

    | David H. Lipman wrote:

    >>From: "Andy Walker" <awalker@nspank.invalid>


    >>| David H. Lipman wrote:


    >>>>From: "Andy Walker" <awalker@nspank.invalid>


    >>>>| David H. Lipman wrote:


    >>>>>>From: "Andy Walker" <awalker@nspank.invalid>


    >>>>>>| Li'l Abner wrote:


    >>>>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
    >>>>>>>>september.org:


    >>>>>>>>> http://www.dban.org/


    >>>>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
    >>>>>>>>back to the original factory image, got rid of Norton, got all the Windows
    >>>>>>>>updates, installed Avira, copied his documents back (they were clean), and
    >>>>>>>>the owner has picked it up.


    >>>>>>| So what are you going to do if the recovery partition had a
    >>>>>>| modification to load a rootkit and the rootkit loads malware from the
    >>>>>>| infected disk space that was not wiped when you reinstalled? At this
    >>>>>>| point you cannot claim with certainty that they are not still
    >>>>>>| infected.


    >>>>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


    >>>>| It's more of a precautionary speculation based on best practices. It's
    >>>>| trivial to programmatically access most recovery partitions, and to
    >>>>| manipulate the images created for "recovery". I have not specifically
    >>>>| identified this on any of the infected computers I've come across, but
    >>>>| then I don't allow hidden recovery partitions to exist on computers I
    >>>>| configure or rebuild. I have, on the other hand, seen malware place
    >>>>| code outside the normal file system on the boot partition. Some will
    >>>>| even encrypt the content of their own "partition" in the unused
    >>>>| portions of the disk.


    >>>>I don't think it is that trivial. Even if you could modify the MBR or do something else,
    >>>>it would be orphaned and have no hooks into the OS.


    >>| If you replace the disk drivers in the image you would have the hook.
    >>| With access to the recovery image you can add almost anything you want
    >>| to the recovered system, but it would make more sense to stick to
    >>| basic rootkit stealth of a downloader that would then update its
    >>| software once the system was recovered.


    >>I don't see it and I don't see any malware modifying the recovery image. Even if
    >>attempted, the recovery image would be corrupted and unusable.


    | Well, since AV software doesn't look at the recovery partition it
    | would probably go unnoticed if it did exist. Modifying images is done
    | all the time and works very nicely for keeping base images fresh. I
    | use ImageX to update WIM images all the time.

    It isn't as trivial as you believe.

    --
    Dave
    Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



  7. #7
    Andy Walker Guest

    Re: What next?

    David H. Lipman wrote:
    >
    >It isn't as trivial as you believe.


    You're entitled to your opinion and it's probably based on your own
    experiences. My opinion is similarly based on my knowledge and
    experience. If I really felt the need to prove the point I'd create a
    proof of concept, but it isn't something I have the time for since
    there would be no practical uses for it in my line of work.

    Cheers Dave!

    Andy
