From: "Andy Walker" <awalker@nspank.invalid>

| David H. Lipman wrote:

>>From: "Andy Walker" <awalker@nspank.invalid>


>>| Li'l Abner wrote:


>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
>>>>september.org:


>>>>> http://www.dban.org/


>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
>>>>back to the original factory image, got rid of Norton, got all the Windows
>>>>updates, installed Avira, copied his documents back (they were clean), and
>>>>the owner has picked it up.


>>| So what are you going to do if the recovery partition had a
>>| modification to load a rootkit and the rootkit loads malware from the
>>| infected disk space that was not wiped when you reinstalled? At this
>>| point you cannot claim with certainty that they are not still
>>| infected.


>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?


| It's more of a precautionary speculation based on best practices. It's
| trivial to programmatically access most recovery partitions, and to
| manipulate the images created for "recovery". I have not specifically
| identified this on any of the infected computers I've come across, but
| then I don't allow hidden recovery partitions to exist on computers I
| configure or rebuild. I have, on the other hand, seen malware place
| code outside the normal file system on the boot partition. Some will
| even encrypt the content of their own "partition" in the unused
| portions of the disk.

I don't think it is that trivial. Even if you could modify the MBR or do something else,
it would be orphaned and have no hooks into the OS.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
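The exchange above turns on whether code stashed outside the normal file system (for instance in the unallocated sectors between the MBR and the first partition) can be found after a recovery-image reinstall. The following is an added example, not code from either poster: it parses the four primary MBR partition entries from a raw disk image and reports any non-zero sector in the gap before the first partition. The disk image, the partition layout and the "hidden" bytes are all constructed inline for the demonstration.

```python
import struct

SECTOR = 512  # assumption: classic 512-byte sectors, as on the disks discussed

def parse_mbr_partitions(image: bytes):
    """Return (start_lba, sector_count, type_byte) for each used primary MBR entry.

    Raises ValueError if the 0x55AA boot signature is missing.
    """
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no valid MBR signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _, _, _, ptype, _, _, _, start_lba, count = struct.unpack("<BBBBBBBBII", entry)
        if ptype != 0 and count != 0:
            parts.append((start_lba, count, ptype))
    return parts

def unallocated_sectors_with_data(image: bytes):
    """LBAs in the gap between the MBR (LBA 0) and the first partition that hold any non-zero byte.

    Data here is not necessarily malicious (boot loaders such as GRUB legitimately
    use this gap), so the result is a lead to compare against a known-good image,
    not a verdict.
    """
    parts = parse_mbr_partitions(image)
    first_start = min(p[0] for p in parts) if parts else len(image) // SECTOR
    hits = []
    for lba in range(1, first_start):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sector):
            hits.append(lba)
    return hits

def build_sample_image(first_partition_lba=8, total_sectors=16, hidden_at=()):
    """Constructed test image: an MBR with one NTFS-typed partition starting at
    first_partition_lba; optionally writes a marker blob into sectors of the gap."""
    img = bytearray(total_sectors * SECTOR)
    entry = struct.pack("<BBBBBBBBII",
                        0x80, 0, 0, 0,          # bootable flag, CHS start (unused here)
                        0x07, 0, 0, 0,          # type 0x07 (NTFS), CHS end (unused here)
                        first_partition_lba,    # LBA of first sector
                        total_sectors - first_partition_lba)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    for lba in hidden_at:
        img[lba * SECTOR:lba * SECTOR + 16] = b"CONSTRUCTED-BLOB"
    return bytes(img)

def scan_file(path: str):
    """Read a raw disk image from disk and return the suspicious LBAs (hypothetical helper)."""
    with open(path, "rb") as f:
        return unallocated_sectors_with_data(f.read())

if __name__ == "__main__":
    clean = build_sample_image()
    tampered = build_sample_image(hidden_at=(3, 5))
    print("clean image gap sectors with data:", unallocated_sectors_with_data(clean))
    print("tampered image gap sectors with data:", unallocated_sectors_with_data(tampered))
```

Running the block on the constructed images reports no gap sectors for the clean layout and LBAs 3 and 5 for the tampered one. On a real disk the same function can be pointed at a raw image taken with dd, and the sensible follow-up is to diff the reported sectors against the vendor's factory image rather than treat any non-zero sector as proof of infection.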