David H. Lipman wrote:

>From: "Andy Walker" <awalker@nspank.invalid>
>
>| David H. Lipman wrote:
>
>>>From: "Andy Walker" <awalker@nspank.invalid>
>>>
>>>| Li'l Abner wrote:
>>>
>>>>>"siljaline" <spam@uce.gov> wrote in news:i9673q$ecg$1@news.eternal-
>>>>>september.org:
>>>>>
>>>>>> http://www.dban.org/
>>>>>
>>>>>I didn't have to get *that* violent! There was a recovery partition. I put it
>>>>>back to the original factory image, got rid of Norton, got all the Windows
>>>>>updates, installed Avira, copied his documents back (they were clean), and
>>>>>the owner has picked it up.
>>>
>>>| So what are you going to do if the recovery partition had a
>>>| modification to load a rootkit and the rootkit loads malware from the
>>>| infected disk space that was not wiped when you reinstalled? At this
>>>| point you cannot claim with certainty that they are not still
>>>| infected.
>>>
>>>Which RootKit do you think can/will do this Andy or is this precautionary speculation ?
>
>| It's more of a precautionary speculation based on best practices. It's
>| trivial to programmatically access most recovery partitions, and to
>| manipulate the images created for "recovery". I have not specifically
>| identified this on any of the infected computers I've come across, but
>| then I don't allow hidden recovery partitions to exist on computers I
>| configure or rebuild. I have, on the other hand, seen malware place
>| code outside the normal file system on the boot partition. Some will
>| even encrypt the content of their own "partition" in the unused
>| portions of the disk.
>
>I don't think it is that trivial. Even if you could modify the MBR or do something else,
>it would be orphaned and have no hooks into the OS.

If you replace the disk drivers in the image you would have the hook.
With access to the recovery image you can add almost anything you want
to the recovered system, but it would make more sense to stick to
basic rootkit stealth of a downloader that would then update its
software once the system was recovered.
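The thread's concern is data parked "outside the normal file system" in unused disk space, which a wipe-and-reinstall from a recovery image never touches. A defender's triage check for that is to read the partition table and flag any non-zero sectors that no partition claims. The following is an added example written for this page, not code from any poster; it assumes an MBR-partitioned disk image (GPT would need a different parser), a 512-byte sector size, and a small constructed image with one partition plus two deliberately non-zero unallocated sectors standing in for hidden data.

```python
import struct
from typing import List, Tuple

SECTOR = 512  # assumption: classic 512-byte sectors


def parse_mbr_partitions(image: bytes) -> List[Tuple[int, int]]:
    """Return (lba_start, sector_count) for each populated primary MBR entry.

    MBR entry layout (16 bytes, starting at offset 446):
    status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) count(4 LE)
    """
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            parts.append((lba, count))
    return parts


def find_nonzero_unallocated(image: bytes) -> List[Tuple[int, int]]:
    """Return runs (first_sector, last_sector) of sectors that are
    outside every partition (sector 0, the MBR itself, is skipped)
    and contain at least one non-zero byte."""
    parts = parse_mbr_partitions(image)
    total = len(image) // SECTOR

    def allocated(s: int) -> bool:
        return any(lba <= s < lba + count for lba, count in parts)

    runs, start = [], None
    for s in range(1, total):
        suspicious = not allocated(s) and any(image[s * SECTOR:(s + 1) * SECTOR])
        if suspicious and start is None:
            start = s
        elif not suspicious and start is not None:
            runs.append((start, s - 1))
            start = None
    if start is not None:
        runs.append((start, total - 1))
    return runs


def build_sample_image() -> bytes:
    """Constructed 256 KiB disk image: one NTFS-typed partition at LBA 64
    (128 sectors) and a fake payload in sectors 10-11, which belong to
    no partition. Not real malware, just non-zero filler."""
    img = bytearray(512 * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 64, 128)
    img[446:462] = entry
    img[510:512] = b"\x55\xaa"
    # ordinary data inside the partition: must NOT be reported
    img[64 * SECTOR:64 * SECTOR + 16] = b"NTFS-like data.."
    # constructed "hidden" data in the MBR-to-partition gap: must be reported
    img[10 * SECTOR:12 * SECTOR] = b"\xAA" * (2 * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print("partitions:", parse_mbr_partitions(sample))
    for first, last in find_nonzero_unallocated(sample):
        print(f"non-zero unallocated sectors {first}-{last}")
```

On a real drive this is a starting point for a look, not a verdict: boot loaders routinely embed code in the gap after the MBR and OEMs leave their own residue there, so a hit means "inspect and compare against a known-good image of the same model", and the scan should be run against a forensic image rather than the live, possibly rootkitted, system.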