rootkit & re image from partition

Discussion in 'Computer Security' started by dnss, Mar 31, 2006.

  1. dnss

    dnss Guest

    The desktop has a virus with known rootkit capability. Virus scans indicate
    the virus cannot be cleaned.

    The computer mfg has suggested recovery via the recovery image file on the
    2nd partition of the only hdd.

    Would the rootkit be overwritten in the recovery process on the hdd or only
    be idle in the kernel until the o/s is rebuilt? Basically waiting to spread
    across the rebuilt desktop?

    The desktop has a Windows XP home o/s.
    dnss, Mar 31, 2006
    #1

  2. From: "dnss" <>

    | The desktop has a virus with known rootkit capability. Virus scans indicate
    | the virus cannot be cleaned.
    |
    | The computer mfg has suggested recovery via the recovery image file on the
    | 2nd partition of the only hdd.
    |
    | Would the rootkit be overwritten in the recovery process on the hdd or only
    | be idle in the kernel until the o/s is rebuilt? Basically waiting to spread
    | across the rebuilt desktop?
    |
    | The desktop has a Windows XP home o/s.
    |

    You need to be specific. Is it really a "virus" or in fact a Trojan? What RootKit is it?
    How do you know that you are infected? What AV software was used and what is the fully
    qualified name and path to the infected file?

    Trojan RootKit examples; Apropos, Goldun and Backdoor.Haxdoor.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Mar 31, 2006
    #2

  3. dnss wrote:
    > The desktop has a virus with known rootkit capability. Virus scans indicate
    > the virus cannot be cleaned.
    >
    > The computer mfg has suggested recovery via the recovery image file on the
    > 2nd partition of the only hdd.
    >
    > Would the rootkit be overwritten in the recovery process on the hdd or only
    > be idle in the kernel until the o/s is rebuilt? Basically waiting to spread
    > across the rebuilt desktop?


    What tells you that the rootkit didn't modify the recovery image as well?
    Sebastian Gottschalk, Apr 1, 2006
    #3
  4. David H. Lipman, Apr 1, 2006
    #4
  5. David H. Lipman wrote:

    > | What tells you that the rootkit didn't modify the recovery image as well?
    >
    > Recovery images are in proprietary archive formats


    And that's about how reliable.

    > usually in Read-Only format.


    The malware doesn't care about a read-only flag.

    > Therefore that scenario is extremely unlikely.


    You haven't been around for long? Writing to other filesystems, certain
    archive types and certain encodings has become a standard feature.
    Sebastian Gottschalk, Apr 1, 2006
    #5
  6. dnss

    Noname Guest

    "Sebastian Gottschalk" <> wrote in message
    news:...
    > David H. Lipman wrote:
    >
    > > | What tells you that the rootkit didn't modify the recovery image as

    well?
    > >
    > > Recovery images are in proprietary archive formats

    >
    > And that's about how reliable.
    >
    > > usually in Read-Only format.

    >
    > The malware doesn't care about a read-only flag.
    >
    > > Therefore that scenario is extremely unlikely.

    >
    > You haven't been around for long? Writing to other filesystems, certain
    > archive types and certain encodings has become a standard feature.


    You have confirmed my concerns, why would the rootkit not write to the
    recovery image?
    Noname, Apr 1, 2006
    #6
  7. Noname wrote:
    > "Sebastian Gottschalk" <> wrote in message
    > news:...


    It's called an introduction line, not lines...

    >>> | What tells you that the rootkit didn't modify the recovery image as

    > well?


    Your quoting is broken, most likely due to the crap you're misusing as a
    newsreader.

    > You have confirmed my concerns, why would the rootkit not write to the
    > recovery image?


    Hm... may I remind you about that presentation about intentionally
    non-stealth rootkits on Blackhat Europe 06? :)
    Sebastian Gottschalk, Apr 1, 2006
    #7
  8. From: "Sebastian Gottschalk" <>

    | David H. Lipman wrote:
    |
    |>> What tells you that the rootkit didn't modify the recovery image as well?
    >>
    >> Recovery images are in proprietary archive formats

    |
    | And that's about how reliable.
    |
    >> usually in Read-Only format.

    |
    | The malware doesn't care about a read-only flag.
    |
    >> Therefore that scenario is extremely unlikely.

    |
    | You haven't been around for long? Writing to other filesystems, certain
    | archive types and certain encodings has become a standard feature.

    Long enough to know that malware can't insert itself into a proprietary archive, read-only
    medium and change such things as Registry and other configuration settings.

    Next thing you'll tell me the RootKit has infected the BIOS ! Rubbish.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Apr 1, 2006
    #8
  9. Sebastian Gottschalk wrote:

    > Noname wrote:
    >> "Sebastian Gottschalk" <> wrote in message
    >> news:...

    >
    > It's called an introduction line, not lines...


    It WAS one line. YOUR "broken" news client wrapped it.

    ROTFL!

    >
    >>>> | What tells you that the rootkit didn't modify the recovery image as

    >> well?

    >
    > Your quoting is broken, most likely due to the crap you're misusing as a
    > newsreader.
    >
    >> You have confirmed my concerns, why would the rootkit not write to the
    >> recovery image?

    >
    > Hm... may I remind you about that presentation about intentionally
    > non-stealth rootkits on Blackhat Europe 06? :)


    No.
    George Orwell, Apr 1, 2006
    #9
  10. dnss wrote:

    > The desktop has a virus with known rootkit capability. Virus scans
    > indicate the virus cannot be cleaned.


    What virus? What "capabilities"? What antivirus software? What EXACTLY is
    it telling you?

    > The computer mfg has suggested recovery via the recovery image file on the
    > 2nd partition of the only hdd.


    Tech support people are notoriously useless. They read from a script
    usually, and this would be one of their canned replies to ANY customer
    complaint.

    If you want real help, you need to provide real information.

    >
    > Would the rootkit be overwritten in the recovery process on the hdd or
    > only be idle in the kernel until the o/s is rebuilt? Basically waiting to
    > spread across the rebuilt desktop?


    It's impossible to say without knowing exactly what you're dealing with.
    It's certainly POSSIBLE for this to happen.

    >
    > The desktop has a Windows XP home o/s.
    George Orwell, Apr 1, 2006
    #10
  11. David H. Lipman wrote:

    > From: "Sebastian Gottschalk" <>
    >
    > | David H. Lipman wrote:
    > |
    > |>> What tells you that the rootkit didn't modify the recovery image as
    > |>> well?
    >>>
    >>> Recovery images are in proprietary archive formats

    > |
    > | And that's about how reliable.
    > |
    >>> usually in Read-Only format.

    > |
    > | The malware doesn't care about a read-only flag.
    > |
    >>> Therefore that scenario is extremely unlikely.

    > |
    > | You haven't been around for long? Writing to other filesystems, certain
    > | archive types and certain encodings has become a standard feature.
    >
    > Long enough to know that malware can't insert itself into a proprietary
    > archive,


    Um... who said proprietary? You're ASSuming something to prove your point,
    which means you know you're wrong. You're diddling the rules trying to
    make reality conform to your unrealistic argument.

    Fact is, at least two major PC manufacturers use "industry standard"
    compression on a partition that relies mostly on the <cough> security of
    never being mounted under normal usage. Buy the library, or reverse
    engineer it, and mount the partition and you're in like Flint.

    > read-only medium


    Umm, you DO realize that a partition isn't its own medium, right? That
    it's really just part of a R+W medium known commonly as a "hard drive",
    and is made "read only" because of certain software "switches", right?

    > and change such things as Registry and other
    > configuration settings.


    Simplicity defined once you're in.

    > Next thing you'll tell me the RootKit has infected the BIOS ! Rubbish.


    Not as of yet, but it was once widely argued that you couldn't get a virus
    from simply viewing an image, too. :(

    It's certainly within the realm of possibility, but such an infectious
    piece of code would be either well contained, or a monster, because of the
    huge variety of BIOS platforms it would have to contend with. IOW, the
    only reason we DON'T see a flash BIOS virus in the real world is because
    it's IMPRACTICAL.

    Try Googling 'bimorph.a' some time. It's a proof of concept that could
    EASILY be modified to replicate, except where would it go? It's highly
    BIOS specific, as any such virus must be.

    If a common denominator "flaw" is found between BIOS brands and versions,
    that will change as sure as the popularity of Micro$oft products has
    helped enable "macro viruses" and such malware.
    Borked Pseudo Mailed, Apr 1, 2006
    #11
  12. George Orwell wrote:

    >> Noname wrote:
    >>> "Sebastian Gottschalk" <> wrote in message
    >>> news:...

    >> It's called an introduction line, not lines...

    >
    > It WAS one line. YOUR "broken" news client wrapped it.
    >
    > ROTFL!


    It was definitely not. Taking a clear look at
    <news.2lXf.56212$YX1.5557@dukeread06> reveals that clearly.

    Anyway, his "line" contains a lot of duplicate information.

    >>> You have confirmed my concerns, why would the rootkit not write to the
    >>> recovery image?

    >> Hm... may I remind you about that presentation about intentionally
    >> non-stealth rootkits on Blackhat Europe 06? :)

    >
    > No.


    It's not upon you to decide about that. :)
    Anyway, it doesn't apply here.
    Sebastian Gottschalk, Apr 1, 2006
    #12
  13. David H. Lipman wrote:

    > Long enough to know that malware can't insert itself into a
    > proprietary archive,


    Then you don't know much.

    > read-only medium


    A hard disk isn't read-only.

    > and change such things as Registry and other configuration settings.


    Even the registry is, well, lousily documented. And you don't need to
    change any configuration, just infect some system binaries.

    > Next thing you'll tell me the RootKit has infected the BIOS !


    Unlikely, but possible.
    Sebastian Gottschalk, Apr 1, 2006
    #13
  14. Sebastian Gottschalk wrote:

    > George Orwell wrote:
    >
    >>> Noname wrote:
    >>>> "Sebastian Gottschalk" <> wrote in message
    >>>> news:...
    >>> It's called an introduction line, not lines...

    >>
    >> It WAS one line. YOUR "broken" news client wrapped it.
    >>
    >> ROTFL!

    >
    > It was definitely not. Taking a clear look at
    > <news.2lXf.56212$YX1.5557@dukeread06> reveals that clearly.


    I did look at it. It was on one line. You're pissing yourself over
    something that's not only the most childish bullshit I've ever seen anyone
    pee themselves over, but something that's YOUR doing.

    LOL!

    >
    > Anyway, his "line" contains a lot of duplicate information.


    And everything YOU post contains a lot of useless, self serving,
    obnoxious, incorrect, boring nonsense.

    Everyone voted and we decided we prefer the attribution "problem" over
    your multi-line idiocy. Please close the door on your way out, and leave
    the towels where you found them.

    >>>> You have confirmed my concerns, why would the rootkit not write to the
    >>>> recovery image?
    >>> Hm... may I remind you about that presentation about intentionally
    >>> non-stealth rootkits on Blackhat Europe 06? :)

    >>
    >> No.

    >
    > It's not upon you to decide about that. :)


    Wanna bet?

    > Anyway, it doesn't apply here.


    No, YOU don't apply here......

    *plonk*
    George Orwell, Apr 1, 2006
    #14
  15. From: "Sebastian Gottschalk" <>

    | David H. Lipman wrote:
    |
    >> Long enough to know that malware can't insert itself into a
    >> proprietary archive,

    |
    | Then you don't know much.
    |
    >> read-only medium

    |
    | A hard disk isn't read-only.
    |
    >> and change such things as Registry and other configuration settings.

    |
    | Even the registry is, well, lousily documented. And you don't need to
    | change any configuration, just infect some system binaries.
    |
    >> Next thing you'll tell me the RootKit has infected the BIOS !

    |
    | Unlikely, but possible.

    To infect a file in the archive it has to be extracted, infected, re-archived. Oops, there
    goes the backup software CRC and a restoration will fail a CRC check.

    OK -- Name ONE RootKit that is known to infect a "recovery image file".

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Apr 1, 2006
    #15
  16. David H. Lipman wrote:

    > To infect a file in the archive it has to be extracted, infected, re-archived.


    You forgot: adjusting the CRC accordingly.

    > Oops, there goes the backup software CRC and a restoration will fail a CRC check.


    That's why you have to adjust the CRC.

    > OK -- Name ONE RootKit that is known to infect a "recovery image file".


    Gaobot in at least a dozen variants.
    Sebastian Gottschalk, Apr 2, 2006
    #16
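    The CRC exchange in posts #15 and #16, and the earlier question in post #3 about whether the recovery image itself might have been modified, come down to one point: a CRC stored next to the data is an error-detection code, not an integrity protection, because anything with write access to the partition can rewrite the payload and the stored CRC together. The block below is an added example and is not code from anyone in this thread. It models a constructed archive entry with its CRC32, shows the restore-side CRC check still passing after the payload and stored CRC are both rewritten, and contrasts that with an HMAC-SHA256 tag and a plain SHA-256 reference value whose key or reference is kept off the host (for example on trusted boot media). The image payload, the appended patch bytes and the key are all constructed for the demo.

```python
"""
Added example (not from the thread): a CRC stored beside a recovery image
does not protect it against deliberate modification; a keyed tag or a
reference hash kept off the host does.

Everything below is constructed for the demo: the fake image payload, the
appended patch, and the verification key.
"""
import hashlib
import hmac
import zlib

# Constructed stand-in for a recovery image stored on the hidden 2nd partition.
ORIGINAL_IMAGE = (
    b"RECOVERY-IMG\x00"
    + b"WINDOWS/system32/winlogon.exe\x00"
    + b"MZ" + b"\x00" * 64
)
# Constructed modification: a few bytes appended to the image.
CONSTRUCTED_PATCH = b"\x90" * 8
# Secret known only to the offline verifier (boot media / vendor), never on disk.
OFFLINE_KEY = b"constructed-offline-key-do-not-store-on-host"


def crc32_of(data: bytes) -> int:
    """Plain CRC32 as used by many archive formats: error detection only, no secret."""
    return zlib.crc32(data) & 0xFFFFFFFF


def pack_with_crc(payload: bytes) -> dict:
    """Model of an archive entry that stores a CRC32 beside its payload."""
    return {"payload": payload, "crc": crc32_of(payload)}


def crc_check(entry: dict) -> bool:
    """What a restore tool does: recompute the CRC and compare with the stored one."""
    return crc32_of(entry["payload"]) == entry["crc"]


def modify_entry_and_fix_crc(entry: dict, patch: bytes) -> dict:
    """Simulate a modifier with write access to the partition: the payload changes
    and the stored CRC is simply recomputed, so the restore-side check still passes."""
    return pack_with_crc(entry["payload"] + patch)


def seal(payload: bytes, key: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256) computed while the image is known-good."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_seal(payload: bytes, tag: bytes, key: bytes) -> bool:
    """Verify from trusted boot media; the key is never present on the host."""
    return hmac.compare_digest(seal(payload, key), tag)


def reference_hash(payload: bytes) -> str:
    """Unkeyed alternative: a SHA-256 recorded off-host at a known-clean point."""
    return hashlib.sha256(payload).hexdigest()


def run_scenario() -> dict:
    """Compare the three checks before and after an on-disk modification."""
    # Day 0: machine is clean. Archive written; tag and reference hash recorded off-host.
    entry = pack_with_crc(ORIGINAL_IMAGE)
    tag = seal(ORIGINAL_IMAGE, OFFLINE_KEY)
    ref = reference_hash(ORIGINAL_IMAGE)

    # Later: something with write access to the disk alters the image.
    tampered = modify_entry_and_fix_crc(entry, CONSTRUCTED_PATCH)

    return {
        "crc_passes_clean": crc_check(entry),
        "crc_passes_tampered": crc_check(tampered),  # True: CRC is not a defence
        "hmac_passes_clean": verify_seal(entry["payload"], tag, OFFLINE_KEY),
        "hmac_passes_tampered": verify_seal(tampered["payload"], tag, OFFLINE_KEY),  # False
        "hash_matches_clean": reference_hash(entry["payload"]) == ref,
        "hash_matches_tampered": reference_hash(tampered["payload"]) == ref,  # False
    }


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:22s} {ok}")
```

    The reference value (tag or hash) only helps if it was recorded while the machine was known-clean and is stored somewhere the host cannot write, and if the comparison runs from trusted boot media rather than inside the possibly compromised OS, since a kernel-level rootkit can misreport what the disk contains. The "read-only" partition discussed above is a software attribute on a read-write disk, so it adds no integrity guarantee of its own.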
  17. From: "Sebastian Gottschalk" <>


    |
    | Gaobot in at least a dozen variants.

    Gaobot is an Internet worm that exploits RPC/RPCSS DCOM and LSASS via TCP ports 135 and 445,
    via NetBIOS over unsecured shares, other OS/OS component vulnerabilities and WebDav.

    The closest it may come to a "RootKit" is that it may create a NT Service but I haven't seen
    any variants infect a "recovery image file".

    Please show me an AV vendor writeup on an AGOBot/SDBot/GAOBot worm that purports to infect a
    "recovery image file". That is the core of this discussion.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Apr 2, 2006
    #17
  18. David H. Lipman wrote:
    > From: "Sebastian Gottschalk" <>
    >
    >
    > | | Gaobot in at least a dozen variants.
    >
    > Gaobot is an Internet worm that exploits RPC/RPCSS DCOM and LSASS via
    > TCP ports 135 and 445, via NetBIOS over unsecured shares, other OS/OS
    > component vulnerabilities and WebDav.


    Gaobot is a high-quality Trojan/Rootkit whose source code was released
    to the public and has been adapted into about anything, including worming.
    There are literally thousands of variants out there, and a big load of
    easily-adopted plugins has been developed, including some to easily
    access a lot of archive and image formats.

    > Please show me an AV vendor writeup on an AGOBot/SDBot/GAOBot worm
    > that purports to infect a "recovery image file". That is the core of
    > this discussion.


    AV vendors only cover the most widespread variants, even though they're
    already counting at C?.
    Sebastian Gottschalk, Apr 2, 2006
    #18
  19. Sebastian Gottschalk wrote:

    > David H. Lipman wrote:
    >> From: "Sebastian Gottschalk" <>
    >>
    >>
    >> | | Gaobot in at least a dozen variants.
    >>
    >> Gaobot is an Internet worm that exploits RPC/RPCSS DCOM and LSASS via
    >> TCP ports 135 and 445, via NetBIOS over unsecured shares, other OS/OS
    >> component vulnerabilities and WebDav.

    >
    > Gaobot is a high-quality Trojan/Rootkit whose source code was released
    > to the public and has been adapted into about anything, including worming.
    > There are literally thousands of variants out there, and a big load of
    > easily-adopted plugins has been developed, including some to easily access
    > a lot of archive and image formats.


    TRANSLATION:

    "I'm a fukwit who pulled a name out of my ass hoping nobody would bother
    to check. GaoBot does nothing of the sort, I'm standing here with my pants
    around my knees and everyone is laughing at me. The only thing I have
    left to do is pretend I know something the rest of the world doesn't."

    You are PATHETIC.

    >
    >> Please show me an AV vendor writeup on an AGOBot/SDBot/GAOBot worm that
    >> purports to infect a "recovery image file". That is the core of this
    >> discussion.

    >
    > AV vendors only cover the most widespread variants, even though they're
    > already counting at C?.
    Borked Pseudo Mailed, Apr 2, 2006
    #19
  20. Borked Pseudo Mailed wrote:
    > Sebastian Gottschalk wrote:
    >
    >> David H. Lipman wrote:
    >>> From: "Sebastian Gottschalk" <>
    >>>
    >>>
    >>> | | Gaobot in at least a dozen variants.
    >>>
    >>> Gaobot is an Internet worm that exploits RPC/RPCSS DCOM and LSASS via
    >>> TCP ports 135 and 445, via NetBIOS over unsecured shares, other OS/OS
    >>> component vulnerabilities and WebDav.

    >> Gaobot is a high-quality Trojan/Rootkit whose source code was released
    >> to the public and has been adapted into about anything, including worming.
    >> There are literally thousands of variants out there, and a big load of
    >> easily-adopted plugins has been developed, including some to easily access
    >> a lot of archive and image formats.

    >
    > TRANSLATION:
    >
    > "I'm a fukwit who pulled a name out of my ass hoping nobody would bother
    > to check. GaoBot does nothing of the sort,


    It does, and I guess even a moron like you is able to google for some of
    those plugins.

    Not to mention the many other Trojan horses that use similar techniques.
    Sebastian Gottschalk, Apr 2, 2006
    #20