Mailinglist Archive: opensuse (770 mails)

Re: [Summary/Solved] Re: [opensuse] Partition Recovery? Is it even missing to begin with or just shifted?
On 08/12/2012 08:21 PM, David Haller wrote:
> Actually, it turns out that that "fishy" sector actually does contain
> the first part of the Boot.Pihar Trojan/Backdoor, and I think some
> more stuff is between each EPBR and the actual partition/filesystem.
>
> https://www.virustotal.com/file/1cf12d246e9a2fbe1995034366f74aa5c892fc78a21de31cf6ba2a32ce74b6bc/analysis/
>
> I think one could "fix" the partitioning itself by just deleting the
> extra entry in the MBR partition table and moving the real entries (now
> sda2/3) to sda1/2 again. The partitions and filesystems seem ok.
>
> As it is a virus/trojan/backdoor infection, I recommended dcr had
> best zero the disk and reinstall.

dnh,

You are the wizard. I appreciate the education that this has been for me
regarding how to look at the code within the various bytes of the boot sector. I
still cannot begin to fully understand precisely what happened, but I think I
have gotten the big picture. There is one part of this puzzle I do not
understand though. What did this malware do to cause an extra partition to be
created?

I think I get part of that. The first 63 sectors were originally occupied by
grub stage1.5 in sectors 1-19. Sectors 20-63 were originally empty. The boot
track was not considered by the system to be a partition in and of itself. The
original sda1 began on sector 63 and ended on sector 315291689. Whatever was
inserted into the boot track after sector 19 caused sector 29 to appear as a
complete partition to the system. Even though it was of 0 length. Sector 29 had
some byte within it that caused it to be identified as a partition (a new sda1)
and the original sda1 became sda2. Right?

However, what I don't get is what the malware hoped to accomplish with a 1
sector entry. It gets inserted at sector 29 and the boot flag points to it. Then
on boot, that code is read, and presumably triggers other code resident on what
is now sda2. The reason for the quandary is I can't see enough code being
inserted into a single sector (sector 29) to do much at all by itself other than
scramble the disk/delete files/etc... or address code somewhere else on the
disk. Meaning that I can't see enough code fitting into 1 sector to be
intelligent enough by itself to conduct network activities or (phone home) for
lack of better words. (I admit I could be completely wrong here, but I will take
that, 512 bytes isn't much room to work with)

So, I won't do it, but what you are saying is I could zero sectors 20-63 on
the drive, reboot, and essentially have the original disk back with the correct
partition numbering and a virus somewhere in the restored sda1 waiting to strike
again -- right?

Thank you again for another great bit of learning.

--
David C. Rankin, J.D.,P.E.
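The partition-table view discussed in this thread, as an added example that is not part of the thread or of any tool the posters used: it decodes the four MBR entries, flags a bootable one-sector entry sitting inside the boot track (LBA 29, as on the infected disk), and shows the table repair Haller mentioned (drop the extra entry, shift sda2/3 back to sda1/2). The sample MBR is constructed; the partition type codes and the extended-partition numbers are assumptions, only the sector numbers 29, 63 and 315291689 come from the thread.

```python
import struct

TABLE_OFFSET = 446        # the 64-byte partition table starts at byte 446 of the MBR
ENTRY_SIZE = 16
FIRST_DATA_LBA = 63       # on this disk the real sda1 started at LBA 63; sectors 0-62 are the boot track

def parse_mbr_table(mbr: bytes) -> list:
    """Decode the four primary entries; type 0 means an unused slot."""
    if len(mbr) != 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with the 0x55AA signature")
    entries = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        flag, ptype, start, size = struct.unpack("<B3xB3xII", mbr[off:off + ENTRY_SIZE])
        entries.append({"index": i + 1, "bootable": flag == 0x80,
                        "type": ptype, "start": start, "size": size})
    return entries

def suspicious_entries(entries: list) -> list:
    """Flag used entries inside the boot track or covering at most one sector,
    which is how the injected bootable entry at LBA 29 looked in the thread."""
    return [e for e in entries
            if e["type"] != 0 and (e["start"] < FIRST_DATA_LBA or e["size"] <= 1)]

def drop_entry(mbr: bytes, index: int) -> bytes:
    """Copy of the MBR with entry `index` (1-4) removed and later entries shifted up,
    i.e. Haller's suggested repair. The removed entry's boot flag is not carried over."""
    table = bytearray(mbr[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE])
    del table[(index - 1) * ENTRY_SIZE:index * ENTRY_SIZE]
    table += bytes(ENTRY_SIZE)                      # keep the table 64 bytes long
    return mbr[:TABLE_OFFSET] + bytes(table) + mbr[TABLE_OFFSET + 4 * ENTRY_SIZE:]

def make_entry(bootable: bool, ptype: int, start: int, size: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, start, size)

def build_sample_mbr() -> bytes:
    """Constructed MBR mirroring the thread: a bogus one-sector bootable entry at LBA 29
    ahead of the original sda1 (LBA 63..315291689). Types and the extended entry are assumed."""
    table = (make_entry(True, 0x83, 29, 1)
             + make_entry(False, 0x83, 63, 315291689 - 63 + 1)
             + make_entry(False, 0x05, 315291753, 1_000_000)
             + bytes(ENTRY_SIZE))
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"

if __name__ == "__main__":
    mbr = build_sample_mbr()
    print("suspicious:", suspicious_entries(parse_mbr_table(mbr)))
    print("after repair:", parse_mbr_table(drop_entry(mbr, 1)))
```

Run it against a real disk by feeding the first 512 bytes of the device to parse_mbr_table; drop_entry only edits the bytes in memory and never writes anything back.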
--
