Mailinglist Archive: opensuse (686 mails)

Re: [opensuse] Malware on Disks
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Wed, 17 Jul 2013 14:55:22 +0200 (CEST)
  • Message-id: <alpine.LNX.2.00.1307171448080.2653@Telcontar.valinor>

On Tuesday, 2013-07-16 at 13:19 -0700, Lew Wolfgang wrote:

> Of course one test would be to use fdisk to make sure there's
> no disk partition label, the presumption being that no label ==
> no filesystem == no malware. You need a filesystem to run a
> "scan". But is this strictly true?

The scan software would refuse, but it is possible to have malware there. Just boot the disk, which reads the first sector, and if there is an MBR in there, all bets are off.


> Could the "raw" device contain a filesystem that Windows would
> see? For example, instead of doing mkfs /dev/sda1, do mkfs /dev/sda.
> We can then "mount /dev/sda" in Linux, but what about Windows?

I believe you can. I would have to verify, though.


> Also, could there be something bad in the MBR that could point
> to a filesystem not present in the partition table?

Yep. They may define their own filesystem.


> Maybe the safest course is to zero both the MBR and the label
> with dd?

The safest is what Cristian recommended. Otherwise, full dd. Both, I think, as the write to the entire "surface" would trigger write fault errors, which is an advantage with new disks (if they fail the test, return to dealer/manufacturer).

-- Cheers,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)

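Added example, not part of the original message: a read-only check of the start of a raw disk or image, showing why "no partition label" does not imply "nothing there". It uses the standard MBR layout (boot code in bytes 0..445, four 16-byte partition entries from offset 446, 0x55AA at offset 510) and well-known filesystem magics; the function names and sample buffers are hypothetical and constructed for illustration.

```python
import struct

SECTOR = 512

def triage(head: bytes) -> dict:
    """Classify the first 2 KiB of a raw disk (MBR layout, little-endian)."""
    s0 = head[:SECTOR].ljust(SECTOR, b"\0")
    types = [s0[446 + 16 * i + 4] for i in range(4)]  # partition type bytes
    fs = None
    # Filesystems created on the whole device, e.g. mkfs /dev/sda
    if s0[3:11] == b"NTFS    ":
        fs = "ntfs"
    elif s0[54:59] in (b"FAT12", b"FAT16") or s0[82:87] == b"FAT32":
        fs = "fat"
    elif len(head) >= 1082 and struct.unpack_from("<H", head, 1080)[0] == 0xEF53:
        fs = "ext2/3/4"  # superblock at 1024, magic at +56
    return {
        "all_zero": not any(head),
        # 0x55AA at offset 510 marks the sector as bootable for BIOS firmware
        "boot_signature": s0[510:512] == b"\x55\xaa",
        # bytes 0..445 hold boot code in an MBR
        "boot_code_present": any(s0[:446]),
        "partitions": sum(1 for t in types if t != 0),
        "raw_filesystem": fs,
    }

def read_head(path: str, size: int = 2048) -> bytes:
    """Read the start of a device or image file (opened read-only)."""
    with open(path, "rb") as f:
        return f.read(size)

# Constructed sample inputs (not taken from any real disk).
def sample_blank() -> bytes:
    return bytes(2048)

def sample_code_without_table() -> bytes:
    buf = bytearray(2048)
    buf[0:3] = b"\xeb\xfe\x90"   # placeholder bytes standing in for boot code
    buf[510:512] = b"\x55\xaa"   # boot signature, partition table left empty
    return bytes(buf)

def sample_raw_ext() -> bytes:
    buf = bytearray(2048)
    struct.pack_into("<H", buf, 1080, 0xEF53)  # ext magic, no partition table
    return bytes(buf)

if __name__ == "__main__":
    for fn in (sample_blank, sample_code_without_table, sample_raw_ext):
        print(fn.__name__, triage(fn()))
```

Only the first 2 KiB is examined, so a result of `all_zero` says nothing about the rest of the disk; that is what the full dd pass covers.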
