[opensuse] Malware on Disks
Hi Folks,

I occasionally have to certify that brand new SATA disks don't contain any malware. The concern is of course for MS Windows threats, but policy doesn't care about subtle distinctions, it wants a "scan" to be done on the disks.

Of course one test would be to use fdisk to make sure there's no disk partition label, the presumption being that no label == no filesystem == no malware. You need a filesystem to run a "scan". But is this strictly true?

Could the "raw" device contain a filesystem that Windows would see? For example, instead of doing mkfs /dev/sda1, do mkfs /dev/sda. We can then "mount /dev/sda" in Linux, but what about Windows?

Also, could there be something bad in the MBR that could point to a filesystem not present in the partition table?

Maybe the safest course is to zero both the MBR and the label with dd?

If it matters, the target disks are all SSDs.

Regards, Lew

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 16/07/13 16:19, Lew Wolfgang wrote:
Of course one test would be to use fdisk to make sure there's no disk partition label, the presumption being that no label == no filesystem == no malware. You need a filesystem to run a "scan". But is this strictly true?
Yes, at least there can be no malware in the traditional sense.
Maybe the safest course is to zero both the MBR and the label with dd?
Not really, just issue ATA secure erase (unless your concerns go beyond that, i.e. malware in the drive's firmware, whose existence cannot usually be proven beyond reasonable doubt).
On Tuesday, 2013-07-16 at 16:33 -0400, Cristian Rodríguez wrote:
Maybe the safest course is to zero both the MBR and the label with dd?
Not really, just issue ATA secure erase (unless your concerns go beyond that, i.e. malware in the drive's firmware, whose existence cannot usually be proven beyond reasonable doubt).
With the added advantage that this is done by the disk firmware, not the computer; i.e., you do not load the computer at all. You could do a hundred disks at once, if you can connect them all, that is :-)

-- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On Tue, Jul 16, 2013 at 4:19 PM, Lew Wolfgang <wolfgang@sweet-haven.com> wrote:
Hi Folks,
I occasionally have to certify that brand new SATA disks don't contain any malware. The concern is of course for MS Windows threats, but policy doesn't care about subtle distinctions, it wants a "scan" to be done on the disks.
Of course one test would be to use fdisk to make sure there's no disk partition label, the presumption being that no label == no filesystem == no malware. You need a filesystem to run a "scan". But is this strictly true?
It is not true. The partition table only occupies a small part of the first sector (i.e. the MBR). Some malware such as the very scary code for TDL4 (http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot) primarily lives in the MBR as I understand it. I'm going from memory, but I believe in 2012 TDL developed an ability to maintain a hidden filesystem at the end of physical disks. For most large drives in Windows systems, the last X GBs is never written to. Not during formatting, not during install, and not during day to day use. That means that a filesystem that grows down from the end of the disk, like a stack does, can use those X GB any way it wants and never be interfered with by the person who thinks he owns the computer. Thus malware absolutely exists that maintains filesystems not documented in the MBR.
Could the "raw" device contain a filesystem that Windows would see?
For example, instead of doing mkfs /dev/sda1, do mkfs /dev/sda. We can then "mount /dev/sda" in Linux, but what about Windows?
Windows requires a partition table as far as I know. Either the old PCDOS style or the new GPT style. Of course malware can do as it will.
Also, could there be something bad in the MBR that could point to a filesystem not present in the partition table?
Now you're thinking.
Maybe the safest course is to zero both the MBR and the label with dd?
It's a good start. Wiping the entire disk is much better (and what is done by many). If you can't wait for the entire drive to wipe, then wipe at least the first few MBs and the last several GB. I would actually worry as much about the end of the disk as I did the start. Overwriting the first few MBs of a drive is pretty common, so a smart virus writer might figure out a way to leverage a payload at the end of the disk that survives normal drive prep. No, I don't know how the leveraging would happen, but I hadn't thought about a grow-backwards filesystem either before I read that a virus was maintaining one.
If it matters, the target disks are all SSD's.
Regards, Lew
Greg
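The checks discussed in this thread (is there a partition table or boot signature in the first sector, is there a GPT header in the second sector, and is there anything at all in the first few MB and the last few GB where an undocumented filesystem could sit) can be scripted so that "the disk is blank" is a verified statement rather than an assumption drawn from fdisk's output. The script below is an added example written for this page, not code from the thread or from any of its participants. It works on a raw image file or, run as root, on a block device path such as /dev/sdX; the 4 MiB head and tail windows and the 1 MiB reporting granularity are my own choices and can be widened (Greg suggests several GB at the end). The sample images it builds for the demo are constructed here for illustration.

```python
"""Verify that a disk (image or block device) is actually blank.

Added example for the thread above; not part of the original posts.
Reports, for a raw image or block device:
  - MBR boot signature (0x55AA at bytes 510-511) and any non-empty
    partition entries in the classic 4-entry table at offset 446
  - GPT header signature ("EFI PART") in the second sector
  - non-zero data in the first `head` bytes and the last `tail` bytes,
    the regions where a filesystem not listed in the partition table
    would have to live
"""
import json
import os
import struct
import sys

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"   # shared by MBRs and FAT/NTFS boot sectors
GPT_SIGNATURE = b"EFI PART"   # GPT header lives at LBA 1
CHUNK = 1 << 20               # report non-zero ranges at 1 MiB granularity


def _nonzero_ranges(fh, start, length, chunk=CHUNK):
    """Return (offset, size) chunks inside [start, start+length) holding any non-zero byte."""
    ranges = []
    fh.seek(start)
    offset, remaining = start, length
    while remaining > 0:
        data = fh.read(min(chunk, remaining))
        if not data:
            break
        if data.count(0) != len(data):  # at least one byte is not 0x00
            ranges.append((offset, len(data)))
        offset += len(data)
        remaining -= len(data)
    return ranges


def inspect_disk(path, head=4 * 1024 * 1024, tail=4 * 1024 * 1024):
    """Inspect `path` (image file or block device) and return a findings dict."""
    with open(path, "rb") as fh:
        size = fh.seek(0, os.SEEK_END)   # works for block devices too, unlike getsize()
        fh.seek(0)
        mbr = fh.read(SECTOR)
        report = {
            "size": size,
            "mbr_signature": len(mbr) >= SECTOR and mbr[510:512] == MBR_SIGNATURE,
            "partition_entries": [],
            "gpt_signature": False,
            "head_nonzero": [],
            "tail_nonzero": [],
        }
        if report["mbr_signature"]:
            for i in range(4):
                entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
                if entry.count(0) != len(entry):
                    lba_start, sectors = struct.unpack_from("<II", entry, 8)
                    report["partition_entries"].append({
                        "bootable": entry[0] == 0x80,
                        "type": entry[4],
                        "lba_start": lba_start,
                        "sectors": sectors,
                    })
        if size >= 2 * SECTOR:
            fh.seek(SECTOR)
            report["gpt_signature"] = fh.read(len(GPT_SIGNATURE)) == GPT_SIGNATURE
        head = min(head, size)
        report["head_nonzero"] = _nonzero_ranges(fh, 0, head)
        tail_len = min(tail, max(size - head, 0))   # never re-scan the head window
        report["tail_nonzero"] = _nonzero_ranges(fh, size - tail_len, tail_len)
    report["blank"] = not (report["mbr_signature"] or report["gpt_signature"]
                           or report["head_nonzero"] or report["tail_nonzero"])
    return report


def build_sample_image(path, size, with_mbr=False, tail_payload=b""):
    """Constructed test image: sparse zeros, optionally an MBR and data near the end."""
    with open(path, "wb") as fh:
        fh.truncate(size)   # sparse file, reads back as all zeros
        if with_mbr:
            mbr = bytearray(SECTOR)
            # one bootable NTFS-type (0x07) entry starting at LBA 2048, 20480 sectors long
            mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 20480)
            mbr[510:512] = MBR_SIGNATURE
            fh.seek(0)
            fh.write(mbr)
        if tail_payload:
            fh.seek(size - 4096)   # last 4 KiB, outside anything a partition table describes
            fh.write(tail_payload)


def demo():
    """Build a blank and a tainted 16 MiB image in a temp dir; return both reports."""
    import tempfile
    size = 16 * 1024 * 1024
    with tempfile.TemporaryDirectory() as tmp:
        blank, tainted = os.path.join(tmp, "blank.img"), os.path.join(tmp, "tainted.img")
        build_sample_image(blank, size)
        build_sample_image(tainted, size, with_mbr=True, tail_payload=b"HIDDEN-FS-MARKER")
        return inspect_disk(blank), inspect_disk(tainted)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(inspect_disk(target) if target else demo(), indent=2))
```

Because the 0x55AA signature is also what a FAT or NTFS boot sector carries, the partitionless "mkfs /dev/sda" case Lew asks about is flagged by the same check even though fdisk would show no partitions. A report with `blank: true` after a full wipe is the evidence the policy "scan" is looking for; a `tail_nonzero` hit on a drive that was only zeroed at the start is exactly the gap Greg describes.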
On 07/16/2013 11:19 PM, Lew Wolfgang wrote:
Of course one test would be to use fdisk to make sure there's no disk partition label, the presumption being that no label == no filesystem == no malware. You need a filesystem to run a "scan". But is this strictly true?
- recently, tried to "dd" bootable Knoppix-Live CD on to usb thumb-drive . . . fdisk saw no partition: but stuff was written to vfat invisible partition [did not succeed to make bootable Knoppix usb thumb-drive] ... best regards
On 07/17/2013 08:39 AM, ellanios82 wrote:
On 07/16/2013 11:19 PM, Lew Wolfgang wrote:
Of course one test would be to use fdisk to make sure there's no disk partition label, the presumption being that no label == no filesystem == no malware. You need a filesystem to run a "scan". But is this strictly true?
- recently, tried to " dd " bootable Knoppix-Live CD on to usb thumb-drive
. . . fdisk saw no partition : but stuff was written to vfat invisible partition
[ did not succeed to make bootable Knoppix usb thumb-drive ] ........................
- is there an obvious reason why a Linux distribution "Knoppix" would choose to use a MSoft file system VFAT for their Live DVD Linux Distribution?? ... best regards
On 2013-07-17 09:17 (GMT+0300) ellanios82 composed:
recently, tried to " dd " bootable Knoppix-Live CD on to usb thumb-drive
Using exactly what command string?
. . . fdisk saw no partition : but stuff was written to vfat invisible partition [ did not succeed to make bootable Knoppix usb thumb-drive ]
Not invisible partition -> partitionless media.
is there an obvious reason why a Linux distribution "Knoppix" would choose to use a MSoft file system VFAT for their Live DVD Linux Distribution ??
What makes you think it does? AFAIK, there's no way VFAT can be used on a DVD any more than can EXT4 or SWAP. -- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On Wednesday, 2013-07-17 at 02:46 -0400, Felix Miata wrote:
What makes you think it does? AFAIK, there's no way VFAT can be used on a DVD any more than can EXT4 or SWAP.
Yes, there is. I burn my DVDs with XFS, not iso9660. I have also used reiserfs, and LUKS encryption.

-- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On 2013-07-17 14:47 (GMT+0200) Carlos E. R. composed:
On Wednesday, 2013-07-17 at 02:46 -0400, Felix Miata wrote:
What makes you think it does? AFAIK, there's no way VFAT can be used on a DVD any more than can EXT4 or SWAP.
Yes, there is. I burn my DVDs with XFS, not iso9660. I have also used reiserfs, and LUKS encryption.
These are bootable so that their malware can autorun? -- Felix Miata
On Wednesday, 2013-07-17 at 10:15 -0400, Felix Miata wrote:
On 2013-07-17 14:47 (GMT+0200) Carlos E. R. composed:
What makes you think it does? AFAIK, there's no way VFAT can be used on a DVD any more than can EXT4 or SWAP.
Yes, there is. I burn my DVDs with XFS, not iso9660. I have also used reiserfs, and LUKS encryption.
These are bootable so that their malware can autorun?
I doubt it, but I have not tried. The "El Torito" standard emulates a floppy, so that the BIOS thinks there is a floppy and boots it. If it sees a hard disk instead it might boot on some BIOS. But I have not tried.

-- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
On Tuesday, 2013-07-16 at 13:19 -0700, Lew Wolfgang wrote:
Of course one test would be to use fdisk to make sure there's no disk partition label, the presumption being that no label == no filesystem == no malware. You need a filesystem to run a "scan". But is this strictly true?
The scan software would refuse, but it is possible to have malware there. Just boot the disk, which reads the first sector, and if there is an MBR in there, all bets are off.
Could the "raw" device contain a filesystem that Windows would see? For example, instead of doing mkfs /dev/sda1, do mkfs /dev/sda. We can then "mount /dev/sda" in Linux, but what about Windows?
I believe you can. I would have to verify, though.
Also, could there be something bad in the MBR that could point to a filesystem not present in the partition table?
Yep. They may define their own filesystem.
Maybe the safest course is to zero both the MBR and the label with dd?
The safest is what Cristian recommended. Otherwise, full dd. Both, I think, as the write to the entire "surface" would trigger write fault errors, which is an advantage with new disks (if they fail the test, return to dealer/manufacturer).

-- Cheers, Carlos E. R. (from 12.3 x86_64 "Dartmouth" at Telcontar)
participants (6)
- Carlos E. R.
- Cristian Rodríguez
- ellanios82
- Felix Miata
- Greg Freemyer
- Lew Wolfgang