
Doing a 100% hard disk erase after malware



#1 rootkid


Posted 07 September 2013 - 10:39 AM

Okay, so I had some kind of malware dropper on my system. My big-name AV failed to remove the dropper. Perhaps there was some rootkit also, defending the dropper. Every day I found dropped files with names that had some patterns in them. This helped me a lot in finding the crap manually.

The AV removed all the dropped files. Then one day, files with names similar to the old names were dropped and the AV could not detect them even in aggressive mode. But I used Norton Power Eraser to kill those files. It seems they crypted them to avoid the AV.

Anyway, I decided to go for a full erasure. I quickly decided to do a DBAN erase.
It's going on now and will take about 7 hours. The method is PRNG, 8 passes. I am on the 6th pass now.

I have the following questions:

1 - Can I just stop before it completes? I feel 6 is enough. Should I eject the CD?

2 - Some malware is known to hide in "secret areas" of the hard disk, as mentioned in the two links below. It seems that DBAN does not cover these secret areas. So a rootkit that resides there can evade DBAN too.

So, is there a tool which can do a 100% erase? Preferably free/open source.
Links about DBAN's limits:

http://techlogon.com/2012/07/07/securely-erase-a-hard-drive-dban-may-not-be-sufficient/


http://answers.microsoft.com/en-us/windows/forum/windows_xp-security/alureon-rootkit-is-too-strong-for-me/21ba1158-a2a8-4be9-bc28-ea698fa06b1b

3 - What are the things one needs to be aware of to ensure a full erase, or for selecting a full-erase tool? E.g. MBR, HPA and all that kind of stuff.

I am posting this from a mobile phone, so please adjust.

Thanks.

Edited by rootkid, 07 September 2013 - 10:53 AM.



#2 rootkid

  • Topic Starter

Posted 07 September 2013 - 10:42 AM

I made the DBAN ISO disk on the compromised system. Hopefully the attackers did not mess with the ISO to ensure persistence. Is that possible? How can I check that that is not the case?
Maybe I am being too paranoid. :(

BTW, I found no manual which addresses the questions I asked. I think those are pretty important questions and should be covered by any detailed manual or review.

Edited by rootkid, 07 September 2013 - 02:31 PM.
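The two checks the thread is asking for, as an added example that is not part of the original posts or of DBAN: question 3 in post #1 (was the MBR actually overwritten, and does the disk read back as wiped?) and the ISO-tampering worry in post #2 (does the DBAN image match a checksum obtained from a trusted source?). The device/image paths, the expected checksum and the sample image are placeholders or constructed data, not anything from the thread. The script reads only through the normal block device, so it cannot see an HPA or DCO region; see the note after the code.

```python
"""Added example (not from the thread or from DBAN): post-wipe sanity checks.

  * mbr_looks_intact()      - does sector 0 still end in the 0x55AA boot signature?
  * first_nonzero_offset()  - does the whole device/image read back as zeros?
  * iso_matches()           - does an ISO match a SHA-256 obtained out-of-band?

Paths and the expected digest are assumptions to be replaced by the reader.
"""
import hashlib
import hmac
import os
import tempfile

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a classic MBR


def mbr_looks_intact(path):
    """True if sector 0 still carries the MBR boot signature.

    After a complete wipe this must be False; a surviving signature means the
    first sector was never overwritten (or something rewrote it afterwards).
    """
    with open(path, "rb") as f:
        sector0 = f.read(SECTOR)
    return len(sector0) == SECTOR and sector0[510:512] == MBR_SIGNATURE


def first_nonzero_offset(path, chunk_size=1 << 20):
    """Scan the whole device/image in chunks (flat memory use on large disks).

    Returns the byte offset of the first non-zero byte, or -1 if every byte is
    zero.  This verifies a zero-fill pass.  A PRNG pass (as in the DBAN run in
    the thread) leaves random data, so there the useful check is the absence
    of recognisable structures such as the MBR signature, not all-zeros.
    """
    offset = 0
    zeros = bytes(chunk_size)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return -1
            if chunk != zeros[:len(chunk)]:
                # Locate the exact byte inside this chunk.
                for i, b in enumerate(chunk):
                    if b:
                        return offset + i
            offset += len(chunk)


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a SHA-256 over a file such as an ISO image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iso_matches(path, expected_hex):
    """Compare the ISO's SHA-256 with a digest copied from the publisher's
    site on a known-clean machine (assumed to be available to the reader).

    An ISO written on a compromised system is rejected before it is booted if
    it does not match.  Constant-time compare is habit rather than necessity.
    """
    return hmac.compare_digest(sha256_of_file(path).lower(), expected_hex.lower())


def make_sample_image(directory):
    """Constructed sample: a tiny image with only an MBR signature set."""
    img = os.path.join(directory, "disk.img")
    with open(img, "wb") as f:
        f.write(b"\x00" * 510 + MBR_SIGNATURE + b"\x00" * 4096)
    return img


if __name__ == "__main__":
    img = make_sample_image(tempfile.mkdtemp())
    print("MBR signature present :", mbr_looks_intact(img))       # True
    print("first non-zero byte at:", first_nonzero_offset(img))    # 510
    print("sha256                :", sha256_of_file(img))
```

Run it against a device (`/dev/sdX` on Linux, as root) or a raw image. A hidden Host Protected Area or Device Configuration Overlay is outside the LBA range the OS exposes, so nothing read through the block device can reach it; on Linux `hdparm -N /dev/sdX` reports whether an HPA is enabled and `hdparm --dco-identify /dev/sdX` reports a DCO, which is the check to run before trusting any software wipe.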
