
Can infections spread to an encrypted partition


13 replies to this topic

#1 SuperSapien64

Posted 15 August 2014 - 12:25 AM

Is it possible for a Windows infection (malware, rootkit, spyware, ransomware, etc.) to spread to or affect files on a highly encrypted partition such as an encrypted Linux installation?

 

Please explain in detail how and why this is or isn't possible.




#2 Didier Stevens

Posted 15 August 2014 - 07:02 AM

Please give more details about your setup. Windows / Linux dual boot?


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 SuperSapien64

Posted 15 August 2014 - 05:13 PM

Please give more details about your setup. Windows / Linux dual boot?

Sure. Windows 7 64-bit and Kubuntu 64-bit with the default GRUB boot manager, and I used a standard Linux installation with no high-grade encryption, but I'm planning to get a separate SSD for Linux distros and preferably I would like to partition the majority of my 2TB HDD (about 1.5TB) for Linux media file storage. And if I use a blend of high-grade encryption algorithms with some open source disk encryption software comparable to TrueCrypt, is there any chance of an infection affecting this partition at all if I use a combination of high-grade encryption techniques?



#4 Didier Stevens

Posted 15 August 2014 - 05:32 PM

If the partitions are fully encrypted, malware will not be able to access the filesystem on the partitions that are not mounted.

 

However, malware will still be able to overwrite the MBRs with malicious code.


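Didier's answer above rests on one premise: that the partition really is fully encrypted, so that raw sectors tell an attacker nothing. The script below is an added example (mine, not code from this thread or from any tool mentioned in it) that reads a partition image the way malware on the Windows side could read the unmounted Linux partition: it looks for known filesystem magics at their fixed offsets and measures byte entropy. The three sample images are constructed in the code: a plaintext NTFS-style image, a random-byte stand-in for a headerless TrueCrypt-style volume, and a LUKS1-style image, included because a LUKS header is plaintext metadata (magic, version, cipher name) even though the data area behind it is encrypted. To run it on a real partition, read the first 64 KiB of the block device as root and pass the bytes to `assess_partition`; the device path you use is your own assumption.

```python
"""Check what raw sectors of a partition reveal: known filesystem headers and byte entropy.

Added example for this thread; the sample images below are constructed, not captured from a real disk.
"""
import math
import os
from collections import Counter

SECTOR = 512

# Fixed-offset magics for common on-disk formats. Offsets are from the start of the partition.
SIGNATURES = [
    (0x03,  b"NTFS    ",     "NTFS boot sector"),
    (0x36,  b"FAT",          "FAT12/FAT16 boot sector"),
    (0x52,  b"FAT32",        "FAT32 boot sector"),
    (0x438, b"\x53\xef",     "ext2/3/4 superblock magic"),
    (0x00,  b"LUKS\xba\xbe", "LUKS header (plaintext metadata, encrypted data area)"),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_signatures(image: bytes) -> list:
    """Return the labels of every known magic found at its expected offset."""
    return [label for off, magic, label in SIGNATURES
            if image[off:off + len(magic)] == magic]


def assess_partition(image: bytes, sample_sectors: int = 64) -> dict:
    """Classify the image from the viewpoint of a reader with no key: structure visible, or opaque?"""
    sigs = find_signatures(image)
    ent = shannon_entropy(image[:SECTOR * sample_sectors])
    if sigs:
        verdict = "recognisable structure: " + "; ".join(sigs)
    elif ent > 7.9:
        verdict = "opaque: no known header and near-random content"
    else:
        verdict = "low-entropy data (zeros or plaintext); not fully encrypted"
    return {"entropy_bits_per_byte": round(ent, 3), "signatures": sigs, "verdict": verdict}


# --- constructed sample images (not real disk data) -------------------------

def make_plain_ntfs_image(sectors: int = 128) -> bytes:
    """Unencrypted NTFS-style partition: jump instruction, OEM ID, boot signature, a file fragment."""
    img = bytearray(SECTOR * sectors)
    img[0:3] = b"\xeb\x52\x90"
    img[3:11] = b"NTFS    "
    img[510:512] = b"\x55\xaa"
    img[SECTOR * 4:SECTOR * 4 + 26] = b"Quarterly report (draft).d"   # constructed plaintext
    return bytes(img)


def make_headerless_encrypted_image(sectors: int = 128) -> bytes:
    """Stand-in for a TrueCrypt-style volume: the header itself is encrypted, so every byte looks random."""
    return os.urandom(SECTOR * sectors)


def make_luks_image(sectors: int = 128) -> bytes:
    """Stand-in for a LUKS1 partition: plaintext magic/version/cipher fields in front of encrypted data."""
    img = bytearray(os.urandom(SECTOR * sectors))
    img[0:6] = b"LUKS\xba\xbe"
    img[6:8] = b"\x00\x01"                     # LUKS1 version, big-endian
    img[8:40] = b"aes".ljust(32, b"\x00")      # cipher-name field
    return bytes(img)


if __name__ == "__main__":
    for name, img in [("plain NTFS", make_plain_ntfs_image()),
                      ("headerless encrypted", make_headerless_encrypted_image()),
                      ("LUKS", make_luks_image())]:
        print(f"{name:22s} {assess_partition(img)}")
```

The entropy threshold is deliberately strict: anything below about 7.9 bits per byte over the first 64 sectors means there is structure an attacker can read, whether that is an unencrypted filesystem or simply unwritten zeroed space that a "quick format" style encryption left in place.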


#5 Kilroy

Posted 17 August 2014 - 06:32 AM

Assume a virus or malware can do anything you can do.  If you can access the file, the virus or malware can access the file.  If you can change the file, the virus or malware can change the file.  This is why it is best to run with the lowest access required to accomplish the tasks you need to complete.



#6 SuperSapien64

Posted 17 August 2014 - 03:14 PM

If the partitions are fully encrypted, malware will not be able to access the filesystem on the partitions that are not mounted.

 

However, malware will still be able to overwrite the MBRs with malicious code.

 

Well, cleaning the MBR by hand can be a real pain, or even attempting to rely on third-party software to identify any unwanted modifications to the MBR might be a bigger waste of time as opposed to doing it by hand; the only guaranteed method is to wipe the drive completely with something like DBAN, of course. And if it spreads to the MBR then it could likely modify the system settings on that partition, so hypothetically even ransomware from a Windows partition could quite easily affect a Unix/Linux partition on the same drive.

 

Assume a virus or malware can do anything you can do.  If you can access the file, the virus or malware can access the file.  If you can change the file, the virus or malware can change the file.

 

Well, I sandbox with SBIE but nothing's totally bulletproof; for instance, once you recover a file (app installer, image, document, etc.) there's only your antivirus/antimalware and firewall to possibly protect you from an infection spreading, especially if you open or attempt to install the files without virtualization. To make matters more complicated, drive-by network hacking is becoming more of a problem, and if they can't penetrate your firewall directly to control your computer then they could attempt to hijack an unencrypted app or system update and infect your machine that way.

 

 

 

This is why it is best to run with the lowest access required to accomplish the tasks you need to complete.

 

Another reason why Linux has better security compared to Windows: all accounts on Linux are non-admin accounts, so any time an app requires root you'll be prompted to enter your password. It would be nice if Microsoft would integrate this feature into Windows 9.


Edited by SuperSapien64, 17 August 2014 - 03:17 PM.


#7 Crazy Cat


Posted 17 August 2014 - 07:36 PM

If the partitions are fully encrypted, malware will not be able to access the filesystem on the partitions that are not mounted.
 
However, malware will still be able to overwrite the MBRs with malicious code.

 
Well, cleaning the MBR by hand can be a real pain, or even attempting to rely on third-party software to identify any unwanted modifications to the MBR might be a bigger waste of time as opposed to doing it by hand; the only guaranteed method is to wipe the drive completely with something like DBAN, of course. And if it spreads to the MBR then it could likely modify the system settings on that partition, so hypothetically even ransomware from a Windows partition could quite easily affect a Unix/Linux partition on the same drive.
Look at http://www.trojanhunter.com/products/mbr-backup/ and https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/

Using MBR Backup and saving it as a file, you'll be able to compare it with the original when you did a fresh OS install. Just compare the original MBR-01-01-2005 with MBR-18-08-2014 using a Hex viewer with the file hex comparison function.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#8 quietman7

Posted 17 August 2014 - 09:39 PM

aswMBR will provide a dump of a clean MBR or infected MBR. Upon the first run the MBR is backed up to the Desktop as MBR.dat and a log is saved.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
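Didier's point that malware can still overwrite the MBR (post #4) and the backup-and-compare advice in posts #7 and #8 (save a dump such as aswMBR's MBR.dat, then compare it with the current sector) come down to: keep a known-good 512-byte copy and diff the live MBR against it. The script below is an added example (mine, not code from this thread or from the tools it names) that does the comparison field by field instead of as a raw hex diff, so a replaced bootstrap sector is reported separately from a changed partition table or disk signature. Both MBRs are constructed in the code; to use it on a real disk, read the first 512 bytes of the raw device (for example /dev/sda on Linux or \\.\PhysicalDrive0 on Windows, both of which need root/administrator rights; these paths are assumptions) and pass them as `current`.

```python
"""Field-by-field comparison of a saved MBR against the current one.

Added example for this thread; both MBRs below are constructed, not dumps from a real disk.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the bootstrap code a bootkit would replace
DISK_SIG_OFF = 440         # 4-byte Windows disk signature
PART_TABLE_OFF = 446       # four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"     # bytes 510..511
ENTRY_FMT = "<B3sB3sII"    # status, CHS first, type, CHS last, LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into the fields worth comparing."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _chs_first, ptype, _chs_last, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
    }


def diff_mbr(baseline: bytes, current: bytes) -> list:
    """Human-readable list of what changed; an empty list means the MBR matches the saved copy."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code changed (bytes 0-439)")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    for pa, pb in zip(a["partitions"], b["partitions"]):
        if pa != pb:
            findings.append(f"partition entry {pa['index']} changed: {pa} -> {pb}")
    if not b["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    return findings


def build_mbr(boot_code: bytes, disk_sig: int, parts: list) -> bytes:
    """Assemble a 512-byte MBR; parts are (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(parts) > 4:
        raise ValueError("boot code too long or too many partitions")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(parts):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xfe\xff\xff", ptype,
                         b"\xfe\xff\xff", lba_start, sectors)      # CHS fields set to the LBA placeholder
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device, e.g. /dev/sda or \\.\PhysicalDrive0 (needs root/admin)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR)


# Constructed layout: a bootable NTFS partition followed by a Linux partition.
LAYOUT = [(True, 0x07, 2048, 204_800), (False, 0x83, 206_848, 409_600)]
BASELINE = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, 0xDEADBEEF, LAYOUT)
# Same partition table and disk signature, but the bootstrap code has been replaced (what a bootkit does).
TAMPERED = build_mbr(b"\xeb\x3c\x90" + b"\xcc" * 128, 0xDEADBEEF, LAYOUT)


if __name__ == "__main__":
    print("clean vs clean:   ", diff_mbr(BASELINE, BASELINE))
    print("clean vs tampered:", diff_mbr(BASELINE, TAMPERED))
```

Hashing the 440 boot-code bytes rather than the whole sector is what makes the check usable day to day: Windows rewrites the disk signature and partition tools rewrite the table legitimately, and each of those shows up as its own finding instead of silently invalidating the whole comparison.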

#9 SuperSapien64


Posted 18 August 2014 - 12:14 AM

 

 

If the partitions are fully encrypted, malware will not be able to access the filesystem on the partitions that are not mounted.
 
However, malware will still be able to overwrite the MBRs with malicious code.

 
Well, cleaning the MBR by hand can be a real pain, or even attempting to rely on third-party software to identify any unwanted modifications to the MBR might be a bigger waste of time as opposed to doing it by hand; the only guaranteed method is to wipe the drive completely with something like DBAN, of course. And if it spreads to the MBR then it could likely modify the system settings on that partition, so hypothetically even ransomware from a Windows partition could quite easily affect a Unix/Linux partition on the same drive.
Look at http://www.trojanhunter.com/products/mbr-backup/ and https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/

Using MBR Backup and saving it as a file, you'll be able to compare it with the original when you did a fresh OS install. Just compare the original MBR-01-01-2005 with MBR-18-08-2014 using a Hex viewer with the file hex comparison function.

 

 

aswMBR will provide a dump of a clean MBR or infected MBR. Upon the first run the MBR is backed up to the Desktop as MBR.dat and a log is saved.

 

Good point, I forgot about cloning utilities. Speaking of which, can Clonezilla back up the MBR? Since it's designed to back up the entire system, which logically should include the MBR, and at the very least it shouldn't have any issues backing up/restoring the MBR on Linux distros.



#10 Scoop8


Posted 18 August 2014 - 08:58 AM

 

Good point, I forgot about cloning utilities. Speaking of which, can Clonezilla back up the MBR? Since it's designed to back up the entire system, which logically should include the MBR, and at the very least it shouldn't have any issues backing up/restoring the MBR on Linux distros.

 

 

I've been cloning Win 7 & XP with Acronis (2011), Macrium Reflect (free ver), and Clonezilla for a few years with no issues (no boot/MBR issues).



#11 SuperSapien64


Posted 18 August 2014 - 11:44 PM

 

I've been cloning Win 7 & XP with Acronis (2011), Macrium Reflect (free ver), and Clonezilla for a few years with no issues (no boot/MBR issues).

Good to know, thanks. By the way, can Clonezilla back up system files (registry, MBR, Windows restore points, etc.) & third-party app data but exclude personal media or document files?

 

 

Look at http://www.trojanhunter.com/products/mbr-backup/ and https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/

Using MBR Backup and saving it as a file, you'll be able to compare it with the original when you did a fresh OS install. Just compare the original MBR-01-01-2005 with MBR-18-08-2014 using a Hex viewer with the file hex comparison function.

Do you know of any open source options besides cloning the MBR that can also backup all stock system files and even third party app data?

 

aswMBR will provide a dump of a clean MBR or infected MBR. Upon the first run the MBR is backed up to the Desktop as MBR.dat and a log is saved.

Wow, I wasn't even aware Avast had developed a tool like this.



#12 Didier Stevens


Posted 19 August 2014 - 01:39 PM

 

 

I've been cloning Win 7 & XP with Acronis (2011), Macrium Reflect (free ver), and Clonezilla for a few years with no issues (no boot/MBR issues).

Good to know, thanks. By the way, can Clonezilla back up system files (registry, MBR, Windows restore points, etc.) & third-party app data but exclude personal media or document files?

 

From reading the description, I don't think it can. It processes disks and partitions, but not individual files.

It knows about the filesystem to back up only used disk space, but I don't think it uses the filesystem to look at files.




#13 Crazy Cat


Posted 20 August 2014 - 01:42 AM

Look at http://www.trojanhunter.com/products/mbr-backup/ and https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/
Using MBR Backup and saving it as a file, you'll be able to compare it with the original when you did a fresh OS install. Just compare the original MBR-01-01-2005 with MBR-18-08-2014 using a Hex viewer with the file hex comparison function.

Do you know of any open source options besides cloning the MBR that can also backup all stock system files and even third party app data?

I've used Image for Windows for many years. http://www.terabyteunlimited.com/image-for-windows.htm

There is also Image for Linux.
http://www.terabyteunlimited.com/image-for-linux.htm | http://www.terabyteunlimited.com/image-for-linux-ss.htm

Also consider this. http://www.winimage.com/ | http://www.winimage.com/winimage.htm

Edited by Crazy Cat, 20 August 2014 - 01:43 AM.

 



#14 SuperSapien64


Posted 26 August 2014 - 11:52 PM

 

Look at http://www.trojanhunter.com/products/mbr-backup/ and https://www.raymond.cc/blog/5-free-tools-to-backup-and-restore-master-boot-record-mbr/
Using MBR Backup and saving it as a file, you'll be able to compare it with the original when you did a fresh OS install. Just compare the original MBR-01-01-2005 with MBR-18-08-2014 using a Hex viewer with the file hex comparison function.

Do you know of any open source options besides cloning the MBR that can also backup all stock system files and even third party app data?

I've used Image for Windows for many years. http://www.terabyteunlimited.com/image-for-windows.htm

There is also Image for Linux.
http://www.terabyteunlimited.com/image-for-linux.htm | http://www.terabyteunlimited.com/image-for-linux-ss.htm

Also consider this. http://www.winimage.com/ | http://www.winimage.com/winimage.htm

 

Thanks Crazy Cat, but they all appear to be proprietary software, though I have nothing against proprietary software. One reason I love the open source model is because they're typically non-intrusive and have no adware junk, but there's plenty of proprietary software like this as well.

 

 

 

 

 

 

BTW I'm planning to purchase separate drives for Linux and Windows, and if I repurpose my current HDD to work as a Windows & Linux cloning/Linux media storage drive, should I virtualize the Linux media partition or the Clonezilla partition? Also, what are the drawbacks to virtualizing a storage partition, and is there any reasonable need to be concerned about the possibility of an infection spreading from a Clonezilla backup file?





