
Unmounted Partition Can be Infected?


18 replies to this topic

#1 Tenis

Tenis

    Bleepin' FX


  • Malware Study Hall Senior
  • 1,151 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:08:24 AM

Posted 25 December 2014 - 05:28 PM

Hi,

Suppose I have two partitions with two OSes.

If I boot from one OS & unmount the drive of the second OS, can malware infect that partition too?

I think it can't, because malware needs a path to infect the files.

I haven't tested it yet.

Can anyone tell me if they have experimented with this?

Regards

Tenis  :warrior:


Edited by tenisverma, 25 December 2014 - 05:30 PM.


#2 rp88

rp88

  • Members
  • 2,895 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:02:54 AM

Posted 25 December 2014 - 05:46 PM

This would be closely related to whether malware can infect a system image upon trying to load it, or infect a recovery partition on the disk. I don't have an answer to this, but I know that whatever the answer to this is, it will apply to those situations also.
Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#3 buddy215

buddy215

  • BC Advisor
  • 12,616 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:West Tennessee
  • Local time:08:54 PM

Posted 25 December 2014 - 05:51 PM

There is no malware that I know of capable of doing that.


“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.” Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#4 Didier Stevens

Didier Stevens

  • BC Advisor
  • 2,620 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:54 AM

Posted 26 December 2014 - 03:11 PM

> I think it can't because malware need a path to infect the files.

Yes, but malware can do other things to propagate than infect files. For example, there is malware that achieves persistence by modifying the MBR.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
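
Added example, not part of the original posts: the MBR mentioned in post #4 sits in sector 0 of the disk, outside every partition, so it can be baselined and re-checked no matter which partitions are mounted. The code parses a classic 512-byte MBR and compares it with a known-good copy; the helper names (`parse_mbr`, `compare`, `build_sample`) and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

BOOT_AREA = 446           # bytes 0..445: boot code (plus disk signature)
ENTRY = "<B3xB3xII"       # status, CHS, type, CHS, LBA start, sector count
SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-area hash and the used partition entries of an MBR."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        offset = BOOT_AREA + 16 * i
        status, ptype, lba, count = struct.unpack(ENTRY, sector[offset:offset + 16])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_sha256": hashlib.sha256(sector[:BOOT_AREA]).hexdigest(),
            "partitions": partitions}


def compare(baseline: dict, current: dict) -> list:
    """List what differs between a known-good MBR and the current one."""
    findings = []
    if baseline["boot_sha256"] != current["boot_sha256"]:
        findings.append("boot code changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample(boot_code: bytes) -> bytes:
    """Constructed test sector: two type-0x07 entries, the first one active."""
    table = struct.pack(ENTRY, 0x80, 0x07, 2048, 204800)
    table += struct.pack(ENTRY, 0x00, 0x07, 206848, 409600)
    return boot_code.ljust(BOOT_AREA, b"\x00") + table + bytes(32) + SIGNATURE


if __name__ == "__main__":
    known_good = parse_mbr(build_sample(b"\xfa\x33\xc0"))  # constructed bytes
    current = parse_mbr(build_sample(b"\xeb\x3c\x90"))     # constructed bytes
    print(compare(known_good, current))
```

To check a real disk, feed `parse_mbr` the first 512 bytes read from the raw device with administrator rights, and keep the baseline somewhere the running OS cannot modify.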


#5 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:The Netherlands
  • Local time:03:54 AM

Posted 26 December 2014 - 03:41 PM

> Yes, but malware can do other things to propagate than infect files. For example, there is malware that achieves persistence by modifying the MBR.


And let's not forget our popular fileless fiend - Poweliks.

#6 Tenis


Posted 27 December 2014 - 03:03 AM

> I think it can't because malware need a path to infect the files.

> Yes, but malware can do other things to propagate than infect files. For example, there is malware that achieves persistence by modifying the MBR.

A master boot record (MBR) is a special type of boot sector at the very beginning of partitioned computer mass storage devices. Source

So it's a part of the partitioned drive. It can't infect the un-partitioned drive. Am I right? Didier Stevens.

> And let's not forget our popular fileless fiend - Poweliks.

Poweliks is a threat located in a registry key.

All registry data is stored on the system drive, which is partitioned.

There is nothing it can do to a non-partitioned drive.

Right?

Let me clarify: I am talking about a partition which has no letter, which means we can't do anything inside that partition (data transfer, changes to files, etc.).

Regards

Tenis  :warrior:

 

 



 

 


#7 Didier Stevens


Posted 27 December 2014 - 03:39 AM

 
> It can't infect the un-partitioned drive. Am I right? Didier Stevens.

I think you mean the "unmounted partition"? Then it is correct.




#8 Tenis


Posted 27 December 2014 - 03:53 AM

Yeah, unmounted partition.

That's also written in the topic name   :)



 

 


#9 Tenis


Posted 27 December 2014 - 10:36 AM

The next question coming to my mind is: can I boot into that unmounted partition?

We unmounted the 2nd OS partition from the 1st OS partition.

Now if I want to boot into the 2nd OS partition, can I?

Is it right? Information about the unmount is only stored in the 1st OS partition (partition letter information).

 

 

 



 

 


#10 Crazy Cat

Crazy Cat

  • Members
  • 808 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Lunatic Asylum
  • Local time:02:54 PM

Posted 27 December 2014 - 05:59 PM

> Suppose I have two partitions with two OSes.
>
> If I boot from one OS1 & unmount the drive of second OS2, can malware infect that partition too?
>
> I think it can't because malware need a path to infect the files.

Attack methodology,

(1) Infect MBR of OS1, that will search and infect any other MBR when mounted.

(2) OS1 mounted, and OS2 unmount. Use the Diskpart Command-Line Utility on OS1 to mount all unmounted partitions.

Diskpart Command-Line Utility. http://support.microsoft.com/kb/300415/en-au
Diskpart. http://ss64.com/nt/diskpart.html


> Next question coming in my mind is: can I boot in that unmounted partition?
> We unmounted 2nd OS partition from 1st OS partition.
> Now if I want to boot in 2nd OS partition, can I?
>
> Is it right? Information about un-mount is only stored in 1st OS partition (partition letter information).

There is a legitimate app that will do what you want, however, it CAN BE USED for malicious intent, so I won't post it.
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#11 Tenis


Posted 28 December 2014 - 03:18 AM

> Attack methodology,
>
> (1) Infect MBR of OS1, that will search and infect any other MBR when mounted.
>
> (2) OS1 mounted, and OS2 unmount. Use the Diskpart Command-Line Utility on OS1 to mount all unmounted partitions.
>
> Diskpart Command-Line Utility. http://support.microsoft.com/kb/300415/en-au
> Diskpart. http://ss64.com/nt/diskpart.html

I am not gonna mount that partition again, ever; that's my purpose of unmounting here.

The 2nd partition is unmounted for OS1 and the 1st partition is unmounted for OS2, so they can't access each other. That's what I want to do.

In that way I can also use the computer for normal work and malware research. (I don't wanna use a VM.)

> There is a legitimate app that will do what you want, however, it CAN BE USED for malicious intent, so I won't post it.

It's okay. :)  I will find it  :grinner:

Tenis :warrior:

 



 

 


#12 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 11,784 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:01:54 PM

Posted 28 December 2014 - 03:50 AM

 

> (1) Infect MBR of OS1, that will search and infect any other MBR when mounted.

Are we talking Linux as 1 OS? And how are we booting said Linux? Is it installed, and where is it installed? Is it a live boot with a persistence file? I could go on and on. What's a virus?


Edited by NickAu, 28 December 2014 - 03:54 AM.


#13 Tenis


Posted 28 December 2014 - 04:01 AM

I'm considering Windows for now.

But yes, a Linux partition doesn't show in Windows.

I'm thinking of doing the same for Windows.

But as much as I know, boot requires a partition letter to boot from a specific partition, and an unmounted partition doesn't have a letter. (I don't know whether it has no letter only for OS1.)



 

 


#14 NickAu


Posted 28 December 2014 - 04:36 AM

Wouldn't a bootkit of some sort do it (Windows)?


Edited by NickAu, 28 December 2014 - 04:55 AM.


#15 Didier Stevens


Posted 28 December 2014 - 06:16 AM

So this is for your viruslab?






