
Recovering files from an infected drive

12 replies to this topic

#1 musicbits (Members, 63 posts)

Posted 06 March 2016 - 08:04 PM

A friend got hit with a handful of infections on Win 7. I got them cleaned up and that PC is running OK but of course there is no way to be certain the drive doesn't have a new and therefore undetected bad actor still on it. My plan is to copy all of the good data from the infected drive, reformat, and then reinstall Win 7. If I install the infected drive in an uninfected Windows 7 PC is there any chance of active infections moving to the uninfected C Drive of this PC?


#2 JohnC_21 (Members, 22,612 posts)

Posted 06 March 2016 - 08:18 PM

Very much so. I would not copy the files using Windows but use a bootable live Linux disk to take Windows out of the picture. You may want to post in the Virus Removal Forum to verify from the Malware Removal Experts if the computer is clean after seeing your logs. See the pinned topics for more information.

If you decide to use a live Linux disk you can burn a Parted Magic ISO to disc. It can be downloaded here. See this guide on using it to recover files to an external USB drive.


Edited by JohnC_21, 06 March 2016 - 08:19 PM.


#3 musicbits (Topic Starter, 63 posts)

Posted 06 March 2016 - 10:43 PM

I was afraid of that. What is the attack vector?



#4 JohnC_21 (Members, 22,612 posts)

Posted 06 March 2016 - 11:09 PM

It depends on the type of malware. A file infector can infect any USB device attached to the computer. I am not an expert in malware but I can say you're better off copying files outside of any Windows system.

I would post in the Virus Removal Section to verify if the computer is clean and, if still infected, what the infection is.



#5 musicbits (Topic Starter, 63 posts)

Posted 06 March 2016 - 11:15 PM

> It depends on the type of malware. A file infector can infect any USB device attached to the computer.

But doesn't it need to execute from the bootable OS?



#6 JohnC_21 (Members, 22,612 posts)

Posted 06 March 2016 - 11:23 PM

That's possible but I would not want to take the chance. For the small amount of time it takes to create a bootable Linux disk, that would prevent any chance of the malware causing any further infection.

For instance there is malware that infects USB drives and any computer that USB flash drive is attached to.

http://www.paretologic.com/resources/newsletter/usb_drives_spreading_viruses.aspx



#7 musicbits (Topic Starter, 63 posts)

Posted 07 March 2016 - 01:10 AM

> That's possible but I would not want to take the chance. For the small amount of time it takes to create a bootable Linux disk, that would prevent any chance of the malware causing any further infection.
>
> For instance there is malware that infects USB drives and any computer that USB flash drive is attached to.
>
> http://www.paretologic.com/resources/newsletter/usb_drives_spreading_viruses.aspx

That article is describing autorun as the vector, which applies to any removable media including CDs and DVDs.



#8 Platypus (Moderator, 13,688 posts, Australia)

Posted 07 March 2016 - 01:39 AM

The point of using a Linux boot CD/DVD is that it is not vulnerable to any Windows malware vector, both because it is Linux, and because its launch media is a read-only medium so cannot receive any infection. If you then copy data files to a USB flash drive or HDD while the Linux OS is running the computer, any Windows infection vector such as an autorun infector is inactive, so cannot infect the removable drive.

This doesn't prevent a copied file from already containing some kind of malware, but the same principle could be applied to checking the copied files, by booting from a non-Windows environment and scanning the drive contents. Two facilities I use for this purpose are Kaspersky Rescue and Emsisoft Emergency Kit:

 

http://support.kaspersky.com/viruses/rescuedisk

 

http://www.emsisoft.com.au/en/software/eek/



#9 musicbits (Topic Starter, 63 posts)

Posted 07 March 2016 - 01:57 AM

I understand that Linux is a great option but that is not my question. I will rephrase.

If Drive 1 is the boot drive and contains an uninfected copy of Windows, and Drive 2 is the infected drive installed as an internal SATA drive, are there any known vectors that would allow rogue code to run from the infected drive without user interaction?


Edited by musicbits, 07 March 2016 - 01:59 AM.


#10 Didier Stevens (BC Advisor, 2,638 posts)

Posted 11 March 2016 - 10:28 AM

> If Drive 1 is the boot drive and contains an uninfected copy of Windows, and Drive 2 is the infected drive installed as an internal SATA drive, are there any known vectors that would allow rogue code to run from the infected drive without user interaction?

 

Yes, there are known vectors. If you want an example, this is something I discovered years ago: http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands/

 

But let's come back to your original problem: copying the data of the "infected" drive to the new drive without copying malware.

Is it only data files that you want to copy? No executables?

And what type of data files? Pictures, Office documents, ...


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#11 musicbits (Topic Starter, 63 posts)

Posted 22 March 2016 - 09:10 AM

> Yes, there are known vectors. If you want an example, this is something I discovered years ago: http://blog.didierstevens.com/2009/03/09/quickpost-jbig2decode-look-mommy-no-hands/

 

Good discovery. Is there a thread here that discusses the other known vectors?



#12 RolandJS (Members, 4,478 posts, Austin TX metro area)

Posted 10 April 2016 - 08:10 AM

Not all data files were safe; some time ago, Word macro "malware" was somehow planted inside numerous DOC files. I believe even some XLS files contained "macro malware."


Edited by RolandJS, 10 April 2016 - 08:10 AM.

#13 Didier Stevens (BC Advisor, 2,638 posts)

Posted 10 April 2016 - 09:07 AM

> Not all data files were safe; some time ago, Word macro "malware" was somehow planted inside numerous DOC files. I believe even some XLS files contained "macro malware."

 

This is a trend that started (again, a revival of sorts) in October 2014. We've seen all types of MS Office documents with malicious VBA macros.
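The advice in this thread adds up to one procedure: boot Linux, copy only data files off the old drive, keep executables out of the copy, and treat Office documents (and other active content) as suspect until scanned. The script below is an added example of that triage step, written for this thread and not code from any poster, Parted Magic, or any product. It is meant to run on the Linux side against a read-only mount of the suspect drive, judging each file by its content rather than its extension, so a PE image renamed holiday.jpg is rejected, an autorun.inf is rejected and its launch directive reported, and Office files are split into macro-free (copied) and macro-bearing (held for review). Hypothetical assumptions: the extension allowlists below, the sample tree built by `demo()` (constructed input), and the UTF-16LE directory-entry name `_VBA_PROJECT` as the indicator of a VBA storage inside a legacy OLE `.doc`/`.xls` file (a heuristic, not a full OLE parse).

```python
"""Triage files pulled off a suspect Windows drive before they reach the new install.

Example code for this thread (not from any poster or product). Run it on the Linux
side against a read-only mount; verdicts are by content, never by extension."""
import io
import os
import shutil
import tempfile
import zipfile

PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF"
MEDIA_MAGICS = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"ID3": "mp3"}
OOXML_EXT = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}  # assumed allowlist
OLE_EXT = {".doc", ".xls", ".ppt"}
TEXT_EXT = {".txt", ".csv"}
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE (heuristic)


def describe_autorun(data: bytes) -> str:
    """Report what an autorun.inf would have launched (open= / shellexecute= lines)."""
    launches = []
    for line in data.decode("latin-1").splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().lower() in ("open", "shellexecute"):
            launches.append(f"{key.strip().lower()}={value.strip()}")
    return "; ".join(launches) or "no launch directive"


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML is a zip; VBA macros live in a vbaProject.bin part (word/, xl/, ppt/)."""
    try:
        names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def classify(name: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'copy', 'review' or 'reject'."""
    ext = os.path.splitext(name)[1].lower()
    if os.path.basename(name).lower() == "autorun.inf":
        return "reject", "autorun.inf, " + describe_autorun(data)
    if data.startswith(PE_MAGIC):
        return "reject", f"PE executable by content, extension {ext!r} ignored"
    for magic, kind in MEDIA_MAGICS.items():
        if data.startswith(magic):
            return "copy", kind
    if data.startswith(ZIP_MAGIC) and ext in OOXML_EXT:
        if ooxml_has_macros(data):
            return "review", "OOXML document carries vbaProject.bin (VBA macros)"
        return "copy", "OOXML document without macros"
    if data.startswith(OLE_MAGIC) and ext in OLE_EXT:
        if VBA_MARKER in data:
            return "review", "OLE document has a _VBA_PROJECT storage (VBA macros)"
        return "copy", "OLE document, no VBA storage seen"
    if data.startswith(PDF_MAGIC):
        return "review", "PDF is active content; scan before opening"
    if ext in TEXT_EXT and b"\x00" not in data:
        return "copy", "plain text"
    return "review", f"content does not match extension {ext!r}"


def triage_tree(src: str, dst: str) -> dict[str, list[str]]:
    """Copy only 'copy'-verdict files from src to dst; return verdict -> 'path: reason'."""
    report = {"copy": [], "review": [], "reject": []}
    for root, _dirs, files in os.walk(src):
        for fname in files:
            path = os.path.join(root, fname)
            rel = os.path.relpath(path, src).replace(os.sep, "/")
            with open(path, "rb") as fh:
                data = fh.read()  # whole file: the zip/OLE checks need more than a header
            verdict, reason = classify(fname, data)
            report[verdict].append(f"{rel}: {reason}")
            if verdict == "copy":
                target = os.path.join(dst, *rel.split("/"))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copyfile(path, target)
    return report


def make_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container, optionally with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"stub")
    return buf.getvalue()


def demo() -> tuple[dict[str, list[str]], set[str]]:
    """Build a constructed sample tree, triage it, return (report, files actually copied)."""
    samples = {  # constructed input: genuine data mixed with disguised code
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "photos/cat.jpg": b"MZ\x90\x00" + b"\x00" * 16,  # PE image renamed to .jpg
        "docs/notes.txt": b"shopping list\n",
        "docs/report.docx": make_ooxml(with_macros=False),
        "docs/invoice.docm": make_ooxml(with_macros=True),
        "docs/letter.doc": OLE_MAGIC + b"\x00" * 8 + VBA_MARKER,
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "old_drive"), os.path.join(tmp, "vetted")
        for rel, data in samples.items():
            path = os.path.join(src, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        report = triage_tree(src, dst)
        copied = {os.path.relpath(os.path.join(r, f), dst).replace(os.sep, "/")
                  for r, _d, fs in os.walk(dst) for f in fs}
    return report, copied


if __name__ == "__main__":
    rep, _ = demo()
    for verdict in ("reject", "review", "copy"):
        for entry in rep[verdict]:
            print(f"{verdict:7s} {entry}")
```

Point `triage_tree()` at the mounted old drive and an empty directory on the destination USB disk; the "review" list is what to feed to the rescue-disk scanner before anything from it is opened on the rebuilt machine. The `_VBA_PROJECT` string match is deliberately conservative: it flags any OLE file that carries a VBA storage, including benign macros, which is the right bias when the question is what to let onto a clean install.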
