Recovering from an infection


18 replies to this topic

#1 musicbits (Members, 63 posts)

Posted 24 December 2016 - 05:31 PM

When working with a Windows based PC that has been infected with malware or ransomware;

 

1) is it 100% safe to recover by doing a factory restore from the hidden restore partitions or are there known instances where malware has compromised the recovery partitions?

 

2) if I create a bootable USB Flash Drive from an ISO image is the Flash Drive at risk of being infected?

 

3) if I create a bootable DVD from an ISO image is the DVD at risk of being infected?


Edited by Orange Blossom, 24 December 2016 - 06:23 PM.
Moved to AII. ~ OB



#2 quietman7, Bleepin' Janitor (Global Moderator, 51,281 posts, Virginia, USA)

Posted 25 December 2016 - 07:38 PM

A "factory restore (reset)" essentially reformats your hard drive, removes all data and restores the computer to the state it was in when you first purchased it. Most computers manufactured and sold by OEM vendors come with a vendor-specific Recovery Disk or Recovery Partition for performing a clean "factory restore". Some factory restore partitions/disks give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the computer. Either way, you will need to reinstall any programs that did not come preinstalled with your computer and run Windows Update to redownload all critical patches.

With that said, infections and severity of damage will vary and there are some types of malware which may resist reformatting. For example, there are some infections (rootkits and bootkits) which can create a hidden partition table and alter (overwrite) the Master Boot Record (MBR) of the system drive to ensure persistent execution of malicious code, and the MBR would need to be repaired. In these cases, FDISK or a similar software utility is typically used to delete the boot partition where the MBR is located and repartition/format a given volume...a separate function. If restoring a full hard drive image, it will replace the MBR since hard drive imaging software also clones the MBR. Other types of malware can infect recovery partitions and even render them unusable. If the recovery partition has become infected, you will need to contact the computer manufacturer, explain what happened and ask them to send full recovery disks to use instead. If you lost or misplaced your recovery disks, again you can contact and advise the manufacturer. In many cases they will send replacements as part of their support or charge a small fee.

Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive hard disk wiping and reinfect a clean disk. This type of malware is very rare, exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS.

This is a quote from my Security Colleague, Elise who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.

These articles explain the complexity of the UEFI (Unified Extensible Firmware Interface), secure boot protocol and exploitation.

Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for cyber-criminals to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.

LiveCD/Rescue CD/USB utilities are tools provided by most anti-virus vendors to assist with difficult-to-remove malware without having to boot into Windows. They are primarily used to boot from and repair unbootable or damaged systems, rescue data, and scan the system for malware infections. With a bootable virus scanning utility, you create a flash drive or CD/DVD disc from a working computer and then use it on an infected machine to scan the hard drive for malware. These types of utilities permit offline scanning, which can disinfect malware from outside the infected Windows system. The advantage of offline scans is that they can be used when the malware is not running and interfering with the clean-up process. Rescue CDs typically come as an ISO image file that can be written to a CD or installed on a USB flash drive, which is then used to boot up the computer to run the live operating system in memory. However, there are some issues to be aware of...see Linux Rescue CD: a help or a hindrance?

List of Anti-virus vendors that offer free LiveCD/Rescue CD utilities


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
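An added example illustrating the MBR checks described in the post above (inspecting sector 0 of the system drive for the kind of alteration a bootkit makes before deciding whether a factory restore can be trusted). This is not code from the post or from any vendor tool. It is a Python script that parses a 512-byte MBR, lists the partition table and compares the 440 bytes of boot code against a known-good SHA-256. The sample sectors are constructed inline; in practice the known-good hash would come from a clean reference (a pre-infection image of the same disk, or the stock boot code for that Windows version), and the sector should be read from rescue media rather than from inside the infected Windows, since a running rootkit can hide the real sector from the OS.

```python
"""Inspect a 512-byte MBR sector and compare it with a known-good copy.

Added example for this thread; it is not code from the original posts. It
assumes the classic MBR layout: 440 bytes of boot code, a 4-byte disk
signature at offset 440, two reserved bytes, four 16-byte partition entries
starting at offset 446 and the 0x55AA marker at offset 510. All sample
sectors below are constructed here for illustration.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"
# status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4), little-endian
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Decode boot-code hash, disk signature, partition table and 0x55AA marker."""
    if len(sector) != MBR_SIZE:
        raise ValueError("an MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, BOOT_CODE_LEN)[0],
        "valid_signature": sector[510:512] == BOOT_SIG,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_boot_sha256: str, disk_sectors: int) -> list:
    """Return a list of findings; an empty list means nothing looked off."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("0x55AA boot signature missing")
    if info["boot_code_sha256"] != known_good_boot_sha256:
        findings.append("boot code differs from the known-good copy")
    if sum(p["bootable"] for p in info["partitions"]) > 1:
        findings.append("more than one partition is flagged bootable")
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partition {a['index']} overlaps partition {b['index']}")
    for p in ordered:
        if p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append(f"partition {p['index']} extends past the end of the disk")
    return findings


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Assemble a sector from boot code and (status, type, lba_start, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, BOOT_CODE_LEN, 0x1234ABCD)  # arbitrary disk signature
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, start, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device (needs root/administrator rights).

    Linux: "/dev/sda"; Windows: r"\\.\PhysicalDrive0" (paths are placeholders).
    """
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


# Constructed "clean" sector: a stand-in boot stub and one NTFS-type (0x07) partition.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * (BOOT_CODE_LEN - 8)
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()
DISK_SECTORS = 2_000_000
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE, [(0x80, 0x07, 2048, 1_000_000)])

# Constructed "tampered" sector: the first bytes of the boot code are patched and a
# second entry has been added that overlaps the real partition.
TAMPERED_BOOT_CODE = b"\xeb\x3c\x90" + CLEAN_BOOT_CODE[3:]
TAMPERED_MBR = build_sample_mbr(
    TAMPERED_BOOT_CODE,
    [(0x80, 0x07, 2048, 1_000_000), (0x00, 0x07, 500_000, 100_000)],
)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD_SHA256, DISK_SECTORS) or ["no findings"])
```

To run it against a real disk, call read_first_sector on the device (root/administrator rights needed) and pass the result to check_mbr together with the disk's sector count. The checks are deliberately simple: a boot-code mismatch, a missing 0x55AA marker, or a partition entry that overlaps another or runs past the end of the disk are the kinds of changes worth a closer look before trusting a factory restore. GPT disks carry only a protective MBR (a single 0xEE entry) and need a different parser for their real partition table.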

#3 musicbits, Topic Starter (Members, 63 posts)

Posted 25 December 2016 - 08:34 PM

Thank you for the very detailed answer to Question #1

 

Anyone have answers for the others?

 

When working with a Windows based PC that has been infected with malware or ransomware;

 

2) if I create a bootable USB Flash Drive from an ISO image is the Flash Drive at risk of being infected?

 

3) if I create a bootable DVD from an ISO image is the DVD at risk of being infected?



#4 quietman7, Bleepin' Janitor (Global Moderator, 51,281 posts, Virginia, USA)

Posted 25 December 2016 - 09:11 PM

If you follow the instructions, there is no need to worry about those 2 questions.

...bootable antivirus solutions...can clean malware from outside the infected Windows system, so the malware won’t be running and interfering with the clean-up process....Using an antivirus boot disc or USB drive is actually pretty simple. You’ll just need to find the antivirus boot disc you want to use and burn it to disc or install it on a USB drive. You can do this part on any computer, so you can create antivirus boot media on a clean computer and then take it to an infected computer.

...Insert the boot media into the infected computer and then reboot. The computer should boot from the removable media and load the secure antivirus environment...No malware will be running in the background while you do this.

 

#5 shadow_647 (Banned, 1,430 posts)

Posted 25 December 2016 - 10:48 PM

All I know is, just to be sure when I'm dealing with a computer that was infected, I use something like this.

 

http://www.killdisk.com/downloadfree.htm

 

Unless we're talking a BIOS virus or something scary, this tactic tends to kill everything virus-like; then you just reinstall after rebuilding the HDD format.



#6 musicbits, Topic Starter (Members, 63 posts)

Posted 26 December 2016 - 12:50 PM

 

quietman7 said:
If you follow the instructions, there is no need to worry about those 2 questions.

I'm doing remote support and the patient doesn't have a clean computer, therefore I can't follow the instructions, so I do need to worry about these questions.

 

When working with a Windows based PC that has been infected with malware or ransomware;

 

2) if I create a bootable USB Flash Drive from an ISO image is the Flash Drive at risk of being infected?

 

3) if I create a bootable DVD from an ISO image is the DVD at risk of being infected?



#7 shadow_647 (Banned, 1,430 posts)

Posted 26 December 2016 - 04:30 PM

If you're using an infected computer to burn DVDs or sticking flash drives in them, then yes, there's always a risk. Why, I don't understand why there's no switch on flash drives like there used to be on floppy disks to make them read-only.



#8 quietman7, Bleepin' Janitor (Global Moderator, 51,281 posts, Virginia, USA)

Posted 26 December 2016 - 04:39 PM

They make flash drives with such a switch...see here.

#9 shadow_647 (Banned, 1,430 posts)

Posted 26 December 2016 - 05:06 PM

Ouch, $40 + tax for a 16 GB drive just to have one with a physical write-protect switch; costly.

Good to know there are some flash drives with a physical write-protect switch, but myself, I think they should all come with one; it should be an industry standard.

Even back in the floppy disk days, if one was dealing with a virus-infected computer, it was well known and a good idea to write-protect all your disks that you used on the infected computer.

I even remember some computer BIOS options back in the day that could make the HDD read-only if you wanted.



#10 musicbits, Topic Starter (Members, 63 posts)

Posted 26 December 2016 - 05:24 PM

Flash drives are out. 

 

Are there any known instances where malware has injected itself onto a DVD that is created from a bootable ISO image?



#11 shadow_647 (Banned, 1,430 posts)

Posted 26 December 2016 - 05:38 PM

I'd have to research the topic, but myself, just to be safe when dealing with a virus-infected computer, I like sticking my DVDs into a DVD drive only, not a DVD burner. I don't know if it's possible to burn a writable DVD more than once, but you know.



#12 quietman7, Bleepin' Janitor (Global Moderator, 51,281 posts, Virginia, USA)

Posted 26 December 2016 - 06:47 PM

This is a quote from AdvancedSetup, Malwarebytes Root Admin (Post #3)

On 9/26/2016 at 4:22 AM, AdvancedSetup said:
...You can get an infected DVD but infections cannot infect one that's already recorded.


Can a piece of malware/virus inject itself into an ISO
Can a virus be transfered to a cd or dvd?

#13 musicbits, Topic Starter (Members, 63 posts)

Posted 26 December 2016 - 07:23 PM

quietman, thank you for your help.

 

Based on those links, do you agree that while it's theoretically possible for malware to attack the ISO burning process, it's highly unlikely?



#14 quietman7, Bleepin' Janitor (Global Moderator, 51,281 posts, Virginia, USA)

Posted 27 December 2016 - 07:04 AM

It's highly unlikely when the DVD has already been recorded and cannot be written to again.

#15 musicbits, Topic Starter (Members, 63 posts)

Posted 27 December 2016 - 09:44 AM

I agree with that statement, but my situation is different.

 

We have burned a live DVD from an ISO on an infected windows PC. Is this DVD at risk of being infected?
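An added example for the question above; it is not code from the thread or from any antivirus vendor. When the only machine available to burn the rescue DVD (or write the USB stick) was the infected one, the practical check is to read the finished medium back and compare it, via SHA-256, both with the ISO it was written from and with the hash the vendor publishes on its download page. The first comparison catches an ISO that was altered before burning; the second catches a medium that does not match the ISO. The script hashes only the first ISO-length bytes of the medium, because a device reads back larger than the image. The sample image and its "published" hash are constructed inline, and the device paths mentioned are placeholders.

```python
"""Verify rescue media written from an ISO against the vendor's published hash.

Added example for this thread; not code from the original posts or from any
antivirus vendor. It assumes you have the ISO's SHA-256 from the vendor's
download page and can open the written medium as a raw device. The sample
image and the "published" hash below are constructed here for illustration.
"""
import hashlib
import io
import os

CHUNK = 1 << 20  # 1 MiB per read


def sha256_prefix(stream, length: int) -> str:
    """Hash exactly `length` bytes from the start of a stream.

    A stick or disc read back as a device is larger than the ISO (trailing
    free space or padding), so only the ISO's length is hashed on both sides.
    Raw device reads generally have to be sector-aligned; ISO images are
    normally a multiple of 2048 bytes, so this works for typical rescue media.
    """
    digest = hashlib.sha256()
    remaining = length
    while remaining > 0:
        chunk = stream.read(min(CHUNK, remaining))
        if not chunk:
            raise IOError(f"medium ended {remaining} bytes short of the image length")
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def verify_media(iso_stream, iso_length: int, media_stream, published_sha256: str) -> dict:
    """Compare ISO-vs-vendor and media-vs-ISO; both flags must be True to trust the medium."""
    iso_hash = sha256_prefix(iso_stream, iso_length)
    media_hash = sha256_prefix(media_stream, iso_length)
    return {
        "iso_matches_vendor": iso_hash == published_sha256.strip().lower(),
        "media_matches_iso": media_hash == iso_hash,
        "iso_sha256": iso_hash,
        "media_sha256": media_hash,
    }


def verify_bytes(iso: bytes, media: bytes, published_sha256: str) -> dict:
    """Convenience wrapper for in-memory data (used by the sample below)."""
    return verify_media(io.BytesIO(iso), len(iso), io.BytesIO(media), published_sha256)


def verify_paths(iso_path: str, device_path: str, published_sha256: str) -> dict:
    """Same check on real files: the downloaded ISO and the raw device it was written to.

    Placeholder device paths: "/dev/sr0" or "/dev/sdb" on Linux,
    r"\\.\CdRom0" or r"\\.\PhysicalDrive1" on Windows (root/administrator needed).
    """
    iso_length = os.path.getsize(iso_path)
    with open(iso_path, "rb") as iso, open(device_path, "rb") as dev:
        return verify_media(iso, iso_length, dev, published_sha256)


# Constructed stand-ins: a 1 MiB "ISO", the hash a vendor would publish for it,
# a faithful copy on a larger medium, and a copy with one byte changed in the
# boot sector area.
ISO_IMAGE = bytes(range(256)) * 4096
PUBLISHED_SHA256 = hashlib.sha256(ISO_IMAGE).hexdigest()
GOOD_MEDIA = ISO_IMAGE + b"\x00" * 8192
_tampered = bytearray(GOOD_MEDIA)
_tampered[0x1FE] ^= 0xFF
TAMPERED_MEDIA = bytes(_tampered)

if __name__ == "__main__":
    for name, media in (("good", GOOD_MEDIA), ("tampered", TAMPERED_MEDIA)):
        result = verify_bytes(ISO_IMAGE, media, PUBLISHED_SHA256)
        print(name, "iso ok:", result["iso_matches_vendor"], "media ok:", result["media_matches_iso"])
```

For a real disc, verify_paths("rescue.iso", "/dev/sr0", "<hash from the vendor page>") does the comparison. Two caveats: the vendor hash has to be obtained on a device you trust, and a verification run on the infected PC is only a sanity check, since malware on that PC could in principle interpose on the reads and return the expected bytes; the assurance comes from running the check, or at least the boot, on something other than the infected machine. A finalized DVD-R cannot be rewritten afterwards, which is why the quoted advice about an already-recorded disc holds; this check is what answers whether the burn itself was faithful.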





