Trojan Malware/Rootkits and Ghost 15 (Read 21709 times)
Lexus23
Trojan Malware/Rootkits and Ghost 15
Jul 30th, 2012 at 2:00pm
 
There is a lot of recent activity on the Norton Internet Security forum regarding a rash of outbreaks of variations of Trojan rootkit infections.

One of the resolutions is imaging software as long as it replaces/rebuilds the MBR during the restore process.
(See the bottom of this linked page).

http://community.norton.com/t5/Norton-Internet-Security-Norton/Symantec-Please-S...

I have Windows 7 with the System Reserved Partition (SRP).

If infection happens, does Ghost 15 replace/rebuild the MBR during a prior image restore?

Automatically? Or with what Options?

Is the MBR on the SRP, or on the Windows 7 Partition?

Also SRP update FYI >>

Per my other post where we discussed the SRP and at the time, you were of the opinion (based on a few friends' input) that the SRP would not need to be restored when restoring the Windows partition to the same drive.  I have now backed up my SRP 20 times over the past 8 months and each time it is progressively larger in size (based on the size of the backed up partition size shown in Windows Explorer).

So perhaps the SRP should be replaced with the Windows 7 partition?

Thanks
 
 
Brian
Re: Trojan Malware/Rootkits and Ghost 15
Reply #1 - Jul 30th, 2012 at 3:43pm
 
@Lexus23

Lexus23 wrote on Jul 30th, 2012 at 2:00pm:
does Ghost 15 replace/rebuild the MBR during a prior image restore? 


Yes. Selecting Restore MBR in Ghost does this. It restores the First Track with the exception of the Disk Signature and Partition Table. There is another option to Restore Disk Signature.

Quote:
Is the MBR on the SRP, or on the Windows 7 Partition? 


Neither. The MBR is outside of all partitions. The First Track is LBA-0 to LBA-62. The "MBR" is usually regarded as LBA-0.

Quote:
So perhaps the SRP should be replaced with the Windows 7 partition?

People don't seem to do this. Maybe the enlarging SRP is due to log files but I don't know.
 
 
NightOwl
Re: Trojan Malware/Rootkits and Ghost 15
Reply #2 - Aug 1st, 2012 at 11:04am
 
@Brian

Quote:
Neither. The MBR is outside of all partitions. The First Track is LBA-0 to LBA-62. The "MBR" is usually regarded as LBA-0.

I don't think there are any versions of Windows that the above is not *true*--I think all the boot loader programming is within the boundaries of the *first track*--but, if you are doing stuff with Linux and/or using the Grub boot loader and not Microsoft's boot loader--recall this thread as to how many sectors may be in use using Grub:  http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1335993593

I'm not sure where in the MBR and/or *first track* *Trojan rootkit infections* would infect a system that has Grub on it!

As you said above, the *first track* is defined as *LBA-0 to LBA-62*.  But, if you're using 2048 alignment and Grub--then the *boot area* is well outside of that area (i.e. it goes to LBA-101 (? or would it be LBA-100?))

Brian wrote on May 2nd, 2012 at 4:19pm:
Edit: Also, if the source drive is using 2048 sector alignment, Grub2 then occupies 101 sectors in the first track, and in that case you have to set First Track Sectors to 101 (or higher), or the target system will not boot. 

I don't know what to call the Grub *boot region*--is there a *name* for the boot area when 2048 alignment is being used?  The author of the above quote seems to be *abusing* the definition of *First Track* as it was classically defined!

Well, my point being:

Lexus23 wrote on Jul 30th, 2012 at 2:00pm:
I have Windows 7 with the System Reserved Partition (SRP).

Is Lexus23's system likely to be 2048 aligned? 

Does Ghost 15 restore the 2048 sector boot region as opposed to the *first track* region (*LBA-0 to LBA-62*)? 

Where would the *Trojan rootkit infections* be located in that 2048 region?

Ouch--my head is hurting again--it's all getting too complicated........


 

____________________________________________________________________________________________

No question is stupid ... but, possibly the answers are ;) !

NightOwl
Re: Trojan Malware/Rootkits and Ghost 15
Reply #3 - Aug 1st, 2012 at 11:33am
 
@Brian

NightOwl wrote on Aug 1st, 2012 at 11:04am:
Where would the *Trojan rootkit infections* be located in that 2048 region?

Okay, answered my own question--should read those other linked posts before asking questions ;)

Quote:
Hi, Apostolos.  Some things to know about how rootkits/bootkits work:



1.  All Windows installations done with "conventional" (IOW "non-EFI" BIOS) use a piece of code embedded in the Master Boot Record (MBR) to start-up the machine.



2.  Rootkits/Bootkits modify this Boot Code for their own nefarious purposes.  If the Boot Code is not properly replaced as part of a reinstall (or a removal process such as Quads performs) - the modified Boot Code will run again each time the machine is rebooted.  This starts the whole cycle-of-infection over again from scratch.

This reminded me--Rootkits put their code only in the MBR--pointing to their *boot loader* code rather than that of Microsoft's--so the problem code for a Rootkit is only in the LBA-0 sector!

There might be other *code* in the boot region associated with the Rootkit--or it may be on the OS partition somewhere, but the real problem code is that *jump to* coding in LBA-0--if it points to the Rootkit, you will continue to have the problem.  Replace that LBA-0 coding--and that destroys the function of the Rootkit.

 

Lexus23
Re: Trojan Malware/Rootkits and Ghost 15
Reply #4 - Aug 1st, 2012 at 12:03pm
 
Now I have a headache :-/

NightOwl you are way over my head.

Is the answer still the same about Ghost 15 replacing my particular MBR set up?

The standard install for Windows 7 is to set up a separate System Reserved Partition (SRP). It is my understanding that Windows 7 utilizes this SRP to (among other things) boot from.
Per Brian > the SRP is set to the "active" partition and *not* the partition that contains the Windows 7 operating system (C:\).

So in easy to understand terms - where is my MBR and how would I ensure that it is restored/rebuilt in the event that I got hit with one of these rootkit infections?

Please reply to me only as respects my Windows 7 Professional 64bit with SRP installation.

Thanks so much :D
 
 
Brian
Re: Trojan Malware/Rootkits and Ghost 15
Reply #5 - Aug 1st, 2012 at 2:23pm
 
@NightOwl

NightOwl wrote on Aug 1st, 2012 at 11:04am:
Is Lexus23's system likely to be 2048 aligned?

Yes.

NightOwl wrote on Aug 1st, 2012 at 11:04am:
Does Ghost 15 restore the 2048 sector boot region as opposed to the *first track* region (*LBA-0 to LBA-62*)?

LBA-0 to LBA-62.

@Lexus23

Lexus23 wrote on Aug 1st, 2012 at 12:03pm:
So in easy to understand terms - where is my MBR and how would I ensure that it is restored/rebuilt in the event that I got hit with one of these rootkit infections?


I've already told you. It's not in the SRP or the Win7 partition. In a Ghost restore there is an option to Restore MBR.
 
 
Lexus23
Re: Trojan Malware/Rootkits and Ghost 15
Reply #6 - Aug 1st, 2012 at 2:49pm
 
Brian - OK

I thought maybe NightOwl had concerns with SRP and whether Ghost 15 would find the MBR.
I also said I did not understand what he was really saying - so thought I better clarify.

NightOwl wrote on Aug 1st, 2012 at 11:04am:
Is Lexus23's system likely to be 2048 aligned?
Does Ghost 15 restore the 2048 sector boot region as opposed to the *first track* region (*LBA-0 to LBA-62*)?
Where would the *Trojan rootkit infections* be located in that 2048 region?

 
 
Brian
Re: Trojan Malware/Rootkits and Ghost 15
Reply #7 - Aug 1st, 2012 at 3:43pm
 
 
 
Lexus23
Re: Trojan Malware/Rootkits and Ghost 15
Reply #8 - Aug 2nd, 2012 at 9:59am
 
Brian,

Thanks so much for that link. It helps explain what we have been discussing.

It also brings up several more questions regarding what Ghost 15 is imaging (I make "cold" images from the uninstalled version of Ghost 15).

The author of the link states:

The MBR ("Master Boot Record") is in the first sector (LBA 0) of the first track (Track 0) of your HDD.  This sector contains your partition table, a randomized DiskID (to differentiate disks), and bootstrap code.  In some contexts, "MBR" refers to just the bootstrap code, while in others it is used to refer to the entire first sector--all three parts.  (Less commonly, some references may also refer to the MBR as being the entire first track.)  The lesson here is don't take the term too literally when reading various articles because you may not be sure what, exactly, they're referring to.

Track 0 is not part of any partition--hence, why it is not typically captured in a partition image.  Think of it like a book with chapters and a table of contents.  Your partitions are the "chapters" and Track 0 contains your TOC.  If you photocopy just one chapter from a book, you don't usually also copy the TOC.

A whole-disk image will capture all parts.  Alternatively, you can achieve the same result with individual images of each partition plus a Track 0 backup.


My system has Windows 7 with the separate SRP. I have 2 HDD @ 1T each.

The Disk 0 has 4 partitions > SRP (no letter, but Ghost shows as D:\), Operating System (C:\), Factory installed original image (F:\), and general data (E:\).
SRP shows as "Active/Recovery", C: shows as "Boot/Primary", F: shows as "Primary" and E: shows as "Logical".

The Disk 1 has 3 partitions > K:\  L:\  M:\  and all show as "Primary".  They are for data storage.

Per the author's comments, the MBR contains 3 items/parts: Partition Table, DiskID, Bootstrap Code.

A whole-disk image will capture all parts.  Alternatively, you can achieve the same result with individual images of each partition plus a Track 0 backup


To my knowledge Ghost 15 does not do whole-disk images, but partition by partition. I do not recall an option to image Track 0. There is an option to restore the MBR.

1. What does Ghost 15 define the MBR as? All three parts? If not, what is it imaging? Is the MBR automatically imaged each time?

2. Is the MBR only on Disk 0?

3. If I image the SRP, C:, F:, D: does Ghost 15 image the MBR once with 4 separate partition images? Or, does it image the MBR 4 times (once with each Partition image?)

4. If only once for all images, and I want to restore only C: plus the MBR, how does Ghost know where to find it?

5. I seem to recall your advice is to always restore multiple images one at a time then reboot after the final restore is complete (maybe this was just when restoring the SRP?).  How does this affect MBR restoration?

6. What about if I image only Disk 1, or only partition K:?  Is the MBR imaged at all?

Thanks in advance.
 
 
Brian
Re: Trojan Malware/Rootkits and Ghost 15
Reply #9 - Aug 2nd, 2012 at 4:13pm
 
@Lexus23

Lexus23 wrote on Aug 2nd, 2012 at 9:59am:
To my knowledge Ghost 15 does not do whole-disk images, but partition by partition. I do not recall an option to image Track 0. 


Whenever Ghost 15 creates a partition image it also backs up the First Track. So if you have 4 partition images you have 4 First Track backups.

Lexus23 wrote on Aug 2nd, 2012 at 9:59am:
What does Ghost 15 define the MBR as? All three parts? If not, what is it imaging? 


Ghost 15 regards the MBR as the First Track. Everything from LBA-0 to LBA-62 is backed up.

Lexus23 wrote on Aug 2nd, 2012 at 9:59am:
Is the MBR only on Disk 0?


Every HD will have a MBR after it has been Initialized in Windows. Basically, if it has partitions it will have a MBR. But not necessarily bootstrap code. I've seen screenshots of several external HDs that only had a Disk Signature and a Partition Table.

Lexus23 wrote on Aug 2nd, 2012 at 9:59am:
I seem to recall your advice is to always restore multiple images one at a time then reboot after the final restore is complete (maybe this was just when restoring the SRP?).How does this affect MBR restoration?


Yes, restore the images one at a time. Reboot when finished all restores. Say you are restoring 4 images. You only have to select Restore MBR once otherwise you are doing the same thing 4 times. But if you do restore it 4 times, no problem.

Lexus23 wrote on Aug 2nd, 2012 at 9:59am:
What about if I image only Disk 1, or only partition K:?Is the MBR imaged at all?


If you image partition K: you will have backed up the First Track on Disk 1 but not the First Track on Disk 0.
 
 
Lexus23
Re: Trojan Malware/Rootkits and Ghost 15
Reply #10 - Aug 2nd, 2012 at 5:12pm
 
Lexus23 wrote on Aug 2nd, 2012 at 9:59am:
What does Ghost 15 define the MBR as? All three parts? If not, what is it imaging? 


Ghost 15 regards the MBR as the First Track. Everything from LBA-0 to LBA-62 is backed up.



So does LBA-0 to LBA-62 mean that all these parts are imaged:
MBR
Partition Tables
Disk Signatures
Bootstrap Code

Per NightOwl comments - does 2048 alignment affect any of this?  What does this mean?

You said earlier > Selecting the Restore MBR option in Ghost restores the First Track with the exception of the Disk Signature and Partition Table. There is another option to Restore Disk Signature.

How do we restore the Partition Table?  The ability to restore the PT seems very important to the author of the link above as the PT can be changed by rootkits also.


Thanks again.
 
 
Brian
Re: Trojan Malware/Rootkits and Ghost 15
Reply #11 - Aug 2nd, 2012 at 6:21pm
 
Lexus23 wrote on Aug 2nd, 2012 at 5:12pm:
So does LBA-0 to LBA-62 mean that all these parts are imaged:
MBR
Partition Tables
Disk Signatures
Bootstrap Code


Sure do. Those components are LBA-0.

Lexus23 wrote on Aug 2nd, 2012 at 5:12pm:
does 2048 alignment affect any of this?What does this mean?


2048 sector alignment (MB alignment) and Cylinder alignment have nothing to do with the First Track. Alignment relates to where the partitions commence. 2048 sector aligned partitions begin on an integer multiple of 2048 sectors. Cylinder aligned partitions begin on an integer multiple of 16065 sectors.

For example if a partition began on LBA-30,972,837,888 it would be 2048 sector aligned.

Lexus23 wrote on Aug 2nd, 2012 at 5:12pm:
How do we restore the Partition Table?


Ghost 15 doesn't restore the partition table with a single image restore. Deliberately, as it would be a dangerous thing to have in the hands of someone who didn't know the potential consequences. Dan describes how to backup the First Track with MBRWork. This backup will include the partition table.

http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1338460705/33#33 (and earlier posts)

Remember, when you restore a partition table you wipe out the present partition table so if you have created new partitions since the backup was created they will be gone after you restore the backup. Keep your backup current.
 
 
Lexus23
Re: Trojan Malware/Rootkits and Ghost 15
Reply #12 - Aug 9th, 2012 at 10:15am
 
Brian wrote on Aug 2nd, 2012 at 6:21pm:
Ghost 15 doesn't restore the partition table with a single image restore


OK, understand the concern with a "single" image restore.

Does Ghost 15 provide an option for a complete drive image restore?

In which case can the partition table be restored?

Or, does Ghost 15 only allow single image (or multiple single images) restoration and therefore absolutely no option to ever restore the partition table?
 
 
Brian
Re: Trojan Malware/Rootkits and Ghost 15
Reply #13 - Aug 9th, 2012 at 3:37pm
 
@Lexus23

Lexus23 wrote on Aug 9th, 2012 at 10:15am:
Does Ghost 15 provide an option for a complete drive image restore?


You can only restore partition images. One at a time.

Lexus23 wrote on Aug 9th, 2012 at 10:15am:
absolutely no option to ever restore the partition table? 


Never. But if you have imaged all partitions on the HD and you restore all images you will have re-created the original partition table.
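As an added example (not code from Ghost 15 and not any poster's), here is a Python model of the First Track and of the restore behaviour Brian describes in Replies #1, #9, #11 and #13. It assumes the standard Windows layout of LBA-0: 440 bytes of bootstrap code, the 4-byte disk signature (DiskID) at offset 0x1B8, four 16-byte partition table entries at 0x1BE and the 55AA marker at 0x1FE. Ghost's own file format is not documented in this thread, so restore_mbr and write_partition_entry are models of the stated behaviour (Restore MBR puts back LBA-0 to LBA-62 except the disk signature and partition table; restoring one partition image writes that partition's table entry, so restoring all of them re-creates the table), not Ghost code. The sample partition layout (loosely Lexus23's Disk 0), the placeholder boot code and the simulated bootkit are all constructed. Two caveats a practitioner would want: an MBR entry stores the start LBA and sector count as 32-bit values, so an LBA such as 30,972,837,888 does not fit in an MBR partition entry at all (struct.pack below would refuse it), and the 2048/16065 alignment test applies to where a partition starts, which is the only thing alignment ever concerns.

```python
"""Added example (not Ghost 15 code and not any poster's): a model of an MBR
disk's First Track, LBA-0 .. LBA-62, and of the restore options discussed above."""
import struct

SECTOR = 512
TRACK_LEN = SECTOR * 63              # LBA-0 .. LBA-62, the area Ghost 15 backs up
BOOT_CODE_LEN = 440                  # bootstrap code: bytes 0x000-0x1B7 of LBA-0
SIG_OFF, SIG_LEN = 0x1B8, 4          # Windows disk signature (DiskID)
PT_OFF, PT_LEN = 0x1BE, 64           # four 16-byte partition table entries
BOOT_MAGIC = b"\x55\xAA"             # bytes 0x1FE-0x1FF
ENTRY = "<B3sB3sII"                  # active flag, CHS, type, CHS, start LBA, sector count

def write_partition_entry(track, index, part):
    """Model of one partition-image restore: (re)write that partition's table entry.
    part = (active, type, start_lba, sectors); CHS fields carry the 0xFE 0xFF 0xFF marker."""
    active, ptype, start, count = part
    out = bytearray(track)
    out[PT_OFF + 16 * index:PT_OFF + 16 * index + 16] = struct.pack(
        ENTRY, 0x80 if active else 0, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", start, count)
    return bytes(out)

def build_first_track(boot_code, disk_sig, parts):
    """LBA-0 = boot code + DiskID + partition table + 55AA, followed by 62 empty sectors."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[SIG_OFF:SIG_OFF + SIG_LEN] = struct.pack("<I", disk_sig)
    mbr[0x1FE:] = BOOT_MAGIC
    track = bytes(mbr) + bytes(TRACK_LEN - SECTOR)
    for i, part in enumerate(parts):
        track = write_partition_entry(track, i, part)
    return track

def parse_mbr(sector0):
    """Split LBA-0 into the three parts named in the thread."""
    if len(sector0) != SECTOR or sector0[0x1FE:] != BOOT_MAGIC:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        active, _, ptype, _, start, count = struct.unpack(ENTRY, sector0[PT_OFF + 16 * i:PT_OFF + 16 * i + 16])
        if ptype:
            parts.append({"index": i, "active": active == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count})
    return {"boot_code": sector0[:BOOT_CODE_LEN],
            "has_boot_code": any(sector0[:BOOT_CODE_LEN]),   # some external disks have none
            "disk_signature": struct.unpack("<I", sector0[SIG_OFF:SIG_OFF + SIG_LEN])[0],
            "partitions": parts}

def alignment(start_lba):
    """Alignment is about where a partition begins; it does not change the First Track."""
    if start_lba % 2048 == 0:
        return "2048-sector (MB) aligned"
    if start_lba % 16065 == 0:       # 255 heads x 63 sectors per cylinder
        return "cylinder aligned"
    if start_lba % 63 == 0:          # e.g. the legacy first partition at LBA-63
        return "track aligned"
    return "unaligned"

def restore_mbr(current, backup):
    """'Restore MBR' as described above: the First Track comes back from the backup
    EXCEPT the disk signature and partition table, which stay as they are on the disk."""
    assert len(current) == len(backup) == TRACK_LEN
    out = bytearray(backup)
    out[SIG_OFF:SIG_OFF + SIG_LEN] = current[SIG_OFF:SIG_OFF + SIG_LEN]
    out[PT_OFF:PT_OFF + PT_LEN] = current[PT_OFF:PT_OFF + PT_LEN]
    return bytes(out)

def simulate_bootkit(track, patch_table=False):
    """Constructed stand-in for an MBR bootkit (no real malware): swap the jump at the top
    of LBA-0, park a payload in the (here unused) First Track sector LBA-10, optionally clear the SRP's active flag."""
    out = bytearray(track)
    out[:16] = b"\xEB\xFE" + b"\x00" * 14              # placeholder 'jmp $' stub
    out[SECTOR * 10:SECTOR * 10 + 32] = b"\xCC" * 32     # placeholder payload
    if patch_table:
        out[PT_OFF] = 0
    return bytes(out)

# Constructed sample, roughly Lexus23's Disk 0. The boot code is a marker, not real code.
PLACEHOLDER_BOOT = b"\xFA\x33\xC0" + b"\x90" * (BOOT_CODE_LEN - 3)
SAMPLE_PARTS = [(True, 0x07, 2_048, 204_800),          # System Reserved Partition, Active
                (False, 0x07, 206_848, 1_024_000),     # C: Windows 7
                (False, 0x07, 1_230_848, 2_048_000),   # F: factory image
                (False, 0x0F, 3_278_848, 500_000)]     # extended container for logical E:

def demo():
    clean = build_first_track(PLACEHOLDER_BOOT, 0xDEADBEEF, SAMPLE_PARTS)
    infected = simulate_bootkit(clean)
    after_mbr_only = restore_mbr(simulate_bootkit(clean, patch_table=True), clean)
    rebuilt = after_mbr_only                             # a table edit survives Restore MBR ...
    for i, part in enumerate(SAMPLE_PARTS):              # ... until every partition image is restored
        rebuilt = write_partition_entry(rebuilt, i, part)
    return {"boot_code_changed": infected[:BOOT_CODE_LEN] != clean[:BOOT_CODE_LEN],
            "restore_mbr_repairs_boot_code_infection": restore_mbr(infected, clean) == clean,
            "srp_active_after_restore_mbr_only": parse_mbr(after_mbr_only[:SECTOR])["partitions"][0]["active"],
            "restoring_all_partitions_rebuilds_table": rebuilt == clean,
            "alignments": [alignment(p["start_lba"]) for p in parse_mbr(clean[:SECTOR])["partitions"]]}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running the file prints the result of demo(): the boot-code change is visible only because a First Track backup exists to compare against, Restore MBR by itself undoes an infection that lives in the bootstrap code and the spare First Track sectors, a partition table edit survives Restore MBR, and only rewriting every partition's entry brings the table back to the backup state. The separate Restore Disk Signature option is the mirror image of what restore_mbr keeps: copying just bytes 0x1B8 to 0x1BB from the backup onto the disk.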
 
 
Lexus23
Re: Trojan Malware/Rootkits and Ghost 15
Reply #14 - Aug 10th, 2012 at 9:21am
 
Brian wrote on Aug 9th, 2012 at 3:37pm:
Never. But if you have imaged all partitions on the HD and you restore all images you will have re-created the original partition table.
           


OK to summarize:

My original question was whether Ghost 15 could/would completely replace/restore the MBR in the event that a rootkit took over any part of it.

MBR meaning:
Track 0 including
Partition Tables
Disk Signatures
Bootstrap Code

I think we established that Ghost 15:

Does not create entire disk images, but partition by partition images.

It does image the entire MBR with each partition image and if you image more than one partition you get an MBR image with each and every partition image.

With a single image restore you have separate options to replace the MBR (Track 0), but it only replaces the Bootstrap Code.  There is a separate option to replace the Disk Signature, and no option to replace the Partition Tables.

If you image the entire HDD of say 3 partitions and the hidden SRP, you get 4 separate partition images and 4 separate complete MBR images.  If you restore ALL Four partition images, you will re-create the original partition table.

>Can you explain why this works?
>Does it matter if the partitions are primary or logical?
>Assume SRP needs to be restored? Does it matter that this is the "active" partition?


I assume/guess you still have to select the options to restore the rest of the MBR and Disk Signature?

And confirm that the re-created partition table will have
overwritten/replaced
any rootkit infected partition table - thus eliminating the problem.

Is this summary correct?


Thanks
 
 