On Wed, 22 Jul 2003, Bret Comstock Waldow wrote:

> You need to worry about the mbr (Master Boot Record) as well as the disk
> partitions.
>
> Keep in mind no malware (virus, etc.) does anything on its own - your
> CPU must be tricked into running it.  Just 'cause there's a sequence of
> bytes somewhere on the disk doesn't mean your system's at risk - it
> must be in the file system so that it can be loaded into memory by your
> OS and the CPU's nose must be pointed at it and told to run it.
>
> I've had circumstances where using fdisk to kill, and then recreate
> partitions allowed me to recover files afterward, but recovery tools
> bypass the directory listings.  Otherwise, if you initialize a
> partition, there's no way for the OS to find the files, load the byte
> sequences, etc., 'cause the facilities the OS uses read the directory
> listing to find the files, which the directory listing says aren't
> there...

Correct.

I did hear about an interesting hack (by a cracker I suppose, but a hack
nonetheless) where a cache of tools was stashed in a hidden file system
located on blocks which the original file system had been told to regard
as bad blocks on the disk.

There's no way to access that cache without already having substantial
control over the system.  It's not the point at which the system becomes
vulnerable.

It's interesting though, which is the sole reason I mention it.

Andrew McNaughton


--

No added Sugar.  Not tested on animals.  May contain traces of Nuts.  If
irritation occurs, discontinue use.

-------------------------------------------------------------------
Andrew McNaughton           In Sydney
                            Working on a Product Recommender System
[EMAIL PROTECTED]
Mobile: +61 422 753 792     http://staff.scoop.co.nz/andrew/cv.doc



-- 
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
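Bret's first point, that the MBR needs watching as much as the partitions do, is the kind of thing a defender can check mechanically. The following is an added example (not code from either poster): it parses a 512-byte MBR image, validates the 0x55AA boot signature, decodes the four partition-table entries, and compares a SHA-256 of the 446-byte boot-code region against a baseline taken from a known-good copy. The sample MBR bytes and the baseline hash are constructed inline; on a real system the 512 bytes would come from an image of the first sector of the disk, and the baseline from a trusted earlier snapshot.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries follow
ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_entry(raw):
    """Decode one 16-byte partition entry (status, CHS start, type, CHS end,
    LBA start, sector count) into a dict; CHS fields are skipped."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", raw)
    return {
        "bootable": status == 0x80,
        "type": ptype,
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(sector):
    """Validate the boot signature and return boot-code hash plus used entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * ENTRY_LEN
        raw = sector[off:off + ENTRY_LEN]
        if raw == b"\x00" * ENTRY_LEN:
            continue  # unused slot
        entries.append(parse_entry(raw))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
    }


def check_mbr(sector, known_boot_hash):
    """Return a list of findings; an empty list means the MBR matches expectations."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != known_boot_hash:
        findings.append("boot code differs from baseline")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    # Partition ranges should not overlap; sort by LBA start and compare neighbours.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"])
                   for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            findings.append("partition entries overlap")
            break
    return findings


def build_sample_mbr():
    """Constructed sample: trivial boot code, one bootable Linux partition
    (type 0x83) followed by a swap partition (type 0x82), two empty slots."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)  # jmp $ then NOPs
    e1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x83, b"\x00\x00\x00",
                     2048, 1048576)
    e2 = struct.pack("<B3sB3sII", 0x00, b"\x00\x00\x00", 0x82, b"\x00\x00\x00",
                     1050624, 262144)
    empty = b"\x00" * ENTRY_LEN
    return boot_code + e1 + e2 + empty + empty + BOOT_SIGNATURE


if __name__ == "__main__":
    sample = build_sample_mbr()
    baseline = parse_mbr(sample)["boot_code_sha256"]   # taken from the known-good copy
    print("clean image findings:", check_mbr(sample, baseline))
    altered = bytearray(sample)
    altered[0] = 0x90                                   # one byte of boot code changed
    print("altered image findings:", check_mbr(bytes(altered), baseline))
```

The useful part is the baseline comparison: a partition table can look perfectly sane while the boot code in front of it has been replaced, so the hash of bytes 0..445 is what catches a modified loader, and the table checks catch the cruder cases (no bootable partition, or entries that overlap).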
