Viruses That Infect Recovery Partitions on Windows Computers

Are there any viruses that infect the recovery partitions of Windows
computers?

What are they?

What tools are effective against them?

Re: Viruses That Infect Recovery Partitions on Windows Computers

On Tue, 06 Aug 2013 12:49:05 -0400


Factory Restore hidden partitions/drives? Basically, no, unless it was infected at the factory or at or before the time it was created and hidden. If you are talking about 'restore points' of the system restore feature - then yes.

[...]


Re: Viruses That Infect Recovery Partitions on Windows Computers

FromTheRafters has written on 8/6/2013 1:17 PM:

The former.

Can you tell me why this is true? Is there something about that
partition that prevents an infection?

Re: Viruses That Infect Recovery Partitions on Windows Computers

On Tue, 06 Aug 2013 13:58:36 -0400


Nothing special to prevent an infection, but not a likely target for infection. There *are* malware types that create a hidden partition and alter the boot axis to include it, but that's not the same as a virus targeting an already existing hidden partition for corruption or infection.

Re: Viruses That Infect Recovery Partitions on Windows Computers


Or trojanizing (patching) the MBR.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
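The two posts above describe malware that adds a hidden partition to the boot path and malware that patches the MBR boot code. The following is an added example (not code from any poster) of the defender's check for both: parse the 512-byte MBR, list the partition table entries with their type codes, and compare the 446-byte boot code against a known-good hash. The "baseline" and "tampered" MBR images are constructed inline; the boot-code bytes are a placeholder, not real boot code.

```python
"""Parse a 512-byte MBR, list its partition table and compare the boot code
against a known-good baseline. The sample MBRs built below are constructed
for this example; they are not images of any real disk."""
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446          # the partition table follows the 446-byte boot code
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Standard MBR partition type codes relevant on Windows machines.
PARTITION_TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 (LBA)",
    0x17: "hidden NTFS",
    0x1C: "hidden FAT32 (LBA)",
    0x27: "Windows RE / hidden recovery",
    0xEE: "GPT protective",
}
HIDDEN_TYPES = {0x17, 0x1C, 0x27}


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble an MBR from boot code and (bootable, type, lba_start, sectors) tuples."""
    table = b""
    for bootable, ptype, lba_start, sectors in entries:
        # CHS fields are left zeroed; modern tooling relies on the LBA fields.
        table += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                             ptype, b"\0\0\0", lba_start, sectors)
    table = table.ljust(4 * ENTRY_SIZE, b"\0")
    return boot_code.ljust(TABLE_OFFSET, b"\0")[:TABLE_OFFSET] + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "label": PARTITION_TYPES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "lba_start": lba_start, "sectors": sectors,
        })
    return {"boot_code_sha256": hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def check_mbr(mbr: bytes, baseline_boot_sha256: str, expected: set) -> list:
    """Findings: boot code changed, or a partition entry not in the expected layout."""
    parsed = parse_mbr(mbr)
    findings = []
    if parsed["boot_code_sha256"] != baseline_boot_sha256:
        findings.append("boot code differs from baseline (possible MBR patching)")
    for p in parsed["partitions"]:
        if (p["type"], p["lba_start"], p["sectors"]) not in expected:
            findings.append(f"unexpected entry {p['index']}: type 0x{p['type']:02X} "
                            f"({p['label']}) at LBA {p['lba_start']}, {p['sectors']} sectors")
    return findings


# Constructed baseline: placeholder boot code, a recovery partition and the OS partition.
BASELINE_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 100  # placeholder bytes
BASELINE_LAYOUT = [(False, 0x27, 2048, 1024000), (True, 0x07, 1026048, 200000000)]
BASELINE_MBR = build_mbr(BASELINE_BOOT_CODE, BASELINE_LAYOUT)
BASELINE_HASH = parse_mbr(BASELINE_MBR)["boot_code_sha256"]
EXPECTED = {(t, s, n) for _, t, s, n in BASELINE_LAYOUT}

# Constructed "after" image: first boot-code bytes altered, third hidden partition appended.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + BASELINE_BOOT_CODE[2:],
                         BASELINE_LAYOUT + [(False, 0x17, 201026048, 65536)])

if __name__ == "__main__":
    for name, image in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_HASH, EXPECTED) or ["no findings"])
```

On a real machine the baseline hash and expected layout would be recorded once from a known-clean system and the check rerun from trusted boot media, since a compromised running system can lie about its own first sector.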


Re: Viruses That Infect Recovery Partitions on Windows Computers

David H. Lipman has written on 8/6/2013 5:16 PM:

????

Wouldn't a "Windows 8 Reset" overwrite the MBR?

Re: Viruses That Infect Recovery Partitions on Windows Computers

On Tue, 06 Aug 2013 17:58:53 -0400


Not specifically mentioned in the documentation for "reset" so I doubt it.

http://www.techspot.com/guides/630-windows-8-boot-fix/

Re: Viruses That Infect Recovery Partitions on Windows Computers

On Tue, 6 Aug 2013 17:16:19 -0400

I imagine a 'payload' could corrupt data on such hidden partitions - it's best to have your restore option(s) kept safely away from malicious programs.

Re: Viruses That Infect Recovery Partitions on Windows Computers

FromTheRafters has written on 8/6/2013 6:03 PM:

What's a "payload"?

How do I keep restore option(s) away from malicious programs???

Re: Viruses That Infect Recovery Partitions on Windows Computers


When discussing malicious activity, the payload is the malware that is  
foisted upon the unsuspecting computer user.


--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Viruses That Infect Recovery Partitions on Windows Computers

David H. Lipman has written on 8/6/2013 7:49 PM:

Your use of single quotes in your original message made me think you
had some other definition.

How do I keep my restore option(s) away from malicious programs???

Re: Viruses That Infect Recovery Partitions on Windows Computers

On Wed, 07 Aug 2013 01:25:31 -0400


I believe that was me, not David. I put the quotes there because asking if a virus can "infect" something is quite different from asking if its associated payload can corrupt something. As an example, consider a restore partition that keeps all the needed information for getting the machine software back to a clean factory condition. Some of the information there is code (programs) which 'can' be "infected" by a virus and when later these programs get executed they in turn can 'infect' more programs - this is what viruses do even if there is no actual 'do stuff' payload.

Then, consider that the entire restore partition is encrypted and the decryption 'program' isn't there but is kept somewhere else where a virus can't get to it. In that case there is no way the partition can get 'infected' because there is no 'code' to 'infect' - only data which can be corrupted but not infected.


A lot depends upon how much value you place on your data and programs. I suggest using two imaging programs (for type diversity in case one 'restore' program doesn't work anymore) and making more than one image using each program and keeping them in separate locations (space diversity) so that a disaster won't be able to take out all copies at once.

This is in addition to your normal 'full backup' and subsequent 'incremental backups' of data which may or may not be stored locally - but I suggest they also 'not' be.
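The advice above is to keep more than one image, made by more than one tool, in more than one location. An added example (not the poster's code) of the check that makes that practice worth anything: a manifest of expected SHA-256 hashes per image, verified against every storage location, so a copy that has silently rotted or been overwritten is noticed before it is needed. The locations and image contents are constructed in a temporary directory for the example.

```python
"""Verify that each backup image exists as at least N intact copies in
separate locations. Locations and image contents below are constructed."""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_copies(manifest: dict, locations: list, min_copies: int = 2) -> dict:
    """manifest maps image file name -> expected SHA-256 hex digest.
    Returns, per image, the locations holding an intact copy, the locations
    holding a corrupt copy, and whether the image meets the copy threshold."""
    report = {}
    for name, expected in manifest.items():
        good, corrupt = [], []
        for loc in locations:
            path = os.path.join(loc, name)
            if not os.path.exists(path):
                continue  # absent here; may still be present elsewhere
            (good if sha256_file(path) == expected else corrupt).append(loc)
        report[name] = {"ok": len(good) >= min_copies and not corrupt,
                        "good": good, "corrupt": corrupt}
    return report


def demo() -> dict:
    """Build two constructed locations: one image copied intact to both,
    a second image intact in one place and damaged in the other."""
    with tempfile.TemporaryDirectory() as root:
        locs = [os.path.join(root, "local_disk"), os.path.join(root, "usb_drive")]
        for loc in locs:
            os.makedirs(loc)
        image_a = b"constructed-image-from-tool-one-" * 1000   # stand-in for an image file
        image_b = b"constructed-image-from-tool-two-" * 1000
        manifest = {"sys-tool1.img": hashlib.sha256(image_a).hexdigest(),
                    "sys-tool2.img": hashlib.sha256(image_b).hexdigest()}
        for loc in locs:
            with open(os.path.join(loc, "sys-tool1.img"), "wb") as f:
                f.write(image_a)
        with open(os.path.join(locs[0], "sys-tool2.img"), "wb") as f:
            f.write(image_b)
        with open(os.path.join(locs[1], "sys-tool2.img"), "wb") as f:
            f.write(image_b[:-1] + b"X")   # simulated single-byte corruption
        return verify_copies(manifest, locs)


if __name__ == "__main__":
    for name, status in demo().items():
        print(name, "OK" if status["ok"] else "FAIL", status)
```

The manifest itself should live with the offline copies (or be written down), not only on the machine being protected, for the same reason the images should not.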

Re: Viruses That Infect Recovery Partitions on Windows Computers

FromTheRafters has written on 8/7/2013 7:25 AM:

I'm still not sure what the difference between a virus and a payload is.

Are you indeed saying that programs that are stored on a
restore/recovery partition are indeed exposed to viral infection?


I see. I think the poster meant "Keep your backup/restore/recovery
images -- as well as your backups -- away from where a malicious program
can get at them, such as on removable media."

Re: Viruses That Infect Recovery Partitions on Windows Computers


A virus is just a title based upon the taxonomy of a malware being able to  
self replicate.

The payload is the objective.

Whether malware is a trojan (which needs assistance to spread) or a virus  
(which spreads autonomously) malware has an objective and that's the  
payload.

Example:
Take a space rocket that is to release a communications satellite.  The  
rocket is the delivery platform and the payload is the communications  
satellite.

Take an AutoRun worm.  The delivery platform is the AutoRun/AutoPlay  
facility of Windows to spread the malware but the objective or payload may  
be to steal data such as software licenses, passwords, BitCoins, etc.

Take a spam bot.  Its delivery vehicle can be a trojan or virus but the  
objective is to send spam from your computer.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Viruses That Infect Recovery Partitions on Windows Computers

David H. Lipman has written on 8/7/2013 4:30 PM:

?? The objective would be to release the commsat and not the commsat
itself.


You're dealing with a level way beyond me! :-)

When "people" talk about "viruses" and "malware" and "getting infected",
they generally mean that something got "on" their computer and is making
it do things the owner did not intend.

So a "malicious program" MAY be the delivery agent or it may be
delivered via some other vehicle, and whatever the malicious program
does is its objective.

Re: Viruses That Infect Recovery Partitions on Windows Computers


Malware is just a shortened form of the two words MALicious and softWARE.  
Malware consists of three major classes: viruses, trojans and exploit code.  
This becomes the taxonomy.  Each of them can be broken down to sub-classes  
based upon various elements of the function or action.


Yes.

Take a file infecting virus that may prepend, append or cavity inject  
malicious code into a legitimate file.  The virus itself is malware and the  
payload could be the simple concept of spreading from file to file and  
computer to computer.

Take the Lovsan/Blaster worm.  It probed the network for vulnerable  
computers and if the computer was vulnerable it used a Buffer Overflow with  
an Elevation of Privileges to compromise the networked computer through TCP  
port 135 (RPC/DCOM).  The payload was to drop a blaster.exe file on the  
compromised computer and then execute it.  Thus the now infected computer  
seeks out more vulnerable computers thus spreading autonomously.

Take a web site that is serving up exploits.  When the visitor accesses the  
site it tests the visitor with a laundry list of vulnerabilities and if the  
conditions are met then an attempt will be made to exploit the specified  
vulnerability/vulnerabilities.  If the attempt(s) is/are successful the  
payload of the exploitation is to drop some sort of malware on the visitor's  
computer and execute it directly or indirectly.

--  
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp


Re: Viruses That Infect Recovery Partitions on Windows Computers

David H. Lipman has written on 8/7/2013 5:59 PM:

So, let's go back to "how can a recovery partition get infected?".

Re: Viruses That Infect Recovery Partitions on Windows Computers

Juan Wei, while unnecessarily full-quoting previous messages, wrote:

Juan - don't get into a useless argument with Rafters and Lipman.

They really don't have any operationally-useful information to give you
about how malware can, or does, interact with the recovery partition on
a windoze machine.

But they will spend hours talking about how to properly (and
inconsequentially) apply the terms virus, trojan and worm - terms
developed to describe ancient and primitive forms of malware
that existed in the 1980's and 1990's - to today's more sophisticated
internet-based malware.

They will always steer technical questions such as yours in that
direction, because it obfuscates and diverts the direction of the thread
away from your question and towards a direction where they can write
paragraphs about - which will generally not be useful to you.

Re: Viruses That Infect Recovery Partitions on Windows Computers

On Wed, 07 Aug 2013 18:16:45 -0400


Answer the question then. Be sure to not include the ideas of "infection" or "virus" in your answer.


Re: Viruses That Infect Recovery Partitions on Windows Computers

On Wed, 07 Aug 2013 22:46:43 +0000, FromTheRafters wrote:


:-)

Thane
