Re: rootkit & re image from partition



David H. Lipman wrote:

> From: "Sebastian Gottschalk" <seppi@xxxxxxxxx>
>
> | David H. Lipman wrote:
> |
> |>> What tells you that the rootkit didn't modify the recovery image as
> |>> well?
>
> Recovery images are in proprietary archive formats
> |
> | And that's about how reliable.
> |
> usually in Read-Only format.
> |
> | The malware doesn't care about a read-only flag.
> |
> Therefore that scenario is extremely unlikely.
> |
> | You haven't been around for long? Writing to other filesystems, certain
> | archive types and certain encodings has become a standard feature.
>
> Long enough to know that malware can't insert itself into a proprietary
> archive,

Um... who said proprietary? You're ASSuming something to prove your point,
which means you know you're wrong. You're diddling the rules trying to
make reality conform to your unrealistic argument.

Fact is, at least two major PC manufacturers use "industry standard"
compression on a partition that relies mostly on the <cough> security of
never being mounted under normal usage. Buy the library, or reverse
engineer it, and mount the partition, and you're in like Flint.

> read-only medium

Umm, you DO realize that a partition isn't its own medium, right? That
it's really just part of a R+W medium known commonly as a "hard drive",
and is made "read only" because of certain software "switches", right?

> and change such things as Registry and other
> configuration settings.

Simplicity defined once you're in.

> Next thing you'll tell me the RootKit has infected the BIOS! Rubbish.

Not as of yet, but it was once widely argued that you couldn't get a virus
from simply viewing an image, too. :(

It's certainly within the realm of possibility, but such an infectious
piece of code would be either well contained, or a monster, because of the
huge variety of BIOS platforms it would have to contend with. IOW, the
only reason we DON'T see a flash BIOS virus in the real world is because
it's IMPRACTICAL.

Try Googling 'bimorph.a' some time. It's a proof of concept that could
EASILY be modified to replicate, except where would it go? It's highly
BIOS specific, as any such virus must be.

If a common denominator "flaw" is found between BIOS brands and versions,
that will change, as surely as the popularity of Micro$oft products has
helped enable "macro viruses" and similar malware.

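As an added illustration of the "software switch" point made above (this is example code written for this page, not anything posted in the thread): the "hidden" type byte in an MBR partition entry is just one byte in a table on the same read/write disk as everything else, so anything with raw-disk access can read or write the recovery partition regardless of it. The script parses a constructed MBR, finds the recovery entry by its type byte, and hashes the partition's raw bytes so they can be compared with a baseline taken from a trusted boot; it then flips one byte inside the "read-only" partition to show the flag did nothing to stop the write. The disk image, partition layout, baseline hash and the helper names (`build_image`, `check_recovery`) are all constructed here; against a real machine you would read the block device itself from a known-clean boot medium.

```python
"""Parse an MBR partition table and integrity-check a 'hidden' recovery
partition by hashing its raw bytes.

Added example, not code from the original thread. The disk image, the
partition layout and the baseline hash are constructed below so the
script runs offline; on a real system the image would be the whole block
device read from a trusted boot medium."""
import hashlib
import struct

SECTOR = 512
# A few common MBR partition type bytes. "Hidden" types differ from the
# visible ones by a single byte in the table; raw-disk code is not bound by it.
TYPES = {
    0x07: "NTFS/exFAT",
    0x0C: "FAT32 LBA",
    0x1C: "Hidden FAT32 LBA",
    0x12: "Compaq diagnostics / OEM recovery",
    0x27: "Hidden NTFS (Windows RE)",
}
HIDDEN_TYPES = (0x12, 0x1C, 0x27)


def parse_mbr(sector0):
    """Return (index, type_byte, start_lba, sector_count) for each non-empty
    primary entry in the 64-byte partition table at offset 446."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        _status, _chs1, ptype, _chs2, start, count = struct.unpack_from(
            "<B3sB3sII", sector0, 446 + 16 * i)
        if ptype != 0:
            entries.append((i, ptype, start, count))
    return entries


def hash_partition(image, start_lba, count):
    """SHA-256 over a partition's raw bytes. The 'hidden' type byte is
    irrelevant here: the bytes sit on the same R+W medium as the OS."""
    begin = start_lba * SECTOR
    return hashlib.sha256(image[begin:begin + count * SECTOR]).hexdigest()


def build_mbr(entries):
    """Build a 512-byte MBR from (type, start_lba, count) tuples.
    Constructed test data, not a dump of a real disk."""
    sector = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, 446 + 16 * i,
                         0x00, b"\0\0\0", ptype, b"\0\0\0", start, count)
    sector[510:512] = b"\x55\xAA"
    return bytes(sector)


def build_image():
    """Tiny constructed disk: MBR at LBA 0, an OS partition (type 0x07,
    4 sectors at LBA 1) and a hidden recovery partition (0x27, 3 sectors at LBA 5)."""
    mbr = build_mbr([(0x07, 1, 4), (0x27, 5, 3)])
    os_part = b"OSOS" * (4 * SECTOR // 4)
    recovery = b"RECV" * (3 * SECTOR // 4)
    return mbr + os_part + recovery


def check_recovery(image, baseline):
    """Locate the hidden recovery entry and compare its hash to a baseline
    recorded from a known-clean state. Returns (type_name, matches)."""
    hidden = [e for e in parse_mbr(image[:SECTOR]) if e[1] in HIDDEN_TYPES]
    if not hidden:
        raise ValueError("no hidden/recovery partition in MBR")
    _, ptype, start, count = hidden[0]
    return TYPES[ptype], hash_partition(image, start, count) == baseline


if __name__ == "__main__":
    clean = build_image()
    baseline = hash_partition(clean, 5, 3)   # recorded from the clean image
    print(check_recovery(clean, baseline))   # ('Hidden NTFS (Windows RE)', True)
    # Simulate code with raw-disk access writing one byte into the
    # "read-only" recovery partition: the type byte does not prevent it.
    tampered = bytearray(clean)
    tampered[5 * SECTOR + 100] ^= 0xFF
    print(check_recovery(bytes(tampered), baseline))  # ('Hidden NTFS (Windows RE)', False)
```

The check only means something if the baseline and the comparison are taken from an environment the suspect OS never controlled, i.e. boot from separate media and hash the device from there; a hash computed from inside a rooted system can be lied to like anything else.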