Malware that Attacks Recovery Software
Dogbiscuit
October 15th, 2007, 10:10 PM
Anyone familiar with malware that attacks recovery software, so an image can't be restored if the machine is infected?
farmerlee
October 15th, 2007, 11:37 PM
Never had any malware that's specifically done that. There have been a few threads in the past about malware that specifically targets restore/recovery software. If you keep your backup images isolated from your main system you shouldn't have any problems imo.
Mrkvonic
October 16th, 2007, 02:16 AM
Hello,
Most recovery programs have the ability to create a bootable CD for restore operations. Thus, it does not really matter what's on the disk, if anything.
Mrk
Dogbiscuit
October 16th, 2007, 02:31 AM
I ran across some malware that corrupted the image backup software itself, though not the image (it seemed). Since it also disabled some other features of Windows, we couldn't reinstall the recovery software to restore the saved image we had. Running the software from the bootable emergency CD, which is also supposed to restore a backup image, failed. (Of course, the user was running as admin, though fully updated and using IE7.)
I didn't know if this is common or not, since it is the first time I can remember seeing something like this.
ErikAlbert
October 19th, 2007, 10:25 PM
My Recovery CD and external hard disk are off-line and are only used in my off-line snapshot, which has no internet connection.
So malware will have a very hard time infecting these objects.
Malware can infect ShadowProtect under Windows in theory, which is installed in my off-line snapshot, but it has to
1. install itself first in my on-line snapshot and then
2. it has to jump from my on-line snapshot to my off-line snapshot
It has to jump very quickly and before the next reboot or it's removed.
Frankly, I'm not really worried about this. ;D
Peter2150
October 19th, 2007, 10:59 PM
{QUOTE-> I ran across some malware that corrupted the image backup software itself, though not the image (it seemed). Since it also disabled some other features of Windows, we couldn't reinstall the recovery software to restore the saved image we had. Running the software from the bootable emergency CD, which is also supposed to restore a backup image, failed. (Of course, the user was running as admin, though fully updated and using IE7.)
I didn't know if this is common or not, since it is the first time I can remember seeing something like this. <-QUOTE}
Not sure this makes much sense to me. Most of the imaging programs can image in Windows, but can't restore in Windows unless it's something like Acronis setting up a restore, and then rebooting and doing the restore from its secure zone.
But if you are counting on that you are counting on wishful thinking. Since the whole point really is to restore in case of a failed or totally trashed disk, images should be kept off disk, and the recovery medium should also be off disk, i.e. a recovery CD. Also this should be tested to make sure it works, before you need it.
That being said, there is one piece of malware, Killdisk, that can mess up the disk so you can't restore an image right off the bat. What is required is using something like diskpart and deleting the corrupted partition table. Then you can restore the disk.
Pete
Mrkvonic
October 20th, 2007, 04:01 AM
Hello,
TestDisk can recover the partition table.
Comes on SystemRescueCD, Knoppix live CD etc.
Also comes in a Windows flavor.
Mrk