Malware that Attacks Recovery Software

Discussion in 'malware problems & news' started by Dogbiscuit, Oct 15, 2007.

Thread Status:
Not open for further replies.
  1. Dogbiscuit

    Dogbiscuit Guest

    Anyone familiar with malware that attacks recovery software, so an image can't be restored if the machine is infected?
     
  2. farmerlee

    farmerlee Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    2,585
    Never had any malware thats specifically done that. There's been a few threads in the past about malware that specifically targets restore/recovery software. If you keep your backup images isolated from your main system you shouldn't have any problems imo.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Most recovery programs have the ability to create a bootable CD for restore operations. Thus, it does not really matter what's on the disk, if anything.
    Mrk
     
  4. Dogbiscuit

    Dogbiscuit Guest

    I ran across some malware that corrupted the image backup software itself, though not the image (it seemed). Since it also disabled some other features of windows, we couldn't reinstall the recovery software to restore the saved image we had. Running the software from the bootable emergency CD, which is also supposed to restore a backup image, failed. (Of course, the user was running as admin, though fully updated and using IE7.)

    I didn't know if this is common or not, since it is the first time I can remember seeing something like this.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    My Recovery CD and external harddisk are off-line and are only used in my off-line snapshot, which has no internet connection.
    So a malware will have a very hard time to infect these objects.

    A malware can infect ShadowProtect under Windows in theory, which is installed in my off-line snapshot, but it has to
    1. install itself first in my on-line snapshot and then
    2. it has to jump from my on-line snapshot to my off-line snapshot
    It has to jump very quickly and before the next reboot or it's removed.

    Frankly, I'm not really worried about this. :D
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Not sure this makes much sense to me. Most of the imaging programs can image in windows, but can't restore in windows unless it's something like acronis setting up a restore, and the rebooting and doing the restore from it's secure zone.

    But if you are counting on that you are counting on wishful thinking. Since the whole point really is to restore in case of a failed or totally trashed disk, images should be kept of disk, and the recovery medium should also be off disk, ie a recovery CD. Also this should be tested to make sure it works, before you need it.

    That being said there is one piece of malware Killdisk, that can mess up the disk so you can't restore an image right off the bat. What is required is using something like diskpart and deleting the corrupted partition table, Then you can restore the disk.

    Pete
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    TestDisk can recover the partition table.
    Comes on SystemRescueCD, Knoppix live CD etc.
    Also comes in a Windows flavor.
    Mrk
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.