Can I get infected from a second hard disk on startup?

Discussion in 'other security issues & news' started by dialxdrop, Oct 13, 2010.

Thread Status:
Not open for further replies.
  1. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    Let's say I had two hard disks: a) a clean hard disk + OS and b) an infected hard disk.

    If I were to boot up from the clean hard disk, would there be any way for the malware on the 2nd HD to infect my clean HD/system? (Assuming you don't mess with the infected HD once your OS loads.)
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    I would say no.

    If your 2nd HD, or indeed another partition, has malware files stored on it, as mine has, unless you actually run them, they just sit there doing nothing ;)

    So as long as your HD/partition with the OS on it isn't infected in ANY way, there won't be any cross-contamination :)

    Do you think/know you have malware on your 2nd HD ?
     
  3. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35
    OK, great, that's what I figured. And no, I don't think I am infected on that 2nd HD; I just wanted to be sure.

    BTW, do you know if a full HD format will eliminate 100% of all malware on that HD? (All types of malware, locations, hidden, bad sectors, rootkit, MBR, first track, etc.) I understand a full wipe like Secure Erase will do the trick, but it would be easier/faster with a full format.

    And if so, it doesn't matter if I do a WinXP HD manager format vs. a Paragon HD manager format, right?
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  5. katio

    katio Guest

    Actually yes, it's possible. I can think of several different attacks. Using a specially crafted hard disk or filesystem you could try to either exploit the FS driver (though I only know of DoS attacks, as in CVE-2006-6053) or exploit the SATA driver (I only know of attacks against USB, and only DoS again, e.g. CVE-2006-2936).
    Then there are the high-level attacks like autorun, volume shadow/system restore, the recent LNK vuln, and other exploits against Windows Explorer, which has a pretty large attack surface with all the features it's got. Anyone notice how Windows Vista/7 likes to put a hidden system partition on a free second HDD if it finds one during installation? Maybe it can be fooled into running code from such a fake partition? Worth an investigation...

    And here's a really nice one:
    If the BIOS is configured to first look for a system on the "other" disk, you can launch a very nifty attack. Put a small hypervisor on it which then boots the real operating system. Full access in Ring -1.
    Of all the mentioned attacks it's the most reliable and realistic one, because it already exists in the form of "Blue Pill".

    From a security and forensics standpoint it's never a good idea to attach an untrusted storage device which gets auto mounted. But it's less about security and more about avoiding tampering with evidence.
     
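The two points above that a practitioner will want to check for themselves are post 3's question (does a format remove everything, including the MBR?) and post 5's boot-order attack (code in sector 0 of the "other" disk runs before the real OS). The following is an added example, not code from the thread or from any of the posters: it parses a classic MBR, then simulates a partition format on a constructed in-memory disk image to show that the format rewrites the partition's own sectors but never touches sector 0, so whatever sits in the boot-code area (here a harmless, made-up marker string, not real boot code) survives until the first sector itself is overwritten. The disk layout, partition sizes and marker bytes are all assumptions made for the demonstration.

```python
"""Parse an MBR and show what a partition format does and does not overwrite.

Added example (not from the original thread). The disk image, "boot code" and
partition layout are constructed here purely for illustration.
"""
import struct

SECTOR = 512
PT_OFFSET = 446            # partition table starts after 446 bytes of boot code
BOOT_SIG = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR.

    partitions: up to four (bootable, type_id, lba_start, sector_count) tuples.
    """
    if len(boot_code) > PT_OFFSET:
        raise ValueError("boot code must fit in the first 446 bytes")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (bootable, type_id, lba_start, count) in enumerate(partitions[:4]):
        off = PT_OFFSET + 16 * i
        mbr[off] = 0x80 if bootable else 0x00     # status byte: 0x80 = active
        mbr[off + 1:off + 4] = b"\xff\xff\xff"    # CHS start (unused, LBA wins)
        mbr[off + 4] = type_id                     # e.g. 0x07 = NTFS/exFAT
        mbr[off + 5:off + 8] = b"\xff\xff\xff"    # CHS end (unused)
        struct.pack_into("<II", mbr, off + 8, lba_start, count)
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector: bytes) -> dict:
    """Report signature validity, whether the code area is non-zero, and partitions."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    parts = []
    for i in range(4):
        off = PT_OFFSET + 16 * i
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if type_id == 0:          # empty table entry
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type": type_id,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        "valid_signature": bytes(sector[510:512]) == BOOT_SIG,
        "boot_code_present": any(sector[:PT_OFFSET]),   # any non-zero byte before the table
        "partitions": parts,
    }


def quick_format_partition(disk: bytearray, part: dict) -> None:
    """Simulate a partition format: rewrite the partition's sectors, nothing else."""
    start = part["lba_start"] * SECTOR
    end = start + part["sectors"] * SECTOR
    disk[start:end] = bytes(end - start)


def wipe_first_sector(disk: bytearray) -> None:
    """What a whole-disk wipe (or zeroing sector 0) does that a format does not."""
    disk[:SECTOR] = bytes(SECTOR)


def demo() -> dict:
    # Constructed stand-in for sector-0 code: an infinite-loop jmp plus a marker.
    fake_boot_code = b"\xeb\xfe" + b"EXAMPLE-BOOTCODE"
    # One active NTFS-typed partition at LBA 8, 64 sectors long (assumed layout).
    mbr = build_mbr(fake_boot_code, [(True, 0x07, 8, 64)])
    disk = bytearray(mbr) + bytearray(SECTOR * 71)
    # Give the partition a recognisable volume boot record prefix (constructed).
    vbr_off = 8 * SECTOR
    disk[vbr_off:vbr_off + 11] = b"\xeb\x52\x90NTFS    "

    before = parse_mbr(disk[:SECTOR])
    vbr_before = bytes(disk[vbr_off:vbr_off + 11])

    quick_format_partition(disk, before["partitions"][0])
    after_format = parse_mbr(disk[:SECTOR])
    vbr_after = bytes(disk[vbr_off:vbr_off + 11])
    code_intact = bytes(disk[:len(fake_boot_code)]) == fake_boot_code

    wipe_first_sector(disk)
    after_wipe = parse_mbr(disk[:SECTOR])

    return {
        "before": before,
        "after_format": after_format,
        "after_wipe": after_wipe,
        "vbr_before": vbr_before,
        "vbr_after": vbr_after,
        "boot_code_survived_format": code_intact,
    }


if __name__ == "__main__":
    r = demo()
    print("after format :", r["after_format"], "code intact:", r["boot_code_survived_format"])
    print("after wipe   :", r["after_wipe"])
```

Running it shows the volume boot record zeroed by the "format" while sector 0 still carries a valid signature, a bootable entry and the marker bytes; only `wipe_first_sector` clears them. That is the practical difference between a partition format and a full wipe that post 3 asks about, and the sector a BIOS would execute from in post 5's boot-order scenario. On a real disk the same check is reading the first 512 bytes of the raw device (as root/Administrator) into `parse_mbr`; GPT disks keep a protective MBR in sector 0, so a bootable entry there is still worth looking at.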
  6. dialxdrop

    dialxdrop Registered Member

    Joined:
    Sep 21, 2010
    Posts:
    35

    Katio, so even if I log into Windows from the clean OS and don't touch the other hard drive, I can still get infected? (No accessing the other HD at all, turn off the BIOS looking for a system on the other disk, etc.)

    And the DoS attacks are only if you somehow access the other drive? If you just start up straight into Windows, that should be fine, right?

    Well, can I at least log into a live CD like UBCD4Win or a live Linux CD and move/transfer my clean data (while the compromised drive is attached)? As long as I don't touch the infected drive, this should be okay, right? Or even if I moved infected data around, as long as I don't activate it somehow, it should be fine, correct?
     
  7. katio

    katio Guest

    When Windows starts up it automatically mounts all attached drives, so an attack based on a crafted FS would still be triggered even if you don't access it. If you use a different OS and mount it, the same applies, only it's probably not possible to attack both the native NTFS driver of Windows and NTFS-3g in Linux at the same time.

    You are fine either way; to my knowledge there's never been such an attack, PoC or in the wild. In other words, a BIOS rootkit or a backdoored CPU is more likely than that - or the proverbial meteorite strike... Really, don't worry about it. I just mentioned it because I thought these are "cool" exploits; didn't want to scare you ;)
     