Detect hidden volumes (not TC)

Discussion in 'other security issues & news' started by gambla, Oct 9, 2011.

Thread Status:
Not open for further replies.
  1. gambla

    gambla Registered Member

    Joined:
    Sep 4, 2007
    Posts:
    161
    Location:
    Frankfurt, Germany
    Hi guys,
    is there any way for "Power Users" (not Computer Forensic Technicians) to detect any hidden volumes as described below? For sure it's not possible within the compromised OS, but what about Boot CDs?


    "The developers who created ZeroAccess were "very smart," in that they used various "creative" low-level methods that made it almost impossible to remove the malware without somehow damaging the host operating system, said Koziol. The rootkit uses device drivers to create hidden volumes on the hard drive that are virtually impossible to detect using normal techniques. The hidden partition is still there even if data is deleted or if the volume is formatted."

    cheers,
    gam
     
  2. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I know that you can see hidden Windows Restore volumes (Dell, HP, etc.) using a Linux Live CD and GParted. I do not know about the ZeroAccess hidden volumes.

    I do not have enough experience with the Partition Wizard bootable CD. I would guess that it would show hidden volumes. I know that it has options for destroying data ("zero" write, "one" write + "zero" write, etc.). I am not sure if you can destroy data on just one volume or if it only destroys data on the whole hard drive.

    http://www.partitionwizard.com/partition-wizard-bootable-cd.html
     
  3. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    The hidden volume is used for storage and works with the driver and, although an interesting approach, isn't too important in the removal of the infection - to see the virtual volume use forensic tools :). For damage, I haven't looked at recent ZeroAccess/Max++ samples, but in the x64 version there's a BSOD on reboot if the autorun was deleted without repairing the registry key.
     
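    As an added example (not posted by anyone in this thread): from a Linux Live CD, one offline check for space that no visible partition claims is to read the MBR partition table off the raw disk and list unallocated runs. The script below does that for an MBR-partitioned disk or image; the device path, the 2048-sector threshold and the sample table are my assumptions.

```python
import struct

SECTOR = 512

def parse_mbr(mbr: bytes):
    """Return (start_lba, sector_count, type) for each used primary MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA signature missing")
    entries = []
    for i in range(4):
        off = 446 + 16 * i            # partition table starts at byte 446
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0xEE:
            raise ValueError("protective MBR: disk is GPT, parse the GPT instead")
        if ptype != 0 and count:
            entries.append((start, count, ptype))
    return entries

def find_gaps(entries, total_sectors, min_gap=2048):
    """Return (start_lba, length) for unallocated runs of at least min_gap sectors.
    A gap is only a lead: alignment padding and vendor recovery areas are
    legitimate, so compare the result with what GParted/forensic tools show."""
    gaps = []
    cursor = 1                        # LBA 0 holds the MBR itself
    for start, count, _ in sorted(entries):
        if start - cursor >= min_gap:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if total_sectors - cursor >= min_gap:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample_mbr(parts):
    """Constructed test data: an MBR holding the given (start, count, type) entries."""
    mbr = bytearray(SECTOR)
    for i, (start, count, ptype) in enumerate(parts):
        off = 446 + 16 * i
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def scan_disk(path="/dev/sda"):
    """Read the MBR from a block device or raw image and report unallocated runs."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
        f.seek(0, 2)
        total_sectors = f.tell() // SECTOR
    return find_gaps(parse_mbr(mbr), total_sectors)
```

    Run it from the Live CD as root against the physical disk rather than from inside the suspect OS, since a kernel driver can hide the volume from tools running on the infected system.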