So killdisk virus will kill FDISR and make disk unrecoverable?

Discussion in 'FirstDefense-ISR Forum' started by Horus37, May 9, 2007.

Thread Status:
Not open for further replies.
  1. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Was reading somewhere that FDISR is vulnerable to the killdisk virus? So even if we have an offline archive it won't help? What do you do to protect from killdisk then, just a ShadowProtect image?
     
  2. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes, FDISR itself is very vulnerable to the killdisk virus.
    Even the Recovery CD of an Image Backup software can't be used.
    You first have to zero your harddisk and then you can use a Recovery CD to restore an image from your external harddisk.

    Sandboxie was able to stop killdisk.
    I don't know what kind of file killdisk is; if it is an executable, Anti-Executable will stop it as an unauthorized executable on my computer.

    I consider killdisk as peanuts. Not a problem.
     
  3. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I'd like to run killdisk virus against powershadow to see what happens. However I'll leave that up to someone else that has vmware and can do the test inside a vm.
     
  4. EASTER.2010

    EASTER.2010 Guest

    There's a lot of stir lately due to KillDisk virus tests that mention zeroing the disk. Can someone please post an example link to the program or programs that safely & completely zero the drive? I assume it must be run from a DVD/CD or even floppy, thanks.
     
  5. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Peter uses DiskPart. I think it's also on a CD, because Peter's disk was heavily corrupted by killdisk. Even his Recovery CD of ShadowProtect didn't work.

    I use a tool from Western Digital, which can only be used on these harddisks:
    WD Raptor WD740GD HDD 74gb 10000rpm SATA 8mb Cache 4.5ms.
    I downloaded an iso-file and burned it on a CD.
    It zeroes my harddisk in 20 minutes, after that it's like a new harddisk.

    If I were you I would go to the manufacturer's website of your harddisk(s) and see if it provides tools to do things to your harddisk. If not, you have to use a general tool to zero your harddisk. :)
     
  6. EASTER.2010

    EASTER.2010 Guest

    WoW. That's rough indeed. Scary thought.

    Thanks, I'll do that. I think I even have DiskPart somewhere here in this stack of HDs, it's just a matter of digging it out.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Yes indeed scary, I couldn't even believe it; you don't expect this at all.
    After zeroing his harddisk, Peter's Recovery CD worked again and he could restore an image from his external harddisk.

    I prefer to zero my harddisk after each malware attack because you never know for sure if there are any leftovers on your harddisk.
     
  8. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I've used Darik's Boot and Nuke that completely nukes your hard drive with anything you want, zeros or random data. I think you can make it from Eraser ver 5.82 as well.

    This is a huge list of disk zeroing utilities.

    http://dban.sourceforge.net/
     
  9. EASTER.2010

    EASTER.2010 Guest

    Thanks Horus37

    I didn't know that Darik's was the same as say a DiskPart in its zeroing function, and since I've been using Eraser since its inception I have their Nuker too. I'll just use that.

    Regards EASTER
     
  10. kennyboy

    kennyboy Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    404
    Just in case, the Seagate Diagnostic program available from their website will zero any drive apparently. Not just their own drives.
    This Killdisk sounds terrible!!
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Killdisk is terrible. Not quite completely true that the ShadowProtect CD wouldn't recover. No, it won't recover with the standard restore techniques, but it does have a partition editor, and all you have to do is open the editor and replace all the random numbers with zeros and then go back and do the restore. That works fine.

    Problem is most software that works with partitions uses the Microsoft calls to do anything with the partition, even just to check its presence. If the partition is corrupt, they just fail. Great.

    What this does really highlight though is you should image your whole disk. If your disk has a c: drive, which you image frequently, and say a d: for data as well as a hidden recovery partition as many do, then you are in a bit of trouble, as zeroing out the partition zeros out the disk, and if all your image has is c: that's all you get back.

    Finally Powershadow. I suspect it will fail just like FDISR. Eazfix and Rollback survive as they don't really use the windows file system, which can be good and bad. I do believe Powershadow, like FDISR does use the windows file system, and if so I'll bet it will be taken out.

    Pete

    PS I'll test it if someone can point me to an "easy" way to get a copy. From reading the posts I get the feeling of having to jump through Chinese-language hoops to get it and I just don't feel like doing that.
     
  12. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    I doubt it can take down powershadow. Kill disk can't take down some sandbox type applications and I'm assuming that since this powershadow runs virtualized I'd lean towards 51% that it will survive an assault.

    Here is a link to powershadow for a free 30 day trial.

    http://powershadowsecurity.com/default.aspx

    Just download the 2.6 version that only runs on XP, NOT Vista. It is fully in English so you don't have to worry about Chinese.

    When you initially run it, it will install a preboot like FDISR does. The very first time you see this preboot screen you have to select the normal UNSHADOWED selection to go into first so it installs correctly the first time. After that, the next time you boot and see the preboot screen you can pick the single shadow mode first. Then have at it. Even if it locks up the computer or BSODs the computer, the computer will still be protected by powershadow. I don't know if it works on raid 0 though.

    Sounds like a good test for Easter to try. He's more familiar with it. Why don't you send him the kill disk virus and see. Either way I'd be surprised if it can take down powershadow.
     
    Last edited: May 9, 2007
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I only have to know if killdisk virus is an executable or NOT.
    If it is an executable, Anti-Executable will stop it and AE is on my computer.
    If AE isn't able to stop it, no problem. ShadowProtect will solve it after zeroing my harddisk. I'm getting tired of repeating myself.

    Peter has experience with the killdisk virus.
     
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    I've got the download, thanks. I would suggest Easter not try unless he's got a good virtual machine. I run this thing only in the VMware virtual machine which is a great test, but doesn't put the system at risk.

    Erik, I got it as an executable, but I don't know how it comes if it was in the wild.

    Horus, Sandboxie stops it because it blocks the install of a service. If you can, say, install KAV in a shadowed situation, knowing you'd lose it, I suspect PS will fall. Will test later.

    Pete
     
  15. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. It doesn't really matter. I will kill it anyway. Thanks for the info.
    It's a pity that killdisk doesn't zero my harddisk. ;)
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Well I am surprised, but for Power Shadow users delightfully so. Power Shadow, like Sandboxie, shrugged off Killdisk and kept right on truckin'.

    I tried running it on my Desktop (raid 0). It didn't run, although I suspect it wasn't the raid but some other conflict.

    Anyway, test over and PS passed.
     
  17. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    Just a quick question about killdisk. Shouldn't most AVs detect it nowadays?
     
  18. Horus37

    Horus37 Registered Member

    Joined:
    Jan 4, 2007
    Posts:
    328
    Easter has thrown some nasty stuff at it too and it didn't do anything to powershadow either. I've landed on some bad websites that planted a few viruses on me and when I logged out of powershadow it erased it like coming out of a sandbox on reboot, nothing. It erases before shutdown, unlike a frozen snapshot that does it after a reboot. Not bad for powershadow, being it's free. I'm a bit surprised though that killdisk didn't at least lock it up or BSOD the puter. Feel a little better now. All this talk of boot sector viruses and kill disk and CMOS chip viruses and BIOS viruses makes one a bit on edge.

    How do you know it executed correctly and fully implanted into the system with a full killdisk load? Since powershadow is only a virtualizer and not a denier of running services or executables, I'm wondering what happens when killdisk unleashes on an unprotected computer? Does it need a reboot to do its thing?
     
    Last edited: May 9, 2007
  19. Long View

    Long View Registered Member

    Joined:
    Apr 30, 2004
    Posts:
    2,295
    Location:
    Cromwell Country
    Peter2150, how did you manage to get Killdisk? Was it as part of your testing or did it happen naturally?
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Absolutely. I have to disable KAV to run the thing. KAV won't let it run even if I tell it to.
     
  21. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    Horus

    Once it runs it shuts the system down. When you reboot, you get an "Invalid Partition Table" error.

    Pete
     
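Pete's "Invalid Partition Table" error above, and the partition-editor fix in post 11 of replacing the random numbers in the table with zeros, both come down to the 512-byte MBR at the start of the disk. As an added example that is not from this thread or from any product named in it, this Python script parses an MBR and lists the structural reasons a BIOS would reject its partition table; the sample MBRs are constructed inline and the disk size is an assumed value.

```python
import struct

MBR_SIZE = 512
TABLE_OFFSET = 446               # four 16-byte partition entries live at 446..509
BOOT_SIGNATURE = b"\x55\xAA"     # bytes 510..511; without it the BIOS rejects the MBR
ENTRY_FMT = "<B3xB3xII"          # status, CHS start (skipped), type, CHS end (skipped), LBA start, length

def parse_partition_table(mbr: bytes) -> list:
    """Return the four MBR partition entries as dicts."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr: bytes, disk_sectors: int) -> list:
    """List the reasons a partition table is structurally invalid; [] means it looks sane."""
    problems = []
    if mbr[510:512] != BOOT_SIGNATURE:
        problems.append("boot signature 0x55AA missing at offset 510")
    used, active = [], 0
    for n, e in enumerate(parse_partition_table(mbr), start=1):
        if e["status"] not in (0x00, 0x80):
            problems.append(f"entry {n}: status byte 0x{e['status']:02X} is neither 0x00 nor 0x80")
        active += e["status"] == 0x80
        if e["type"] == 0 and e["sectors"] == 0:
            continue                                   # empty slot
        end = e["lba_start"] + e["sectors"]
        if e["lba_start"] == 0 or e["sectors"] == 0:
            problems.append(f"entry {n}: zero start LBA or length")
        if end > disk_sectors:
            problems.append(f"entry {n}: ends at sector {end}, beyond disk end {disk_sectors}")
        for m, (s, t) in used:                         # any overlap with an earlier entry
            if e["lba_start"] < t and s < end:
                problems.append(f"entry {n} overlaps entry {m}")
        used.append((n, (e["lba_start"], end)))
    if active > 1:
        problems.append(f"{active} entries flagged active; at most one is allowed")
    return problems

def build_mbr(entries: list) -> bytes:
    """Constructed sample MBR (no boot code) from (status, type, lba_start, sectors) tuples."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE

DISK_SECTORS = 2_000_000                                            # assumed ~1 GB disk
HEALTHY_MBR = build_mbr([(0x80, 0x07, 63, 1_000_000)])              # one bootable NTFS partition
TRASHED_MBR = bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))  # stand-in for a garbage-filled sector
```

Running `check_mbr(HEALTHY_MBR, DISK_SECTORS)` returns an empty list, while the trashed sector fails the boot-signature check and several entry checks, which is the state a partition editor has to zero out before an image restore can see the disk again.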
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,057
    I acquired it from someone who was testing it. One shouldn't play with this stuff unless you are really equipped to deal with it. This one isn't a simulator you can uninstall, it really does trash your disk. I ran it in a VMware machine.

    Pete
     
  23. EASTER.2010

    EASTER.2010 Guest

    Looks like yet another WINNER! Go Power Shadow!!! :thumb:

    I suspected it would pass also but don't have the KillDisk trojan to test it on. BTW, I have a test box with XP Pro plus VMware so I would take steps accordingly. In case anyone hasn't experienced it or even run into it, I turned loose a pretty good disaster virus named HardDrive Killer which I would almost bet KillDisk is patterned after. It sunk my laptop at a time when I was still rather green in this area. Time & testing makes for great experience and precaution. LoL
     
  24. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    As long as I can fix it with FDISR and Image Backup, I'm not scared of any infection.
    I'm only afraid of hardware infections, because I can't handle them and there isn't much info about them either.
    The rest is peanuts as long as you keep your archives/images up-to-date.
     
  25. EASTER.2010

    EASTER.2010 Guest

    That is oh so true Erik and is the KEY to it all.

    I keep my archives completely up-to-date but I'm ATM limited to a single Image backup right now. That will change soon. I envision storing at least 3 FULL BACKUP IMAGES on 3 separate external media (METAL), to have at disposal, to turn to in the event of any major disaster.
    I'm waiting only another day or so (the 10th) to pick up another Hard Drive 60GB to run a test restore on because I don't dare chance an upset to my current structure that FD-ISR has so masterfully made possible.
     