[dundee] Researchers discover an 'indestructible' botnet

Robert Ladyman it at file-away.co.uk
Tue Jul 5 22:43:55 UTC 2011


I think you should re-read my post. Strangely I did not suggest copying the virus-laden MBR.


"gordon dunlop" wrote:
> On 5 July 2011 22:04, Robert Ladyman <it at file-away.co.uk> wrote:
> 
> > I don't see it as a major problem - you can copy an MBR using dd either to
> > or from the drive.
> 
> You don't want to copy the MBR with the virus code. If you dd it to remove
> the code sector you have to nominate 440 bytes, as this is the specified code
> area within the MBR, as the rest of the sector to 512 bytes is made up of
> partition tables, MBR signature, etc. which you do not want to remove.
> 
> 
> > If the virus can write to the MBR, then so can you.
> 
> There are programmes for editing the MBR.
> 
> 
> > Not only
> > that, you could just use another hard disc (the MBR is on the disk, not the
> > PC).
> >
> The easiest thing to do is to overwrite the MBR by re-installing GRUB or
> an independent boot manager (if used) if the virus affected these booting
> methods. Using another hard disk would not solve the problem as the virus
> would be re-installed into the nominated MBR of whatever disk you are using
> when you again re-boot into the Windows partition (you would have to get
> your Windows partition cleansed first).
> 
> Apologies for not clearly stating in my post what I was looking for. It was
> to know if the virus code affected the booting of Linux systems (I am now
> looking at what the code does). Seemingly, from trawling the internet, it
> does not affect the booting of Linux systems. I was just wondering if any of
> the ethical hackers had studied it and knew how it worked. Thanks for the
> reply.
> 
> Gordon
> 
> > --
> > Robert Ladyman
> > File-Away Limited
> > 3 Ralston Business Centre, Newtyle, Blairgowrie
> > Perthshire  PH12 8TL SCOTLAND
> > Tel: +44 (0) 1828 898 158
> > Mobile: +44 (0) 7732 771 649
> > http://www.file-away.co.uk
> >
> > ============================================
> > Registered Office: 32 Church Street, Newtyle, Blairgowrie
> > Perthshire, PH12 8TZ SCOTLAND
> > Registered in Scotland, Company Number SC222086
> >
> >
> > _______________________________________________
> > dundee GNU/Linux Users Group mailing list
> > dundee at lists.lug.org.uk  http://dundeelug.org.uk
> > https://mailman.lug.org.uk/mailman/listinfo/dundee
> > Chat on IRC, #tlug on irc.lug.org.uk
> >
> 
> 
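
The split discussed in the quoted exchange above (440 bytes of boot code, with the partition table and MBR signature filling the rest of the 512-byte sector), shown as an added example that is not part of the original thread. The function names are hypothetical and the script only touches constructed image files in a temporary directory; it hashes the code area for comparison against a known-good backup and restores just those 440 bytes, leaving the partition table as it was.

```shell
#!/bin/sh
# Added example. Operates on constructed 512-byte image files, never a real disk.
# MBR layout: 0-439 boot code | 440-445 disk signature + reserved |
#             446-509 partition table | 510-511 boot signature 55 aa

mbr_code_hash() {   # SHA-256 of the 440-byte code area only
    dd if="$1" bs=1 count=440 2>/dev/null | sha256sum | cut -d' ' -f1
}

mbr_tail_hash() {   # SHA-256 of bytes 440-511 (partition table, signature)
    dd if="$1" bs=1 skip=440 count=72 2>/dev/null | sha256sum | cut -d' ' -f1
}

mbr_has_signature() {   # succeeds if the sector ends in 55 aa
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Write only the 440 code bytes of a known-good backup into the target.
# conv=notrunc stops dd truncating the target after the bytes it writes.
mbr_restore_code() {   # usage: mbr_restore_code GOOD_BACKUP TARGET
    dd if="$1" of="$2" bs=440 count=1 conv=notrunc 2>/dev/null
}

# Constructed sample sector: code area filled with byte $2, bytes 440-509
# filled with byte $3 (both octal), then the 55 aa signature.
make_sample_mbr() {   # usage: make_sample_mbr FILE CODE_OCTAL TAIL_OCTAL
    { dd if=/dev/zero bs=440 count=1 2>/dev/null | tr '\0' "\\$2"
      dd if=/dev/zero bs=70 count=1 2>/dev/null | tr '\0' "\\$3"
      printf '\125\252'; } > "$1"
}

mbr_demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_mbr "$tmp/good.bin" 101 120   # known-good backup
    make_sample_mbr "$tmp/disk.bin" 102 121   # altered code, other partition data
    before=$(mbr_tail_hash "$tmp/disk.bin")
    mbr_restore_code "$tmp/good.bin" "$tmp/disk.bin"
    if mbr_has_signature "$tmp/disk.bin" &&
       [ "$(mbr_code_hash "$tmp/disk.bin")" = "$(mbr_code_hash "$tmp/good.bin")" ] &&
       [ "$(mbr_tail_hash "$tmp/disk.bin")" = "$before" ]; then
        echo "code restored, partition table untouched"
    else
        echo "mismatch"
    fi
    rm -rf "$tmp"
}

mbr_demo
```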




