[dundee] Researchers discover an 'indestructible' botnet

gordon dunlop zubenel at fedoraproject.org
Tue Jul 5 22:17:33 UTC 2011


On 5 July 2011 22:04, Robert Ladyman <it at file-away.co.uk> wrote:

> I don't see it as a major problem - you can copy an MBR using dd either to
> or
> from the drive.

You don't want to copy the MBR with the virus code. If you dd it to remove
the code sector you have to nominate 440 bytes, as this is the specified code
area within the MBR; the rest of the sector, up to 512 bytes, is made up of the
partition table, MBR signature, etc., which you do not want to remove.


> If the virus can write to the MBR, then so can you.

There are programmes for editing the MBR.


> Not only
> that, you could just use another hard disc (the MBR is on the disk, not the
> PC).
>
The easiest thing to do is to overwrite the MBR by re-installing GRUB or
an independent boot manager (if used) if the virus affected these booting
methods. Using another hard disk would not solve the problem, as the virus
would be re-installed into the nominated MBR of whatever disk you are using
when you again re-boot into the Windows partition (you would have to get
your Windows partition cleansed first).

Apologies for not clearly stating in my post what I was looking for. It was
to know if the virus code affected the booting of Linux systems (I am now
looking at what the code does). Seemingly, from trawling the internet, it
does not affect the booting of Linux systems. I was just wondering if any of
the ethical hackers had studied it and knew how it worked. Thanks for the
reply.

Gordon



>
>
> --
> Robert Ladyman
> File-Away Limited
> 3 Ralston Business Centre, Newtyle, Blairgowrie
> Perthshire  PH12 8TL SCOTLAND
> Tel: +44 (0) 1828 898 158
> Mobile: +44 (0) 7732 771 649
> http://www.file-away.co.uk
>
> ============================================
> Registered Office: 32 Church Street, Newtyle, Blairgowrie
> Perthshire, PH12 8TZ SCOTLAND
> Registered in Scotland, Company Number SC222086
>
>
> _______________________________________________
> dundee GNU/Linux Users Group mailing list
> dundee at lists.lug.org.uk  http://dundeelug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/dundee
> Chat on IRC, #tlug on irc.lug.org.uk
>
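The 440-byte split that Gordon describes is easy to get wrong with dd, so here is a small worked example of the sector layout he is relying on. This is added code, not from either poster; the 512-byte MBR it builds is constructed sample data (made-up bootstrap bytes, a made-up disk signature, two made-up partition entries), and `scrub_code_area` does in memory what `dd bs=440 count=1` does on a disk: it blanks only the bootstrap code area and leaves the disk signature, partition table and 0x55AA boot signature untouched.

```python
import struct

# Classic MBR layout (offsets within the 512-byte sector 0)
CODE_AREA_LEN = 440    # bootstrap code area: the only part a bootkit needs to own
DISK_SIG_OFF = 440     # 4-byte disk signature used by Windows NT-family systems
PART_TABLE_OFF = 446   # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510     # 0x55 0xAA marks a bootable sector
SECTOR_LEN = 512


def build_sample_mbr() -> bytes:
    """Construct a fake MBR for the example (sample data, not read from a disk)."""
    # Hypothetical bootstrap code: a short jump followed by NOP padding.
    code = bytes([0xEB, 0x63, 0x90]) + b"\x90" * (CODE_AREA_LEN - 3)
    disk_sig = struct.pack("<I", 0xDEADBEEF)   # made-up disk signature
    reserved = b"\x00\x00"
    # (status, type, LBA start, sector count); CHS fields left zero
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable NTFS-type partition (sample)
        (0x00, 0x83, 206848, 409600),  # Linux partition (sample)
    ]
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, count)
        for status, ptype, lba, count in entries
    )
    table += b"\x00" * (PART_ENTRY_LEN * 2)   # two unused entries
    return code + disk_sig + reserved + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into its code area, disk signature and partition table."""
    if len(sector) != SECTOR_LEN:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_LEN])
        if ptype == 0:          # empty entry
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {
        "code": sector[:CODE_AREA_LEN],
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def scrub_code_area(sector: bytes) -> bytes:
    """Return a copy with only the 440-byte bootstrap area zeroed.

    Everything from offset 440 onwards (disk signature, partition table,
    0x55AA) is preserved, which is why a recovery dd must use bs=440 count=1
    rather than wiping the whole sector.
    """
    info = parse_mbr(sector)          # validates length
    if not info["signature_ok"]:
        raise ValueError("not a valid MBR: boot signature missing")
    return b"\x00" * CODE_AREA_LEN + sector[CODE_AREA_LEN:]


def code_area_differs(sector: bytes, known_good: bytes) -> bool:
    """True if the bootstrap code differs from a trusted copy (e.g. a backup taken
    right after installing GRUB); the partition table is deliberately ignored."""
    return parse_mbr(sector)["code"] != parse_mbr(known_good)["code"]


if __name__ == "__main__":
    mbr = build_sample_mbr()
    for p in parse_mbr(mbr)["partitions"]:
        print(p)
    cleaned = scrub_code_area(mbr)
    print("partition table intact:", parse_mbr(cleaned)["partitions"] == parse_mbr(mbr)["partitions"])
```

`code_area_differs` is the check a cautious admin would run against a backup of the first 440 bytes taken when the boot loader was last installed: a change there with an unchanged partition table is exactly the footprint of a bootkit, and re-installing GRUB (as Gordon suggests) is what puts trusted code back into that area.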