Focus on Linux
Write-protect sctors? Aug 25 2006 06:18PM
scott (redhowlingwolves bellsouth net) (2 replies)
Re: Write-protect sctors? Aug 28 2006 04:44PM
Florian Specker (florian specker li) (1 replies)
Re: Write-protect sctors? Sep 06 2006 02:55PM
Alex Butcher (alex butcher bristol ac uk)
RE: Write-protect sctors? Aug 28 2006 04:01PM
Bill Church (Bill Church bsius com)
It sounds very crazy. Did you ever actually identify if there was a rootkit installed? Did you try booting to a live CD of another distribution and investigating the disks from that live CD?

Remember that partitioning does modify the existing data on the disk, just the partition table; unless you chose to do a full format, that data is still there. However, the chances of it actually being able to affect anything that's not directly referencing that data by executing it seem improbable. I wouldn't think that simply copying a file over that location couldn't spawn a process; of course, nothing is impossible.

There is a BIOS function that is supposed to protect the boot sector; it's usually disabled by default on most systems. I imagine it would be possible for someone to modify the CMOS and protect any sectors they wish, but the attacker would undoubtedly need to have advanced knowledge of your system, BIOS, hard disk and geometry to make this attack possible. I highly doubt this is the case.

It sounds like you may have a defective hard disk. I would try a disk diagnostic first, or maybe attempt to install another OS or distribution.


----- Original Message -----
From: scott
Sent: Mon, 8/28/2006 11:23am
To: focus-linux (at) securityfocus (dot) com
Subject: Write-protect sctors?

I had a probable rootkit in Ubuntu Dapper that proved to be more
persistent than I thought possible. I did rkhunter and showed some
anomalies in /dev/... Trying to track those dirs down proved
elusive, even with root enabled (in Ubuntu, root is disabled by default. You
can still sudo, but no su without certain switches), the dirs
effectively hid from my view.
So I decided to reinstall a clean slate. This is when I encounter
problems that don't make sense.
As the install progresses to the partitioning of the disc, I opt for the
erase whole disc option. It progresses to a certain point and then quits
with an error... repeatedly.
I filed a bug report with launchpad, but my question is this: Can any
malware you are aware of write-protect certain segments of a HD, without
BIOS support? Or is there a BIOS trojan that I'm not aware of in Linux? Is
this even possible with a hardened system?
Is this even possible in any system, Windows included?
What I'm asking is: Can any malware write-protect sectors on a HD that
survive repartitioning?
Sounds really crazy, huh?
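
Added example (not part of the original thread, and not code from any poster): a way to check, from a live CD, which parts of sector 0 a repartitioning actually rewrote, assuming a classic MBR layout rather than GPT. The two sample sectors and the helper names are constructed for illustration.

```python
import hashlib
import struct

SECTOR, TABLE_OFF, SIG_OFF = 512, 446, 510      # classic MBR layout (assumed, not GPT)
ENTRY = struct.Struct("<B3xB3xII")              # status, CHS, type, CHS, LBA start, sectors
REGIONS = {"boot_code": (0, TABLE_OFF),
           "partition_table": (TABLE_OFF, SIG_OFF),
           "signature": (SIG_OFF, SECTOR)}

def parse_mbr(sector: bytes):
    """Return (sha256 of the boot-code area, list of used partition entries)."""
    if len(sector) != SECTOR or sector[SIG_OFF:] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for slot in range(4):
        status, ptype, lba, count = ENTRY.unpack_from(sector, TABLE_OFF + slot * ENTRY.size)
        if ptype:                               # type 0x00 marks an unused slot
            parts.append({"slot": slot, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return hashlib.sha256(sector[:TABLE_OFF]).hexdigest(), parts

def changed_regions(before: bytes, after: bytes):
    """Name the MBR regions whose bytes differ between two captures."""
    return [name for name, (a, b) in REGIONS.items() if before[a:b] != after[a:b]]

def make_sector(boot_code: bytes, entries):
    """Build a constructed 512-byte MBR for the demo (hypothetical helper)."""
    table = b"".join(ENTRY.pack(*e) for e in entries).ljust(SIG_OFF - TABLE_OFF, b"\x00")
    return boot_code.ljust(TABLE_OFF, b"\x00") + table + b"\x55\xaa"

# Constructed samples: same boot code, different partition tables.
BOOT = b"\xeb\x3c" + b"CONSTRUCTED-BOOT-CODE"
BEFORE = make_sector(BOOT, [(0x80, 0x83, 63, 1_000_000)])
AFTER = make_sector(BOOT, [(0x80, 0x83, 2048, 400_000), (0x00, 0x82, 402_048, 100_000)])

if __name__ == "__main__":
    # On a real system, capture the first 512 bytes of the disk device from
    # the live CD before and after repartitioning (the device path varies).
    for label, sector in (("before", BEFORE), ("after", AFTER)):
        digest, parts = parse_mbr(sector)
        print(label, digest[:16], parts)
    print("changed:", changed_regions(BEFORE, AFTER))
```

A boot-code hash that stays the same across a repartition means that area was not rewritten and should be compared against a known-good copy for the boot loader in use.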
