
Malware gets nasty. Wipes drives.

May 5, 2015 3:48AM PDT
https://www.google.com/search?q=Rombertik

I'm running into a lot of folk that even with all the reminders never back up what they can't lose. Now it's getting worse.

Since scanning for the malware can set off the bomb, I wonder how many will take backup seriously. I know I'm going to have to add a preface to my usual advice on scanning for malware due to the changing nature of malware.
Bob


Scans trigger malware?
May 5, 2015 5:07AM PDT

I understand anything new may not register as malware on Day-1 attacks; it's hard to protect against if the very protection used may trigger it. In American colloquialism that seems to cover "all bases", and what are we to do? The only protection is waiting until new measures are taken to address this issue. Alas, backups are either done already or truly remembered when it's too late.

Thanks Robert, it seems the attacks are only 1-day old.

adios -----Willy Happy

I think some clients got blown up over the years.
May 5, 2015 5:21AM PDT

This one is pretty new but took a lot of sleuthing to capture it alive.

I'm sure many that work this industry have tales where the HDD contents have become corrupt or vanish by the time they get to the machine. It's hard to tell if some pest did it or was the result of the client running recovery software.

In spite of all the prior stories I still encounter folk that push back when we start with:
"Clone the drive and work on the clone."
Bob

Military grade...
May 5, 2015 12:16PM PDT

Some of these new attacks and the sources they come from are just too fancy. In other words this is an organized or high-level group/team that seems to bring a level of attack far too advanced, or heavy hitters. I know there is a term for this, but forget. Considering all the effort at times to get big paybacks or ill-gotten rewards is too high above my pay grade. If any of these got loose into the wild and allowed plain low players to meddle, it may be the end. Sounds horrific but it can get to that point. Didn't the US side of things try to override I**n computer controls (wink-wink) to mess things up? Which could mean anyone else in the game could do the same in other areas.

tada -----Willy Happy

help
May 5, 2015 5:27AM PDT
http://www.unixmen.com/save-and-restore-mbr-in-linux/

Easy backup method for MBR and GPT discs using a terminal (aka console, konsole) in any Linux distro: back up the master boot records and partition tables, or the GUID Partition Tables. In addition, for any GPT using EFI or UEFI, the EFI partition or folder should also be backed up.

For three hard drives using old BIOS method of MBR
dd if=/dev/sda of=MBR-sda_May-5-2015 bs=512 count=1
dd if=/dev/sdb of=MBR-sdb_May-5-2015 bs=512 count=1
dd if=/dev/sdc of=MBR-sdc_May-5-2015 bs=512 count=1

For up to 3 hard drives using GPT method

dd if=/dev/sda of=MBR-sda_May-5-2015 bs=2048 count=1
dd if=/dev/sdb of=MBR-sdb_May-5-2015 bs=2048 count=1
dd if=/dev/sdc of=MBR-sdc_May-5-2015 bs=2048 count=1

I'm not sure about advanced format drives using an offset, typically of 2048 bytes.

http://en.wikipedia.org/wiki/GUID_Partition_Table#Legacy_MBR_.28LBA_0.29

While the MBR layout (and also the protective MBR layout) was defined around a sector size of 512 bytes per sector, the actual sector size can be larger on various media such as MO disks or hard disks with Advanced Format. Extra space in the MBR typically remains unused. In operating systems that support GPT-based boot through BIOS services rather than EFI, the first sector is also still used to store the first stage of the bootloader code, but modified to recognize GPT partitions. The boot loader in the MBR must not assume a fixed sector size of 512 bytes / sector.

In the above situation where there's GPT instead of MBR and toss in also a 4K or Advanced Format Hybrid drive, I'd assume 4K sectors for all of them and copy enough that later I could try overwriting in an increasing manner to restore.

For instance, to copy:

dd if=/dev/sda of=MBR-sda_May-5-2015 bs=2048 count=10
dd if=/dev/sdb of=MBR-sdb_May-5-2015 bs=2048 count=10
dd if=/dev/sdc of=MBR-sdc_May-5-2015 bs=2048 count=10

which gets the first 5 sectors of a 4K per sector drive, or the first 40 sectors if it's a 512b sector type drive.

Then if the drive description is destroyed by Rombertik, you can first try writing back 512 bytes, then 1024 bytes, then 2048 bytes, and so on, trying a boot between each one, till eventually you'd get the full description written back without damaging other data on the drive, and successful boot and recovery of partitions.

Of course these should be stored on other media, such as a CD or flashdrive.

Alternate would be using drive recovery software like Testdisk.

Decrypting data, however, would be a whole different process. If you had some large files backed up which were on the drive, a service would be able to use those to find their encrypted versions and work to decrypt the other files.

Re help
May 5, 2015 6:02AM PDT

Certainly a useful backup, but it's even more useful when you add the commands for a restore to your posts. For Unix laymen it's all abracadabra.

Kees

hopefully
May 5, 2015 10:11AM PDT

they'd ask, since each situation could need a particular fix. Getting the backup is easy though, and if they have it, then they can ask how to apply it back, and give particulars on their system and type of drive.

Actually though I did give a safe way to step it up till the right restoration was found.
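The following is an added example, not code from the thread or its posters: it puts the procedure from the "help" post (save the first sectors of the drive, then write them back 512 bytes at a time until the machine boots) and the follow-up about stepping the restore up into runnable shell. Device names such as /dev/sdX are assumptions, and the demo at the end runs only against a constructed image file, never a real disk. One caveat the thread leaves implicit: on a 512-byte-sector GPT disk the protective MBR (LBA 0), the GPT header (LBA 1) and the 128-entry partition array (LBA 2 to 33) occupy the first 17408 bytes, so bs=2048 count=1 saves only part of the table; the 20480 bytes of bs=2048 count=10 do cover it, and the example uses that size.

```shell
#!/bin/sh
# Added example, not from the thread. Saves the first sectors of a disk
# (protective MBR / GPT header / partition array) and writes them back in
# increasing slices. /dev/sdX in comments is an assumed device name; the
# demo at the bottom works on a constructed image file only.

# Bytes to save. On a 512-byte-sector disk the primary GPT ends at byte
# 17408 (LBA 33); on a 4K-sector disk the same structures fit in 3 sectors
# (12288 bytes). 20480 bytes (the thread's bs=2048 count=10) covers both.
BOOT_REGION_BYTES=20480

# sector_size DEVICE: logical sector size of a block device; a plain file
# (the demo image) reports 512. Use it to size a real backup.
sector_size() {
    if [ -b "$1" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --getss "$1"
    else
        echo 512
    fi
}

# backup_boot_region DEVICE OUTFILE [BYTES]: copy the first BYTES of DEVICE,
# e.g. backup_boot_region /dev/sdX /media/usb/MBR-sdX.bin (assumed paths).
backup_boot_region() {
    bytes=${3:-$BOOT_REGION_BYTES}
    dd if="$1" of="$2" bs=512 count=$(( bytes / 512 )) 2>/dev/null
}

# restore_boot_region BACKUP DEVICE BYTES: write back only the first BYTES.
# conv=notrunc keeps dd from truncating a regular-file (image) target.
restore_boot_region() {
    dd if="$1" of="$2" bs=512 count=$(( $3 / 512 )) conv=notrunc 2>/dev/null
}

# first_bytes_match FILE_A FILE_B BYTES: exit 0 if the first BYTES are equal
# (cksum also reports the length, so a short read cannot pass).
first_bytes_match() {
    [ "$(head -c "$3" "$1" | cksum)" = "$(head -c "$3" "$2" | cksum)" ]
}

# restore_stepwise BACKUP DEVICE CHECK: write 512, 1024, 2048 ... bytes,
# running "CHECK DEVICE" after each step (on a real disk the check is a
# reboot or a partition-table scan); stops at the first size that passes
# and prints it, so no more of the disk is overwritten than necessary.
restore_stepwise() {
    n=512
    while [ "$n" -le "$BOOT_REGION_BYTES" ]; do
        restore_boot_region "$1" "$2" "$n"
        if "$3" "$2"; then
            echo "$n"
            return 0
        fi
        n=$(( n * 2 ))
    done
    return 1
}

# run_demo: constructed 1 MiB image whose first 16 KiB hold a text pattern;
# its first 4096 bytes are zeroed to imitate a wiped boot record, then the
# stepwise restore is run. Prints the number of bytes it took (4096).
run_demo() {
    dir=$(mktemp -d)
    img="$dir/disk.img"; bak="$dir/boot-region.bin"; ref="$dir/reference.img"
    dd if=/dev/zero of="$img" bs=1024 count=1024 2>/dev/null
    yes "constructed boot-sector payload" | head -c 16384 | \
        dd of="$img" conv=notrunc 2>/dev/null
    cp "$img" "$ref"                      # pristine copy, stands in for "it boots"
    backup_boot_region "$img" "$bak"
    dd if=/dev/zero of="$img" bs=512 count=8 conv=notrunc 2>/dev/null   # wipe 4 KiB
    demo_check() { first_bytes_match "$1" "$ref" 8192; }
    bytes=$(restore_stepwise "$bak" "$img" demo_check) || bytes="failed"
    rm -rf "$dir"
    echo "$bytes"
}

run_demo
```

On a real machine the backup and the stepwise restore would be run from boot media or with the drive attached to another PC, as the thread already suggests, and the backup file kept off the drive. The gdisk package offers the same thing for GPT disks in one command, `sgdisk --backup=FILE /dev/sdX` and `sgdisk --load-backup=FILE /dev/sdX`, and GPT also keeps a second copy of the header and table at the end of the disk, which this example does not save.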

Don't trust anyone...ever
May 5, 2015 11:55PM PDT

Do you remember who it was that made radar detectors for motorists to evade the old national 55mph limit? It was the same guys that made radar guns for the police.

Malware
May 6, 2015 5:56AM PDT

If this sort of thing becomes common the scanners that run under Windows are dead.

Example.
I'm not having a problem with the machine.
I don't know I have this bug.
I run an AV deep scan.
Now I have a machine that's busted.
What happened??

Yes you can talk about backups but that's total Greek to 99% of users.
Are we looking at off-line/stand alone scanners?

Yes. We are.
May 6, 2015 6:00AM PDT

And the number of times the eyes glaze over about off-line/standalone scanners is about the same 99%.

To make matters worse, many PCs are now UEFI'd and don't make it easy to boot from USB/CD/DVD, etc. I consider myself pretty advanced (I write code, solder, design electronics) but have had to try many times to get around UEFI. What I've found is that it's easier to pull the HDD for scanning on another PC.
Bob

This sheds some light on it.
May 6, 2015 7:03AM PDT
And a qualified yes.
May 6, 2015 7:46AM PDT

I've had folk junk a wiped or infected machine because they are not adept at recovery. The shop counter rate here is now an even 150 USD. For 199 you can walk out with a (albeit not top line) laptop.

So it's going to destroy the computer. Not for those that have recovery media, backups (eye glaze!) and a little bit of skill.

But if the shop counter rate is 150, and the restore media you didn't make or order on your own adds another 85 bucks then it did destroy that PC.
Bob

True Bob...
May 6, 2015 8:04AM PDT

the article did push backups, and for folk without those who are not adept, it's a problem. And as you say, shop counter charges are high, which is great for the shops.
Dafydd.