
Can rootkits hide on backed-up data on DVDs?


Greetings all, does anyone know how to scan “backup and restore” discs (DVD) using the TDSSKiller program? (Or really, if this is even necessary?) The discs were made on a Windows 7 Home edition machine just before we did a recovery of the machine. With TDSSKiller loaded on the machine I can scan the hard drive, but I do not see how to scan these discs. The TDSSKiller program found a rootkit on the hard drive and cured it (after recovery), but I'm concerned the backed-up data (made prior to recovery) on the discs may be infected. Thanks for any advice.

Link to post

No.  When you back up data it is just data files.  RootKits are associated with executable structures.  CDs and DVDs  use the Joliet and UDF file systems and are, by definition, Read-Only (unless you are using CDRW or DVDRW in a Read/Write format).  You can't scan CDs/DVDs with Kaspersky's TDSS Killer 'cause there is no need to.


There is actually no need to scan the media with anti RootKit scanners. However, data files should be scanned by a fully installed anti virus application which performs "On Access" and "On Demand" scanning. This will eliminate data file exploits and Wimad type trojans in your data. "On Access" means that every time a file is written to or read from media it is scanned for malicious code based upon the signatures in the anti virus application's database.


The ONLY time it is necessary to scan Read-Only and/or Read/Write media is if TRUE viruses are involved. That is, malicious software that self-replicates either by appending, prepending or cavity injecting malicious code into legitimate files, or AutoRun worms that can spread by creating reproducible structures on Read/Write media. That's why it is imperative to have a fully installed anti virus application installed performing "On Access" and "On Demand" scanning.

Link to post

It's also possible for Trojans to spread this way if a dropper is saved to the media and then executed on a system.

Assuming you're referring to true recovery discs, which include the MBR and all, then yes, a rootkit partition will most likely be backed up along with all other data and partitions (though this depends greatly on the backup software used and the type of backup created). I'm not sure you'd be able to scan such media, but it is likely that the partitions themselves would show up when creating the backups, though identifying them just by looking at them would not be easy.

For a case like this, since you restored the system using the backup media and then discovered the rootkit which you subsequently cleaned, I'd recommend creating a new set of recovery media based on the now clean state of the drive and its partitions (again, assuming these are the types of backups which include the boot files, MBR etc.).

Link to post
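
The post above notes that a full system image carries the MBR and every partition along with the data. As an added example (not part of the original thread), this Python code parses the partition table from a raw copy of sector 0 and lists how a backup's layout differs from a known-good one. It assumes a raw sector dump as input (not the container format a backup tool may use), and the two sample sectors are constructed.

```python
import struct

TABLE_OFFSET, ENTRY_SIZE = 446, 16   # four 16-byte entries follow the boot code

def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of a 512-byte MBR sector."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector (size or 0x55AA signature)")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        # status, 3 CHS bytes skipped, type, 3 CHS bytes skipped, start LBA, length
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype == 0 and count == 0:
            continue                      # unused slot
        entries.append({"slot": slot, "active": status == 0x80,
                        "type": ptype, "start": start, "sectors": count})
    return entries

def diff_layouts(expected, found):
    """List differences between a known-good layout and the one found in a backup."""
    key = lambda e: (e["start"], e["sectors"], e["type"])
    exp, got = {key(e): e for e in expected}, {key(e): e for e in found}
    notes = []
    for k in sorted(got.keys() - exp.keys()):
        notes.append(f"unexpected partition: type 0x{k[2]:02x}, start LBA {k[0]}, {k[1]} sectors")
    for k in sorted(exp.keys() - got.keys()):
        notes.append(f"missing partition: type 0x{k[2]:02x}, start LBA {k[0]}, {k[1]} sectors")
    for k in sorted(exp.keys() & got.keys()):
        if exp[k]["active"] != got[k]["active"]:
            notes.append(f"active flag changed on partition at LBA {k[0]}")
    return notes

def build_sector(parts):
    """Constructed sample input: an MBR sector with empty boot code."""
    sector = bytearray(512)
    for slot, (active, ptype, start, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         0x80 if active else 0, ptype, start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed layouts: a known-good disk, and a backup with one extra entry and a moved active flag.
CLEAN = build_sector([(False, 0x27, 2048, 204800), (True, 0x07, 206848, 976562176)])
BACKUP = build_sector([(False, 0x27, 2048, 204800), (False, 0x07, 206848, 976562176),
                       (True, 0x17, 976769024, 4096)])
if __name__ == "__main__":
    for line in diff_layouts(parse_mbr(CLEAN), parse_mbr(BACKUP)):
        print(line)
```
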

Thanks for your responses and learned advice; it is greatly appreciated!!


I wanted to clarify how the recovery was initiated, the program used, the operating system and the media type, so I do not leave anything out and so that others may benefit from this great website and the uber geeks that help out those of us in need.

The recovery was made from a factory partition on the hard drive by pressing F11 at bootup.


Program used to perform backups (prior to Recovery): Windows 7 Backup and Restore utility, from the Start Orb>Maintenance folder> Backup and Restore>set up backup>save backup on>

Note: from here you select where the backup would be saved. Windows wants you to use an external drive, but in this case I used Sony DVD-Rs. I could have made a system image (which would have included the Windows files, OS) using an external hard drive; I elected only to back up files to DVD-R. The real benefit of a large external drive would be to schedule backups as long as the external drive remained connected to the computer.


OS used:  Windows 7 Home Premium SP 1.


Media used: Sony DVD-R discs.


As I mentioned before, we had copied pictures and documents to an external hard drive. I then scanned that external drive with Avira antivirus on one computer, with the rootkits option ticked, and it came up negative. I then attached it to another computer running an updated Panda Internet Security 2013 set to scan all file extensions and to delete any malware discovered. Panda IS 2013 uses the cloud (probably their servers); it turned up negative. I then (after updating) ran a Malwarebytes Pro version full scan and it turned up negative as well. I elected not to run the back-ups made on DVDs based on the chance there could be a backed-up piece of malware on the discs. I went ahead and copied only photographs from the backed-up Documents folder. I turned off system restore and scanned with Avira antivirus after it had been updated and it came out clean. I ran the scanner (after updating) for Malwarebytes and Superantispyware and it came up clean as well.

I’m hoping for the best here after doing a recovery from the partition on the hard drive. I ran the Windows Malicious Software Removal Tool; it discovered and removed the DOS/Alureon infection. I rebooted and installed TDSSKiller, ran the scanner, and it found and cured the Rootkit.Boot.pihar.c. All other scans by all the above-mentioned anti-malware programs came back clean.

If anyone has any constructive comments or advice I’m all ears.

Thanks for everybody’s time and effort on an excellent community of anti-malware crusaders!!

Link to post

  • Root Admin

After the fact, without logs, it's very difficult to say. Even with logs it can often be difficult to say for sure where the entry point was and if you restored it as part of the partition or obtained it at some point after the restore. Scanning a DVD or external drive or compressed external data is very difficult to locate and mark as infected because many infections rely on a link to a registry entry or multiple file entries that are also linked in the registry, but since you're now flat file scanning those references are not there. Then you do the restore and the references are now there along with the files that were not originally suspect, but now the scanner has enough information to know it is a bad file or what is wrong.


It's also possible that you could have restored with old outdated Java and visited a single site and without even knowing it infected your computer.


The best thing to do really is make sure the computer is currently clean and follow advice on how to keep it clean.  Most helpers and other analysts simply don't have time to do a forensic type review of how something happened to the computer in the past for a well known infection.  That type of forensic work is usually used on new threats when an Analyst has it on their own computer and is analyzing how it works and how to neutralize it.



I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.


Link to post
