Jump to content

Will Malware Attack Offline Disks?


Recommended Posts

I have a recently added a 4TB internal hard disk to my Win 7 desktop. I only use it for backups, primarily of other computers, and I want to protect it from attack. If I make it offline using Disk Management is there malware (eg ransomware) that is capable of locating it and attacking it?



Link to post
Share on other sites

If a Read/Write Drive is not seen by the OS as a drive letter then the data is isolated.  That means if the drive is disconnected or turned off then the data is isolated and safe.

If it is an internal drive that is made offline and is NOT seen by the OS as a drive letter than it should be safe as well.  However, I suggest using an External Hard Disk for backup.

Link to post
Share on other sites

Yes, when I make it offline the drive letter is removed and the drive has completely gone according to Windows Explorer. But do you know if there is malware around that looks for all installed drives whether or not they are online, and starts attacking them? (I do use an external USB backup drive too, but it is cumbersome and slow compared with an internal drive.)

Link to post
Share on other sites

While I do not know of any malware that can mount an offline disk, it is possible.

When discussing a "backup" drive speed is not as essential.

In a computer we talk about Primary Storage and Secondary storage.

Primary Storage is Dynamic RAM ( aka; DRAM or just plain computer memory )

Secondary Storage are internal hard disks.

If non-volatile RAM was cheap and as fast DRAM, there would be no reason for Secondary Storage.  However we are not there ( yet ) so Secondary Storage will either be a traditional spindle disk or a Solid State Disk ( SSD ).

Backup storage is Tertiary Storage.  It is meant for fail-safe reasons.  Therefore it does not need to be as fast as Primary or Secondary Storage.  At the same time is can't be too slow.  I've done them all from DLT in Robotic Systems to DAT, ZIP and other kinds of tape.  The important concept is to have a backup.  However if it takes too long to do regular backups, they may not be performed as needed.  Internet backup solutions are just plain stupid.  First you are paying for a monthly subscription but you also have to worry about the Data at Rest ( DAR ) issues of it being out of your control and in the hands of some entity.  It is also dependent upon Internet upload speeds. Therefor it is slower than a drunk snail.  So, Today, traditional spindle disks or a Solid State Drives are the way to go.  Sure USB is slower than SATA.  However there is USB 3.0 and USB v3.1 as compared to USB 2.0.  There is also Firewire and most notably eSTATA.  So having an external hard disk can be almost as fast as an Internal Hard Disk but can be isolated and stored "off premises" or in a fireproof safe.  The important thing about backups is the media must be portable.  An internal hard disk fails that requirement.

So if this is a desktop you can look at an external chassis using he latest USB standard ( USB v3.1 ) eSATA or the latest Firewire standard ( IEEE-1394 b/c/d ).  If the desktop is not equipped with a an external port one can install a PCI/x or PCI/e expansion card that matched the external chassis.  What I am stating is you can move that internal 4TB SATA drive into an external chassis and match the chassis port to a expansion card that will give you very fast backup speeds while physically isolating and protecting the back media.


Edited by David H. Lipman
Link to post
Share on other sites

Thanks Dave. The key thing is that a backup device is normally physically isolated from the live system and only connected up when taking another backup. I don't agree that the media must to be portable (a pair of immovable computers 1000 miles apart can back each other's key files up over a network, for instance), but your suggestions on using eSATA etc. are very interesting, and I will look into this.

Link to post
Share on other sites


That's a VERY broad and non-specific question that needs clarification and specifics.

Malware is an overarching concept of all malicious software that covers; trojans, exploit code and viruses.  Exploits do not spread and neither do trojans on their own.  Viruses spread autonomously.

With that being stated, please rephrase your question being more specific such as what kind of malware would be included in a backup ?

Edited by David H. Lipman
Link to post
Share on other sites

I was just wondering whats to stop something nasty being backed up alongside everything else. I was covering all malware being backed up by mistake is there something that stops this happening? I'm just curious that's all. It was a broad spectrum question I'm not good at technical jargon as you can tell. 

Thanks Dave

Link to post
Share on other sites

Lots of subject matter to cover so let me first consider a "backup".

  • A backup can be considered "raw" in which data is merely copied from the source to a destination.
  • A backup can be performed is such a way that the data is compressed and placed into a singular file or in a file-like structure that is capable of being spanned across multiple media.

In the first case the data will exist in the same format.  Therefore whatever the propensities that may carry on the source will carry-over to the destination.

In the second case the data is segregated and protected.  The file(s) must be extracted and they also might be password protected.

Now lets look at the data...

The data that is being backed-up could simply be the files in your Documents Folder or the entire User Profile and/or selected folders.

In the former case, the data will most likely consist of documents ranging from Microsoft office, Adobe Suite, AutoCad and a myriad of other data file formats including graphics and media files.  For the most part these are not malicious.  Chances are very slim that someone will save a malicious document in the Documents Folder.  However, It is possible.

In the latter case the "data set" may contain executable files in your "Downloads" and thus it is possible to backup malware.

For the most part, a backup will not discriminate between legitimate data, malicious data and direct malware executables.  that would be the job of a traditional anti virus application ( NOT MBAM v3.0 ) in that as a folder is read or as a files are being copied, the traditional anti virus application will scan ALL file types or listed file types as they are being backed-up.

So the use of anti malware software will help mitigate the possibility of the data set containing direct malware or malicious data files.

Now that we have looked at the two types of backups, Raw and Compressed, and we have looked at what a data set may consist of and how it may be traeted, lets look at the media.

There are multiple categories of media that may be used for a data set backup.

  • Tape
  • Flash Drive
  • Spindle hard disk
  • Solid State hard disk
  • Optical

They can be categorized into a few sub-types.

  • Random Read/Random Write
  • Read/Write
  • Read Only

We do  not see Read Only as often any more but a good example would be ti "burn" a CD or DVD.  Since they are limited to 700MB or 4.7GB they won't hold much data albeit DVD's are good for such things as a PST file just as long as one does not allow the PST to grow to a capacity that meets or exceeds the capacity of a DVD.

Tapes are an example of Read/Write because to write to it you either have to append to what is on the tape or it has to be erased and re-written.  To read from a tape you have to start from the beginning and seek where the data is that you want restored. 

Flash Drives and hard disks ( Spindle and SSD ) are examples of Random Read/Random Write as well as DVD RAM.  That means you can read and write to them in any area of the media.

When we talk about malware and the media being "infected" there are only a few vectors.

In the old days of Floppy Disks and File Allocation Table ( FAT ) formats we experienced a Boot Sector Infector virus problem.  Such viruses as the "Form" and "NYB" could infect the boot sector of the FAT formatted drive or disk.  If you inserted a Boot Sector Infector virus infected disk into a clean PC, it becomes infected.  If you subsequently inserted a clean floppy in that PC it becomes infected.  Thus spreading the virus infection from PC to disk and disk to PC.

Today we almost predominately see New Technology File System ( NTFS )  formatted disks.  However they usually are relegated to media 32GB and larger and those that are smaller than 32GB  will be formatted in FAT.  Subsequent to the mass use of NTFS, Boot Sector Infectors have pretty much died-off.

The definition of a virus is malicious software that is capable of self replication.  That is the malware is capable of autonomously spreading.  That definition has not changed and will not change no matter how many times n00bs call anything and everything a "virus".

Besides Boot Sector Infectors there are two other major sub-types of viruses.  They are File Infecting Viruses and Worms.

File Infecting Viruses append, prepend or cavity inject malicious code into legitimates files.  Once infected they can subsequently infect other files thus spreading the infection.

Worms are a type of virus that spread through a mechanism.  The type of mechanism used defines the sub-type of worm.

You'll notice that there are types and sub-types of malware so one can state there is a malware taxonomy.  in other words,  catorgorizing different malware encompasses the description, identification, nomenclature, and classification of the various kinds of malware from Exploit code to Trojans to Viruses and their myriad variations.

Internet worms use TCP/IP protocols to spread.  This can be SMTP ( email ), NNTP ( Usenet ), and others.

AutoRun Worms however use the mechanism of a facility in the windows OS called AutoRun/AutoPlay.  Originally is was created such that when you inserted a MS Office CD/DVD disk or an Adobe Creative suite CD/DVD disk and other software, it will auto run the installer making it easier to install the software on that disk or just play an Audio CD.  however malicious actors usurped that capability to spread malware.  If a PC is infected with an Autorun Worm then when you insert Read/Write media that is clean into the the PC, the AutoRun worm will create the structure on that media that will be interpreted by another computer to autoRun that media and thus infect another computer.  Simply disabling the AutoRun/AuoPlay capability will disrupt the worm and all anti malware should be capable of intercepting and blocking the AutoRun/AuoPlay capability if it is enabled.

My favourite example of how deleterious this can be is demonstrated by the Win32/Agent.BTZ worm.

As you can see this is a complicated subject matter with many twists, turns and forks.  Hopefully I have given you information such that you, and others, can pose more granular questions.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.