# The Ubuntu Forum Community > Ubuntu Specialised Support > Security > [other] Malware + MBR, how to discover/remove?

## hithisisatempaccount1532

Can a virus survive a reformat, running bootrec /fixmbr (both from the install CD), and then installing Ubuntu?
Reformat meaning from the windows disk recovery console, using the format command for all partitions. 

Likewise, would a virus be capable of surviving just the first two steps alone without installing Ubuntu, just re-installing windows?

If one were to have an MBR virus on Windows or Linux, how would you go about finding or removing it without doing an entire disk wipe?
And before someone goes "Linux is immune" take into consideration vulnerabilities on the user end.

Any and all answers will be GREATLY, greatly, appreciated.

----------


## OpSecShellshock

If the MBR has been corrupted, there really isn't an alternative to getting rid of everything on the drive. While booting from a different device and running a cleaning program against the hard disk's MBR will _probably_ fix it, it's hard to say for sure without writing zeroes over the whole thing. Look at it this way, though: depending on the nature of the malware and if it's already been loaded a few times, you can't absolutely trust the existing data on-disk anyway, so you'll need to reload the OS no matter what. At that point, taking the extra step of a full wipe doesn't cause you to lose anything you weren't already going to lose.

----------


## hithisisatempaccount1532

Well I am referring to doing a full format of each partition on the drive, then running the bootrec /fixmbr command, then either installing Ubuntu or re-installing Windows... is it possible for an MBR virus to survive? 

No symptoms have been detected or anything, I'm just paranoid.

----------


## hithisisatempaccount1532

I ran ChkDsk to check what the differences are, etc.; it resulted in a +3KB difference versus the actual drive's storage capacity in KB...

This was solely checking the C: partition. Is this normal?

Same deal for the default system partition Windows installs to, +3KB difference according to ChkDsk's computations.

By the way, I'm trying to check for strange things as I stumbled upon this article: 
http://support.microsoft.com/kb/82923

----------


## OpSecShellshock

If you don't over-write the MBR sector of the disk, then it isn't going to change. If you wipe and reformat the storage partitions but not the MBR, and the MBR is infected, then it will hit the storage partitions again. You can do a lot with 3k of data, but to really know if the discrepancy there is cause for concern you'd have to know the specifics of your hardware, as the article notes.

----------


## hithisisatempaccount1532

Well, doesn't /fixmbr or installing Ubuntu with GRUB overwrite the MBR nevertheless?

And after reading your statement, I've searched around but cannot find the amount of RAM usage my BIOS uses...

Also, the article says it should be 2KB smaller, when mine was 3KB more than it should've been.

----------


## hithisisatempaccount1532

b-u-m-p

----------


## adam814

In theory installing either OS _should_ overwrite the MBR.  If I suspected malware on the MBR I wouldn't trust it without running "sudo dd if=/dev/zero of=/dev/sda bs=512 count=1" from the LiveCD.  Of course that's assuming the disk in question is in fact /dev/sda, you could verify that with "sudo fdisk -l" and making sure it matches if you have multiple disks.  After that it's safe to install whatever OS you want.

----------


## hithisisatempaccount1532

Well the thing is I'm severely paranoid about this, no signs have been seen though... it's just a paranoia. And that command wipes the first 512 blocks of the drive, ie... the MBR/Partition table, right?

Thanks for your response by the way.

Would it be possible to elaborate on why my chkdsk is 3KB larger than what it should be?

I'm considering doing this on my entire network now because I'm that worried.


----------


## NiGhtMarEs0nWax

> Can a virus survive a reformat


If you wipe the disk entirely? No. If you are dual booting and you just reformat one partition, depending where the bootkit is on the drive, I guess it is still possible to subvert that OS.
If you wipe the drive entirely then you are also rewriting a new MBR when you install your operating systems.

It might still be on your disk without securely erasing your entire hard drive, but unable to load itself into memory, and will no doubt be overwritten at some point.
On some disks there is an area called the 'host protected area' that is used for storing data on some systems, such as backup data. Deleting all your partitions and starting from scratch should disable that; I know 'secure erase' has a feature to disable the HPA.

UBCD - Ultimate Boot CD has a 'secure erase' feature that also writes to mapped-out sectors, but that is probably overkill.

If you write a new MBR and reinstall GRUB/LILO, then format each partition, you can be sure it will be gone.

----------


## hithisisatempaccount1532

This is the exact process of what I did with it.

(Windows Installation CD)
Before inserting the installation CD, I would find the utilities to update the BIOS firmware; once done and updated, then I begin the Install CD process.
1. Run bootrec /fixmbr
2. Format ALL partitions + removable media on the PC being worked on.
3a. When installing, create new partitions, format them, delete them, create a new single partition and install windows to it.
3b. In my laptops case - Install Ubuntu to entire disk, removing other partitions and creating one large one for Ubuntu to install to, this is the only case where I didn't use bootrec /fixmbr.

----------


## cariboo

Just to add a bit to the thread, there is a utility in the repositories called mbr, which cleans up the MBR. You can use it with the Live CD, by installing from the repositories and then running it; of course you will need to reinstall it every time you need it.

----------


## hithisisatempaccount1532

Does this tool overwrite all partition tables too?

and could someone validate my previous post at the top of this page?
I's geddin' skurr'd. D;<

----------


## OpSecShellshock

> Does this tool overwrite all partition tables too?
> 
> and could someone validate my previous post at the top of this page?
> I's geddin' skurr'd. D;<


To be honest, it's probably excessive. It should be fine without updating/flashing the BIOS. As long as the drive doesn't have anything on it anywhere when you start over (including the manufacturer's partition, where applicable), there's nowhere for any data to exist on-disk.

It's only metal and plastic.

----------


## hithisisatempaccount1532

I made sure to remove the stock partitions included on whatever PC's had it. 
>_< 
So you think I'm good and a virus isn't capable of surviving?

----------


## adam814

You should be fine.  I'm not sure what else you could really do for that matter.

----------


## hithisisatempaccount1532

Well what worries me is people discuss viruses surviving formats from staying resident in the memory/MBR which is extremely alarming to me. :'(

----------


## adam814

If it will give you more peace of mind make sure to actually wipe the MBR with dd.  As soon as you install (before you could possibly be infected with any sort of malware) use dd to back up your MBR (first 446 bytes) to a safe location.  If you suspect you've been infected you can just make another copy of your MBR and use diff to verify that they match.  AFAIK most of the updates to GRUB change the core.img in your boot folder and don't actually touch the MBR, so provided you don't do anything yourself to change the MBR it shouldn't get changed.  All of this can be done from a LiveCD so you can even use it on Windows machines.

In my opinion it's overkill, but I honestly can't think of anything further an end user can do.
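
Putting adam814's two suggestions together (zero sector 0 with dd from a LiveCD, and keep a copy of the first 446 bytes to diff against later) as a script. This is an added example, not code from the thread: the functions take whatever path you hand them, so they can be dry-run on a disk image file before being pointed at a real device such as /dev/sda (confirm the device with `sudo fdisk -l` first, as the post says). The `make_test_image` helper and its contents are constructed test data so the script runs without touching a real disk.

```sh
#!/bin/sh
# Added example (not from the thread): back up, verify and zero the MBR
# boot code of a disk. DEV may be a real device such as /dev/sda or, for
# a safe dry run, an image file. Assumes the classic 512-byte sector 0:
# 446 bytes boot code, 64 bytes partition table, 2-byte 0x55AA signature.
set -eu

# Copy sector 0 in full (boot code + partition table + signature).
mbr_backup() {            # mbr_backup DEV OUTFILE
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Hex-dump the first N bytes of a file as one string (helper).
hex_prefix() {            # hex_prefix FILE NBYTES
    dd if="$1" bs=1 count="$2" 2>/dev/null | od -A n -v -t x1 | tr -d ' \n'
}

# Return 0 when the boot code (bytes 0..445) of DEV matches the backup.
# The partition table and signature are excluded on purpose: they change
# legitimately whenever you repartition; the boot code should not.
mbr_bootcode_matches() {  # mbr_bootcode_matches DEV BACKUP
    [ "$(hex_prefix "$1" 446)" = "$(hex_prefix "$2" 446)" ]
}

# Return 0 when the 0x55AA signature is present at bytes 510..511.
mbr_has_signature() {     # mbr_has_signature DEV
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -A n -v -t x1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# Return 0 when bytes 0..445 are all zero.
mbr_bootcode_is_zero() {  # mbr_bootcode_is_zero DEV
    [ -z "$(dd if="$1" bs=1 count=446 2>/dev/null | tr -d '\000')" ]
}

# Zero the boot code but keep the partition table. The thread's
# "bs=512 count=1" variant also clears the table, which is fine when the
# disk is about to be rebuilt anyway.
mbr_zero_bootcode() {     # mbr_zero_bootcode DEV
    dd if=/dev/zero of="$1" bs=1 count=446 conv=notrunc 2>/dev/null
}

# Build a 1 MiB fake disk image with non-zero boot code and a valid
# signature (constructed test data, so the script can be exercised
# without a real disk).
make_test_image() {       # make_test_image IMG
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'FAKE-BOOT-CODE' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Walkthrough on a throwaway image: "sh mbrcheck.sh demo"
if [ "${1:-}" = "demo" ]; then
    img=$(mktemp); bak=$(mktemp)
    make_test_image "$img"
    mbr_backup "$img" "$bak"
    mbr_bootcode_matches "$img" "$bak" && echo "boot code unchanged"
    printf 'X' | dd of="$img" bs=1 conv=notrunc 2>/dev/null   # simulate a bootkit patching sector 0
    mbr_bootcode_matches "$img" "$bak" || echo "boot code CHANGED"
    mbr_zero_bootcode "$img"
    mbr_bootcode_is_zero "$img" && echo "boot code zeroed"
    rm -f "$img" "$bak"
fi
```

Comparing only the first 446 bytes is what makes the check usable: repartitioning or a new disk signature changes bytes 446..511 without meaning the boot code was touched. A GPT disk keeps its real partition table in later sectors, but its protective MBR in sector 0 has the same layout, so the boot-code comparison still applies; the byte offsets assume a 512-byte logical sector. Store the backup off the machine (and a sha256sum of it) so a compromised host cannot quietly replace the reference copy.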

----------


## hithisisatempaccount1532

So are you implying that it's not possible for a virus to reinstate itself after formatting/deleting all partitions on the drive and re-installing an OS?  I realize the virus data could still be on the drive but would be inactive and overwritten eventually as things are stored if not formatted/zero'd.

----------


## NiGhtMarEs0nWax

> Well what worries me is people discuss viruses surviving formats from staying resident in the memory/MBR which is extremely alarming to me. :'(



There is a rootkit called NTFS hide, that hides itself in mapped-out sectors on NTFS partitions, but it still needs a boot loader of some kind in order to run; otherwise it's just a bunch of 1s and 0s on your hard drive. Memory-resident malware is lost after a reboot (which includes those that hide in VRAM).

I've heard of some kind of malware infecting the BIOS, but to be honest, I think they only exist in lab conditions. The only persistent (non-volatile) place then for malware to live is on the hard drive. The only way it can load itself is either from the MBR or through the operating system. If you got rid of both of them, then the only other place it can live is in your PSU with a tinfoil hat on.

----------


## adam814

Yes, after a full hard disk format, an MBR wipe, and a clean OS install the only way a virus can "reinstate" itself is however the system got infected in the first place (either through a user running a malicious executable or exploiting an unpatched OS vulnerability).

----------


## hithisisatempaccount1532

"Full hard disk format"  I didn't do a full HDD format though, I just formatted all of the partitions on the drive, deleted them, and recreated them via the installation CDs.  Also, I believe the virus you're talking about in relation to the BIOS was the "Chernobyl" virus, which didn't actually reside in the BIOS, but rather corrupted it, making the MoBo useless for most users who didn't know how to fix the BIOS functionality.

----------


## hithisisatempaccount1532

So is it possible for it to still be active, or am I safe?

----------


## OpSecShellshock

I'm not really sure, but if there's part of the disk that hasn't been written over, I suppose there's a chance. But why go to all the trouble of doing the other steps and not just format the entire disk?

----------


## hithisisatempaccount1532

Because if I motivate myself to do that, then I'll have to do that for every machine on my network.  I also got an OpenDNS warning on March 1st, displaying "Malware/BotNet activity detected!" and when I went to check my stats they were blank for the Malware blocked genre. This has caused me to go into a stage of panic trying to find out what the hell is going on - it has yet to appear again though, so I don't know what to think...

----------


## OpSecShellshock

What that means is that a machine on your network was trying to hit a domain known by OpenDNS to be malicious. It doesn't necessarily mean you have an infected machine on your network. It could just as easily be a blocked redirection that would have gone out to the domain had it been allowed. There is a slight possibility that it's a CnC check-in from a bot-infected host on your network, but if there had been it's probably been wiped out by now. If you have multiple hosts, it's always good to know which one is doing what, though.
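
As an added example (not from the thread) of the "know which host is doing what" step: an awk pass over a resolver query log that names the LAN clients which looked up the domains an upstream filter such as OpenDNS reported as blocked. The log lines and the flagged-domain list are constructed in dnsmasq's `log-queries` format; a home router or Pi-hole would supply real ones. Matching is by domain or any subdomain of it, since a filter blocks `example.invalid` but the bot may ask for `update.example.invalid`.

```sh
#!/bin/sh
# Added example (not from the thread): attribute flagged DNS lookups to
# the LAN host that made them, from a dnsmasq-style query log.
set -eu

# Constructed sample of a dnsmasq query log (log-queries enabled).
SAMPLE_LOG='Mar  1 10:12:01 router dnsmasq[1234]: query[A] www.ubuntu.com from 192.168.1.10
Mar  1 10:12:05 router dnsmasq[1234]: query[A] badhost.example.invalid from 192.168.1.23
Mar  1 10:12:05 router dnsmasq[1234]: reply badhost.example.invalid is 203.0.113.5
Mar  1 10:13:40 router dnsmasq[1234]: query[A] badhost.example.invalid from 192.168.1.23
Mar  1 10:15:02 router dnsmasq[1234]: query[AAAA] update.cnc.example.invalid from 192.168.1.42
Mar  1 10:15:09 router dnsmasq[1234]: query[A] www.ubuntu.com from 192.168.1.42
Mar  1 10:16:30 router dnsmasq[1234]: query[A] notcnc.example.invalid from 192.168.1.10'

# Constructed list of domains the upstream filter reported as blocked,
# one per line.
FLAGGED='badhost.example.invalid
cnc.example.invalid'

# Print "<client ip> <lookups>" for each host that queried a flagged domain
# or a subdomain of one. Reply lines are ignored; only query lines count.
# Field layout of a dnsmasq query line:
#   $1-$3 timestamp, $4 host, $5 dnsmasq[pid]:, $6 query[TYPE],
#   $7 domain, $8 "from", $9 client address.
flagged_clients() {   # flagged_clients LOGFILE FLAGGEDFILE
    awk '
        FILENAME == ARGV[1] { bad[$1] = 1; next }   # first file: load the blocklist
        $6 ~ /^query\[/ {
            for (d in bad) {
                # exact match, or $7 ends in "." d (a subdomain of d)
                if ($7 == d || substr($7, length($7) - length(d)) == "." d) {
                    n[$9]++
                    break
                }
            }
        }
        END { for (c in n) print c, n[c] }' "$2" "$1" | sort
}

# Print every query line from one client, for the follow-up look at what
# else that host asked for around the same time.
client_lines() {      # client_lines LOGFILE CLIENT
    awk -v c="$2" '$6 ~ /^query\[/ && $9 == c' "$1"
}

# Walkthrough on the constructed data: "sh dnsattrib.sh demo"
if [ "${1:-}" = "demo" ]; then
    t=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LOG" > "$t/dnsmasq.log"
    printf '%s\n' "$FLAGGED" > "$t/flagged.txt"
    flagged_clients "$t/dnsmasq.log" "$t/flagged.txt"
    rm -rf "$t"
fi
```

On the sample data this reports `192.168.1.23 2` and `192.168.1.42 1`; `notcnc.example.invalid` is deliberately not counted, because the suffix check requires the dot. A single blocked lookup from a host is the "blocked redirection" case the post describes; repeated lookups of the same flagged name at regular intervals from one client are what a check-in looks like, and that is the host to pull off the network and rebuild first.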

----------

