Tag Archives: MBR

New version of Gozi financial malware bundles MBR rootkit

Researchers from security firm Trusteer have found a new variant of the Gozi banking Trojan program that infects a computer’s Master Boot Record (MBR) in order to achieve persistence.

The Master Boot Record (MBR) is a boot sector that resides at the beginning of a storage drive and contains information about how that drive is partitioned. It also includes boot code that runs before the operating system starts.

Some malware authors have leveraged the MBR in order to give their malicious programs a head start over antivirus programs installed on the computer.

Sophisticated malware that uses MBR rootkit components, such as TDL4 (also known as Alureon or TDSS), is part of the reason why Microsoft built the Secure Boot feature into Windows 8. This kind of malware is hard to detect and remove and can even survive an operating system reinstallation.


From: http://www.pcworld.com/article/2035763/new-version-of-gozi-financial-malware-bundles-mbr-rootkit.html#tk.rss_all

Which system calls to move data on a device with mounted partitions?

By vstrom

I need to be able to move data around a disk that has mounted partitions. I am not touching the data on the mounted partition, the MBR or any other disk metadata, only the freespace and unmounted partitions. At the moment I am using libparted but it causes data corruption sometimes although there are no reported errors.

I am experimenting now with open() on, for example, /dev/sdc while /dev/sdc2 is mounted. That also sometimes seems to have problems with busy partitions on the disk. No errors are reported.

Any suggestions?

Thank you.

Source: FULL ARTICLE at The UNIX and Linux Forums

OpenBSD fdisk – Linux fdisk compatibility?

By vilius

Hello,

An MBR partition table made by Linux fdisk certainly does not look correct when printed by OpenBSD fdisk:

Partition table created on linux (centos 6.3):

Code:

# fdisk -l /dev/sdc

Disk /dev/sdc: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x61f77373

   Device Boot      Start         End      Blocks   Id  System
/dev/sdc1               1         131     1052226   83  Linux
/dev/sdc2             132         262     1052257+  83  Linux
/dev/sdc4             263        1305     8377897+   5  Extended
/dev/sdc5             263         523     2096451   8e  Linux LVM
/dev/sdc6             524         784     2096451   8e  Linux LVM
/dev/sdc7             785        1045     2096451   a6  OpenBSD

Same disk on OpenBSD (5.2):

Code:

# fdisk sd1
Disk: sd1       geometry: 1305/255/63 [20971520 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 83      0   1   1 -    130 254  63 [          63:     2104452 ] Linux files*
 1: 83    131   0   1 -    261 254  63 [     2104515:     2104515 ] Linux files*
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 05    262   0   1 -   1304 254  63 [     4209030:    16755795 ] Extended DOS
Offset: 4209030 Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 8E    262   1   1 -    522 254  63 [     4209093:     4192902 ] Linux LVM
 1: 05    523   0   1 -    783 254  63 [     8401995:     4192965 ] Extended DOS
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
Offset: 8401995 Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 8E    523   1   1 -    783 254  63 [     8402058:     4192902 ] Linux LVM
 1: 05    784   0   1 -   1044 254  63 [    12594960:     4192965 ] Extended DOS
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
Offset: 12594960        Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: A6    784   1   1 -   1044 254  63 [    12595023:     4192902 ] OpenBSD
 1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

OpenBSD fdisk shows a separate 4-partition block for the extended partition, but the result above shows four 4-partition blocks (instead of 2).

If I create the same partition table on OpenBSD from scratch:

Code:

# fdisk sd1
Disk: sd1       geometry: 1305/255/63 [20971520 Sectors]
Offset: 0       Signature: 0x0
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 83      0   1   1 -    130 254  63 [          63:     2104452 ] Linux files*
 1: 83    131   0   1 -    261 254  63 [     2104515:     2104515 ] Linux files*
 2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused
 3: 05    262   0   1 -   1304 254  63 [     4209030:    16755795 ] Extended DOS
Offset: 4209030 Signature: 0xAA55
            Starting         Ending         LBA Info:
 #: id      C   H   S -      C   H   S [       start:        size ]
-------------------------------------------------------------------------------
 0: 8E    262   1   1 -    522 254  63 [     4209093:     4192902 ] Linux LVM
 1: 83    523   1   1 -    783 254  63 [     8402058:     4192902 ] Linux files*
 2: A6    784   1   1 -   1044 254  63 [    12595023:     4192902 ] OpenBSD
 3: 00      0   0   0 -      0   0   0 [           0:           0 ] unused

Now, if we connect that disk to Linux, the partition table is not recognized:

Code:

# fdisk -l /dev/sdb

Disk /dev/sdb: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

#

Why is this happening?
How do I create a partition table that is compatible between the two OSes?

Thanks,
Vilius M.

Source: FULL ARTICLE at The UNIX and Linux Forums
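As an added example (not code from either forum post, from pcworld, or from the fdisk tools), the following Python reads the on-disk structure the Gozi excerpt describes and walks the EBR chain that the Linux-made table above produces: entries live at bytes 446..509 of the MBR, the 0xAA55 signature at 510..511 is what makes a table valid, and each EBR holds one data entry (relative to that EBR) plus one link entry (relative to the first EBR). The disk image is constructed in memory with the LBA values quoted in the listings; `make_table`, `IMAGE` and `UNSIGNED` are helpers of this example, not fdisk output.

```python
import struct

SECTOR = 512
EXTENDED = {0x05, 0x0F}   # DOS extended / Win95 extended (LBA) type ids

def parse_table(sector):
    """Four 16-byte entries at 446..509 -> [(type, lba_start, sectors)]; None if 0xAA55 is missing."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return None
    return [(sector[o + 4],) + struct.unpack_from("<II", sector, o + 8)   # byte 4: type id;
            for o in range(446, 510, 16)]                                 # bytes 8-15: start, size

def list_partitions(image):
    """Walk the MBR, then the EBR chain, of image ({lba: sector}); EBR data entries are EBR-relative, link entries are relative to the first EBR."""
    read = lambda lba: image.get(lba, bytes(SECTOR))
    mbr = parse_table(read(0))
    if mbr is None:
        return []                                   # no signature: no partition table at all
    parts = [e for e in mbr if e[0] != 0]
    base = next((s for t, s, _ in mbr if t in EXTENDED), None)
    ebr, seen = base, set()
    while ebr is not None and ebr not in seen:      # 'seen' stops a chain that loops on itself
        seen.add(ebr)
        nxt = None
        for t, s, n in parse_table(read(ebr)) or []:
            if t in EXTENDED and nxt is None:
                nxt = base + s
            elif t != 0 and n != 0:
                parts.append((t, ebr + s, n))
        ebr = nxt
    return parts

def make_table(entries, signed=True):
    """Constructed helper: build one MBR/EBR sector (CHS fields left zero)."""
    sec = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(entries):
        sec[446 + 16 * i + 4] = ptype
        struct.pack_into("<II", sec, 446 + 16 * i + 8, start, size)
    if signed:
        sec[510:512] = b"\x55\xaa"
    return bytes(sec)

# Constructed image with the Linux-made layout quoted above: MBR plus three chained EBRs.
BASE = 4209030
IMAGE = {
    0:        make_table([(0x83, 63, 2104452), (0x83, 2104515, 2104515), (0, 0, 0), (0x05, BASE, 16755795)]),
    BASE:     make_table([(0x8E, 63, 4192902), (0x05, 8401995 - BASE, 4192965)]),
    8401995:  make_table([(0x8E, 63, 4192902), (0x05, 12594960 - BASE, 4192965)]),
    12594960: make_table([(0xA6, 63, 4192902)]),
}
UNSIGNED = {**IMAGE, 0: make_table([(0x83, 63, 2104452)], signed=False)}  # sector 0 without 0xAA55
```

`list_partitions(IMAGE)` yields the absolute starts 4209093, 8402058 and 12595023 that the OpenBSD listing prints for the logical partitions, while `list_partitions(UNSIGNED)` finds no table at all, which is the condition the "Signature: 0x0" listing shows for sector 0.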