Scanning infected hard drives by hooking them up to another machine

Question

+warwagon    13,504

As a lot of people on this forum probably know, I'm more of the mindset of formatting a machine after a malware infection.

Just recently I have been testing out some malware removal procedures using a test machine. I installed Windows XP on the test machine and then proceeded to infect it with a TDSS rootkit, Koobface, a fake AV and a few other Trojans.

I then hooked the hard drive up to my spare laptop using an IDE-to-USB adaptor (it also supports SATA). I didn't even remove the drive from the computer: I just unplugged the IDE cable and plugged in the adapter instead, then turned the computer on and let it power the drive (one less cord I had to deal with). Then I proceeded to scan the drive using Avira. I must say it did quite a fantastic job. It got rid of Koobface, found the TDSS rootkit (because we were scanning outside the test machine's OS) and a few other Trojans. I then did a scan with Malwarebytes, which came up with nothing; Avira pretty much found it all.

At the time my laptop was running off a 4 GB flash card using a flash-to-IDE adaptor. I just installed an 80 GB IDE drive in it, then installed all the Windows updates, Malwarebytes, SUPERAntiSpyware and Avira, and all the program definition updates.

When I was done I installed Windows SteadyState with Disk Protection:

http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

This means that once the laptop is done scanning the hard drive, I can reboot the laptop and any changes made to the laptop are automatically reverted to the previous state. I installed it on the off chance I infect the laptop through the external drive, even though I have AutoPlay turned off (never can be too careful).

I can also turn the laptop on, do the Windows updates and the definition updates, and then upon reboot tell it to commit the changes to disk. It reboots Windows, saves the changes and then reboots once more.

The laptop is also connected to the internet via a VLAN port on my router, so it's completely separate from my home network.

So I would recommend hooking up an infected drive to another computer to scan it, for a few reasons:

1) None of the infected files are active, so there is no buddy system at play (kill one piece of malware and its buddy starts it right back up).

2) Rootkits are detected during the virus scan. Because we are in a separate OS, the rootkit(s) cannot hide from the operating system.

3) Scanning may go faster because the drive is only being scanned and not doing other stuff.

I was looking into rescue CDs and BartPE options, but this is far easier.

Anyway just thought I would pass this on.


7 answers to this question

gdodson    24

I agree that this is a great idea because you can also run chkdsk, etc., and not have to worry about releasing all handles to the drive like you would when in a PE. The disadvantage is that the registry hives are not mounted with the method that you describe, so you will want to run an AV on the infected OS so that the registry hives can be scanned as well. Although this will still be a lot easier once the infections are gone.
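The point about the registry hives is worth acting on from the clean side too: the hive files are ordinary files on the attached disk, and Windows can mount them read-only under a temporary key without booting the infected OS. The script below is an added example, not code from this thread or from any of the products mentioned; it assumes the infected system volume shows up as E: on the scanning laptop and runs from an elevated PowerShell. It loads the offline SOFTWARE hive and each profile's NTUSER.DAT with reg.exe and lists the usual autostart locations, which is where a fake AV or Trojan leaves the entries that restart it. Parsing a hive only reads data; nothing from the infected disk is executed.

```powershell
# Added example (not code from the thread): list autostart entries stored in the
# registry hives of an offline Windows installation attached to another machine.
# Assumptions: the infected system volume is E:, and this runs from an elevated
# PowerShell on the scanning host.
$OfflineRoot = 'E:'   # assumption: drive letter of the attached infected volume

function Show-OfflineAutostart {
    param(
        [string]$HivePath,   # path to SOFTWARE or NTUSER.DAT on the offline disk
        [string[]]$SubKeys   # subkeys (relative to the hive root) to list
    )
    $MountKey = 'HKLM\OfflineHive'       # temporary mount point under HKLM
    & reg.exe load $MountKey $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $HivePath"; return }
    try {
        foreach ($Sub in $SubKeys) {
            $Key = "HKLM:\OfflineHive\$Sub"
            if (-not (Test-Path $Key)) { continue }
            Write-Host "== $HivePath :: $Sub"
            $Props = Get-ItemProperty -Path $Key
            foreach ($P in $Props.PSObject.Properties) {
                if ($P.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
                '{0,-30} {1}' -f $P.Name, $P.Value
            }
        }
    }
    finally {
        # Drop handles before unloading, otherwise reg.exe reports the hive as still in use.
        [gc]::Collect()
        & reg.exe unload $MountKey | Out-Null
    }
}

# Machine-wide autostart locations in the SOFTWARE hive (32-bit view included).
Show-OfflineAutostart -HivePath "$OfflineRoot\Windows\System32\config\SOFTWARE" -SubKeys @(
    'Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows\CurrentVersion\RunOnce',
    'Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell/Userinit values are popular fake AV targets
)

# Per-user autostart entries live in each profile's NTUSER.DAT (XP and Vista+ profile paths).
$ProfileRoots = @("$OfflineRoot\Documents and Settings", "$OfflineRoot\Users") | Where-Object { Test-Path $_ }
foreach ($Root in $ProfileRoots) {
    Get-ChildItem -Path $Root -Directory -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $NtUser = Join-Path $_.FullName 'NTUSER.DAT'
        if (Test-Path $NtUser) {
            Show-OfflineAutostart -HivePath $NtUser -SubKeys @(
                'Software\Microsoft\Windows\CurrentVersion\Run',
                'Software\Microsoft\Windows\CurrentVersion\RunOnce'
            )
        }
    }
}
```

Anything listed here that points at a file the scanner already deleted is a leftover that will produce an error at logon; anything it missed shows up as a command line you can hand to the scanner. The unload in the finally block matters: a hive left mounted under HKLM keeps the external disk locked until the host reboots.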

+warwagon    13,504

I agree that this is a great idea because you can also run chkdsk, etc and not have to worry about releasing all handles to the drive like you would when in a PE. The disadvantage is that the registry hives are not mounted with the method that you describe, so you will want to run an AV on the infected OS so that registry hives can be scanned as well. Although this will still be a lot easier once the infections are gone.

Yep, the registry scans with Malwarebytes will have to be done in the test machine's OS, but that's a pretty quick scan.

goretsky    1,120

Hello,

You may wish to consider disabling AutoRun/AutoPlay on the PC doing the scanning to prevent accidental running of malware through AUTORUN.INF in the root of the disk volume.

For further security, you could use a different operating system on the computer doing the scanning, such as Linux, to prevent accidental execution of code from the infected hard disk drive.

Regards,

Aryeh Goretsky
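Both the original post (scanning the attached drive from a clean laptop with AutoPlay off) and the advice above (disable AutoRun/AutoPlay on the scanning PC) can be put into one script for the scanning host. This is an added example and not code from the thread or from the products it names; the thread's author scanned with Avira, and this uses Windows Defender's command-line scanner MpCmdRun.exe as a stand-in because its switches are documented. It assumes the external disk was assigned drive letter D: and that it runs from an elevated PowerShell.

```powershell
# Added example (not code from the thread): prepare the scanning host, then scan
# the attached infected volume from the clean OS. Assumption: the external disk
# was assigned drive letter D:. MpCmdRun.exe is used in place of Avira.
$InfectedVolume = 'D:\'   # assumption

# 1. Disable AutoRun for every drive type (bitmask 0xFF) and autorun.inf handling
#    through the Explorer policy keys, so attaching the disk cannot execute
#    anything from it. Applied machine-wide and for the current user.
foreach ($Hive in 'HKLM', 'HKCU') {
    $Policy = "${Hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $Policy)) { New-Item -Path $Policy -Force | Out-Null }
    Set-ItemProperty -Path $Policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
    Set-ItemProperty -Path $Policy -Name NoAutorun          -Value 1    -Type DWord
}

# 2. Sanity checks: the volume must exist and must not be the host's own system drive.
if (-not (Test-Path $InfectedVolume)) { throw "Volume $InfectedVolume is not mounted" }
if ($InfectedVolume.TrimEnd('\') -ieq $env:SystemDrive) {
    throw 'Refusing to scan the host system drive as if it were the infected disk'
}

# 3. Custom scan (ScanType 3) of the whole volume. Add -DisableRemediation to
#    detect without cleaning if you want to keep samples for a second opinion.
$MpCmdRun = Join-Path $env:ProgramFiles 'Windows Defender\MpCmdRun.exe'
& $MpCmdRun -Scan -ScanType 3 -File $InfectedVolume
switch ($LASTEXITCODE) {
    0       { 'Scan finished: no threats found' }
    2       { 'Scan finished: threats were found; details are in MpCmdRun.log under %ProgramData%\Microsoft\Windows Defender\Support' }
    default { Write-Warning "MpCmdRun exited with code $LASTEXITCODE" }
}
```

The policy values survive a SteadyState rollback only if they are committed as described in the original post, so run step 1 once with Disk Protection set to save changes and confirm the values are still present after the next reboot before relying on them.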

+warwagon    13,504

Hello,

You may wish to consider disabling AutoRun/AutoPlay on the PC doing the scanning to prevent accidental running of malware through AUTORUN.INF in the root of the disk volume.

For further security, you could use a different operating system on the computer doing the scanning, such as Linux, to prevent accidental execution of code from the infected hard disk drive.

Regards,

Aryeh Goretsky

That's what the VLAN, AutoRun turned off and the SteadyState reboot should help with :)

Sn00pY    11

Whilst I agree this is a fair idea, I just don't see the point in spending the time. I'd only bother going to this much hassle (IMHO adding an IDE-to-USB adapter to the laptop, mounting, etc. etc. is hassle; you may not agree) if I had some very important data on that particular machine.

Otherwise I'd suggest incremental images/backups and just restore - a bit like what you are doing with SteadyState ;)

Decent guide though, don't let me detract from the effort you put in and the kudos for doing the guide.

goretsky    1,120

Hello,

D'oh. Just went back, re-read and noticed you mentioned "auto play." :)

I don't think SteadyState is available under Microsoft Windows 7, but installing Windows Vista (if your notebook computer can run it at a decent speed) might decrease the attack surface even further.

Regards,

Aryeh Goretsky

That's what the VLAN, AutoRun turned off and the SteadyState reboot should help with :)

Skulltrail    4

Very comprehensive walkthrough. (Y) I've never heard of Windows SteadyState until you suggested it. I thank you for that.

I have searched for a program like that for quite some time. My school's IT department uses DeepFreeze, which is costly. WSS is a great free alternative.

Keep up the good work.

EDIT: Any news on when WSS will be Windows 7 compliant?
