Warning: the following method for unlocking hard drives will delete all stored data.
I am not responsible for any lost data; do not follow this procedure unless you want to delete all data from the hard drive.
Note: there are more advanced methods of unlocking HDDs that claim to preserve the stored data.
1) Boot into the Ultimate Boot CD (UBCD)
Download at:
http://www.ultimatebootcd.com/
2) UBCD -> HDD -> Diagnosis -> MHDD 4.6 (or whatever the latest version on the UBCD is)
3) Run the following commands:
FASTERASE
(you will be asked to enter a password; pick whatever you want)
(FASTERASE issues the ATA SECURITY ERASE UNIT command and will take a long time to run: it is erasing every sector on the HDD)
(after FASTERASE finishes you will see that the HDD is no longer BUSY)
DISPWD
(choose to enter the user password, then type the password you just chose)
Congrats, your HDD should now be unlocked.
Two things to check first: only drives that implement the ATA security feature set accept these commands at all, and a drive whose security state the BIOS has "frozen" at boot ignores them until it has been power-cycled. If the drive reports itself as locked, the erase is only accepted with a password the drive already knows (the user password, or the drive's master password, which many vendors leave at a default), so "any password" only works on a drive that is not actually in the locked state.
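The check a practitioner wants before step 3 is whether the drive really supports the ATA security feature set and whether it is locked or frozen. The bash script below is an added example, not part of the original post or of MHDD: it parses the Security block of hdparm -I output (the Linux view of the same drive state MHDD shows) and prints the hdparm commands that correspond to FASTERASE and DISPWD. The device name /dev/sdX is an assumption, and the sample hdparm output is constructed for the example, not captured from a real drive.

```bash
#!/bin/bash
# Added example, not part of the original post or of MHDD: read a drive's ATA
# security state before erasing it. MHDD's FASTERASE sends the ATA SECURITY
# ERASE UNIT command and DISPWD sends SECURITY DISABLE PASSWORD; hdparm exposes
# the same commands on Linux. /dev/sdX and the sample output are assumptions.

# Extract one flag (supported|enabled|locked|frozen) from the "Security:" block
# of "hdparm -I" output. hdparm prints "<tab><tab>flag" when the bit is set and
# "<tab>not<tab>flag" when it is clear; the block ends at the next unindented line.
ata_sec_flag() {   # usage: hdparm -I /dev/sdX | ata_sec_flag locked   -> yes|no|unknown
    awk -v flag="$1" '
        /^Security:/                     { insec = 1; next }
        insec && /^[^ \t]/               { insec = 0 }
        insec && $0 == ("\t\t" flag)     { print "yes"; found = 1; exit }
        insec && $0 == ("\tnot\t" flag)  { print "no";  found = 1; exit }
        END { if (!found) print "unknown" }'
}

# Reduce the flags to one state word, most restrictive condition first.
ata_sec_state() {  # usage: hdparm -I /dev/sdX | ata_sec_state
    local out
    out=$(cat)
    [ "$(printf '%s\n' "$out" | ata_sec_flag supported)" = yes ] || { echo unsupported; return 0; }
    [ "$(printf '%s\n' "$out" | ata_sec_flag frozen)" = yes ]   && { echo frozen;  return 0; }
    [ "$(printf '%s\n' "$out" | ata_sec_flag locked)" = yes ]   && { echo locked;  return 0; }
    [ "$(printf '%s\n' "$out" | ata_sec_flag enabled)" = yes ]  && { echo enabled; return 0; }
    echo clear
}

# Print the hdparm commands that correspond to the MHDD steps for this state.
ata_sec_plan() {   # usage: hdparm -I /dev/sdX | ata_sec_plan /dev/sdX
    local dev="$1"
    case "$(ata_sec_state)" in
        unsupported) echo "no ATA security feature set on $dev; nothing to unlock" ;;
        frozen)      echo "security state frozen by the BIOS: power-cycle (or suspend/resume) the drive, then retry" ;;
        locked)      echo "drive locked: erase with a password the drive already knows (user, or vendor master):"
                     echo "  hdparm --user-master m --security-erase MASTERPASS $dev   # like FASTERASE" ;;
        enabled)     echo "password set but drive unlocked: clear it:"
                     echo "  hdparm --user-master u --security-disable USERPASS $dev   # like DISPWD" ;;
        clear)       echo "no password set on $dev; already unlocked" ;;
    esac
}

# Constructed "hdparm -I" Security block (not real device output).
# Arguments: enabled locked frozen, each yes or no.
flagline() { if [ "$1" = yes ]; then printf '\t\t%s\n' "$2"; else printf '\tnot\t%s\n' "$2"; fi; }
sample_hdparm() {
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    flagline "$1" enabled
    flagline "$2" locked
    flagline "$3" frozen
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Typical use on a real machine:  hdparm -I /dev/sdb | ata_sec_plan /dev/sdb
```

The order of the tests in ata_sec_state matters: a frozen drive silently ignores every security command, so that has to be reported before "locked", and a locked drive will only take the erase or an unlock with a matching password, which is why the plan for it is the master-password erase rather than a plain disable.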
For information on HDDs check out:
http://hddguru.com/
Mark's Tech Support
Disclaimer: Please note that while all advice posted on this blog is well intended, I cannot verify that anything here will help your computer or that it will not cause an unexpected problem. Use at your own risk.
Wednesday, October 26, 2011
MBR Rootkit Detection
Additional Background on the MBR:
http://en.wikipedia.org/wiki/Master_boot_record
Detecting Master Boot Record (MBR) rootkits can be difficult. An infection will often hook the disk read path and, when something asks for sector 0, return the MBR as it was before the infection rather than the one actually on disk.
There are many tools which can be run within Windows that claim to detect MBR rootkits, but I have seen false negatives more than once in practice and like to do the following:
Boot into an Ubuntu Live CD or Parted Magic (really anything with a half-decent terminal should work). The live kernel reads the disk with its own driver, so the infected Windows install never gets a chance to lie about sector 0.
Open the Terminal (check with fdisk -l that /dev/sda really is the Windows disk first):
sudo dd if=/dev/sda of=mbr.bin bs=512 count=1
file mbr.bin > mbr.txt
mbr.bin now holds the real MBR (keep it, it is also your backup) and mbr.txt holds the description of it printed by file, so you don't need to worry that the infection handed you a fake MBR. Note that file describes the sector as if it were a FAT boot sector: "Bytes/sector", "hidden sectors", "physical drive" and the other fields are bytes of the MBR boot code read through a FAT BIOS Parameter Block template, which is exactly why they change whenever the boot code changes.
Example of infected MBR:
x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312371200 sectors, code offset 0xc0, OEM-ID " м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 1203331323, sectors 103464193 (volumes > 32 MB) , physical drive 0xd2, reserved 0x4e, dos < 4.0 BootSector (0x0)
This particular computer was infected with the TDL4 rootkit.
The way that this MBR differs from a clean one can be seen here:
physical drive 0xd2, reserved 0x4e
Usually in this area the MBR would have:
physical drive 0x7e
These two "fields" are simply bytes 0x24 and 0x25 of the sector. In the stock Windows 7 boot code they are 0x7e 0x00 (file only prints "reserved" when byte 0x25 is non-zero), so any other value means the boot code has been rewritten; the "hidden sectors" and "sectors (volumes > 32 MB)" fields, bytes 0x1c to 0x23, differ for the same reason. The partition table is worth a look too: partition 2 is 2048 sectors (1 MB) shorter in the infected MBR, and unpartitioned space at the end of the disk is where TDL4 keeps its hidden file system.
For this example the clean MBR looked like this:
x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312373248 sectors, code offset 0xc0, OEM-ID " м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 309755, sectors 2147991229 (volumes > 32 MB) , physical drive 0x7e, dos < 4.0 BootSector (0x0)
Please note that the above example may not be representative of the MBR on any given machine, clean or infected; the clean one shown is the stock Windows 7 MBR, and other Windows versions and third-party boot managers ship different code. If you are unsure whether an MBR is infected then my suggestion would be to keep mbr.bin as a backup, rewrite the MBR with fixmbr from the Windows XP Recovery Console (bootrec /fixmbr from the Vista/7 recovery environment), and dump it again to see if there are any differences (if you have multiple operating systems installed, fixmbr may result in you only being able to boot Windows until you restore the MBR to its previous state). On a GPT-partitioned disk sector 0 only holds a protective MBR and the boot code that matters lives elsewhere, so this check does not apply there.
Sunday, July 3, 2011
Safe and Reliable Data Backup Solution
To backup data using this procedure you will need the following:
1) External storage media to transfer files to (e.g. an external HDD)
2) Parted Magic Boot CD
(download from: http://partedmagic.com/doku.php?id=downloads )
3) Parted Magic Backup Script
(download from: http://www.mediafire.com/?a6a5ppd507qnca9 )
Procedure:
1) Burn a Parted Magic Boot CD using a program like Active ISO
(http://download.cnet.com/Active-ISO-Burner/3000-2646_4-10602452.html )
2) Boot your computer from the Parted Magic Boot CD (you may need to go into BIOS and change preferred boot order)
3) Download the Backup Script and then extract it to the Desktop (location is arbitrary but the Desktop will be used in this tutorial)
4) Open up the Terminal and type the following to start the script:
cd Desktop
./Backupscript-partedmagic.sh
The script should now start and provide you with instructions for backing up your data.
Troubleshooting:
Issue:
The terminal says permission is denied to open the script.
Solution:
In the terminal type:
chmod +x Backupscript-partedmagic.sh
Issue:
The terminal says the file was not found.
Solution:
Make sure you are in the correct directory where the script is located
You can change directories in the terminal with the "cd" command
Issue:
The script cannot mount my hard drive.
Solution:
Given that your operating system is not working, there is likely an issue with the filesystem on your partition. The best way to recover data from it is to use a program called PhotoRec (also found on Parted Magic). If PhotoRec doesn't help you (I will post a tutorial on it soon) then you may need to see a professional data recovery service. Feel free to message me if you aren't sure.
Notes on the script:
-This script will help you back up files from any computer that can boot off of Parted Magic to external media.
-It works off of a preset blacklist. It will copy all files on your computer except for those on my blacklist (which includes things such as Windows or Program Files).
-This script will work best on a computer that is plugged into the internet via an ethernet cord (wireless will work as well, but you have to configure it manually).
-The network transfer option in the script requires you to type a command to mount a network drive. The mount point (/media/mtpt below) must already exist, and the options after -o are separated by commas with no spaces.
Example:
mount.cifs //markbackup.somedomain.com/backup /media/mtpt -o user=mark,pass=pass
(that isn't a real backup server, but the syntax is correct). Passing pass= on the command line leaves the password in the shell history and visible to anyone who can run ps; mount.cifs also accepts -o credentials=FILE, where FILE holds username= and password= lines and should be readable only by root.
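The backup script itself is not on this page, so the following is an added example, not the script from the post: it mounts the share with a credentials file instead of a password on the command line, then copies a mounted Windows volume to the share minus a blacklist of directories that hold no user data, the same idea the post's script uses. The server name, share, mount point, credentials path and blacklist entries are assumptions.

```bash
#!/bin/bash
# Added example, not part of the original post or its script: mount the backup
# share without putting the password on the command line, then copy a Windows
# volume to it minus the directories that hold no user data. Server, share,
# mount point and credentials path are assumptions.

# Write the credentials file mount.cifs expects (username=, password=, and
# optionally domain=), created with mode 0600 so only root can read it.
write_cifs_credentials() {   # write_cifs_credentials FILE USER PASS [DOMAIN]
    (
        umask 077
        {
            printf 'username=%s\n' "$2"
            printf 'password=%s\n' "$3"
            if [ -n "${4:-}" ]; then printf 'domain=%s\n' "$4"; fi
        } > "$1"
    )
}

# Mount a CIFS share using that file, so the password never shows up in the
# shell history or in "ps" output.
mount_backup_share() {   # mount_backup_share //server/share /media/mtpt /root/.backup-creds
    local share="$1" mtpt="$2" creds="$3"
    [ -r "$creds" ] || { echo "missing credentials file $creds" >&2; return 1; }
    chmod 600 "$creds"
    mkdir -p "$mtpt"
    mount.cifs "$share" "$mtpt" -o "credentials=$creds,iocharset=utf8"
}

# Top-level entries on a Windows system volume that hold no user data.
# Everything not listed here gets copied; extend the list as you see fit.
backup_blacklist() {
    cat <<'EOF'
Windows
Program Files
Program Files (x86)
ProgramData
$Recycle.Bin
System Volume Information
pagefile.sys
hiberfil.sys
EOF
}

# Copy SRC (the mounted Windows volume) to DST (the backup share) skipping the
# blacklist. tar is used instead of cp so that names with spaces, timestamps and
# empty directories survive; the "./" prefix pins each pattern to the top level,
# so a user's own folder called "Windows" is still copied.
backup_tree() {   # backup_tree /media/sda2 /media/mtpt/laptop-2011-07-03
    local src="$1" dst="$2" xf
    xf=$(mktemp)
    backup_blacklist | sed 's|^|./|' > "$xf"
    mkdir -p "$dst"
    tar -cf - -X "$xf" -C "$src" . | tar -xpf - -C "$dst"
    rm -f "$xf"
}

# Typical run from the Parted Magic terminal (paths are assumptions):
#   write_cifs_credentials /root/.backup-creds mark 'the-password' WORKGROUP
#   mount_backup_share //markbackup.somedomain.com/backup /media/mtpt /root/.backup-creds
#   backup_tree /media/sda2 /media/mtpt/laptop-2011-07-03
```

The blacklist is the one design choice worth arguing about: leaving ProgramData and the user profile's AppData in or out trades backup size against recovering e-mail stores and browser profiles, so check what the owner actually keeps before deciding.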
Thursday, June 30, 2011
How to: Clone a VM for VirtualBox
The following is the command for cloning a .vdi virtual HDD for VirtualBox. Use it rather than a plain file copy: a copied .vdi keeps the original's UUID and VirtualBox refuses to register two disks with the same UUID, whereas clonehd gives the clone a new one.
Mac OS/Linux:
Open the terminal
Type:
VBoxManage clonehd source.vdi target.vdi
Example:
Suppose you have a virtual machine with a hdd called: "virtualhdd.vdi"
"virtualhdd.vdi" is located on /Users
You will make a clone of this hdd called: "clone.vdi" on /Users
You will type:
VBoxManage clonehd /Users/virtualhdd.vdi /Users/clone.vdi
Alternatively you could do:
cd /Users
VBoxManage clonehd virtualhdd.vdi clone.vdi
For Windows the command is the same, but you must navigate cmd into the directory that contains VBoxManage (by default C:\Program Files\Oracle\VirtualBox). In newer VirtualBox releases the subcommand is called clonemedium disk; clonehd is still accepted as the old spelling.
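A small wrapper around the command above, as an added example that is not part of the original post: it refuses to overwrite an existing target, uses the current clonemedium disk spelling, and checks afterwards (by reading VBoxManage showmediuminfo) that the clone really got a UUID of its own. The paths are assumptions and the showmediuminfo text in the sample is constructed, not real VBoxManage output.

```bash
#!/bin/bash
# Added example, not part of the original post: clone a VirtualBox disk image
# safely and confirm the clone has its own UUID. "clonemedium disk" is the
# current name of the subcommand (VBoxManage still accepts the old "clonehd").
# The paths are assumptions.

# Refuse to clobber an existing target; VirtualBox would otherwise stop
# part-way with a less obvious error.
clone_vdi() {   # clone_vdi SOURCE.vdi TARGET.vdi
    local src="$1" dst="$2"
    [ -f "$src" ] || { echo "source $src not found" >&2; return 1; }
    [ -e "$dst" ] && { echo "target $dst already exists; not overwriting" >&2; return 1; }
    VBoxManage clonemedium disk "$src" "$dst"
}

# Pull the UUID out of "VBoxManage showmediuminfo disk FILE" output
# (the first line, "UUID:           <uuid>"; "Parent UUID:" is skipped).
medium_uuid() {   # VBoxManage showmediuminfo disk x.vdi | medium_uuid
    awk -F ':' '$1 == "UUID" { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# A plain file copy keeps the source UUID and VirtualBox refuses to register
# two media with the same one; a real clone must differ.
uuids_differ() {   # uuids_differ UUID1 UUID2 -> exit 0 if both set and distinct
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Constructed showmediuminfo output (not real VBoxManage output).
sample_mediuminfo() {   # sample_mediuminfo UUID LOCATION
    printf 'UUID:           %s\n' "$1"
    printf 'Parent UUID:    base\n'
    printf 'State:          created\n'
    printf 'Type:           normal (base)\n'
    printf 'Location:       %s\n' "$2"
    printf 'Storage format: VDI\n'
}

# Real-world use (paths are assumptions):
#   clone_vdi /Users/virtualhdd.vdi /Users/clone.vdi
#   src=$(VBoxManage showmediuminfo disk /Users/virtualhdd.vdi | medium_uuid)
#   dst=$(VBoxManage showmediuminfo disk /Users/clone.vdi | medium_uuid)
#   uuids_differ "$src" "$dst" && echo "clone registered with its own UUID"
```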
How to Fix: .exe files won't open on my computer
Hello,
Exe files not opening properly is an issue that commonly occurs after malware removal.
The cause is usually a hijacked file association in the Windows Registry.
First thing you need to do is get into regedit.
You can usually still open it by running it as administrator.
Once regedit is open navigate to:
HKEY_CLASSES_ROOT\exefile\shell\open\command
The (Default) value there should be exactly "%1" %* (the quotes around %1 are part of the value).
Alternatively, the small registry script below sets the default value back. To create it, right-click on the desktop, go to New, then click Text Document. Open the text document and paste in exactly the following three lines:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
then save the file as: fix.reg
Open the file and when it asks you if you want to merge the registry click yes.
This should fix most issues with opening exe files. If this does not help you, verify that the registry value really is "%1" %*, and also check the per-user copy at HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command (and HKEY_CURRENT_USER\Software\Classes\.exe): HKEY_CLASSES_ROOT is a merged view in which the per-user keys win, so a hijack there survives fixing the machine-wide value. Or send me a msg. Sometimes if you try to fix this issue too early you need to go back and remove malware from the computer first.
Mark
ABP + NoScript = Safer Browsing
Web browsing is one of the most common vectors for malware infection.
By making your web browsing safer you can significantly reduce your overall risk of infection.
One way you can do this is by using the Ad Block Plus and NoScript addons for Mozilla Firefox:
NoScript essentially works by blocking all scripts except those from whitelisted domains (ones you give the ok to)
-It will by default only allow scripts to run on very few websites and it is up to you to decide which ones you think are safe
->Admittedly this gets annoying especially when you first start but if you want an extra layer of protection it is worth it
Ad Block Plus works by creating a blacklist of advertisements on the web
-The danger with advertisements is that some vendors do not regulate content well and sometimes serve so called "malvertisements" which will attempt to infect your computer. If you simply block advertisements then your risk of getting a malvertisement will go down.
->I have seen computers that have been infected by malvertisements served from a variety of ad networks on a range of websites. I believe there was actually a malvertisement on the New York Times main website a while back.
->The drawback of Ad Block Plus is that it might block advertisements that you are interested in viewing. You can disable it on pages of your choice
So when looking at the two together:
-NoScript will minimize your risk significantly and only run scripts on websites of your choice.
-Ad Block Plus serves as an extra layer of protection for the websites you choose to run scripts on. If such a website is in a position to infect you it is probably through a malvertisement, so Ad Block Plus would likely protect you in those cases.
**Note**
Running ABP and NoScript together is not guaranteed to make your computer impervious to browsing attacks. Common sense is still your best tool and should not be neglected.
Wednesday, June 29, 2011
Trick for speeding up virus removal
Premise: deleting files is faster than scanning them (especially multiple times).
You can speed up virus removal by running a program such as CCleaner before running any scanners. CCleaner removes a large number of useless and potentially infected files (temporary files, browser caches and the like). By decreasing the total number of files that your cleaning programs have to go through you will decrease the length of the scans; the more scans you plan to run, the more time this approach saves.
Make sure to check the recycle bin before running it; some people leave surprisingly important stuff in there. Bear in mind, too, that those temporary files and caches are where the evidence of how the machine got infected lives, so if you need to answer that question, copy them somewhere first.
Mark