Wednesday, October 26, 2011

Remove Hard Drive Password

Warning: The following method for unlocking hard drives will delete all stored data.
I am not responsible for any lost data; do not follow this procedure unless you want to delete all data from the hard drive.

Note: there are more advanced methods of unlocking HDDs that claim to save stored data

1) Boot into the Ultimate Boot CD (UBCD)
Download at:
http://www.ultimatebootcd.com/

2) UBCD->HDD->Diagnosis->MHDD 4.6 (or whatever the latest version on the UBCD is)

3) Run the following commands:
FASTERASE
(you will be asked to enter a password, pick whatever you want)
(FASTERASE will take a long time to run; it is erasing all data on your HDD)
(after FASTERASE finishes you will see that the HDD is no longer BUSY)
DISPWD
(choose to enter the user password then type the password you just chose)

Congrats, your HDD should now be unlocked.

For information on HDDs check out:
http://hddguru.com/

MBR Rootkit Detection

Additional Background on the MBR:
http://en.wikipedia.org/wiki/Master_boot_record

Detecting Master Boot Record (MBR) rootkits can be difficult. Oftentimes an infection will intercept calls to read the MBR and return a saved copy of the pre-infection MBR rather than the actual one on disk.

There are many tools which can be run within Windows that claim to detect MBR rootkits but I have seen false negatives more than once in practice and like to do the following:

Boot into an Ubuntu Live CD or Parted Magic (really anything with a half-decent terminal should work)

Open the Terminal:

sudo dd if=/dev/sda of=mbr.bin bs=512 count=1
file mbr.bin >> mbr.txt

Now if you open mbr.txt you have file's description of your real MBR; because the rootkit is not running under the live CD, it cannot hand you a fake MBR.

Example of infected MBR:

x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312371200 sectors, code offset 0xc0, OEM-ID "      м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 1203331323, sectors 103464193 (volumes > 32 MB) , physical drive 0xd2, reserved 0x4e, dos < 4.0 BootSector (0x0)

This particular computer was infected with the TDL4 rootkit.
The way that this MBR differs from a clean one can be seen here:
physical drive 0xd2, reserved 0x4e

Usually in this area the MBR would have:
physical drive 0x7e

For this example the clean MBR looked like this:

x86 boot sector; partition 1: ID=0x7, active, starthead 32, startsector 2048, 204800 sectors; partition 2: ID=0x7, starthead 223, startsector 206848, 312373248 sectors, code offset 0xc0, OEM-ID "      м", Bytes/sector 190, sectors/cluster 124, reserved sectors 191, FATs 6, root entries 185, sectors 64514 (volumes <=32 MB) , Media descriptor 0xf3, sectors/FAT 20644, heads 6, hidden sectors 309755, sectors 2147991229 (volumes > 32 MB) , physical drive 0x7e, dos < 4.0 BootSector (0x0)


Please note that the above example may not be representative of the MBR on any given machine, clean or infected. If you are unsure whether an MBR is infected then my suggestion would be to save the mbr.bin as a backup, run fixmbr from the Windows Recovery Console, and then compare the two (if you have multiple operating systems installed, fixmbr may result in you only being able to boot Windows until you restore the MBR to its previous state).
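A point worth knowing when reading the file output above: an MBR has no FAT boot record, so the "Bytes/sector", "hidden sectors" and "physical drive" fields are just bytes of the bootstrap code read at fixed offsets as if the sector were a FAT volume ("physical drive 0x7e" is the byte at offset 0x24 of the standard Windows 7 MBR code). A difference there means the boot code itself was rewritten, while the partition table lives at a fixed offset (0x1be) and is better compared field by field. The following Python script is an added example, not code from the original post: it compares a suspect mbr.bin against a trusted copy (the backup-then-fixmbr approach above, or a dump from a known-clean machine with the same Windows version) and reports boot-code byte offsets, the disk signature, and partition-table fields separately. The two sample sectors built inside it are constructed: the "boot code" is a byte pattern rather than real code, the partition sizes are modelled on the two file lines shown above, and the script name mbrdiff.py is just a suggestion.

```python
"""Compare a suspect MBR dump against a trusted one, region by region.

Example code added to this page; it is not from the original post. The two
512-byte sectors built below are constructed for illustration: the "boot code"
is a byte pattern, not real bootstrap code, and the partition sizes are
modelled on the two file(1) lines shown above.
"""
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_END = 0x1B8     # bootstrap code occupies bytes 0x000-0x1B7
DISK_SIG_OFF = 0x1B8      # 4-byte Windows disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
SIGNATURE_OFF = 0x1FE     # boot signature 0x55 0xAA
PART_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA, size


def parse_partitions(mbr):
    """Decode the four classic partition-table entries of a 512-byte sector."""
    entries = []
    for i in range(4):
        status, ptype, lba, size = struct.unpack_from(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "start_lba": lba, "sectors": size})
    return entries


def compare_mbr(trusted, suspect):
    """Return which regions of `suspect` differ from `trusted`.

    Boot-code differences are listed as byte offsets; partition-table
    differences as (entry, field, trusted_value, suspect_value).
    """
    if len(trusted) != MBR_SIZE or len(suspect) != MBR_SIZE:
        raise ValueError("both inputs must be exactly 512 bytes (dd bs=512 count=1)")
    boot_diffs = [i for i in range(BOOT_CODE_END) if trusted[i] != suspect[i]]
    part_diffs = []
    for t, s in zip(parse_partitions(trusted), parse_partitions(suspect)):
        for field in ("active", "type", "start_lba", "sectors"):
            if t[field] != s[field]:
                part_diffs.append((t["index"], field, t[field], s[field]))
    return {
        "boot_code_changed_bytes": boot_diffs,
        "disk_signature_changed": trusted[DISK_SIG_OFF:DISK_SIG_OFF + 4] != suspect[DISK_SIG_OFF:DISK_SIG_OFF + 4],
        "partition_table_diffs": part_diffs,
        "boot_signature_ok": suspect[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def build_sample_mbr(boot_code, partitions):
    """Assemble a sector from boot code and (status, type, start_lba, sectors) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, entry in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i, *entry)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Constructed stand-in for bootstrap code (a byte pattern, not real code).
CLEAN_BOOT = bytes((i * 7) & 0xFF for i in range(BOOT_CODE_END))
# Constructed "infected" variant: ten bootstrap bytes overwritten, ending with
# 0xd2 0x4e at offsets 0x24/0x25, the two bytes file(1) labels "physical drive"
# and "reserved" in the infected output above.
INFECTED_BOOT = bytearray(CLEAN_BOOT)
INFECTED_BOOT[0x1C:0x26] = b"\xfb\xf7\xba\x47\x01\x02\xab\x06\xd2\x4e"

# Partition layouts modelled on the page's clean and infected file(1) lines.
PARTS_CLEAN = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 312373248)]
PARTS_INFECTED = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 312371200)]
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT, PARTS_CLEAN)
INFECTED_MBR = build_sample_mbr(bytes(INFECTED_BOOT), PARTS_INFECTED)


def load_sector(path):
    """Read the first 512 bytes of a dump such as mbr.bin."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    # Usage: python mbrdiff.py trusted.bin suspect.bin (defaults to the constructed samples)
    if len(sys.argv) == 3:
        report = compare_mbr(load_sector(sys.argv[1]), load_sector(sys.argv[2]))
    else:
        report = compare_mbr(CLEAN_MBR, INFECTED_MBR)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it with the two dumps as arguments, or with no arguments to see the report for the constructed pair: the boot-code bytes 0x1c-0x25 and the size of partition 2 (2048 sectors shorter in the infected copy, as in the page's two file lines) show up as the only differences, while the disk signature and 0x55AA boot signature are unchanged. Comparing the regions separately matters because a legitimate fixmbr also rewrites the boot code, so on a real disk the partition-table and disk-signature checks are the ones that should come back clean after a repair.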