LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Viruses and the Master Boot Record (http://www.linuxquestions.org/questions/linux-security-4/viruses-and-the-master-boot-record-820091/)

Steve R. 07-15-2010 09:29 PM

Viruses and the Master Boot Record
 
I have a dual boot computer. The WindowsXP "side" has been infected with a rootkit virus. So far UBUNTU has not been affected to my knowledge. I have not yet been able to remove the virus from the WindowsXP "side". I am thinking of deleting the NTFS partition and have the computer fully dedicated to UBUNTU.

Now for my question. Is there a possibility that the virus resides in the MBR and that I need to "rebuild" the MBR to actually remove the virus?

Even more extreme, should I totally re-install UBUNTU in the name of safety and precaution.

yancek 07-15-2010 10:50 PM

Viruses written for windows won't work on Linux and AFAIK, the reverse is also true. So, do you boot both systems with the xp bootloader or with Ubuntu Grub? If the latter, I would not expect it to be a problem. It is a simple process though, to re-install Grub which would overwrite your mbr.

Reinstalling Ubuntu I beleive, would be unnecessary and total overkill.

Steve R. 07-16-2010 10:37 AM

Quote:

Originally Posted by yancek (Post 4034834)
Viruses written for windows won't work on Linux and AFAIK, the reverse is also true. So, do you boot both systems with the xp bootloader or with Ubuntu Grub? If the latter, I would not expect it to be a problem. It is a simple process though, to re-install Grub which would overwrite your mbr.

Reinstalling Ubuntu I beleive, would be unnecessary and total overkill.

Thanks for the response. I do not know all the steps of the boot process. Looks like GRUB is used to boot either system based on the screens presented. To get into Windows, I have to scroll down to that option otherwise it just goes directly into Ubuntu.

My fear, even though it is a windows virus, is that if it is left on a LINUX based system that it could still be spread to windows based systems. This concern could be unfounded, but in real life some people who carry a virus don't get sick, but can still spread the disease.

Re-installing GRUB sounds like the appropriate solution. Now to read-up on that.

yancek 07-16-2010 11:02 AM

You did not indicate which version of Ubuntu you are using. If you are using 9.10 or newer, you have Grub2. This site has instructions on updating Grub2. If you are using an older version of Ubuntu with Grub Legacy, the instructions won't work.

http://www.dedoimedo.com/computers/grub-2.html

Steve R. 07-17-2010 01:16 PM

Quote:

Originally Posted by yancek (Post 4035424)
You did not indicate which version of Ubuntu you are using. If you are using 9.10 or newer, you have Grub2. This site has instructions on updating Grub2. If you are using an older version of Ubuntu with Grub Legacy, the instructions won't work.

http://www.dedoimedo.com/computers/grub-2.html

Ubuntu 10.04. Using an AMD64. Thanks.

saikee 07-17-2010 01:57 PM

A MS Windows needs to load a driver before it can read a Ext2/3 partition so there is no chance a virus on its own from a unbooted MS Windows can affect a Linux.

Also Ubuntu does not have a root user account and a user does not own the system files. Therefore as long as you are not in root your Ubuntu is safe.

Grub2 is the default Ubuntu 10.04 boot loader supplied in binary form. Virus cannot get inside to change the binary code. If a damage were inflicted it could possibly cause Grub2 unable to boot.

Steve R. 07-18-2010 12:59 PM

Quote:

Originally Posted by saikee (Post 4036494)
A MS Windows needs to load a driver before it can read a Ext2/3 partition so there is no chance a virus on its own from a unbooted MS Windows can affect a Linux.

Thanks. A sigh of relief. I have WindowsXP running again, but I am still going through some steps to verify whether the virus is still there.
Slow and tedious.

wertum 08-07-2010 06:17 AM

reinstall grub for full remove old mbr.
It's true method.

Steve R. 08-08-2010 12:05 PM

Thanks.

saikee 08-08-2010 01:11 PM

The MBR is only 512 bytes large. Out of that the partition table took up 64 bytes. Whatever is left generally can do very little.

MS Windows' MBR does only one thing in life and that is to check the 4 primaries and boot whatever one having the booting flag switched on (marked "active" in Windows or "bootable" in Linux).

When Grub is used to dual boot. The MBR is from Grub. Windows MBR would have been overwritten. Grub's MBR has only one task to perform and that is to load the second stage of Grub. The second stage of Grub is the real intelligence.

In Grub1 stage1 is 512 bytes and stage2 is about 125k. The second stage of Grub is always inside the system partition in the /boot/grub subdirectory.

Grub2 has the equivalent of boot.img in 512 bytes and core.img is only 24k large.

An infected Windows NTFS partition should have little effect to change Grub which is a system-own and cannot be changed by any user other than root.

Reinstalling Grub1 or Grub2 only rewrite the first 512 bytes.

Steve R. 08-09-2010 09:39 AM

Really good information. So far the WindowsXP mode for this computer now seems virus free thanks to the help at the Elder Geek. I seldom use WindowsXP on this computer. It is meant as a "backup" or "second" computer. But then it took only one bad something to catch a virus, even though there was an anti-virus program in operation.

Using Linux (Ubuntu) as the primary operating system.


All times are GMT -5. The time now is 11:18 PM.