LinuxQuestions.org
Old 07-15-2010, 10:29 PM   #1
Steve R.
Member
 
Registered: Jun 2009
Location: Morehead City, NC
Distribution: Ubuntu 14.04
Posts: 227

Rep: Reputation: 45
Viruses and the Master Boot Record


I have a dual boot computer. The WindowsXP "side" has been infected with a rootkit virus. So far UBUNTU has not been affected to my knowledge. I have not yet been able to remove the virus from the WindowsXP "side". I am thinking of deleting the NTFS partition and having the computer fully dedicated to UBUNTU.

Now for my question. Is there a possibility that the virus resides in the MBR and that I need to "rebuild" the MBR to actually remove the virus?

Even more extreme, should I totally re-install UBUNTU in the name of safety and precaution?

Last edited by Steve R.; 07-15-2010 at 10:32 PM.
 
Old 07-15-2010, 11:50 PM   #2
yancek
Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 5,115

Rep: Reputation: 817
Viruses written for windows won't work on Linux and AFAIK, the reverse is also true. So, do you boot both systems with the xp bootloader or with Ubuntu Grub? If the latter, I would not expect it to be a problem. It is a simple process though, to re-install Grub which would overwrite your mbr.

Reinstalling Ubuntu, I believe, would be unnecessary and total overkill.
 
1 members found this post helpful.
Old 07-16-2010, 11:37 AM   #3
Steve R.
Member
 
Registered: Jun 2009
Location: Morehead City, NC
Distribution: Ubuntu 14.04
Posts: 227

Original Poster
Rep: Reputation: 45
Quote:
Originally Posted by yancek
Viruses written for windows won't work on Linux and AFAIK, the reverse is also true. So, do you boot both systems with the xp bootloader or with Ubuntu Grub? If the latter, I would not expect it to be a problem. It is a simple process though, to re-install Grub which would overwrite your mbr.

Reinstalling Ubuntu, I believe, would be unnecessary and total overkill.
Thanks for the response. I do not know all the steps of the boot process. Looks like GRUB is used to boot either system based on the screens presented. To get into Windows, I have to scroll down to that option otherwise it just goes directly into Ubuntu.

My fear, even though it is a windows virus, is that if it is left on a LINUX based system that it could still be spread to windows based systems. This concern could be unfounded, but in real life some people who carry a virus don't get sick, but can still spread the disease.

Re-installing GRUB sounds like the appropriate solution. Now to read up on that.

Last edited by Steve R.; 07-16-2010 at 11:41 AM.
 
Old 07-16-2010, 12:02 PM   #4
yancek
Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 5,115

Rep: Reputation: 817
You did not indicate which version of Ubuntu you are using. If you are using 9.10 or newer, you have Grub2. This site has instructions on updating Grub2. If you are using an older version of Ubuntu with Grub Legacy, the instructions won't work.

http://www.dedoimedo.com/computers/grub-2.html
 
1 members found this post helpful.
Old 07-17-2010, 02:16 PM   #5
Steve R.
Member
 
Registered: Jun 2009
Location: Morehead City, NC
Distribution: Ubuntu 14.04
Posts: 227

Original Poster
Rep: Reputation: 45
Quote:
Originally Posted by yancek
You did not indicate which version of Ubuntu you are using. If you are using 9.10 or newer, you have Grub2. This site has instructions on updating Grub2. If you are using an older version of Ubuntu with Grub Legacy, the instructions won't work.

http://www.dedoimedo.com/computers/grub-2.html
Ubuntu 10.04. Using an AMD64. Thanks.
 
Old 07-17-2010, 02:57 PM   #6
saikee
Senior Member
 
Registered: Sep 2005
Location: Newcastle upon Tyne UK
Distribution: Any free distro.
Posts: 3,398
Blog Entries: 1

Rep: Reputation: 112
MS Windows needs to load a driver before it can read an Ext2/3 partition, so there is no chance a virus on its own from an unbooted MS Windows can affect Linux.

Also, Ubuntu does not have a root user account and a user does not own the system files. Therefore, as long as you are not in root, your Ubuntu is safe.

Grub2 is the default Ubuntu 10.04 boot loader, supplied in binary form. A virus cannot get inside to change the binary code. If damage were inflicted, it could possibly leave Grub2 unable to boot.
 
1 members found this post helpful.
Old 07-18-2010, 01:59 PM   #7
Steve R.
Member
 
Registered: Jun 2009
Location: Morehead City, NC
Distribution: Ubuntu 14.04
Posts: 227

Original Poster
Rep: Reputation: 45
Quote:
Originally Posted by saikee
MS Windows needs to load a driver before it can read an Ext2/3 partition, so there is no chance a virus on its own from an unbooted MS Windows can affect Linux.
Thanks. A sigh of relief. I have WindowsXP running again, but I am still going through some steps to verify whether the virus is still there.
Slow and tedious.
 
Old 08-07-2010, 07:17 AM   #8
wertum
Member
 
Registered: Jul 2010
Location: usa
Distribution: ubuntu
Posts: 39

Rep: Reputation: 16
Reinstall Grub to fully remove the old MBR.
It's the true method.
 
1 members found this post helpful.
Old 08-08-2010, 01:05 PM   #9
Steve R.
Member
 
Registered: Jun 2009
Location: Morehead City, NC
Distribution: Ubuntu 14.04
Posts: 227

Original Poster
Rep: Reputation: 45
Thanks.
 
Old 08-08-2010, 02:11 PM   #10
saikee
Senior Member
 
Registered: Sep 2005
Location: Newcastle upon Tyne UK
Distribution: Any free distro.
Posts: 3,398
Blog Entries: 1

Rep: Reputation: 112
The MBR is only 512 bytes large. Out of that, the partition table takes up 64 bytes. Whatever is left generally can do very little.

MS Windows' MBR does only one thing in life, and that is to check the 4 primaries and boot whichever one has the booting flag switched on (marked "active" in Windows or "bootable" in Linux).

When Grub is used to dual boot, the MBR is from Grub. The Windows MBR would have been overwritten. Grub's MBR has only one task to perform, and that is to load the second stage of Grub. The second stage of Grub is the real intelligence.

In Grub1, stage1 is 512 bytes and stage2 is about 125k. The second stage of Grub is always inside the system partition in the /boot/grub subdirectory.

Grub2 has the equivalent of boot.img in 512 bytes and core.img is only 24k large.

An infected Windows NTFS partition should have little ability to change Grub, which is system-owned and cannot be changed by any user other than root.

Reinstalling Grub1 or Grub2 only rewrites the first 512 bytes.
 
1 members found this post helpful.
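The layout described in the post above (a 512-byte sector holding a 64-byte table of 4 primary entries, one of which may carry the active flag), as an added example that is not part of the original thread. It goes one step further than the post by hashing the boot code and the partition table separately, so two saved copies of the sector can be compared; the function names are hypothetical and both sample sectors are constructed.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446         # bytes 0..445: boot loader code
TABLE_END = 510             # bytes 446..509: 4 entries x 16 bytes = 64
SIGNATURE = b"\x55\xaa"     # bytes 510..511: boot signature
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot code hash, table hash and entries."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[TABLE_END:] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        off = BOOT_CODE_LEN + slot * ENTRY.size
        status, ptype, lba, count = ENTRY.unpack_from(sector, off)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": slot + 1, "active": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "table_sha256": hashlib.sha256(sector[BOOT_CODE_LEN:TABLE_END]).hexdigest(),
            "partitions": parts}

def diff_mbr(baseline: bytes, current: bytes) -> dict:
    """Report which region differs between a saved copy and the current sector."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    return {"boot_code_changed": a["boot_sha256"] != b["boot_sha256"],
            "partition_table_changed": a["table_sha256"] != b["table_sha256"]}

def build_sample(boot_code: bytes, entries) -> bytes:
    """Constructed sector for the demo; the boot code is filler, not a loader."""
    table = b"".join(ENTRY.pack(*e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

# Constructed layout: active NTFS (0x07) first, then Linux (0x83).
ENTRIES = [(0x80, 0x07, 63, 1000000), (0x00, 0x83, 1000063, 2000000)]
SAMPLE_A = build_sample(b"constructed boot code A", ENTRIES)
SAMPLE_B = build_sample(b"constructed boot code B", ENTRIES)

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_A)["partitions"]:
        print(p)
    print(diff_mbr(SAMPLE_A, SAMPLE_B))
```

To check a real disk, pass two saved 512-byte copies of its first sector, for example one taken before and one after reinstalling Grub.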
Old 08-09-2010, 10:39 AM   #11
Steve R.
Member
 
Registered: Jun 2009
Location: Morehead City, NC
Distribution: Ubuntu 14.04
Posts: 227

Original Poster
Rep: Reputation: 45
Really good information. So far the WindowsXP mode for this computer now seems virus free thanks to the help at the Elder Geek. I seldom use WindowsXP on this computer. It is meant as a "backup" or "second" computer. But then it took only one bad something to catch a virus, even though there was an anti-virus program in operation.

Using Linux (Ubuntu) as the primary operating system.
 
  



Tags
mbr, ubuntu, virus, windows xp

