Let's say that I have an infected PC. I download a copy of the Windows ISO (obviously clean) and burn it to a USB. Is it possible that the malware on my computer can inject itself into this process/ISO and somehow land itself onto my bootable USB, such that even if I reinstall Windows, my PC remains infected?

Mayank Singh

2 Answers


It is technically possible to write some malware that intercepts the ISO extraction process and then writes a boot sector to the media in order to run some malware before the normal boot sequence to hinder detection.

I do not know whether there are any current occurrences of this type of malware in the wild however. It is probably not worth worrying about unless you would be the target of such an attack because it is not a commonly used technique. Most viruses propagate because they use common attack vectors that are known to succeed on a large scale, and such an attack would be technically harder to achieve (both ISO interception and the installation of a bootloader to launch in memory persistence) so these things are unlikely outside of a targeted attack.

SilverlightFox

Is it possible that the malware on my computer can inject itself in this process/ISO?

Practically, I do not remember hearing of a virus infecting an ISO file.

Theoretically speaking, however, nothing can prevent a virus from infecting an ISO file because, after all, an ISO file is just an archived file. Regarding this fact, viruses have always infected this file family (e.g. a virus has been found in an archive).

... and somehow land itself onto my bootable USB ...?

Well, you said previously:

Let's say that I have an infected PC. I download a copy of the Windows ISO(obviously clean) and burn it to an USB.

Most viruses can infect your USB already by the simple fact your machine (PC) performs a read operation over the USB stick, so you are already in trouble.

Coming back to the title of your question, a virus can easily modify the index of any archived file and inject itself anywhere, such as in the AUTORUN file available in ISO files.

Also, you have to consider the case where the ISO file was already infected before you downloaded it (yes, it is common: such ISO files -mainly Windows- are available on the Internet -thepiratebay, as an example-; they run normally as an operating system, but you can find within them all sorts of malware).

Also, in extreme but feasible cases, your ISO file may be compromised -but not infected- when you try to download it, and that is why checking the checksum files of the downloaded ISO file is often offered, along with GPG files, by more serious authors (Kali Linux, for example).

  • The ISO wasn't compromised/modified in any way (checksums matched). So, what you are saying is that this form of attack is not practically common but is theoretically feasible. Then the only correct solution is to create a bootable media from another PC and then do a clean reinstall? – Mayank Singh Aug 17 '15 at 10:51
  • First, I mentioned I was not talking about infection (modification), but then why checksums are useful is already a discussed question [here](http://security.stackexchange.com/questions/82716/whats-to-stop-someone-from-just-mitming-a-checksum), for example. Regards @MayankSingh – Aug 17 '15 at 10:55
  • The Windows ISOs can be validated; but the bootable DVD/USB, can it be validated as well (no checksums related to it are found)? Any tampering with it (due to malware) will then cause the checksum to change and the user could be aware. Since the bootable drives are made from similar sources, won't their checksums be the same (in which case, why aren't their checksums listed anywhere on the web)? – Mayank Singh Aug 17 '15 at 11:12
  • Checking the devices is problematic because there are a lot of different ways to "burn" the OS distribution on to a storage device. – Display Name Aug 17 '15 at 15:16
  • @MayankSingh A sufficiently advanced virus could have intercepted your attempt to checksum the file and showed you whatever checksum value you were expecting to get. Once a system is compromised you can no longer trust anything it says. – Boann Aug 17 '15 at 16:36
  • It might even happen that your infected system modifies the securitySE web pages you read and turns all answers into "all is fine, stop worrying ..." – Hagen von Eitzen Aug 17 '15 at 21:45
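The comments above ask whether the bootable USB itself can be validated, and note that the answer depends on how the media was written and that the check must run from a machine you trust. The script below is an added example, not code from the thread: for media written as a raw image (dd-style), it hashes the ISO and the first ISO-length bytes of the device and compares the two, using constructed demo files in place of a real ISO and a real block device.

```shell
#!/bin/sh
# Verify that a raw-written (dd-style) USB stick matches the ISO it was made
# from: the first <ISO size> bytes of the device must hash identically to the
# ISO. Bytes beyond the ISO length on the stick are ignored. Run this from a
# trusted machine; on a compromised PC the hashes shown cannot be trusted.
set -eu

sha256_of_stdin() {
    # Prefer coreutils sha256sum; fall back to shasum on macOS/BSD.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

sha256_file() {
    sha256_of_stdin < "$1"
}

# Hash of only the first $2 bytes of file/device $1.
sha256_prefix() {
    head -c "$2" "$1" | sha256_of_stdin
}

# Exit status 0 if the media matches the ISO, 1 otherwise.
# Usage: verify_media /path/to/image.iso /dev/sdX
verify_media() {
    iso="$1"; dev="$2"
    size=$(wc -c < "$iso" | tr -d ' ')
    iso_hash=$(sha256_file "$iso")
    dev_hash=$(sha256_prefix "$dev" "$size")
    [ "$iso_hash" = "$dev_hash" ]
}

# Constructed demo data (not a real ISO): a 64 KiB pseudo-image and two
# "devices" larger than it, one written faithfully and one with a changed byte.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
yes 'constructed-iso-data' | head -c 65536 > "$demo_dir/image.iso"
{ cat "$demo_dir/image.iso"; head -c 4096 /dev/zero; } > "$demo_dir/good.img"
cp "$demo_dir/good.img" "$demo_dir/bad.img"
printf 'X' | dd of="$demo_dir/bad.img" bs=1 seek=512 conv=notrunc 2>/dev/null

if verify_media "$demo_dir/image.iso" "$demo_dir/good.img"; then echo "good.img: matches ISO"; fi
if ! verify_media "$demo_dir/image.iso" "$demo_dir/bad.img"; then echo "bad.img: DIFFERS from ISO"; fi
```

This check only holds for media written byte-for-byte from the ISO; tools that repartition the stick or unpack the ISO onto a filesystem produce a different layout, which is the point Display Name raises above.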