ZeroFill, a good idea?

Hello everyone.

On Windows I used to do a ZeroFill in order to make sure no virus would get re-activated once I “formatted” with Windows.

I’m interested to know if I download a virus with openSUSE (especially via Wine) and somehow it deletes my home folder, it would be a good idea to do a ZeroFill, because some viruses can re-activate themselves after a normal formatting since normal formatting doesn’t really erase any data.

The scenario would be:

Wine installed
Downloaded a Steam game (I don’t play nor run pirated software)
Joins a server
A server file is infected (happened on Windows, since the server admins have full folder-access depending on the game)
The virus gets access to my home folder

Then, after “formatting” with the SUSE DVD and re-installing Wine (thinking I’m safe now that my system is “formatted”) the virus gets back on.

Any thoughts?

Thanks in advance.

A windows virus running in Linux?
Or you mean with the assistance of wine?

If you are really that concerned, I’d make a test install and try to get it to happen as you describe.
Wine is contained within .wine (mostly) (I have seen wine apps store data outside there)

If the virus is/was in /home
Formatting would delete it

According to wineFAQ a virus could do anything it would do on Windows, including accessing and deleting everything in your home folder. BTW I can’t see how normal formatting would delete anything apart from what is overwritten on the drive.

write zeros if you wish, it’s very time consuming
or perhaps

dd if=/dev/urandom of=/dev/sdX   # replace sdX with the disk you actually want to wipe

I never had a virus yet so I’m al’right Jack.
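An added example, not code from any poster in this thread, showing the overwrite-then-verify step the thread is arguing about: the `zerofill` function below writes zeros over a regular file or block device you own and `count_nonzero_bytes` confirms afterwards that nothing readable survives. The target path, and the temporary file used to exercise it, are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: overwrite a file or block device with zeros using dd, then
# verify the result, rather than trusting the dd command ran to completion.

# Size in bytes of a regular file or (on Linux) a block device.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        stat -c %s "$1"
    fi
}

# Number of bytes in the target that are NOT zero. Before a wipe this shows
# that "deleted" or stale data is still physically there; after a wipe it
# must be 0 for the wipe to count as successful.
count_nonzero_bytes() {
    size=$(target_size "$1") || return 1
    head -c "$size" "$1" | tr -d '\0' | wc -c
}

# Overwrite exactly target_size bytes with zeros.
#   conv=notrunc keeps a regular file's length instead of truncating it,
#   conv=fsync   forces the data to the device before we verify it.
# Returns 0 only when the verification pass finds no non-zero byte left.
zerofill() {
    target=$1
    size=$(target_size "$target") || return 1
    head -c "$size" /dev/zero | dd of="$target" bs=1M conv=notrunc,fsync 2>/dev/null || return 1
    remaining=$(count_nonzero_bytes "$target") || return 1
    [ "$remaining" -eq 0 ]
}

# Usage (assumed path; run as a user who owns the target):
#   zerofill /path/to/target && echo "verified all-zero"
```

Run against a block device this takes as long as the poster warns, but the verification read at the end is what tells you the overwrite actually reached the whole device.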

A deleted file isn’t visible to the system as such, and isn’t going to get the opportunity to execute either is it?

Some viruses can get themselves running again even after system re-installation

No, once a file is deleted, it is essentially dormant. Only the conscious effort of a user is able to undelete it and make it visible to the system again. How do you suppose anti-virus software works?

I don’t have AV… should I be worried :wink:

From what I understand, once you delete a file you don’t actually delete it and that’s what those Recovery companies love about it = deleting a file is simply making it available to overwrite, but the data is still there. The same applies to OS re-install.

For any security issue, you need to figure out what the risk is.

Renaming the file and moving it to an inappropriate directory will stop casual examination by somebody who isn’t computer-savvy.
Deleting the file will stop anybody from looking at it without easily available special tools, and will make it time-consuming for them to find it.
Overwriting the file will probably leave nothing findable through the operating system, but that won’t guarantee it. If you’ve processed the file, there might be a partial or complete copy in swap space or equivalent on the drive, and I’m not quite sure what to do about that. Still, failing that, it’s probably secure against a reasonable forensic search.
Disk drives no longer present a raw view to the computer using them, though, and it’s always possible that the disk wrote part or all of the file on a chunk that it later decided was bad. In that case, removing the disk controller and substituting something more primitive might find a piece of the file. This is getting into very pricey data recovery.
Finally, it’s always possible that somebody will be able to read overwritten disk sectors, with some amount of reliability, at some point in the future.
If you’re just protecting the mainstream porn from the occasional visiting girlfriend, hiding it in the file system will probably work just fine. If you’re terrified that the NSA might possibly be able to read it within the next twenty years, destroy the disk (some of the more paranoid types on Slashdot report fun results with thermite). For most purposes, overwriting the file a couple of times (including at least one 0 and one 1) will do very nicely.

My concern is if I re-install the system, re-install Wine and the same process accesses the same file on the folder I’ll be infected again.

Sorry for being too paranoid, on Windows I used Kaspersky Internet Security along with MalwarebytesPRO and Thor, also in the most “insecure” cases I’d run 4 VMs (one inside another) to make sure nothing would escape (Windows > Linux > Windows > Linux). And now with this “not needing AV” + the risks of Wine is really making me go insane.

While deleting a file doesn’t involve anything other than flagging the space as available for being overwritten, it would be drawing a long bow to imagine how an infected file would be unintentionally recovered, and executed.

OMG!
It must be like going swimming with lead weights.
Thank heavens I left that behind years ago.

All I see of windows is dealing with customers machines and I usually put MSE in place for them.
That assumes that Microsoft know how to protect their own system… but I could be assuming too much!

My system does SHIFT+Delete

I can’t remember how exactly, I’m sorry. I read about it a long time ago and it was in another language, looking for it will take a long time. But it’s possible, I guarantee :smiley:

Yeah, it was slow like a turtle, first VM = 3GB of RAM. 2nd = 2GB. 3rd VM = 1 GB.

MS knows how they could protect their system. They just don’t do it.


Anyway, I’m too paranoid about this stuff. I guess just re-installing the system will do it.

>
> Sorry for being too paranoid, on Windows

my opinion:

  1. it is impossible to be “too paranoid” on Windows

  2. it is EASY to be “too paranoid” on Linux, even when running windows
    code in WINE…

i don’t run any Anti Virus software which looks for and protects from
Microsoft viruses…and i have not done so in YEARS, and do not worry
about it, at all.

i can’t find it on the web now, but three to five years ago a guy spent
a lot of time trying to get Windows viruses to do some damage in a linux
machine…he never was able to mess up /home, or anything else in any
way, and gave up…

ymmv, but you are (imo) wasting a lot of time and worry over nothing.

otoh: backup early and often, and learn the real ways to protect your
system (like using root as little as possible, never ever browse as
root, run a firewall, run a correctly setup root kit detector, etc etc
etc etc)

all that said, i still recommend: Keep the GAME code on the GAME
operating system, and keep the important stuff (bank and broker access
codes, etc etc etc) on the secure, industrial strength operating system!


dd
openSUSE®, the “German Engineered Automobile” of operating systems!
http://tinyurl.com/DD-Caveat

On 2013-01-22 10:46, amarildojr wrote:
>
> deano_ferrari;2520874 Wrote:
>> No, once a file is deleted, it is essentially dormant. Only the
>> conscious effort of a user is able to undelete it and make it visible to
>> the system again. How do you suppose anti-virus software works?
> From what I understand, once you delete a file you don’t actually delete
> it and that’s what those Recovery companies love about it = deleting a file
> is simply making it available to overwrite, but the data is still there.

Yes, the data can be retrieved. But for that, on any system, you need
direct access to the disk structures and be sure that nothing is
accessing the disk during the process - in Linux that would be unmounting
the affected filesystem. More, we are talking of Windows software
under Wine, which resides on an ext4 filesystem… that software will
not know how to undelete files on that system.

Then, there is another issue. A Windows virus may survive a format
provided that some other code does the resuscitation. Maybe we are
talking of viruses residing as boot code, but a deleted file can do
nothing by itself. It can not run till some other running malware
undeletes it, and then also calls it. Even on Windows.

> My concern is if I re-install the system, re-install Wine and the same
> process accesses the same file on the folder I’ll be infected again.

No, the data can not be accessed by user space software.

> On 2013-01-22 10:56, amarildojr wrote:

> Sorry for being too paranoid, on Windows I used Kaspersky Internet
> Security along with MalwarebytesPRO and Thor, also in the most
> “insecure” cases I’d run 4 VMs (one inside another) to make sure
> nothing would escape (Windows > Linux > Windows > Linux). And now with
> this “not needing AV” + the risks of Wine is really making me go insane.

You can run Wine under a different user, with a different home folder. Thus the
malware would not be able to delete your Linux home, only another, sacrificial
home.

On 2013-01-22 11:26, amarildojr wrote:
> deano_ferrari;2520879 Wrote:
>> While deleting a file doesn’t involve anything other than flagging the
>> space as available for being overwritten, it would be drawing a long bow
>> to imagine how an infected file would be unintentionally recovered, and
>> executed.
> I can’t remember how exactly, I’m sorry. I read about it a long time
> ago and it was in another language, looking for it will take a long
> time. But it’s possible, I guarantee :smiley:

No, it is not. Some running code has to intentionally undelete those
files, so you have first to contaminate your system with that type of
malware a second time - and it would not be able to undelete an ext4
filesystem. Even if it knows how to do it, it needs root permissions.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

Total fiction. You’ve been misled somewhere.

On Tue, 22 Jan 2013 09:26:01 +0000, deano ferrari wrote:

> amarildojr;2520869 Wrote:
>> BTW I can’t see how normal formatting would delete anything apart from
>> what is overwritten on the drive.
> A deleted file isn’t visible to the system as such, and isn’t going to
> get the opportunity to execute either is it?

Well, technically, it can - some older viruses ran from specific blocks
on the drive rather than as files (boot sector viruses were very popular,
for example - but I also had seen some that were stored in blocks around
the partition table and were called even after a warm boot by virus code
that was still in memory - that’s old DOS stuff, though, and not common
these days).

But I would also say that not all viruses are going to work in WINE,
either - many depend on undocumented functionality, and while WINE
implements a fair number of undocumented APIs, those APIs are Windows APIs
and not, say, low-level I/O functions.

I would be inclined to use a Linux-based AV solution to scan the WINE
directory and see if something infected is there.

Jim

Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Well, technically, it can - some older viruses ran from specific blocks
on the drive rather than as files (boot sector viruses were very popular,
for example - but I also had seen some that were stored in blocks around
the partition table and were called even after a warm boot by virus code
that was still in memory - that’s old DOS stuff, though, and not common
these days).

Yes, but in general we’re talking about user-space files, and not a virus that may be resident in memory. The question was being asked as to whether deleting a virus was sufficient, as opposed to overwriting with zeroes…