MSFN Forum: MD5 of I386 Files, Hotfixes, & Security Updates? - MSFN Forum


MD5 of I386 Files, Hotfixes, & Security Updates?

#1 spinjector

Posted 24 September 2009 - 12:19 PM

I want to create a PC that is unquestionably and undeniably 100% sterile and free from any malware or rootkits, for the purpose of slipstreaming Windows XP with all the usual patches & updates, up to the most current state.

Are there any known varieties of malware that are written to infect Windows installation files they find in I386 folders, as well as Hotfixes & Security Updates downloaded from Microsoft, such as those that would be saved for the process of slipstreaming? For instance, EXE & CAB files with "KBxxxxxx" in the name, such as WindowsXP-KB951376-v2-x86-ENU.exe, the patch for the Bluetooth stack vulnerability.

We know how devious & pervasive the Conficker worm is. If I was a devious & thoughtful malware author, I would do just what I am trying to prevent - make my malware infect Windows installation files & patches. I'd build in a CAB & Archive decompressor/compressor to inject my code into installation programs and archives as much as possible.

So, I want to avoid the possibility that the very installation & hotfix files I'm using are infected with anything. There are so many sneaky worms and rootkits out there, you just never know what may be sneaking around undetected. Blah, I sound like one of those banner ads for scare-ware. =-/~

I have a PC that I've set up that's not connected to anything; no network connection; it's completely standalone. I've meticulously and methodically wiped it clean and set it up as follows:

  • System booted into Recovery Console from original factory-produced MSDN Windows XP SP-"Zero" CD. (I think this is called "XP-Gold"..?)
  • All partitions deleted, then FIXMBR.
  • BIOS flashed from flash utility & ROM on original utility CD from the PC manufacturer. Used option to "Clear settings and set default Values after flash process".
  • PC powered off by yanking the cord to avoid triggering shutdown subroutines, then Windows installed from the MSDN CD using a valid key that I have rights to use.
  • SP3 installed using non-bootable CD burned from original ISO available on the Microsoft web site.
  • Install Norton Ghost v14.0 from original CD and save an image so I don't have to do all this again.


Note: The reason I am not simply installing directly from a Windows XP SP3 CD is because the key I am using only works on SP0, SP1, and SP2. So I have to start there and patch it up to SP3.

...and that's where it sits. Next steps are to globally disable Autorun and start transferring files for the slipstreaming. But then the pollution starts, and that's what I want to keep under control.

So - how do I verify that all of the Windows Updates & Security Updates that I download from Microsoft are intact and not infected with anything, and get them onto that PC without any bugs tagging along...?

Perhaps I should be asking, "Is it *possible* to infect Microsoft update files...?"...

If this is possible, do I use MD5 to verify them, and if so, where can the signatures be found...? Or...what...?

Etc, etc, etc... Blah, blah blah... LOL

Thanks.


#2 Romeo29

Posted 26 November 2009 - 07:56 AM

All updates downloaded from Microsoft are digitally signed using a security certificate issued by Microsoft. You can check the properties of every update and click on the Digital Signatures tab. If the file is altered you would see: "one of the countersignatures are not valid".

#3 spinjector

Posted 29 November 2009 - 09:22 AM

Ahh thanks... But that probably wouldn't be the case during slipstreaming though, or would it..?

#4 ricktendo64

Posted 29 November 2009 - 09:57 AM

Not during slipstreaming, no, but during setup, yes: %windir%\setuperr.log will let you know if any system file has been tampered with.

Also, all MS hotfixes are digitally signed; if you right-click the hotfix and choose Properties you can verify it's from MS.

BTW you can use sigverif.exe to verify/test the digital signatures of your hotfix files http://www.ryanvm.ne...opic.php?t=7790

This post has been edited by ricktendo64: 29 November 2009 - 10:01 AM
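
The signature check described in the replies above, scripted for a whole folder of downloaded hotfixes and extended to write a hash manifest (an added example, not part of the original thread). The folder and manifest paths and the `O=Microsoft Corporation` subject match are assumptions of this example; it needs PowerShell 4.0 or later.

```powershell
# Added example, not from the thread. Requires PowerShell 4.0+ (Get-FileHash).
param(
    # Hypothetical folder holding the downloaded KB*.exe / *.cab files.
    [string]$UpdateDir = 'C:\Slipstream\Hotfixes',
    # Hypothetical output file for the hash manifest.
    [string]$Manifest  = 'C:\Slipstream\hotfix-manifest.csv'
)

$report = Get-ChildItem -Path $UpdateDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.cab' } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # 'Valid'        : file hash matches the signed hash and the chain is trusted here.
        # 'HashMismatch' : the file was altered after it was signed.
        # 'NotSigned'    : the file carries no signature at all.
        # The publisher match below is a heuristic assumed by this example.
        $ok = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            Signer  = $signer
            SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Trusted = $ok
        }
    }

# Manifest of what was verified, one row per file.
$report | Export-Csv -Path $Manifest -NoTypeInformation

# Anything unsigned, altered, or signed by someone else is listed and fails the run.
$bad = @($report | Where-Object { -not $_.Trusted })
if ($bad.Count -gt 0) {
    $bad | Format-Table File, Status, Signer -AutoSize
    Write-Error "$($bad.Count) file(s) failed signature verification; do not slipstream them."
    exit 1
}
Write-Output "All $(@($report).Count) file(s) carry a valid Microsoft signature."
```

Running it on the download machine and comparing the SHA256 column again after the files reach the offline PC shows whether anything changed in transit.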

