spinjector Posted September 24, 2009

I want to create a PC that is unquestionably and undeniably 100% sterile and free from any malware or rootkits, for the purpose of slipstreaming Windows XP with all the usual patches & updates, up to the most current state.

Are there any known varieties of malware that are written to infect Windows installation files they find in I386 folders, as well as Hotfixes & Security Updates downloaded from Microsoft, such as those that would be saved for the process of slipstreaming? For instance, EXE & CAB files with "KBxxxxxx" in the name, such as WindowsXP-KB951376-v2-x86-ENU.exe, the patch for the Bluetooth stack vulnerability.

We know how devious & pervasive the Conficker worm is. If I was a devious & thoughtful malware author, I would do just what I am trying to prevent: make my malware infect Windows installation files & patches. I'd build in a CAB & archive decompressor/compressor to inject my code into installation programs and archives as much as possible.

So, I want to avoid the possibility that the very installation & hotfix files I'm using are infected with anything. There are so many sneaky worms and rootkits out there, you just never know what may be sneaking around undetected. Blah, I sound like one of those banner ads for scare-ware. =-/~

I have a PC that I've set up that's not connected to anything; no network connection; it's completely standalone. I've meticulously and methodically wiped it clean and set it up as follows:

1. System booted into Recovery Console from original factory-produced MSDN Windows XP SP-"Zero" CD. (I think this is called "XP-Gold"..?)
2. All partitions deleted, then FIXMBR.
3. BIOS flashed from flash utility & ROM on original utility CD from the PC manufacturer. Used option to "Clear settings and set default Values after flash process".
4. PC powered off by yanking the cord to avoid triggering shutdown subroutines, then Windows installed from the MSDN CD using a valid key that I have rights to use.
5. SP3 installed using non-bootable CD burned from original ISO available on the Microsoft web site.
6. Install Norton Ghost v14.0 from original CD and save an image so I don't have to do all this again.

Note: The reason I am not simply installing directly from a Windows XP SP3 CD is because the key I am using only works on SP0, SP1, and SP2. So I have to start there and patch it up to SP3.

...and that's where it sits. Next steps are to globally disable Autorun and start transferring files for the slipstreaming. But then the pollution starts, and that's what I want to keep under control.

So - how do I verify that all of the Windows Updates & Security Updates that I download from Microsoft are intact and not infected with anything, and get them onto that PC without any bugs tagging along...?

Perhaps I should be asking, "Is it *possible* to infect Microsoft update files...?" If this is possible, do I use MD5 to verify them, and if so, where can the signatures be found...? Or...what...?

Etc, etc, etc... Blah, blah blah... LOL

Thanks.
Romeo29 Posted November 26, 2009

All updates downloaded from Microsoft are digitally signed using a security certificate issued by Microsoft. You can check the properties of every update and click on the tab Digital Signatures. If the file is altered you would see: "one of the countersignatures are not valid".
spinjector (Author) Posted November 29, 2009

Ahh thanks... But that probably wouldn't be the case during slipstreaming though, or would it..?
ricktendo Posted November 29, 2009 (edited)

Not during slipstreaming, no, but during setup yes: %windir%\setuperr.log will let you know if any system file has been tampered with.

Also, all MS hotfixes are digitally signed; if you right click the hotfix and choose Properties you can verify it's from MS.

BTW you can use sigverif.exe to verify/test the digital signatures of your hotfix files: http://www.ryanvm.net/forum/viewtopic.php?t=7790

Edited November 29, 2009 by ricktendo64
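The signature check described in the replies above can be scripted so that every downloaded package is verified before it is copied into the slipstream folder. This is an added example, not code from the thread; it assumes the hotfix EXE and CAB files sit in a folder such as C:\Slipstream\Hotfixes (a hypothetical path) and uses the built-in Get-AuthenticodeSignature cmdlet. Run it on the clean machine: a "Valid" status means the file hash matches the signature and the certificate chains to a root that this machine trusts, so the trust store of the checking PC is part of the result.

```powershell
# Added example (not from the thread): verify Authenticode signatures on
# downloaded hotfix packages before slipstreaming them.
# Assumes the packages sit in C:\Slipstream\Hotfixes (hypothetical path).
param(
    [string]$HotfixDir = 'C:\Slipstream\Hotfixes'
)

$results = Get-ChildItem -Path $HotfixDir -Include *.exe, *.cab -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # 'Valid' alone only says "some publisher signed this and the chain is
        # trusted here"; a package must also be signed by Microsoft itself.
        $fromMicrosoft = $subject -match 'O=Microsoft Corporation'

        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer = $subject
            Accept = ($sig.Status -eq 'Valid') -and $fromMicrosoft
        }
    }

$results | Format-Table -AutoSize

# Anything that is unsigned, tampered with (HashMismatch) or signed by a
# publisher other than Microsoft is listed and the script exits non-zero.
$rejected = @($results | Where-Object { -not $_.Accept })
if ($rejected.Count -gt 0) {
    Write-Warning ("{0} file(s) failed verification; do not slipstream them:" -f $rejected.Count)
    $rejected | ForEach-Object { Write-Warning ("  {0} ({1}, signer: '{2}')" -f $_.File, $_.Status, $_.Signer) }
    exit 1
}
Write-Host ("All {0} package(s) carry a valid Microsoft signature." -f $results.Count)
```

Check the downloaded packages before extracting them: the individual files an update drops into I386 are generally covered by the package's catalog (.cat) file rather than by an embedded signature, which is why the per-file check no longer applies once slipstreaming has unpacked them.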