3

After burning an .iso to a dvd, is there any "free space" left on the dvd, where malware could hide that was already on the dvd BEFORE the burn?

Assuming that the .iso is smaller than the #GB for the dvd-r or dvd+r (only, no rw).

Brasero "finalized" the disc and I "am guessing" wrote the OS to the entire disk, but this I am not sure of.

Since the size of the .iso is smaller than the size of the dvd, couldn't there be free space that the .iso / OS is not covering?

Please note: this question is not about adding anything AFTER the burn, rather, before and during the burn.

As a sidenote: can a dvd+r be partitioned "before" the burn?

UPDATE: I do not want to add anything after the burn. I am trying to determine if I put a blank, never used dvd-r into an infected computer and then burn a clean iso, and the checksum for the dvd comes back good, could there be malware in the "free space". So maybe the iso would burn to the parts of the dvd-r that didn't have the malware and the malware is left in the free space.

I don't want to take a dvd that I just burned an iso to, with all good checksums, and then put it in a new computer whereby it might spread the malware, if present, to the new computer, thereby infecting the new computer.

88species
  • 39
  • 1
    Did you use the option "Leave the disc open to add other files later" to create a multi-session DVD? Not sure whether it is available for burning an iso project. https://documentation.suse.com/sles/12-SP4/html/SLES-all/cha-gnome-burn.html#sec-brasero-multisession – Roman Riabenko Sep 27 '20 at 14:37
  • You should be able to check if it is still possible to write to disk: https://askubuntu.com/questions/1004141/how-to-check-if-dvd-r-is-closed – Roman Riabenko Sep 27 '20 at 14:38
  • Thanks. I do not want to add anything after the burn. I am trying to determine if I put a blank, never used dvd-r into an infected computer and then burn a clean iso, and the checksum for the dvd comes back good, could there be malware in the "free space". So maybe the iso would burn to the parts of the dvd-r that didn't have the malware and the malware is left in the free space. Thanks again. – 88species Sep 27 '20 at 14:43
  • ... I don't want to take a dvd that I just burned an iso to, with all good checksums, and then put it in a new computer whereby it might spread the malware, if present, to the new computer, thereby infecting the new computer. – 88species Sep 27 '20 at 14:48
  • @RomanRiabenko Thanks Roman. Please see my comments above. – 88species Sep 27 '20 at 14:49
  • Well, then terdon's answer is enough. You cannot write anything to the already finalized DVD. – Roman Riabenko Sep 27 '20 at 14:52
  • Please, move your comments to your question itself because they are actually clarifications to the question. – Roman Riabenko Sep 27 '20 at 14:57
  • This answer explorers possibility of writing to a finalized DVD: https://superuser.com/questions/826098/can-finalized-dvd-be-rewritten/826099#826099 – Roman Riabenko Sep 27 '20 at 15:31
  • @RomanRiabenko The issue with terdon's answer and your link is that it is talking about AFTER the burn. I'm not talking about after the burn. I'm talking about before the burn and possibly during the burn. But thank you both. – 88species Sep 27 '20 at 15:34
  • You will have to have some malware on the second computer already which will trick the computer's drive to read from the "free" space of the DVD. Otherwise, it won't happen as discussed in the answer I already referenced above: https://superuser.com/questions/826098/can-finalized-dvd-be-rewritten/826099#826099 – Roman Riabenko Sep 27 '20 at 16:08
  • @RomanRiabenko Thanks. I can ask this as a separate question if preferred, but it seems to be a yes/no question. Simply, can sophisticated malware write to a completely blank dvd-r/+r (that has never had anything written to it yet)? – 88species Sep 27 '20 at 17:31
  • 1
    @88species The literal answer to your last comment has to be "yes", if we assume the Brassero code is tainted, it could write anything anywhere on the disk. The question is, at the time the disk is tested to match the checksum, can the computer which boots that disk be instructed to read data that is not "officially" part of the disk's content? If we assume that all "official" bits are correct, then it seems the new computer will never have a reason to read any of the malware. – Bit Chaser Sep 28 '20 at 00:58
  • @RomanRiabenko Thanks - very good post that link. So, yes, it is possible to write to the free space even with "finalized". Seems like one thing that can be done is to write gibberish to the free space. The question is how? Also, if this is done AFTER the burn, technically it seems that there could already be malware in the free space, IMO. Thanks. – 88species Sep 28 '20 at 09:40
  • 1
    @88species That's like writing malware on the cover of the DVD. It is not a useful vector for attack, unless you provide means for reading and running it, like embedding it in a QR-code. Why are you concerned that malware can be written to the "free" space of the finalized disk if a computer normally do not read from it? – Roman Riabenko Sep 28 '20 at 09:48
  • @RomanRiabenko Thoroughness would be my best answer. – 88species Sep 28 '20 at 09:57

1 Answers1

5

If you're not using a rewritable disk and if the writing has "finalized" as you say, then although there may technically be free space in that not all of the disk's capacity was used, this space isn't actually usable.

So, practically, no there is no free space left. Optical disks don't behave like hard disks. You can only write one thing to them, a single image. If that is smaller than the full capacity of the disk, then you just wasted the rest of the space. You cannot write anything extra to them.

Zombo
  • 1
  • 5
  • 44
  • 63
terdon
  • 242,166
  • please see my "comments" above. – 88species Sep 27 '20 at 14:50
  • 1
    The statement in this answer saying "You can only write one thing, a single image" is wrong with this wording. Multi-session disks (see sessions explicitly break this rule. So a mention of that and what "finalised" means for multi-session disks would be appropriate in this answer. – Philip Couling Sep 27 '20 at 19:25