
I have a USB drive that is probably infected. I have a PC that currently has no partitions, just an "empty" PC, and I have a CD with Ubuntu 22.04. I would like to copy the USB data, format the USB and copy the data back to the USB.

To format the USB I will use dd:

sudo dd if=/dev/zero of=/dev/sdX bs=1k count=2048

I took this from here: https://askubuntu.com/a/185827

I was thinking of these ways to protect the formatted USB when I insert it back to copy the data back:

First way: (Ubuntu Live and an empty partition)

  • Launch Ubuntu 22.04 Live with the CD
  • Create an empty partition on my PC just to put data
  • Mount the partition
  • Insert the USB and copy data to partition
  • Format the USB
  • Restart the Live
  • Mount the partition where I copied data before
  • Insert the USB and copy back data from the partition to the USB

I think the problem with this way is: the malware could exploit an Ubuntu Live vulnerability and replicate itself from the USB to the partition; then when I restart the live system and mount the partition, it will replicate back from the partition to the formatted USB. Also, I think that when you run Ubuntu Live, you don't have the latest security updates.

Second way: (Using installed Ubuntu)

  • Install Ubuntu 22.04 on the PC and start it
  • Insert the USB and copy data on the user Home
  • Format the USB
  • Restart the OS
  • Insert the USB and copy back data from Ubuntu to the USB

In this way, I think the problem is: the malware could exploit an Ubuntu 22.04 vulnerability and replicate itself from the USB to the OS; then it will infect the OS, and when I insert the formatted USB back, it will replicate back from the OS to the formatted USB.

Third way: (Use installed Ubuntu and the live)

  • Install Ubuntu 22.04 on the PC and start it
  • Insert the USB and copy data on the user Home
  • Shutdown the OS
  • Start Ubuntu Live with the CD
  • Insert the USB and format it without mounting the Ubuntu partition
  • Restart the Live
  • Mount the Ubuntu Partition (the partition where Ubuntu is installed)
  • Insert the USB and copy back data from the Ubuntu partition to the USB.

I think this is the longest but safest way, but I don't know.

Which is the safest way? Is there another way?

Yes, I know it's a very paranoid question, but I want to try to make 99.9 % sure that the USB will not be reinfected once I have formatted it and copied its data back to it.

  • Why do all this? I think you've put more thought into the whole OS options thing and not enough into the actual threat you're facing. If you delete the infected files, you're fine. If the firmware is infected, then none of this will work. Why do you think that just plugging in a USB will infect the host OS? "The malware could to exploit an Ubuntu 22.04 vulnerability and replicates itself from the USB to the OS" -- how? – schroeder Dec 12 '22 at 16:28
  • OP, are you concerned about the virus propagating from the infected USB drive to the host OS in a manner like the one described here: https://www.cisa.gov/uscert/ncas/tips/ST08-001 – mti2935 Dec 12 '22 at 18:34
  • @schroeder I think the threat may be malware on the USB that could replicate onto the PC; then when I format the USB, it will replicate again from the PC onto the USB that got formatted. If there is a virus in the firmware, does dd delete it? Because in the topic that I posted it is the solution. If it is not the solution, how can I format a USB and make sure that it will not contain a virus after the formatting? – woyim46107 Dec 12 '22 at 19:36
  • @schroeder I know that viruses on Linux systems are pretty rare, but they do exist. https://askubuntu.com/a/1130279 In the past there were some vulnerabilities, so it can't be 100% safe (obviously I know that there isn't a system that is 100 % safe; everything has vulnerabilities) – woyim46107 Dec 12 '22 at 19:38
  • please edit your question to describe your data – brynk Dec 12 '22 at 20:07
  • You will only get a virus if you *run the virus*. Just having files is not enough to get infected. And `dd` does not touch firmware. So this is why I'm saying that you do not need to do any of this, if your drive's firmware is infected, then don't plug it into anything. – schroeder Dec 12 '22 at 20:51
  • OP, It sounds like your main concern is a 'BadUSB' attack, where the firmware of a USB drive has been modified, so that when the infected drive is connected to the computer and the code in the firmware is run, the code emulates some other device, such as a keyboard, which then sends keystrokes to do something malicious, such as running a malicious program. See https://security.stackexchange.com/questions/251791/how-to-safely-use-a-possible-badusb for some interesting reading on how these types of attacks can be mitigated. – mti2935 Dec 12 '22 at 21:53
  • @schroeder Well, in theory malware could exploit a kernel driver vulnerability that could be triggered only by plugging in the USB stick, but that's highly unlikely to be a real risk for OP. – forest Dec 12 '22 at 23:23

1 Answer

As also mentioned in the comments on your question, by inserting the USB stick into your computer, your OS can be infected in the following ways:

  • execute a malicious program (e.g. run/autorun malware)
  • a vulnerable (but legit) program loads/interprets malformed data from the USB stick that, in turn, instructs the program to do something malicious (e.g. a malformed picture interpreted by a vulnerable version of ImageMagick)
  • the USB stick's firmware is infected or malicious (e.g. see Rubber Ducky) and executes commands on your computer as if it were a keyboard

You may also have to deal with a mixed threat attack (i.e. your USB stick tries to infect your computer using more than one approach).

So, what can you do? It depends on how critical the data on your USB drive are, and what type of infection you are dealing with:

  • infected firmware is really difficult to mitigate (if at all), but even if it were possible I don't think it's worth the trouble; the easiest solution is to dispose of the infected USB stick and use another one
  • infected files should be scanned using an antivirus before you proceed with copying them, otherwise you'll end up copying the malware too. NOTE: scanning the data with an antivirus does not guarantee that you'll find all or any malware, but it is better than not doing it at all.
  • if the data on the USstick are of low value, you may want to just dispose of the stick and not expose yourself to any risk at all

However, if you want the data, a relatively safe approach would be the following:

  • Boot from a live medium. The reason is that if the OS is infected then you minimize the probability that the infection will persist (infections can still take place and persist after reboots, even with live images, depending on the type of malware and its infection method(s))
  • update the system
  • Block all outgoing traffic and allow incoming traffic from (and established connections initiated by) a specific local IP ("trusted") that is used by another box that you'll use to copy the files to
  • Allow SSH connections from the trusted IP/box
  • mount your USB stick read only
  • scan the USB data with an antivirus (e.g. clamAV)
  • copy the data to /tmp
  • copy the data to the trusted box from the trusted box, not from the exposed box to the trusted box
  • ditch the USB drive, reboot your exposed system (the one where you put your USB stick)

The above approach does not protect you against advanced attacks, e.g. if there's a kernel exploit and malware modifies your boot partition, the kernel or your exposed system's firmware, or malware that flushes all your firewall rules and propagates like a worm, but for the most common cases it provides an adequate level of protection.

Spyros
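The exposed-box half of the procedure in this answer (firewall, read-only mount, scan, staging under /tmp) as one script, added here as an example rather than taken from the answer; TRUSTED_IP, USB_DEV and the mount point /mnt/usb are assumed placeholders, and the default DRY_RUN=1 only prints the commands instead of running them:

```shell
#!/bin/sh
# Added example, not the answer's own code. Placeholders to edit for your
# setup: TRUSTED_IP (the box that pulls the files over SSH; 192.0.2.10 is a
# constructed TEST-NET address) and USB_DEV (the stick's partition).
TRUSTED_IP="${TRUSTED_IP:-192.0.2.10}"
USB_DEV="${USB_DEV:-/dev/sdX1}"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, otherwise execute it.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Mount options for the stick: read-only, and nothing on it may be executed,
# treated as a device node, or honoured as setuid.
mount_opts() { printf 'ro,nosuid,nodev,noexec'; }

# Default-deny firewall: no new outbound connections at all; inbound only on
# loopback, on flows the trusted box already opened, and on SSH from that box.
firewall_rules() {
  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -p tcp -s "$TRUSTED_IP" --dport 22 -j ACCEPT
}

# Mount the stick read-only, scan it, and stage a copy under /tmp (RAM on a
# live system) only if clamscan reports nothing. The trusted box then pulls
# the copy itself, e.g.:  scp -r user@EXPOSED_BOX:/tmp/usb_files ./
stage_usb() {
  run mkdir -p /mnt/usb /tmp/usb_files
  run mount -o "$(mount_opts)" "$USB_DEV" /mnt/usb || return 1
  # clamscan exits non-zero when it flags a file; then nothing is copied.
  if run clamscan -r --infected /mnt/usb; then
    run cp -a /mnt/usb/. /tmp/usb_files/
  else
    echo "clamscan flagged files on $USB_DEV; nothing copied" >&2
    run umount /mnt/usb
    return 1
  fi
  run umount /mnt/usb
}

firewall_rules
stage_usb
```

Run it with DRY_RUN=0 as root on the exposed live box only after the system update step, since the OUTPUT DROP policy would otherwise block apt.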
  • thank you for the answer. The second point is what I was worried about: a virus that could exploit a vulnerability in the OS that is reading the USB, so it could propagate even without running anything from the USB. I hope the firmware is ok; I know that there is malware that can infect USB firmware, but it is pretty rare. I have some questions: continued in the next comment – woyim46107 Dec 13 '22 at 18:24
  • when you say: `The reason is that if the OS is infected then you minimize the probability that the infection will persist (infections can still take place and persist after reboots, even with live images, depending on the type of malware and its infection method(s))` How can it do so? I'm using a CD-R, so it cannot be overwritten. But do you mean that malware can infect the PC BIOS? – woyim46107 Dec 13 '22 at 18:25
  • Also, you say `update the system`, the problem of having Ubuntu Live, is that it does not have latest updates. I mean, if I download the Ubuntu 22.04 ISO and burn it on a CD, it will not have the latest security fixes, but just the fixes that were released originally with Ubuntu 22.04, right? – woyim46107 Dec 13 '22 at 18:25
  • sorry for the many comments, this is the last xD: `copy the data to /tmp copy the data to the trusted box from the trusted box, not from the exposed box to the trusted box` What do you mean? Should I install Ubuntu on the PC, then start the Live from the CD and copy data from the USB to the Ubuntu partition? Or should I just create an empty partition on the PC? Thank you and sorry for these comments – woyim46107 Dec 13 '22 at 18:26
  • @woyim46107 when you boot from a live image, the image is extracted/expanded onto a temporary filesystem in the computer's main memory (RAM). Malware can infect the live OS, but it can also access everything else in the system, e.g. mount your hard drive and infect files on it. You can update the OS as usual (e.g. `apt update && apt upgrade`) but when you reboot, the updates will be gone. Finally, there's also a `/tmp` directory residing in RAM, as part of the temporary filesystem structure created for the live OS. You can create files there as usual (e.g. `cp /path/to/usb/* /tmp/usb_files/`). – Spyros Dec 13 '22 at 20:11