17

I repair a lot of computers with viruses, malware, and what not, and I have one problem that I am struggling to find a solution for. Whenever I connect my USB stick that has the tools I need for the repair process it gets infected and especially the exe files, so after the repair is done i have to scan the USB stick.

My main problem is that sometimes the infections at my USB stick are so bad that I can't disinfect the exe files and I have to copy them all over again. It is very inconvenient since I have around 8GB of programs on it, and copying it all over again is consuming & wears out my USB stick.

I need a solution that would prevent the infected computer from writing to my USB stick in any way. I have had one program that I have had run before I connect the USB to the infected computer and the program would fill the USB stick with empty file so that there isn't any space left to write anything, but that solution isn't good for me since it wears out the stick very fast (it is a Patriot Extreme which isn't the cheapest at the market).

So if you know about a way to protect the USB stick from being written while it is connected to the infected computer, please give me your advice.

UPDATE:

I prefer to use my current USB stick, I know about the hardware slide that some USB sticks and SD cards come with, but I prefer my USB.

joshuahedlund
  • 107
  • 3
Hanan N.
  • 1,119
  • 5
  • 12
  • 22
  • The solution would be to use a media disk, to get the system into a situation that won't infect your flash drives, I find it strange there is software that is infecting existing files that normally does not happen. – Ramhound Dec 07 '11 at 21:15
  • 3
    Use a business card CD ;) – Wayne Werner Aug 03 '12 at 18:55
  • Try manipulating the USB stick firmware itself like BadUSB does –  Nov 28 '14 at 22:01
  • Fixing the firmware by yourself might be possible but too hard for an average administrator. This could be a good answer if you mention tools or approaches to achieve this result. – Thomas Weller Nov 28 '14 at 22:32
  • Install portable apps suite -- http://portableapps.com/ and then install portable antivirus (keep it running) http://portableapps.com/apps/utilities/clamwin_portable u can browse other apps -- http://portableapps.com/apps –  Dec 06 '11 at 20:53
  • If you don't want transmittable diseases on your stick, you need to use a condom. https://www.zdnet.com/article/protect-your-devices-with-a-10-usb-condom/ – Luc Sep 24 '19 at 10:01

6 Answers6

17

Since you don't want to change USB sticks to one with a write-protect switch (don't know why, they're cheap), perhaps you should look into getting yourself a USB write-blocker (aka a Forensic disk controller).

These are generally used by forensics experts when gathering data from a suspect's drive, where they're not ALLOWED to write back to the drive or it will spoil the validity of the evidence, so they have these devices to prevent the computer form writing back to the USB device.

Here's one for example.

The UltraBlock Forensic USB Bridge brings secure, hardware-based write blocking to the world of USB mass storage devices. The UltraBlock USB Write Blocker supports USB2.0 High-Speed (480 Mbit/s), USB 1.1 Full-Speed (12 Mbit/s) and Low-Speed (1.2 Mbit/s) devices conforming to the USB Mass Storage "Bulk-only" class specification. The UltraBlock USB Write Blocker works with USB thumb drives, external USB disk drives, even USB-based cameras with card-reader capability.

techie007
  • 286
  • 1
  • 6
  • nice! but it is pricey isn't? is there a one that have multiple hardware support (SATA, IDE, USB, SD and so on), it should be awesome for me. – Hanan N. Dec 06 '11 at 22:36
  • 2
    Yes - there are ones with multiple hardware support, and yes - they are pretty expensive :-) – Rory Alsop Dec 07 '11 at 13:12
12

It is possible to get a USB drive that has a write enabled switch. If you flick it, no computer will be able to write to it, just read.

Here is a listing of makes and models that have such a switch.

EDIT: With regard to your update:

There is no way that a software only solution will work with any guarantees. Filling the drive for example can be bypassed by just overwriting content/deleting files that are already there. Encryption generally does not prevent data from being written to the drive but not read, so if you use that, then one you allow the computer to read the files it can also write to them.

With regard to the SD card switch. This is NOT actually a write disable switch. It simply sends a signal to the OS that it should treat the device as read only (see the link above for more details). The SD card has no way of enforcing this.

soandos
  • 533
  • 3
  • 14
  • i know that, but i prefer to use my current USB stick, because its speed and the rareness of the protected USB devices out there. – Hanan N. Dec 06 '11 at 20:54
  • 6
    Then what you ask is impossible for all intents and purposes. There is no software solution that can ensure that the device can only be written to from your computer. All solutions must have a hardware component. That component could do something other than disabling writes (like asking for a password) but that has to be done on a hardware level to be fully effective on other machines. – soandos Dec 06 '11 at 21:02
  • @HananN. see edit. – soandos Dec 06 '11 at 21:26
8

As @techie007 has pointed out, there exist various commercial forensic write-blockers on the market. Forensics Wiki has an article listing several examples. However, these are all (AFAIK) closed-source in some or all respects.

If you are willing to trust a proprietary solution, that's fine. However, if you wish to audit the write-blocker's firmware, then you will need an open-source solution. These seem to be limited to DIY options at present, but include:

  • Philip A. Polstra, Sr.'s solution for making USB mass storage devices read-only. (Code is here.)
  • The FIREBrick, which is less portable than Polstra's devices and acts as a write-blocking FireWire-SATA bridge IIUC, although I guess it could perhaps be extended to support USB write-blocking.
sampablokuper
  • 1,971
  • 1
  • 20
  • 33
6

I work in Linux + windows hybrid environments. When a USB drive has been connected to a Windows PC the next step is to examine it on a Linux machine.

It is very easy to detect viruses (hidden files named recycle, autorun, or folders labeled as driver are the most common methods to propagate viruses through USB drives) and your Linux computer has no risk of getting infected.

If you want to be sure, you can have a file containing a md5 sum of your disk contents, so you can easily confirm that the contents of your drive has not been modified.

jap1968
  • 213
  • 2
  • 7
  • 9
    This is the approach I use, however your sentence "your Linux computer has no risk of getting infected" is incorrect. Currently it is a low risk, sure, but the risk exists that the USB stick will gain a cross platform infection, so take care no matter what platform you use! – Rory Alsop Dec 07 '11 at 13:13
2

A portable external CD-ROM drive, with your tool suite burned to a sealed CD-R, is a simple way to keep your toolkit immune to infection. And as you can pick one up for under $10 on amazon, they're far cheaper than most forensic write-blockers on the market. They're not as durable or small as a thumb drive, but they're trustworthy.

John Deters
  • 33,897
  • 3
  • 58
  • 112
0

If a USB disk is infected, scan it using any updated anti virus, and delete the detected threats, then follow these steps:

  • Do not open the USB drive. Go to the command line (CMD).

  • Type the drive letter of your flashdrive i.e." F: " (without "")

  • Type attrib -s -h /s /d and click enter then wait at least 1 minute or until command prompt stops scrolling.

  • Open your flash drive

  • Delete files which you don't recognize.

Adi
  • 43,953
  • 16
  • 137
  • 168
eduard
  • 1
  • I am not asking on how to clean infected USB stick. My goal is how to prevent it from being infected in the first place. – Hanan N. Jan 24 '14 at 12:02