
I inserted my USB stick into a friend's PC which was full of viruses, malware and adware. Therefore I suppose they attacked my USB device as well. Now I want to use my USB device on my PC without running the risk of being infected by the viruses on it.

Can I avoid such risk by previously scanning the device (with Bitdefender, Malwarebytes and Spybot S&D) without opening the folder? In other terms: given that my device (D:) contains some viruses, do they immediately attack a PC when the device is inserted into its USB port, even when I don't open the D: folder?

franz1
  • I'm just curious: Was there some kind of marketing from any of the products that you mentioned that led you to believe that a filesystem wouldn't mount when it was inserted into a USB drive on your machine? – mkingsbu Apr 11 '16 at 16:23
  • no, there wasn't... – franz1 Apr 11 '16 at 16:44
  • Ah, okay. You wouldn't be the first person to misinterpret something like that. Some of these security products are really good at painting a picture that isn't quite accurate. If there was something that you saw, it would definitely be worth knowing about just in the event someone else thinks the same thing and winds up with an infected machine. – mkingsbu Apr 11 '16 at 17:01

4 Answers


Referring to my answer to this question (before it was migrated):

No, scanning the drive without "opening the folder" isn't a secure way to protect against viruses on the drive. It's very risky to insert what you believe to be a compromised USB device into your PC, no matter what AV you have installed.

If you desperately need files from the drive (to quote myself):

you should attempt to only insert the drive into a secondary PC running some live version of a linux distro, preferably one you wouldn't mind completely wiping afterwards.

If not, just cut your losses and physically destroy the pendrive. USB viruses are extremely efficient these days, and are more frequently able to persist in hardware between wipes (either on small partitions on the pendrive, or by loading themselves into the firmware of the infected machines hardware).

The point is, there is no guaranteed way to insert that drive without risking further contamination.

WorseDoughnut
  • I really like Raspberry Pis for this. The worst case scenario is that you shred the micro SD card once you are done. Even if the hardware fries, it only cost 35 USD. – AstroDan Apr 11 '16 at 15:27
  • @AstroDan Exactly. We've got a stockpile of a few Pi2s that we started using just for this purpose after we started getting paranoid about the risk of persistence in hardware on our test bench. Agreed, well worth the 35 bucks for the peace of mind. – WorseDoughnut Apr 11 '16 at 15:39
  • @WorseDoughnut nowadays, you have the Pi Zero, cuts the cost to 1/7th! –  Apr 11 '16 at 18:13
  • @spudowiar wow, how did I miss that? Thanks for the heads up, definitely gonna switch over to those next time we run out! – WorseDoughnut Apr 11 '16 at 18:16
  • @WorseDoughnut AFAICT, they are currently one per person due to the, inevitable, high demand –  Apr 11 '16 at 18:20
  • @spudowiar Makes sense, otherwise I doubt they'd be able to keep up. – WorseDoughnut Apr 11 '16 at 18:22
  • Since the root cause of the trouble with USB drives is the fact that they can pretend to be whatever they want and the kernel can't know any better, it seems like the obvious solution would be a custom Linux kernel that requires the user to specify what kind of device they plug in and denies any additional functionality. Which seems to be exactly what http://cise.ufl.edu/~butler/pubs/acsac15.pdf is doing, so I'd say use that one when recovering data. – Voo Apr 12 '16 at 06:53
  • @Voo great find, definitely checking that out ASAP. – WorseDoughnut Apr 12 '16 at 12:44
  • _"If you desperately need files from the drive you should attempt to only insert the drive into a secondary PC running some live version of a linux distro..."_ That prevents your primary PC from being infected automatically by just the plugging-in the USB. What if the files you want to recover from the drive are infected themselves, or is it not possible to infect e.g. a pdf document? – mucaho Apr 12 '16 at 16:07
  • @mucaho tbh we tend to consider the files a lost cause, and only attempt to mount the drive so that the files can be logged (so clients can figure out what they might have lost, and to figure out which backups need to be pulled if possible). A few times we've had clients physically print the documents and scan them back in as PDFs for future use. `not possible to infect e.g. a pdf document?` It's hard to say honestly, because that almost always depends on the software reading the files (i.e. vulnerable to buffer overflow), but I'm sure there's malware that can edit EXIF or header data on the fly. – WorseDoughnut Apr 12 '16 at 16:44
  • Wouldn't deleting and re-creating the partition of the pen drive using GParted be able to get rid of the virus? Even if it is the type of virus that is "able to persist in hardware between wipes (either on small partitions on the pendrive, or by loading themselves into the firmware of the infected machines hardware)"? Since these are Windows viruses, I guess they won't even run when plugged into a Linux machine, so we could just run GParted. – Nav Sep 09 '17 at 17:45

It depends. In older times there was an autostart facility when inserting a data DVD/CD-ROM or USB stick but on modern systems this is usually no longer active by default. It might still be possible to corrupt the file system on a stick in a way which causes code execution when the system tries to access the device, and there are USB sticks with a writable controller which could have been modified to be a Bad USB device.

While antivirus works in lots of cases, it is not foolproof and there are methods to bypass it. If you must assume that your USB device is infected, I would not recommend putting it into your system any longer, no matter whether you have antivirus or not.

Steffen Ullrich

Depends on what it has on it. There are some attacks and malware which affect the signals that the device sends to the computer - most famously the BadUSB attacks, which let flash drives claim to be input devices - in which case merely plugging a device in could allow it to do things ranging from the annoying (hitting enter at random) to the malicious (loading web pages containing drive-by malware).

Safest thing is to replace the USB drive, but you could try examining it using a liveboot environment, although bear in mind that even that could result in problems if you miss anything, or if the live CD mounts your actual system drives.

Matthew
  • what if the usb device is mounted on the Linux live distro but I don't open any folder in it, just right-click and format it? Can I recover it that way without infecting the C: drive ? – franz1 Apr 11 '16 at 15:45
  • Can't say - if the firmware is infected, no, formatting won't sort it. The only absolutely safe thing at this point is to replace it, unfortunately. – Matthew Apr 11 '16 at 15:52
  • Thanks. But is there any way to check whether it did occur or not, and then decide if it's necessary to replace it? – franz1 Apr 11 '16 at 16:07
  • You can investigate whether it happened by using a disposable device, such as a Raspberry Pi with a cheap SD card, as mentioned above, but unless it's a really big USB stick, you'll spend more on checking it than on just replacing it. It might be fine, it might infect your PC as soon as you insert it, but you can't check that without risking the machine you plug it into. – Matthew Apr 11 '16 at 16:12
  • OK... My USB stick also contains launchable Linux ISOs, including LSP, which doesn't mount the other drives. So, let's suppose I launch this Linux distro, without any risk that C: and the other drives will be opened, and everything seems to work fine, and I will use it as a bootable media only from now on: should I replace it even in that case? – franz1 Apr 11 '16 at 16:31
  • Are you saying that your infected USB stick contains GNU/Linux ISOs and you want to boot from them? If so, that's quite a bad idea… – Léo Lam Apr 11 '16 at 16:54
  • @robertalrp the real risk is from a hardware/firmware scenario. There is USB-based malware that can persist in your hardware between reboots and "wipes" (although a solid `dd` might clear lesser versions). Besides, there's no way to confirm that the malware won't infect the live session itself (which could be even worse). – WorseDoughnut Apr 11 '16 at 17:35
  • Also, `"what if the usb device is mounted on the Linux live distro but I don't open any folder in it"` is definitely not a safe route either. Mounting the drive is a terrible idea. You clicking on a folder isn't what allows malware to run. – WorseDoughnut Apr 11 '16 at 17:37
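Matthew's BadUSB point and Voo's comment on the first answer both come down to the same defensive check: look at what the device advertises before the kernel configures it and binds drivers. The Python below is an added example, not code from any poster in this thread; it assumes a Linux host, where the raw descriptor chain is readable from sysfs while the device is still unauthorized, and the two sample descriptor blobs are constructed for the demonstration.

```python
"""Check what a USB device claims to be before the kernel configures it.

Added example, not from the thread. It walks the USB 2.0 descriptor chain
(every descriptor starts with bLength, bDescriptorType); on Linux the chain is
readable at /sys/bus/usb/devices/<dev>/descriptors even while the device is
unauthorized (authorized_default=0), so a stick that also advertises a HID
interface, the BadUSB pattern, can be refused before it is configured.
"""
import struct

DEVICE, CONFIG, INTERFACE = 1, 2, 4  # bDescriptorType values
MASS_STORAGE, HID = 0x08, 0x03       # bInterfaceClass values

def parse_descriptors(blob: bytes):
    """Return (bDeviceClass, [(class, subclass, protocol) per interface])."""
    device_class, interfaces, pos = None, [], 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DEVICE and length >= 18:
            device_class = blob[pos + 4]
        elif dtype == INTERFACE and length >= 9:
            interfaces.append(tuple(blob[pos + 5:pos + 8]))
        pos += length
    return device_class, interfaces

def storage_only(blob: bytes) -> bool:
    """True only if every advertised interface is Mass Storage (class 0x08)."""
    _, interfaces = parse_descriptors(blob)
    return bool(interfaces) and all(c == MASS_STORAGE for c, _, _ in interfaces)

def check_sysfs_device(dev_path: str) -> bool:
    """Apply the check to a real device directory, e.g. /sys/bus/usb/devices/1-2."""
    with open(f"{dev_path}/descriptors", "rb") as f:
        return storage_only(f.read())

# Constructed sample blobs: placeholder vendor/product ids, endpoint descriptors omitted.
def _device_desc():
    return struct.pack("<BBHBBBBHHHBBBB", 18, DEVICE, 0x0200, 0, 0, 0, 64,
                       0x1234, 0x5678, 0x0100, 1, 2, 3, 1)

def _config(interfaces):
    body = b"".join(struct.pack("<BBBBBBBBB", 9, INTERFACE, n, 0, 0, c, s, p, 0)
                    for n, (c, s, p) in enumerate(interfaces))
    return struct.pack("<BBHBBBBB", 9, CONFIG, 9 + len(body), len(interfaces),
                       1, 0, 0x80, 50) + body

PLAIN_STICK = _device_desc() + _config([(MASS_STORAGE, 0x06, 0x50)])
BADUSB_STICK = _device_desc() + _config([(MASS_STORAGE, 0x06, 0x50), (HID, 1, 1)])
```

On a real box this only gates the device-class decision; a stick whose firmware has been rewritten can still lie about being mass storage, which is why the answers above still recommend disposable hardware.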

The answers already here provide some good technical advice on how to go about doing what you propose while minimizing risk to whatever machine you would be using to attempt the sanitization (i.e. run a live distro of a different operating system type than was on your friend's infected computer, preferably after physically removing or disconnecting the normal writable storage disks/drives inside your machine, if practical). Instead, let me address the question of whether it's actually worth trying to do that.

This situation has a kind of an implied premise here that we ought to pay attention to: if that USB stick was/is contaminated by something--or especially, by somethings, in the multiple--can you really be very confident that even using multiple anti-malware programs will detect & remove every bit of nastiness that may be on there? Considering what we know in general about the false negative (i.e. when malicious stuff is missed) detection rates of even the best anti-malware programs against modern threats (even Norton will tell you how often traditional anti-malware scanning doesn't catch malware these days)... well, let me humbly suggest that the most prudent way forward might be just taking the USB stick, wrapping it in a post-it note that says "good chance infected", putting it away in a drawer, and forgoing any recovery work on it unless & until a day ever comes when you realize you seriously need some files on there.

Especially with the costs of new USB drives ever shrinking, let me suggest that barring some unusual factor being in play here there's a good chance that the risk of getting your machine infected is not going to be worth the possibility of saving & reusing the USB stick.

mostlyinformed