This is specifically for Ubuntu, but if you'd like to include a reply that'd help Windows users, please do.

Background:
I'm working on the suspicion that there's malware on my neighbour's laptop, desktop PC and an external HDD. I've scanned them with ClamAV and found nothing. It's suspected to be a Windows virus/worm or a boot sector virus, and the source of infection is another Desktop PC which I've scanned with ClamAV (from live Ubuntu) and found more than one virus and three worms. That PC had only Windows installed, so I suspect that all the malware was for Windows only (symptoms of infection were that the system would sometimes restart randomly or when booting or when reaching the Windows login screen). I used my pen drive on that system (before knowing it was infected, and used the pen drive on my neighbour's computers only in Ubuntu) and also used another friend's pen drive which when I tried opening with GParted on my neighbour's laptop, GParted just crashed, and in one instance ended up corrupting my neighbour's EFI partition. Just by opening the pen drive with GParted.
When my neighbour's desktop PC restarted on boot twice simultaneously and his laptop restarted on boot once, I suspected his computers were infected.

What was done:
Wiped entire HDD of PC with DBAN and reinstalled Ubuntu from a DVD.

TL;DR
Now I need to back up some large files from the Ubuntu laptop (which I suspect is infected, although ClamAV found nothing), onto a pen drive so that I can transfer it to the Ubuntu desktop PC.
Am working with the paranoid assumption that if there's a Linux worm in the laptop which antiviruses can't yet detect, then it'd copy itself into a new pen drive automatically if automount is enabled.
So the question is: Will it help to disable automount and manually mount the pen drive? Is there any chance there's a lesser chance that a worm could infect a pen drive if mounting is done manually? If no, then how can I safely transfer those 7GB+ files to the desktop PC from the laptop?

Nav

1 Answer

A mount is a mount, and from the perspective of software (malicious or otherwise), it doesn't matter whether or not the mountpoint was created manually or not. If your /media/your-usb-stick directory is writable by a given user, then any program running as that user will be able to save files to it. Automounting does not change that behavior.

Worms work by spreading over the network, using vulnerabilities to infect machines. It must be executed so it can attempt to exploit other computers through the network. Malware that simply exists as a file on an external drive poses no realistic threat.

forest
  • Ok, but if I know which files my pen drive is supposed to have, then by doing an `ls -altrh`, would I be guaranteed to see the worm as an extra file that isn't supposed to be there? I know a virus couldn't be found this way coz it attaches to an existing file, but a worm could, right? – Nav Nov 30 '17 at 12:34
  • A true virus is very rarely found nowadays. Usually there are trojans instead. A worm doesn't need to store itself as a file. It can reside entirely in memory and spreads via network vulnerabilities, not simply via a file. And `ls -altrh` would find any executable, but theoretically you could have a two-stage payload where the malicious code is found in an xattr or even internal filesystem metadata, with the first stage extracting and executing it. – forest Dec 01 '17 at 02:33
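
The check discussed in the comments above, as an added example (not code from either poster): record a SHA-256 manifest of the files before copying, then audit the mounted pen drive for extra, altered or missing files and for extended attributes, which `ls -altrh` does not show. The function names `build_manifest` and `audit_drive` are hypothetical, and the audit cannot see internal filesystem metadata or the boot sector.

```python
import hashlib
import os
import stat


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so multi-gigabyte files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Map each regular file under source_dir to its SHA-256 (run before copying)."""
    manifest = {}
    for root, _dirs, files in os.walk(source_dir):
        for name in files:
            full = os.path.join(root, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                manifest[os.path.relpath(full, source_dir)] = sha256_of(full)
    return manifest


def audit_drive(mount_point, manifest):
    """Return sorted (finding, relative_path) pairs for anything off-manifest."""
    findings, seen = [], set()
    for root, dirs, files in os.walk(mount_point):
        for name in dirs + files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, mount_point)
            mode = os.lstat(full).st_mode
            try:  # extended attributes are invisible to ls
                attrs = os.listxattr(full, follow_symlinks=False)
            except (OSError, AttributeError):  # unsupported filesystem or platform
                attrs = []
            findings += [("xattr " + a, rel) for a in attrs]
            if stat.S_ISDIR(mode):
                continue
            if not stat.S_ISREG(mode):  # symlink, device node, FIFO, socket
                findings.append(("not a regular file", rel))
            elif rel not in manifest:
                findings.append(("unexpected file", rel))
            elif sha256_of(full) != manifest[rel]:
                findings.append(("content changed", rel))
            seen.add(rel)
    findings += [("missing", rel) for rel in manifest.keys() - seen]
    return sorted(findings)
```

Some systems attach their own attributes (for example SELinux labels), so an `xattr` finding is a prompt to inspect the attribute, not proof of tampering.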