6

I've personally seen it recommended that every time a user inserts a USB thumb drive into a computer, the thumb drive be scanned for potential malware and malicious code.

However, if all that's on the thumb drive is an empty FAT-32 or NTFS filesystem, does the threat remain? Is there a way to manipulate firmware or something along these lines on a USB thumb drive to do something more nefarious?

AviD
Naftuli Kay

1 Answer

12

A USB device with "manipulated firmware" can sure do evil things. For an extreme case, see this answer: the USB device may tell the OS "hey, I am the FireWire-to-USB converter X.Y, please download my driver from your vendor, then grant me full DMA access when I say so". Though still theoretical, this is not science-fiction, and it sure is scary.

For more mundane setups, including some which actually occurred, see this answer.

Even if the USB device is "just" a USB drive with an honest firmware and an empty filesystem, it still has a boot sector (first sector, the one containing the partition table) which is code; but that one will be activated only if the user tries to boot his machine over USB (this worked wonders in the floppy disk era, because most machines would try booting off the floppy if present; nowadays, if almost all PCs can boot off a USB drive, most will not try by default).

Tom Leek
  • Of course, Windows XP (and possibly higher) comes with the *delightful* default of attempting to automatically execute certain files if they exist on a newly mounted drive. I *think* they changed that default behaviour somewhere down the line but it's still inexcusable that it was there to begin with. – Shadur Dec 30 '13 at 21:57
  • Excellent answer: more specifically, is it possible to apply such hacks without physical access to it? For example, let's say a virus compromises computer A, with thumb drive B in it. Can software on computer A get access and attempt to modify the firmware on thumb drive B, provided that the thumb drive is physically present at computer A of course? – Naftuli Kay Dec 30 '13 at 22:59
  • Don't forget that you can simply partition it. While a boot sector is very likely to be scanned by antivirus, the 60+ sector padding between the partition table and the first partition rarely would be, nor would any un-partitioned space on the stick. That's a wonderful place to hide stuff. You might find some interesting ideas at the following link. It's not specifically about malware but is instead about data hiding on drives: http://www.berghel.net/publications/data_hiding/data_hiding.php – David Hoelzer Dec 30 '13 at 22:59
  • @NaftuliTzviKay: if the thumb drive allows for its firmware to be reflashed, well then it can certainly... be reflashed! This would be done from the host. Reflashing interfaces for USB drive firmwares are vendor specific and not documented, but it seems plausible that at least some USB drives allow for such reflashing. – Tom Leek Dec 30 '13 at 23:09
  • @Shadur Actually, it is "Windows XP *and lower*" which will autorun when you plug in a USB device (assuming that you have the drivers for said device - which you must install yourself in Windows 2K or older). Vista and newer will see that the file is there and prompt you for whether you want to execute it. – Moshe Katz Jan 01 '14 at 02:17
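
The answer notes that the boot sector of an "empty" drive is code, and David Hoelzer's comment points at the sectors between the partition table and the first partition and at unpartitioned space. The following is an added example (not from the answer or any commenter) that audits a raw drive image for exactly those areas. It assumes a classic MBR layout with 512-byte sectors and an image already read into memory; GPT and extended partitions are not handled, and all function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return (boot_code_present, [(type, first_lba, sector_count), ...])."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR signature (0x55AA) in sector 0")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        first_lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, first_lba, count))
    boot_code = any(sector0[:440])  # bytes 0..439 are the bootstrap code area
    return boot_code, sorted(parts, key=lambda p: p[1])

def unallocated_ranges(parts, total_sectors):
    """Sector ranges [start, end) after sector 0 not covered by any partition."""
    gaps, cursor = [], 1
    for _, first, count in parts:
        if first > cursor:
            gaps.append((cursor, first))
        cursor = max(cursor, first + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps

def audit_image(image):
    """Report boot code and non-zero sectors in areas a file-level scan never sees."""
    boot_code, parts = parse_mbr(image[:SECTOR])
    findings = []
    for start, end in unallocated_ranges(parts, len(image) // SECTOR):
        dirty = [s for s in range(start, end)
                 if any(image[s * SECTOR:(s + 1) * SECTOR])]
        findings.append({"start": start, "end": end, "nonzero_sectors": dirty})
    return {"boot_code": boot_code, "partitions": parts, "gaps": findings}

def build_sample_image():
    """Constructed sample: 256-sector image, one FAT32 partition at LBA 63."""
    img = bytearray(256 * SECTOR)
    img[446 + 4] = 0x0B                             # partition type: FAT32
    struct.pack_into("<II", img, 446 + 8, 63, 128)  # first LBA 63, 128 sectors
    img[510:512] = b"\x55\xaa"                      # MBR signature
    img[10 * SECTOR:10 * SECTOR + 6] = b"HIDDEN"    # data in the pre-partition gap
    img[200 * SECTOR] = 0x41                        # data in trailing unpartitioned space
    return bytes(img)
```

Calling `audit_image(build_sample_image())` reports sector 10 in the gap before the partition and sector 200 in the trailing unpartitioned space, neither of which is reachable through the filesystem.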