18

I'm about to distribute some relatively cheap promotional usb drives to some of my company's clients. I'm fairly confident the company I purchased them from wouldn't intentionally implant malware on the drives - but they were pretty cheap - how can I be sure that they do not have some sort of malware or rootkit secretly installed on them from the manufacturer?

Myer
  • 11
    I was also fairly confident that Sony wouldn't put rootkits on their CDs, but guess what... – Dog eat cat world Nov 02 '11 at 21:49
  • 3
    Actually the risks of USB devices are deeper than just checking the filesystem. Do a search for "BadUSB". Example: http://arstechnica.com/security/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/ – m0j0 Apr 07 '15 at 01:27

5 Answers

7

You don't need anti-virus. Simply look at the contents of one of the drives. Are they empty? Fine, then you are ok. Pull random samples out and check them.

If you asked the vendor to put files on the drive, such as promotional materials for your company, then make sure that the files match precisely.

Remember: do this from a machine with the latest patches. For example, you don't want to do this with a Windows machine with autorun enabled, or the virus will hop to your machine, infect it, then hide its files from you. A recent Mac or Linux machine will probably be safe.

Beware that USB drives can have multiple "partitions", one of which might appear as a CD-ROM drive. Check not just the one you expect, but these additional partitions as well.

All this assumes the device acts as a normal flash drive. Hackers can do something more nefarious, such as pretend to be a keyboard and inject keystrokes that log the hacker in. It's so unlikely that you don't have to worry about it, but if you do, then you'd have to hire an expert to test them.

Lastly, because of these security concerns, promotional USB drives are very bad promotional items. Most Fortune 500 corporations and the military have rules dictating that such drives should be destroyed, and never plugged into a computer.

Robert David Graham
  • 3
    I'm going to downvote this answer because I have no idea what the author is talking about regarding partitions, but I have evidenced malware that was not visible on USB drives that was able to execute. A very, very poor answer. – atdre Feb 06 '19 at 19:59
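
The "files match precisely" check from the answer above, as an added example that is not part of the original post: it hashes every file on a mounted drive and compares the result with the master copy that was sent to the vendor. The function names, folder layout and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def digest_tree(root):
    """Map each file's relative path (lower-cased, FAT is case-insensitive) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def audit_drive(mount_point, master_dir=None):
    """Compare a mounted drive with the master copy sent to the vendor.

    master_dir=None means the drives were ordered blank, so any file is unexpected.
    """
    expected = digest_tree(master_dir) if master_dir else {}
    found = digest_tree(mount_point)
    return {
        "unexpected": sorted(set(found) - set(expected)),
        "missing": sorted(set(expected) - set(found)),
        "modified": sorted(n for n in set(found) & set(expected) if found[n] != expected[n]),
    }

def build_demo():
    """Constructed sample: a master folder and a fake 'drive' with one altered and one extra file."""
    base = Path(tempfile.mkdtemp())
    master, drive = base / "master", base / "drive"
    for d in (master, drive):
        (d / "docs").mkdir(parents=True)
    (master / "docs" / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed brochure")
    (master / "readme.txt").write_bytes(b"Thanks for visiting our booth")
    (drive / "docs" / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed brochure, altered")
    (drive / "readme.txt").write_bytes(b"Thanks for visiting our booth")
    (drive / "autorun.inf").write_bytes(b"[autorun]\r\nopen=setup.exe\r\n")
    return master, drive

if __name__ == "__main__":
    master, drive = build_demo()
    print(audit_drive(drive, master))
```

Mount the drive read-only where possible so the inspecting machine does not add its own metadata files to the result. The check only covers the filesystem that is mounted; additional partitions and the device's own behaviour, both raised on this page, are outside what it can see.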
6

The simplest option is actually to set up a machine with a couple of antivirus/antimalware products on it, with no connectivity to other networks, and plug the devices in.

It is not foolproof by any means, but to get a deep assurance you would have to examine the driver files and that is likely to be time consuming and uneconomic. Depending on where you are, you may have a strong contract with the company that sold them to you, but even if not, if you find malware, you could offer them the option of providing you with clean ones or never getting your business again...

Rory Alsop
5

The easiest way would probably be to reformat them all. Might take some time though, depending on how many you have.

shutefan
1

Edit: since this was written, more sophisticated USB malware has appeared. There seems to be no perfect way to avoid USB malware. Use good security hygiene such as not plugging in unknown USB devices and not lending out a USB drive. In other words, after using it to give a file to a colleague, just tell them to keep it.

I have seen viruses spread via USB sticks in a lab environment. Windows computers can be set to automatically run software off a USB stick and there might be an autorun.inf file and an executable on the stick that you are concerned with.

What you want to do is quickly look at the USB stick with a computer that is safer than the PCs you are going to be using with the sticks later. You can use a Mac, Linux box, or a secured Windows PC with autorun disabled. The Mac method is easiest and Macs are pretty common.

Using a Mac: create a file on the desktop called autorun.inf. To do this open Terminal.app from the Utilities folder in the Applications folder. Type cd ~/Desktop then touch autorun.inf to create the file. Now type sudo chmod 444 autorun.inf or sudo chflags uchg autorun.inf or both. Now you have a locked file you are going to place on the USB sticks to resist or prevent spreading of viruses.

Plug in a USB stick. Only one icon should appear in the sidebar or on the desktop representing the stick. If you have multiple icons you have one partition probably holding autorunning software or possibly hidden, and since this is unexpected behavior go ahead and reformat the USB stick. I like Macs for this because they read every common format, can format to FAT/ExFAT for PCs to read, are immune to PC viruses, and they ignore autorun.inf.

If you want to browse the file structure on the stick you can. You expect nothing there and any existing folders or directories should raise a red flag. You can scan the stick with ClamAV or similar on the Mac if you have it. If everything looks OK then drag copy your autorun.inf file from the desktop to the USB stick icon. It just takes a moment and then eject it and move on to the next. This will work on a recent Mac regardless of the format of the USB stick, generally FAT or ExFAT. If there is an autorun.inf already there, overwrite it (there shouldn't be one!). Finally, just drag copy autorun.inf to all the rest of the sticks if the first one doesn't look suspicious because now you are just preventing future infection.

geoO
  • 1
    You've "locked" the autorun file, but you haven't locked the directory you put it in, as evidenced by your ability to put it there. It can be replaced by renaming it. – WGroleau Dec 23 '16 at 13:28
  • I add autorun.inf to the root level of the USB stick on the Mac/Linux machine. The malware might not have sufficient permissions on the subsequent infected Windows computer insertion to erase/overwrite/rename that file, at least without some message to the user. Testing now with Win 10, will let you know how I make out. – geoO Dec 24 '16 at 16:34
  • I once had to fix a bug at work in a root-owned file. No one with the root password was available and I couldn't remember it. So I renamed the file (which changes the directory, not the file) and put the replacement in as the original name. – WGroleau Dec 24 '16 at 16:43
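
The point discussed in the comments above, as an added example that is not part of the original posts: a file with mode 444 can still be renamed and replaced when its directory is writable, so the placeholder is only useful if you later confirm it is the one you placed. The code uses a temporary directory on a local POSIX filesystem as a constructed stand-in for the stick's root, and all function names are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

def place_locked_placeholder(stick_root):
    """Create an empty autorun.inf with mode 444, as in the answer; return its identity."""
    target = Path(stick_root) / "autorun.inf"
    target.touch()
    os.chmod(target, 0o444)
    st = target.stat()
    return (st.st_ino, st.st_size)

def placeholder_intact(stick_root, identity):
    """True if autorun.inf is still the same empty, read-only file that was placed."""
    target = Path(stick_root) / "autorun.inf"
    if not target.is_file():
        return False
    st = target.stat()
    return (st.st_ino, st.st_size) == identity and not (st.st_mode & stat.S_IWUSR)

def swap_via_directory(stick_root, new_bytes):
    """What the comment describes: rename the locked file, then create a new one under the old name."""
    root = Path(stick_root)
    os.rename(root / "autorun.inf", root / "autorun.old")
    (root / "autorun.inf").write_bytes(new_bytes)

def demo():
    root = tempfile.mkdtemp()  # constructed stand-in for the stick's root directory
    ident = place_locked_placeholder(root)
    before = placeholder_intact(root, ident)
    swap_via_directory(root, b"[autorun]\r\n")  # constructed replacement content
    after = placeholder_intact(root, ident)
    # The renamed original keeps its read-only mode; only the directory entry changed.
    old_mode = stat.S_IMODE((Path(root) / "autorun.old").stat().st_mode)
    return before, after, old_mode

if __name__ == "__main__":
    print(demo())
```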
0

Are they in original packaging? Based on the specs and general quality of the brand, are they "cheap" from a quality standpoint?

If the answer to the first question is "no" or if the answer to the second question is "yes," then it's probably not a good idea to give them away as gifts to people/businesses with whom you want to maintain a relationship. Giving a cheap gift will make you appear as though you don't value the relationship with the customer or associate. And liability goes way up if the gift is infected with malware, esp if it is not in original packaging.

Garrett