How do I browse a hard drive that has viruses?

I'm going to be connecting a notebook SATA drive to my computer via USB. This drive may be faulty so it may not work at all, however before it went supposedly "bad" it had a virus on it.

My computer is currently running Windows 7. I'm guessing that the best way to open this up would be just to boot a LiveCD of Ubuntu and go from there?

Mike Hagstrom

Posted 2011-10-12T19:08:23.533

Reputation: 231

Answers

Using LiveCD is indeed the best and safest way. Here's why:

Effect of Autorun feature

If you're using Windows Vista or XP, you might need to disable the Autorun feature, so your computer doesn't try to execute anything from the infected hard disk automatically. This Microsoft KB article says:

Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.

In Windows 7 this "feature" was disabled by default, and this fix was backported to Vista and XP, so if you're running Vista or earlier, you need to be fully updated or download and install this update manually. This is how Microsoft "tactfully" says that the malware from your USB disks will not run:

Users who install this update will no longer receive a setup message that prompts them to install programs that are delivered by USB flash drives. Users will have to manually install the software.

Not running anything from the infected disk is not enough

If you don't execute, view, or open anything (yes, including office files!) on your infected disk, the chance of infection is very small, but still non-zero. Here are some examples of how it could happen:

  1. Vulnerability in the thumbnail preview in Windows Explorer. For example, exploit Win32/CVE-2010-3970. Microsoft says:

    Exploitation can occur by simply browsing to a folder containing the malicious file - no further user interaction is required.

  2. Other vulnerabilities in Windows itself or in any of the Explorer extensions that you have installed. For example, some shell (explorer) extensions are still vulnerable to DLL Preloading remote attack.

  3. You must remember to disconnect it from your computer if you reboot, so your computer won't try to boot from the infected disk.

Conclusion

Because of the issues outlined above, I think the safest way is to use a bootable ("live") CD, scan the disk with an antivirus, then cherry-pick the files you need and copy them selectively to other media.

haimg

Posted 2011-10-12T19:08:23.533

Reputation: 19 503

Alright, this would work to see if the disk is detectable. I like your answer the best; I'll mark it accepted. – Mike Hagstrom – 2011-10-12T19:51:46.860

Using the cmd prompt with dir and cd could prevent 1 and 2 from happening. – ratchet freak – 2011-10-12T23:32:56.887
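The procedure in the accepted answer (mount from a live CD without letting anything execute, then cherry-pick files) as an added example in shell; this is not code from the original answer. The device /dev/sdb1 and the mount point /mnt/suspect are assumed placeholders, and the copy helper uses an assumed allow-list of document and image extensions.

```shell
#!/bin/sh
# Added example (not from the original answers): helpers for inspecting a suspect
# disk from a Linux live CD. /dev/sdb1 and /mnt/suspect are assumed placeholder
# names; take the real ones from `lsblk` on the live system.

# Mount options that stop the live system from running anything off the disk:
#   ro     - never write: preserves the disk and blocks self-modifying malware
#   noexec - binaries on the disk cannot be executed directly
#   nosuid - setuid/setgid bits on the disk are ignored
#   nodev  - device nodes on the disk are ignored
SAFE_OPTS="ro,noexec,nosuid,nodev"

# Print the mount command for a suspect partition (to be run as root on the live CD).
safe_mount_cmd() {
    printf 'mount -o %s %s %s\n' "$SAFE_OPTS" "$1" "$2"
}

# Given one line of /proc/mounts, succeed only if all four protective options are set.
mount_is_safe() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    for o in ro noexec nosuid nodev; do
        case ",$opts," in
            *",$o,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Cherry-pick data files from the mounted disk into DEST: only regular files
# (symlinks are not followed) with allow-listed document/image extensions, so
# executables, scripts and .lnk shortcuts are never copied. Prints the count.
cherry_pick() {
    src=$1; dest=$2; count=0
    mkdir -p "$dest"
    find "$src" -type f \( -iname '*.txt' -o -iname '*.pdf' -o -iname '*.doc' \
        -o -iname '*.docx' -o -iname '*.xlsx' -o -iname '*.jpg' -o -iname '*.png' \) \
        -print > "$dest/.picklist"
    while IFS= read -r f; do
        rel=${f#"$src"/}
        mkdir -p "$dest/$(dirname "$rel")"
        cp "$f" "$dest/$rel" && count=$((count + 1))
    done < "$dest/.picklist"
    rm -f "$dest/.picklist"
    echo "$count"
}
```

Scan the read-only mount with the live CD's antivirus before running cherry_pick, and open the copied office files only on a patched machine, as the answer notes they can carry macros.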

Ubuntu or another non-Windows LiveCD will give you a lot of protection, as it would have to be multi-OS malware, so the likelihood here is negligible, but...

Various forms of malware DO have the ability to hook into lower level activity and jump from your hard disk without you thinking you have executed, viewed or opened anything - if you are running Windows, as it tries very hard to be helpful.

The examples from comments below include Stuxnet and Autorun (which should be patched anyway, in an up to date Windows) but there are others.

Rory Alsop

Posted 2011-10-12T19:08:23.533

Reputation: 3 168

Any source for this? I'm really interested in reading up on how a process is going to fire up from a non-booting drive (if nothing pokes or invokes it). – Kara Marfia – 2011-10-12T19:43:09.783

@Kara - it can't. But there are a lot of things that do poke without you thinking you have. Especially under Windows. That was kind of my point. Running Linux from a LiveCD obviates this issue. – Rory Alsop – 2011-10-12T19:46:03.307

There's no magic in Windows. You'll need to back your claim of "hooking and jumping" by some evidence or reference. – haimg – 2011-10-12T19:54:26.827

I will hunt down a few. You covered off the simple one with your edit :-) The problem is with Windows 'magic' though. It tries to be helpful, which opens files. – Rory Alsop – 2011-10-12T19:59:48.473

@RoryAlsop: According to a Microsoft Security Intelligence Report AutoRun is often used for automatically jumping off an external medium, other than that there doesn't exist much magic so have fun hunting as you won't find your claim. The only one you will likely find is the PIF/LNK vulnerability used by Stuxnet which has been patched since... – Tamara Wijsman – 2011-10-12T21:09:57.977

@RoryAlsop: So, this leaves only the flaws that are left in Explorer as possible. But the chance to have malware that specifically targets that is very small; and when it occurs on a large scale it's probably patched before you get it too, given that it's shared through external drives which slows the reproduction... Click here for the report. – Tamara Wijsman – 2011-10-12T21:13:37.580

@RoryAlsop: You're right about the "magic". I changed my answer somewhat. – haimg – 2011-10-12T21:30:23.650

@haimg: Good point on linking those from 2010, I forgot about them. Seems Stuxnet and AutoRun are not the only ways to do it; it's nice that those got fixed. I wonder if shell extensions really can be exploited... :) And then it's still a matter of whether 64-bit also has the problem. – Tamara Wijsman – 2011-10-12T21:32:57.237