There were many options to open it, but in case of safety concern it will consume more time:
- Open it up through some live CD version of Linux. If the USB flash drive was infected it would infect only the OS on the live CD.
- Boot the OS in a virtual machine and test the USB flash drive[Note: You can set the guest OS to detect USB first which would disable the host USB detection].
- If you are using a Windows machine: Disable
autorun.inf
on a local computer.
- If you are on mac mount the USB as readonly
- You could disable autorun in mac by following this steps :
You need to remove the auto launch job with the launchctl
command.
For example, in my case I have already installed a modem manufactured by ZTE. So I searched for LAUNCHD listings using the launchctl list
command and grepped for those modem strings.
launchctl list | grep -i zte
Showing:
5681 - cn.com.zte.usbswapper.plist
If you do not find your app, then output all the jobs to a file. This awk command tries to overcome the chance that you may have spaces in your launchd job name.
launchctl list 2>/dev/null | awk '
{ x="\""substr($0, match($0, $3), 100)"\""; print x; system("launchctl list " x) }
' > launchList.txt
Open launchList.txt. The name of the launchd job will be shown in "..." above the {} block where you hopefully find a "Mobile Partner" or "AutoOpen" string.
Perhaps inspect the item to be more confident before removal. Surround by "" if there are spaces in the job name.
launchctl list "cn.com.zte.usbswapper.plist"
Then just remove it. This is the command to stop the auto load. Be very sure you are removing the correct agent or deamon.
launchctl remove "cn.com.zte.usbswapper.plist"
Add it again if you want, using the full path of the PLIST file.
launchctl load /Library/LaunchAgents/cn.com.zte.usbswapper.plist
Scan through a computer and all USB flash drives regularly.
Note for BADUSB :
When you plug a USB device into a computer, the device tells the
computer what sort of thing it is, so the computer can select the
appropriate driver. For example, a thumb drive declares itself as a
"USB Mass Storage" device, while a keyboard is a "Human Interface
Device".
BadUSB is a technique for re-writing the firmware of a plugged-in USB
device from the computer. For example, it could make a thumb drive
identify itself as a mouse and cause the pointer to jump around at
random. Or it could make the thumb drive identify as a USB hub with
connected keyboard and mass storage, that when plugged in types a
sequence of keystrokes that causes a program on the thumb drive to be
run.
If you were using linux and wish to prevent against badusb :
BadUSB attacks are based on the fact that computers allow and enable HID devices on all usb ports. Faked network adapters are no real danger. My answer tries do describe how to use udev to temporarily disable the addition of new HID devices
For preparation, create a file /etc/udev/rules.d/10-usbblock.rules
with the content:
#ACTION=="add", ATTR{bInterfaceClass}=="03" RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/../authorized'"
If you want to block other classes too, then look up the class number, and copy the line, and change the class.
Now you can block all new HID devices using the command
sed -i 's/#//' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
and unblock with:
sed -i 's/^/#/' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
Before you shut down, always unblock, as the setting is persistent, and your "good" HID devices would be rejected on reboot.
I don't know whether you can edit the temporary rules directory, but if changes there affect the behaviour, you should edit that instead, as then you don't need to unblock before shutdown.
BADUSB Credits source : Security DMZ
1My 1st thought is you boot the PC up with a liveCD – David Dai – 2015-10-08T04:21:31.693
1
@Moab This question has answers listing lots of dangers of untrusted USBs that can indeed jump off the drive into a PC.
– IntrepidPig – 2015-10-08T04:30:02.0432use virtual machine and open the pendrive – BlueBerry - Vignesh4303 – 2015-10-08T06:10:19.553
@moab exactly opposite - there are still code execution bugs found in filesystem mounting, autorun.inf handling etc. – DarkWanderer – 2015-10-08T07:33:35.447
1Find somebody you don't like and plug it in their computer. – Fiasco Labs – 2016-04-06T03:40:43.517
Use Virtual machine, find it mounted first in the host OS and oh, ooops! – Fiasco Labs – 2016-04-06T03:41:29.597
Related: Safely opening a suspect USB Drive, Is there any way to safely examine the contents of a USB memory stick?, What is the danger of inserting and browsing an untrusted USB drive?, How can a flash drive spread a virus?, and How can USB sticks be dangerous?, and probably more.
– Scott – 2017-05-06T22:03:12.837