Plugging an infected USB/HD into a Puppy

For discussions about security.
Message
Author
purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

I only submit what I was told. I am not expert.

#31 Post by purple379 »

I seem to recall one of those programs had a Linux version. Is that version just a GUI for DD, I do not know. Seems unlikely that there is any program that Linux can not already emulate, if I chose the right program and right options.

To better explain what my concerns. To go back in time a bit. Used to be that Malware (in Windows) on a USB key would automatically install itself on Windows, and proliferate in both the Windows system, and to other USB keys that were plugged in. I know that some current Windows Security programs scan all USB keys plugged into system, but I am unclear whether that actually catches the latest current version of USB malware. Keeping in mind that the USB Malware might be the carrier for several different type of Malware.

I know some folks are going to say, but M$ said they fixed those things, and why are we talking about Windows here. Because I am not sure the same problems will not proliferate in Linux. Guessing that the it is the basic to the OS that is being corrupted, by the time I plug in the USB, how can be sure that the format will write over everything on the USB key.

I also thought that it might be a different program to format a USB 3.0 key versus USB 2.0, so it seems possible that some other things are possible in formatting USB keys.

Nope, I do not know any OS that will explicitly write over, what used to hide in the boot sector of the USB key, and not clobber my personal data. But if the malware can infect the OS at the first read of the USB key by the OS, I may be writing the Malware back onto the USB key myself.

My concern in writing Kingston, which because I was using TOR at that moment, ended up in Europe, not the US, was that I had several USB keys that showed substantially less space that they used to. Kingston first expressed that different OS's show different sizes. However, I have not updated my Apple- OS X in some time, and it showed less space. Once though, I once formatted some of these keys to NTFS, which I believe would take up space for a boot sector. However, Formatting them back to FAT did return the larger space. And I read that the OS X Disk Utility did not function as it once did.

So Yeah, I am looking a security blanket assurance that when I format a USB key, I have gotten rid Malware. Keeping the primary OS on the hard drive, Linux or Windows free of USB malware is likely always a moving target. I also wonder, since SSD's have sections to take care of bad spots on the drive, that its firmware can not be re programmed, and used to deliver a malware load.

You are correct in suggesting I know little of what I am talking about.

User avatar
Burn_IT
Posts: 3650
Joined: Sat 12 Aug 2006, 19:25
Location: Tamworth UK

#32 Post by Burn_IT »

Does such a program actually exist? For any type of OS (Windows, Mac, all flavors Linux)???
No! Magic does not exist.


editd to add quote for clarifiction.
Last edited by Burn_IT on Wed 29 Nov 2017, 16:04, edited 1 time in total.
"Just think of it as leaving early to avoid the rush" - T Pratchett

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#33 Post by jamesbond »

I hope I don't scare you too much on my previous post.

To continue this thread - I need to emphasise that what I wrote about BIOS/UEFI-level of infection is at "plausible" level.
There are indeed malware that works like what I described above; but they don't come very often.
Usually at this level of infection, you don't call them malware anymore - you call them rootkit.

But does it mean that that putting an infected USB while the computer is off, and then plugging it on, automatically infects it?
The answer is of couse, "it depends". It depends on your BIOS settings, it depends on what kind of malware is inside the infected USB, etc.
It depends on the infection. Ebola is pretty nasty but cold will just give you an excuse to stay in bed for a few days.
If you know for sure that the infection is your typical Windows virus, then most of the time it would be okay because they can only infect when they are loaded and run properly as Windows programs.
It is worrisome to me that many of Murga here, over the years, keep telling people that they use a usb-installed Pup to fix and/or clean their broken and/or infected machines. and the advice is they are telling people to plug the Pup-usb into a BIOS motherboard that is set the way you described---with the internal sata/ide HD looked at & spoken to first. I would think people (on Murga here) at a minimum need to educate themselves---based on what you wrote----about the advice they are giving.
This is not the same. There is a difference between plugging an infected USB to a known clean system; and plugging a known clean USB to a known infected system (in its harddisk).

The difference is this: a clean system is normally clean. Plugging an infected USB may harm it, so you take precaution and insert the USB only when the computer is already ON. If you don't, you risk endangering the system. So be careful with what you're doing; because the loss is big (you lose your clean computer).

On a known infected system, all bets is off. The system is by default is already considered toast. Again, unless you know exactly what the infection is, you don't know how much damage is already done. Plugging an clean USB in order to try to "fix" and "clean" the system is valiant attempt; and it may or may not be successful (again, it dependson the infection); but it doesn't, the worst that can happen is that now you have an additional infected USB. Which you can toss away if you're so inclined.

So the advice given in the forum is indeed solid.
If I (or we) are to understand your post correctly, we should not have to worry about any possibly "infected" hard drive connected to any of our machines whether at boot or after the pup/fatdog/ddog is booted up.

Why? Because, since ALL of our pups/fatdogs/ddogs are installed "frugally" and since our BIOS motherboard are told to first look for USB connected devices & boot them 1st, then that possibly connected "infected" internal hard drive isn't even looked at and/or spoken to until after the pup/fatdog/ddog is booted up----and thus when the pup/fatdog/ddog tells you the hard drive is available for mounting.
This wasn't the what the original question was.

The original question (as I understood is) was: "is it risky to put a known infected USB drive?" - which (to me) implies that the your OS is in the harddisk, and you're trying to salvage data from your infected USB drive.

What you wrote above, now, inverts the situation.
You're now asking whether that booting from a known clean USB drive is okay, even if it is known that the harddisk is infected.
Well, I didn't say that previously because I was focusing on the original point.
You are correct to say that "since our BIOS motherboard are told to first look for USB connected devices & boot them 1st, then that possibly connected "infected" internal hard drive isn't even looked at and/or spoken to until after the pup/fatdog/ddog is booted up", but remember, this depends on the infection. See what I've just written above. If the infection is only of the usual kind, then yes it's safe. If your infection is the firmware rootkit type; this gets executed even before the OS starts (any OS for that matter) so all bets are off.
P.S. At our little gang of club meeting last night, we each had tried a test with various of our motherboards using the BIOS firmware installed on usb, cdrom and hard drives, respectively. All to see what happens with that booted. None of us could get our motherboards to even recognize there was a BIOS firmware version there on any device--- even the 13-15 year old ECS ones required you to manually first go into or enter the BIOS, and initiate the BIOS firmware upgrade process, and then tell the BIOS where to look. Otherwise, all non-UEFI BIOSes just ignored a stored BIOS firmware version on any storage device. Maybe it might have to do with the fact we all--based on something we read many years ago---have complex character/number/symbol machine-bios-passwds set up where the BIOS cannot be accessed unless this passwd is entered, or you physically get in there and pop the board's battery while everything is unplugged. So that was a relief, again, based on what you wrote Wink
What I have written in my previous post is "what could plausibly happen"; and it has happened before. It is also true that this kind of attack is rare, because it requires very specific knowledge and it only attacks very specific hardware. So you may be very well not affected. But that doesn't mean you don't take precaution.

_______________________________________

"In order to completely format your USB drives please try to carry out a so-called low level format on the USB drives using a freeware utility such as Active Killdisk, TestDisk or HDD Guru.
I don't know about Acgive Killdisk or HDD Guru.
But TestDisk is definitely not a low-level formatter for USB drive.
"dd" isn't a low-level formatter either.

True generic low-level formatter died with controller-less MFM/RLL harddisk, in early 1990s.
These days, you can only get a true low-level formatter from the harddisk/USB manufacturer.

In modern times the low-level formatter program resides in the harddisk controller - if the manufacturer chooses to put it there.
That's the small PCB board that is attached on the harddisk itself.

To perform low-level format, you need to send secret magic codes to the harddisk controller to active this built-in program.
You can do this with "hdparm" in Linux.
But you must know the magic codes.
Most manufacturers don't share these magic codes.
Instead, the best they would do, is to provide a "advanced diagnostic" program that does it, internally.
And this program is specific to the manufacturer; sometimes, different disks requires different programs.
A low level format goes much deeper than the standard Windows format, removing the tertiary and secondary data layers - only the primary layer remains intact.
Meaningless statements unless they define what exactly these layers mean.

I love startrek but I understand that most of what they say is technobabble.
Be careful of marketing statements disguised in technical terms.
I want a program that explicitly re-sets my computers USB to what it should be, and some where in there, allows me to reset the USB key to normal, while not clobbering the useful data on the Key.
It doesn't exist.
Fatdog64 forum links: [url=http://murga-linux.com/puppy/viewtopic.php?t=117546]Latest version[/url] | [url=https://cutt.ly/ke8sn5H]Contributed packages[/url] | [url=https://cutt.ly/se8scrb]ISO builder[/url]

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#34 Post by belham2 »

jamesbond wrote:I hope I don't scare you too much on my previous post.
..no worries, this is just a great learning exercise for me/us.

If I (or we) are to understand your post correctly, we should not have to worry about any possibly "infected" hard drive connected to any of our machines whether at boot or after the pup/fatdog/ddog is booted up.

Why? Because, since ALL of our pups/fatdogs/ddogs are installed "frugally" and since our BIOS motherboard are told to first look for USB connected devices & boot them 1st, then that possibly connected "infected" internal hard drive isn't even looked at and/or spoken to until after the pup/fatdog/ddog is booted up----and thus when the pup/fatdog/ddog tells you the hard drive is available for mounting.
jamesbond wrote:This wasn't the what the original question was.

What you wrote above, now, inverts the situation.
..oops, typo, I did not mean USB but meant Hardrive. Problem is, with nomenclature, having internal HDs and external HDs in abundance, some with USB attached, others still "officially" internal drives even though they sit outside the computer, where they are easily unplug-able and, in some cases, swap-able, I have to remember to keep the terms right. So no "inverting" the situation was intended.


Lastly, found something enormously interesting......we've been using both Windows 10 testing OS that one can download for free (and is good for 3 months) and also using large Linux Distros (Ubuntu/Debian and Fedora) and playing with this plugging USB OSes into them, and booting both at the same time & seeing what happens. One of our club members purposely infected the Window OS with malware, a root worm, and then we tried various scenarios.

1) If you plug a pristine USB frugal installed pup in, they all were immediately infected at boot, and showed the worm upon booting into them with Windows OS waiting to be mounted.

2) But, if the USB frugal pup was booted alone, without the Windows 10 OS Harddrive plugged in, and only after the pup was booted and fully running, and then plugged in the root worm, it seemed it could not infect the pup, and we could clear the infected Windows 10 HD. But boy, if you did it the other way (#1 above, and left the infected Win10 HD plugged in at boot, it basically screwed every USB frugal pup we tried (we tried Slacko64 & XenialPup64).

Interesting: lesson to us is NEVER, if having a suspected drive, leave it plugged in while you are booting a pup-USB loaded thumbdrive up. IT seems too risky.


But, this next thing was even more interesting, or we thought:

We loaded Debian 9 Stretch full XFCE install on an internal HD, and then loaded a Debian 9 USB Ddog USB thumbdrive, left both plugged in, turned on the machine, and chose the Ddog USB, after booting, getting to the OS, then shutting down, to only run the Debian 9 XFCE HD, you no longer had Interent, among a few other things. Why? The Ddog USB completely overwrote all Internet settings that had been saved previously with whatever was in the USB Ddog stick. And the dEbian 9 Stretch full XFCE HD was never even mounted in Ddog! and the "automount" ability of Ddog was specifically removed ahead of time for this test.

So, here we have a case of info changing at boot (from an attached USB OS) where the internal HD was never even mounted during the whole test. This was repeated 3 times, and each time it happened.

I am wondering if the same will happen with Slacko USB and Slacko full HD installs? When OSes and pups are of the same derivative, something funny seems to going on at boot and bootup. There seems to be more info being exchanged, written and overwritten during/after bootups than people realize when using, say, a slacko-pup USB on a full HD slacko install (same goes for Debian, as noted above, and Ubuntu; Fedora, so far, has seemed impervious to everything we've thrown at it, plus not understanding Fedora/OpenSUSE at all makes even harder).


So the investigations continue. :wink:

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

Implicatons of booting from Optical drive

#35 Post by purple379 »

Keeping in mind the difference to the MOBO in booting an USB plugged in drive in my laptop, and the one in my desktop.

Also guessing that when one writes an Optical disk with an ISO, it can or can not pick up malware on the computer writing the ISO.

User avatar
greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

Re: Plugging an infected USB/HD into a Puppy

#36 Post by greengeek »

Well ok this thread has gone quiet but having stumbled across it I shall chuck my somewhat paranoid 2c worth in...
belham2 wrote: Can malware/infections jump across at this level of communication between the plugged-in-infected-drive-that-is-not-yet-mounted and the puppy OS???
Yes, definitely. For two reasons - firstly malware can act at the hardware level - below the level at which Puppy interacts with the drive. Infection can occur without any interaction from Puppy. It depends on bios, mobo, firmware etc etc. Secondly - Puppy does not always wait for you to mount a drive. Sometimes the drive is momentarily mounted then dismounted by Puppy invisibly.

One significant question is - exactly what type of malware exists on the usb stick? Could it be a "made-in-china" stick with embedded spyware? Could it be a promotional usb stick a friend brought back from a trip to Moscow or TelAviv? Is it poorly written Linux code that has the potential to damage your hardware?

For example - Linux code on a usb stick can damage the uefi hardware in the mobo. I suppose this could be called a type of malware. Certainly destructive anyway (and not only limited to Lenovo products):
https://bugs.launchpad.net/ubuntu/+sour ... ug/1734147
(uefi hardware allows the "bios" to be updated by the code run by the usb stick. It is not "fixed" like old style bios used to be)

Also usb sticks are not always what they seem:

- USB sticks are not just non-volatile RAM - they include a hardware controller that can bypass udev. The controller talks to the mobo and bios/uefi much more than it talks to udev.

- Malware controllers in USB sticks can falsify the amount of RAM they contain. This can work both ways - a stick can have 2GB of storage but advertise itself as being a 16GB stick. (There goes 14GB of valuable data constantly being overwritten without errors). Or it can be a 16GB stick that advertises itself as an 8GB stick. It can use the hidden storage for malware purposes.

- Some usb sticks have entire hidden partitions (hard drives can too)
http://www.instructables.com/id/Create- ... ive-which/
Some hidden partitions can be set up by the stick manufacturer and not discoverable by Linux. Hard drives out of scada-controlled machines or out of proprietary imaging devices often have hidden partitions holding hidden code (particularly prevalent in photocopier hard drives where hardwired anti-counterfeit measures are commonplace). DD and Gparted are inadequate at that level.

- Some usb sticks can harbour rootkits.
Even manufactureres with the best intentions can do sneaky things:
https://en.wikipedia.org/wiki/Sony_BMG_ ... it_scandal
If Lenovo made usb sticks I would not be keen to insert them into my PC!
https://thehackernews.com/2015/09/lenov ... virus.html

- Some usb sticks are actually data loggers or audio recorders (even though they look just like a normal usb stick)

- It is possible for a usb stick to have a wifi transmitter inside it and broadcast your information without you realising it is anything other than a normal storage device. Even some SD cards are wifi capable.

- You have no idea if the controller firmware in a usb stick is safe or hacked:
http://au.pcmag.com/opinion/23289/an-ev ... detectably
"At the Black Hat 2014 conference, two researchers from Berlin-based SRLabs revealed a technique for modifying a USB device's controller chip so it can "spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user." That sounds kind of bad, but in fact it's really, really dreadful."
"He next plugged the just-infected drive into a Linux notebook, where it visibly issued keyboard commands to load malicious code. Once again, the demo drew applause from the audience."

Stuxnet (introduced by infected usb sticks) affected scada devices by autorunning code that redistributed itself. Windows is really susceptible to that sort of thing but Linux can be hijacked too. Some malware is a tool used by "state level" hackers.
https://www.wired.com/2014/11/countdown ... y-stuxnet/

At that "nation state" level they work with hardware manufacturers (MOBO and USB devices etc) to build hacker interfaces into the hardware.

The BIOS itself can be hacked by various methods:
https://cansecwest.com/csw09/csw09-sacco-ortega.pdf
Entirely conceivable that a usb stick could harbour such code.

Although unlikely to happen to you or me, it is possible for state backed hackers to add hardware "malware" into various devices during shipment:
https://www.theverge.com/2013/12/29/525 ... -plant-spy
https://www.theatlantic.com/technology/ ... re/356548/
"NSA hackers have tools to crack systems created by Cisco, Western Digital, Huawei, or any other major cyber security firm. No target's computer is safe."
http://www.spiegel.de/international/wor ... 40994.html

I also recently read that bitcoin algorithms have contained spyware since day one. Something to do with an evergrowing blockchain retaining critical users info. Can't put my finger on the link at the mo.

User avatar
8Geee
Posts: 2181
Joined: Mon 12 May 2008, 11:29
Location: N.E. USA

#37 Post by 8Geee »

And bitcoin miners exist in some websites while you are there... the giveaway is the increased CPU usage (usually pegged at 100% especially on older machines). So youur computer is mining bitcoins for the webby.

my added 2 micro bitcoins
8Geee
Linux user #498913 "Some people need to reimagine their thinking."
"Zuckerberg: a large city inhabited by mentally challenged people."

Post Reply