
Can infected OS hard drive infect the host if connected as USB drive?


15 replies to this topic

#1 Foldingchair

Posted 19 May 2015 - 11:46 AM

A little bit of a long title, but this suddenly popped into my head and I just HAD to get an answer to this just in case. I searched around on Google, but I didn't really know what to type in or what to look for.

 

So, here goes. As the title suggests, I'm curious if a hard drive with an infected Windows on it could infect someone else's PC if it were connected as an external hard drive, with USB, for example. I'd assume that it's possible, but in most cases unlikely if all one would do is look at the drive's contents and possibly format it.

 

Did I just answer my own question? Should you still be careful, or can't it hurt as long as no files are transferred from the infected hard drive?


"Peace and blessings be upon you all."



#2 rp88

Posted 19 May 2015 - 11:52 AM

Depends what sort of infection it is.

If the infection on the hard drive (which is being connected in a way an external data storage device generally would be) is not active, and is just within some of the files then others should be safe and infection free, and for the host machine to be infected a user would need to run one of the infected files on the HDD.

If the infection on the hard-drive has some sort of autorun system which lets it execute automatically as soon as connected to any device then the host will get infected.

It all depends on the type of infection. Best NOT to try anything like this unless you can be utterly sure the infection is of the first type and that it isn't in any of the files you might want to copy from the HDD.

You might consider plugging the HDD into a machine running a Linux operating system, then copying off anything you need to (don't copy off exe, scr or dll files, assume them to all be infected), then using that machine to format the hard drive. If copying off any files you will need to scan them heavily, there are tools which can be run on a Linux system to check files for infections which might become active if they were opened on a Windows system.

Regarding autorun, some types of auto-running are still possible aren't they? In general it isn't but at present there do exist viruses which can write themselves to USB and then infect any machine they are plugged into without the user needing to deliberately open any files on the USB. There have also been some discoveries of problems within the USB type of connection itself which could be used to put viruses into the firmware of a USB, the principles might be different to traditional autorun but the end result is similar.

Edited by rp88, 19 May 2015 - 12:09 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB
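
Added example, not part of the original thread: a triage of a drive mounted on a Linux machine that only reads files, along the lines rp88 describes above. It lists what an `autorun.inf` would launch and sets aside `.exe`/`.scr`/`.dll` files plus anything starting with the `MZ` executable magic whatever its extension; the function names and the sample volume written by `build_sample` are constructed for illustration.

```python
import os

RISKY_EXT = {".exe", ".scr", ".dll"}      # extensions the post says to leave behind
LAUNCH_KEYS = ("open", "shellexecute")    # autorun.inf keys that start a program

def autorun_commands(root):
    """Return the programs an autorun.inf at the volume root asks Windows to launch."""
    found = []
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        with open(os.path.join(root, name), encoding="latin-1") as fh:
            for line in fh:
                key, sep, value = line.partition("=")
                key = key.strip().lower()
                if sep and (key in LAUNCH_KEYS or key.endswith("\\command")):
                    found.append(value.strip())
    return found

def looks_like_pe(path):
    """True if the file starts with 'MZ', the magic of Windows executables."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return True  # unreadable: skip it rather than copy blindly

def triage(root):
    """Sort files into (copy_candidates, skipped) by reading them, never running them."""
    candidates, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            risky = (os.path.islink(path) or name.lower() == "autorun.inf"
                     or ext in RISKY_EXT or looks_like_pe(path))
            (skipped if risky else candidates).append(rel)
    return sorted(candidates), sorted(skipped)

def build_sample(root):
    """Constructed sample volume with harmless placeholder bytes (not real malware)."""
    files = {
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\nshell\\open\\command=tools\\helper.scr\r\n",
        "setup.exe": b"MZ placeholder",
        "tools/helper.scr": b"MZ placeholder",
        "docs/notes.txt": b"plain text",
        "docs/invoice.pdf": b"MZ placeholder renamed to look like a document",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
```

Files in the first list returned by `triage` are only candidates: as the post says, they still need scanning before being opened on a Windows system.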

#3 Sintharius

Posted 19 May 2015 - 11:52 AM

I would say that it is possible if you launch an infected file from the infected drive.

But if all you do is look at its content using the OS from another machine and then format the drive, I would think that would not cause an infection on the other machine.

(just a thought... do you know that it is possible to format drives using bootable media instead of slaving it to another machine?)

Edit: I see that rp88 brought up the possibility of infections via Autorun. However this function is disabled by default in Windows 7 and later - a good move by Microsoft.

Edited by Alexstrasza, 19 May 2015 - 11:53 AM.


#4 Foldingchair

Posted 19 May 2015 - 12:17 PM


I'm aware of being able to use bootable media. But the thing is, I'm scouring through a bunch of hard drives I have. One of them contains an image of my laptop that I'd like to mark so as to avoid having to look for the drive again, so I have to put them into my USB hard drive bay on the desk to see what's on it. I'm not copying any files off it, running anything from it, or anything like that. As for Autorun, I have that disabled manually through gpedit.msc to avoid it at all cost.

 

 


I assume I don't really have to be afraid of the autorun thing if I have it disabled entirely? (as mentioned above, via gpedit.msc).




#5 rp88

Posted 20 May 2015 - 10:06 AM

Disabling autorun won't necessarily protect you from infections in the firmware of an external device, this type is rare but does exist. It can certainly happen to USB memory sticks, but it might not be able to happen with hard-drives connected to a computer through a USB adapter.

#6 Sintharius

Posted 20 May 2015 - 10:09 AM

Just FYI... firmware malware do exist, but they are not prevalent "in the wild". So the chance of you getting infected by a firmware malware is minuscule.

#7 Aura

Posted 20 May 2015 - 04:28 PM

To be precise, they exist mostly as "PoC", proofs of concept, since they were "created" and tested in a controlled environment by researchers, analysts or during IT security conferences. You won't see this in the streets (expression).

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#8 quietman7

Posted 20 May 2015 - 04:34 PM

BIOS (firmware) viruses exist but are very rare. Researchers have demonstrated in a test environment proof-of-concept viruses that could modify the flash BIOS or install a rootkit on the BIOS of some systems so that it could survive a reformat and reinfect a clean disk. This type of malware exists primarily in-the-wild and is not generic...meaning it's vendor specific and cannot modify all types of BIOS. Although in February 2015, Kaspersky Labs reported "persistent, invisible espionage malware inside the firmware of hard drives compatible with nearly all major hard drive brands: Seagate, Western Digital, Samsung". This particular threat targeted government and military institutions, telecom and energy companies, nuclear research facilities, oil companies, encryption software developers, and media outlets.

This is a quote from my Security Colleague, Elise, who works with the Emsisoft Anti-Malware Research Team.

Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) necessary for the device to function correctly. This code is highly device-dependent, different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible as you'd have to write a lot of different versions for different hardware models.


These articles explain the complexity of the UEFI (Unified Extensible Firmware Interface), secure boot protocol and exploitation. Fortunately, it's highly unlikely you will encounter a BIOS-level scenario as it is not practical for attackers to use such an exploit on a grand scale. Malware writers would much rather target a large audience through social engineering where they can use sophisticated but less technical means than a BIOS virus.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#9 Foldingchair

Posted 20 May 2015 - 06:07 PM

Very interesting quietman7. I was aware of these things, but those articles are a nice piece of information. Last time I checked I'm not part of a military or banking organization, so at least that doesn't worry me.

 

Seriously though, I'm against spying on people, if the NSA is SO curious about what kind of porn I would possibly have stored on my hard drive, or what websites I visit, they could just ask. :thumbdown:

 

But all that aside, thanks for the articles. It's an interesting read.




#10 quietman7

Posted 20 May 2015 - 06:40 PM

You're welcome.

#11 mremski

Posted 21 May 2015 - 06:27 AM

If you have any experience with Linux, boot up a machine with a LiveCD then connect up the external disks.  Chances are good that you will be able to at least look at the contents to figure out if it's the one you want to mark.  This also gives some level of protection against infections on the drive, especially if they came from Windows machines.

 

Of course, in the future as soon as you pull a drive out of a machine you're going to write on it with black sharpie, aren't you?  :)

I typically do this when I put a drive in or make any changes to a machine.  The inside of a desktop case is great for writing things like "21 May 2015 replaced power supply".  It gives you a history as soon as you open the case, even if hardware has failed.

 

Just my opinions, feel free to disagree or ignore.


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer


#12 Foldingchair

Posted 21 May 2015 - 07:45 AM


 

I usually use small stickers that I put on the connector side of the hard drives. The Linux machine idea is pretty neat, but I don't want to take any chances, like ever. If something's infected, it has to go.




#13 quietman7

Posted 21 May 2015 - 04:29 PM

I use epoxy-putty myself. :wink:

#14 Crazy Cat

Posted 21 May 2015 - 08:24 PM


The National Security Agency (NSA), https://en.wikipedia.org/wiki/National_Security_Agency should be renamed the National Spy Agency.

NSA Planned to Hijack Google App Store to Hack Smartphones. https://firstlook.org/theintercept/2015/05/21/nsa-five-eyes-google-samsung-app-stores-spyware/
 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 



#15 Foldingchair

Posted 22 May 2015 - 03:38 AM

 


 

 

They're just as bad as criminal hackers in most cases. Which is a shame, because their power could be used in a good, and fair way. You shouldn't need to want to control everything, it's impossible. :unsure:






