
How to check if a USB drive has malware?


8 replies to this topic

#1 BlueGalaxy


Posted 07 May 2017 - 02:09 PM

Hello, I have some USB drives memory sticks and I want to make sure that they have no malware on them. I think that sometimes malicious software might not show up on security scans or be embedded into the device, not showing up in the files view. How can I make sure that the USB drives are clean? Is formatting the memory drive enough? I have the impression that formatting totally overwrites all the contents of a data storage device such as a USB drive. Is the Windows right-click formatting option enough to do this, or is a more sophisticated tool needed?





#2 zainmax


Posted 07 May 2017 - 02:22 PM

...

> Is formatting the memory drive enough? I have the impression that formatting totally overwrites all the contents of a data storage device such as a USB drive. Is the Windows right-click formatting option enough to do this, or is a more sophisticated tool needed?

If this were the case, how do you imagine the restoration of files after formatting?

For example - 

Recover Formatted Files from USB Flash Drive/Pen Drive

http://www.easeus.com/resource/USB-drive-format-recovery.htm

 

When you format a drive (especially if you use the Quick Format option), Windows erases the hidden index but does not overwrite the existing files until you start saving new data to it.
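
An added illustration, not part of any post in this thread: the Python sketch below models the difference described above between resetting only the index (quick format) and overwriting every sector, then scans the raw image for leftover file signatures. The image layout, the `INDEX:` marker and all function names are constructed for the example; a real quick format writes fresh filesystem structures rather than zeros.

```python
import io

SECTOR = 512
# Well-known file signatures ("magic bytes") found at the start of a file.
MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "ZIP/Office document",
         b"%PDF": "PDF", b"\x7fELF": "ELF executable"}

def scan_residue(dev, sector=SECTOR):
    """Read a raw device or image sector by sector.

    Returns (nonzero_sectors, hits); hits lists (byte_offset, description)
    for every sector that begins with a known file signature.
    """
    nonzero, hits, offset = 0, [], 0
    while True:
        block = dev.read(sector)
        if not block:
            break
        if block.strip(b"\x00"):          # anything other than zero bytes?
            nonzero += 1
            for magic, name in MAGIC.items():
                if block.startswith(magic):
                    hits.append((offset, name))
        offset += len(block)
    return nonzero, hits

def constructed_image():
    """Constructed sample: sector 0 is the 'index', sector 8 holds a file."""
    img = bytearray(SECTOR * 16)
    img[0:11] = b"INDEX:a.exe"
    img[8 * SECTOR:8 * SECTOR + 2] = b"MZ"
    return img

def quick_format(img):
    """Model of a quick format: only the index area is reset."""
    img[0:SECTOR] = bytes(SECTOR)

def full_overwrite(img):
    """Model of a full overwrite: every sector is rewritten with zeros."""
    img[:] = bytes(len(img))

if __name__ == "__main__":
    img = constructed_image()
    quick_format(img)
    print("after quick format:", scan_residue(io.BytesIO(img)))
    full_overwrite(img)
    print("after full overwrite:", scan_residue(io.BytesIO(img)))
```
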



#3 Didier Stevens


Posted 08 May 2017 - 03:17 AM

To disable potential malware in files on a USB stick, a quick format is enough.

 

Files can be recovered from a quick formatted USB stick, but that requires specialized tools. The Windows OS has no features to do this.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 dantose


Posted 10 May 2017 - 09:20 PM

> To disable potential malware in files on a USB stick, a quick format is enough.
>
> Files can be recovered from a quick formatted USB stick, but that requires specialized tools. The Windows OS has no features to do this.

Not necessarily. BadUSB

Basically, USB devices like thumb drives can have their very firmware infected, causing them to act as other devices. That means the USB drive may be changed to identify itself as a keyboard, then repeatedly type "Angry Donkey Porn" into your search bar. 

 

In short, don't ever plug a strange USB device into your computer. Ever. 



#5 Didier Stevens


Posted 11 May 2017 - 02:36 AM

 

>> To disable potential malware in files on a USB stick, a quick format is enough.
>>
>> Files can be recovered from a quick formatted USB stick, but that requires specialized tools. The Windows OS has no features to do this.
>
> Not necessarily. BadUSB
>
> Basically, USB devices like thumb drives can have their very firmware infected, causing them to act as other devices. That means the USB drive may be changed to identify itself as a keyboard, then repeatedly type "Angry Donkey Porn" into your search bar.
>
> In short, don't ever plug a strange USB device into your computer. Ever.

Please re-read carefully what I wrote:

> To disable potential malware in files on a USB stick, a quick format is enough.

... malware in files on a USB stick ...

This excludes BadUSB. BadUSB infects firmware, not files.




#6 dantose


Posted 14 May 2017 - 07:51 AM

 

 

>>> To disable potential malware in files on a USB stick, a quick format is enough.
>>>
>>> Files can be recovered from a quick formatted USB stick, but that requires specialized tools. The Windows OS has no features to do this.
>>
>> Not necessarily. BadUSB
>>
>> Basically, USB devices like thumb drives can have their very firmware infected, causing them to act as other devices. That means the USB drive may be changed to identify itself as a keyboard, then repeatedly type "Angry Donkey Porn" into your search bar.
>>
>> In short, don't ever plug a strange USB device into your computer. Ever.
>
> Please re-read carefully what I wrote:
>
>> To disable potential malware in files on a USB stick, a quick format is enough.
>
> ... malware in files on a USB stick ...
>
> This excludes BadUSB. BadUSB infects firmware, not files.

Since formatting relies on the firmware doing what you tell it, the same would apply.

Also, looking back at the OP, please note the following:

> Hello, I have some USB drives memory sticks and I want to make sure that they have no malware on them. I think that sometimes malicious software might not show up on security scans or be embedded into the device, not showing up in the files view. How can I make sure that the USB drives are clean? Is formatting the memory drive enough? I have the impression that formatting totally overwrites all the contents of a data storage device such as a USB drive. Is the Windows right-click formatting option enough to do this, or is a more sophisticated tool needed?

The user is somewhat aware that there are threats outside the realm of what shows up as files. One of these threats is infecting the firmware, basically "embedding the virus in the device" in the user's parlance. A format would not be enough in that case. 

 

So while you're not wrong really, ignoring categories of threats relevant to the OP isn't terribly helpful. 



#7 Didier Stevens


Posted 14 May 2017 - 04:53 PM

Threats relevant to the OP? Then point us to malware in-the-wild that uses BadUSB. PoC is not relevant to the OP.




#8 dantose


Posted 14 May 2017 - 09:21 PM

> Threats relevant to the OP? Then point us to malware in-the-wild that uses BadUSB. PoC is not relevant to the OP.

A few years back I recall a story about fraudulent external drives that would report as large capacity, but only had a small capacity flash drive in it with the controller set to falsify the size and loop back when copying larger files. Not really a virus, but certainly shows exploitation of firmware alteration. Stuxnet used a .lnk zero day to execute code as soon as the device connected, which would thus infect the system before any formatting could be done. I seem to recall some stuff about hiding malware in blocks marked as bad which would get skipped with a quick format as well.

 

 

More broadly though, I'd say that waiting until you become aware of active exploitation to address a vulnerability would be bad policy. Using USB drives of unknown provenance is a security risk. That risk can be mitigated by formatting, but not eliminated. 
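
An added example, not part of any post in this thread: a write-and-read-back capacity check of the kind that exposes the loop-back drives described above. `LoopingDrive` is a constructed stand-in for such a drive and all names are assumptions of the example; running `verify_capacity` against a real device erases it.

```python
import hashlib
import io

BLOCK = 4096

def pattern(index, size=BLOCK):
    """Block content derived from the block index, so no two blocks match."""
    seed = hashlib.sha256(index.to_bytes(8, "big")).digest()
    return (seed * (size // len(seed) + 1))[:size]

def verify_capacity(dev, claimed_bytes, block=BLOCK):
    """Write a unique pattern to every claimed block, then read all back.

    Returns (good_blocks, total_blocks). DESTROYS all data on dev.
    """
    total = claimed_bytes // block
    dev.seek(0)
    for i in range(total):
        dev.write(pattern(i, block))
    dev.flush()
    dev.seek(0)
    good = sum(dev.read(block) == pattern(i, block) for i in range(total))
    return good, total

class LoopingDrive:
    """Constructed stand-in for a fake drive: addresses past the real size
    wrap to the start, so later writes silently replace earlier ones."""
    def __init__(self, real_bytes):
        self.store, self.pos = bytearray(real_bytes), 0
    def seek(self, pos):
        self.pos = pos
    def flush(self):
        pass
    def write(self, data):
        start = self.pos % len(self.store)
        self.store[start:start + len(data)] = data
        self.pos += len(data)
    def read(self, n):
        start = self.pos % len(self.store)
        self.pos += n
        return bytes(self.store[start:start + n])

if __name__ == "__main__":
    print(verify_capacity(io.BytesIO(), 16 * BLOCK))             # honest device
    print(verify_capacity(LoopingDrive(4 * BLOCK), 16 * BLOCK))  # fake device
```

Only the blocks written last survive on the looping drive, so the count of good blocks approximates its real capacity. Against real hardware, the operating system's cache can satisfy the read-back pass, so the result is only meaningful when the reads actually reach the device.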



#9 Crazy Cat


Posted 14 May 2017 - 09:30 PM

> A few years back I recall a story about fraudulent external drives that would report as large capacity, but only had a small capacity flash drive in it with the controller set to falsify the size and loop back when copying larger files. Not really a virus, but certainly shows exploitation of firmware alteration.

See this site. http://www.myblog.bloggybloggy.com/usb-key-fix-mptools-11-05-2008/

ChipGenius is a tool to identify the Controller chip.

http://www.rmprepusb.com/tutorials/repair-your-usb-flash-drive
https://usb-fix.blogspot.com.au/
https://cran.r-project.org/web/packages/mptools/index.html

See flashboot.ru, a Russian website that has downloads of manufacturers' official tools used to program USB sticks. http://flashboot.ru/files/

Edited by Crazy Cat, 14 May 2017 - 09:30 PM.

 

Two things are infinite: the universe and human stupidity; and I'm not sure about the universe. ― Albert Einstein ― Insanity is doing the same thing, over and over again, but expecting different results.

 
