Plugging an infected USB/HD into a Puppy

For discussions about security.
belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#1 Post by belham2 »

Hi all,

Need your expertise and opinions here. I had posted this in the DebianDog thread, then it struck me this applies to Puppies too.

Here's the question/issue:

You know for sure you've got an infected USB and/or HD.

Is it ok to boot up a Puppy, with that infected USB/HD plugged in too, and use terminal to DD-wipe it, then Gparted to format it? Or are you risking infection, in some way, leaping across to the Puppy you're in? Puppy obviously knows the infected drive is there, has in some way communicated with it, otherwise how could Puppy create a desktop icon for us to click on to "officially" mount it? So when Puppy communicates, what is exchanged? At what level? Can malware/infections jump across at this level of communication between the plugged-in-infected-drive-that-is-not-yet-mounted and the puppy OS???



I know most of us would probably use a CD burned Pup to do this, or a "pfix=ram" loaded pup, but what if you've been assuming all this time that it is ok-dokie to just plug in infected drive(s) to a Pup to wipe them? (and the pup either did its automatic save thing, or you went on to do other things and hit the save-on-exit)?

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#2 Post by musher0 »

Hi belham2.

Sincere sympathies. The best I can suggest is:

Boot your Puppy from a CD or DVD and do your cleaning, re-formatting, etc. of
your sick drive from there, live, with absolutely no pupsave or pupfolder.

For additional safety, unmount or better, unplug, any internal or external
hard drive, or USB device or stick beforehand.


If you have the time, zero the sick disk before reformatting. Fill it with zeroes with
the shred command before you reformat it. Please see reply # 158 on this page:
https://askubuntu.com/questions/17640/h ... hard-drive )

BTW, if it's a WhineDose infection, the bug could leap on your Puppy system but
could not do it harm. But it could hitch-hike later on a window-ish file and go
infect a correspondent. That is how Linux systems can be vectors for viruses even
if we cannot be harmed by them (mostly).

However with all your HD's unplugged and your Puppy running from a metal disc, no
bug can be transmitted, since it has nothing to "cling" to.

Good luck.
Last edited by musher0 on Fri 17 Nov 2017, 16:10, edited 1 time in total.

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#3 Post by belham2 »

musher0 wrote:Hi belham2.

Sincere sympathies. The best I can suggest is:

Boot your Puppy from a CD or DVD and do your cleaning, re-formatting, etc. of your sick drive from there, live, with absolutely no pupsave or pupfolder.

For additional safety, unplug any internal or external hard drive or USB stick
beforehand.


BTW, if it's a WhineDose infection, the bug could leap on your Puppy system but
could not do it harm. But it could hitch-hike later on a window-ish file and go
infect a correspondent. That is how Linux systems can be vectors for viruses even if
we cannot be harmed by them (mostly).

However with all your HD's unplugged and your Puppy running from a metal disc, no
bug can be transmitted, since it will have nothing to "cling" to.

Good luck.

Hi Musher,

It's not for me. Also, I am trying to ascertain a theoretical question about how Puppies overall deal with an infected drive that is plugged in.

Even though it is not mounted, can the Puppy be infected?

Does anyone actually know??

Because the Puppy OS must communicate with this infected-drive in some way when it is "plugged in" even though it is NOT YET MOUNTED. So what is communicated? And how? Does it provide an avenue for infection?


To everyone:
Please do not write describing how to deal with this. I already know. This is a theoretical question that applies to all pups and is NOT about how to handle it. Please read the 1st post in this thread closely, or read this one again.

Thank you.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#4 Post by musher0 »

Hi belham2.

Gee, your feathers are easily ruffled today !!! ;)

AFAIK, if the disk is unmounted, there is only some kind of ACK (acknowledgement)
signal exchanged at the hardware level. No data from the disk is actually transferred.
Maybe ask a truly technical guy for confirmation.

And as I said above, if you're running the operation from a system on an "airtight"
metal disc, you're completely safe. If you proceed as I describe above, it doesn't
even matter if the bug tries to infect at any moment, because it simply can't with
such a set-up.

It could try to hide in the RAM, but just leave the computer off for a couple of
minutes after you're done so all electrical current is purged from it. And then you
committed the perfect bug-icide. :)

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#5 Post by belham2 »

musher0 wrote:Hi belham2.

Gee, your feathers are easily ruffled today !!! ;)

AFAIK. if the disk is unmounted, there is only some kind of ACK (acknowledgement)
signal exchanged at the hardware level. No data from the disk is actually transferred.
Maybe ask a truly technical guy for confirmation.

And as I said above, if you're running the operation from a system on an "airtight"
metal disc, you're completely safe. If you proceed as I describe above, it doesn't
even matter if the bug tries to infect at any moment, because it simply can't with
such a set-up.

It could try to hide in the RAM, but just leave the computer off for a couple of
minutes after you're done so all electrical current is purged from it. And then you
committed the perfect bug-icide. :)

No feathers left on this old body to ruffle, Musher :wink: !

Am trying to help a neighbor out......and then started thinking about pups overall. Metal discs, or pfix=ram, or Vbox loading, along with DD-wiping everything, I already know about and practice whenever faced with something like this. But my neighbor? He just used a USB 'frugal' installed DDog to do it (which, for this purpose, is basically like a Pup in how it doesn't mount anything when plugged in as long as you have it set that way, which he did).

Was just wondering, at the level of when an infected USB/HD is attached to a puppy (but not mounted), can it pass the infection to the pup before it gets DD-ed and re-formatted? Because then it is entirely possible the infection lives in the Puppy for some minutes, then is planted right back on the same USB/HD you just DD-wiped & Gparted-formatted.

Hmmmmm, this seems to be a deep question with possibly no answer unless one of our builder gurus (micko, phil, barry, gyro or a few others) tells us what actually happens in that moment something is connected but not mounted.

perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#6 Post by perdido »

The BIOS will read the hard drive but not the partition table.

If you plug in a drive/media and it is available for mounting, that means the system can see the file system type. That means it read the partition table and the file system type is supported by the operating system.

Are there partition table virus thingies?
If there are, can they be transferred to memory simply by reading the partition table?


..

peterw
Posts: 430
Joined: Wed 19 Jul 2006, 12:12
Location: UK

udev detects USB

#7 Post by peterw »

I remember that udev detects the presence of the USB https://www.linux.com/news/udev-introdu ... nux-system and whatever that does in communication is most unlikely to transfer the virus.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#8 Post by musher0 »

Hi guys.

It just struck me: some anti-virus programs have Linux versions, to use in cases like this,
I guess. Here is one tally among many:
http://www.makeuseof.com/tag/free-linux ... s-programs

IHTH.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#9 Post by belham2 »

musher0 wrote:Hi guys.

It just struck me: some anti-virus programs have Linux versions, to use in cases like this,
I guess. Here is one tally among many:
http://www.makeuseof.com/tag/free-linux ... s-programs

IHTH.

Musher, you crazy Canadian!

Can you not take a direct hint when I answered you before?

For the 100th time, this thread is not about how to solve an infected drive! We all know how to do that.

This thread is about finding what info is passed to Puppy when an infected-drive is attached but not mounted. Exactly what is communicated? Is that channel of communication susceptible to bringing across a virus??

Start your own thread if you want to talk about and tout anti-virus for Linux.

Dam#, show some courtesy :evil:

p310don
Posts: 1492
Joined: Tue 19 May 2009, 23:11
Location: Brisbane, Australia

#10 Post by p310don »

There are questions.

What is the nature of the infection? If it is a windows virus (as most are), then Puppy won't do anything. It won't be able to execute its malicious code (maybe in wine).

If a drive is not mounted, it won't do anything anyway.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#11 Post by musher0 »

@belham2:

:twisted:
If an intelligent person like me can get confused about the nature of your thread, imagine :roll:
what it must be for a common mortal Puppyist with all feathers still unplucked!!! ROFL
:lol:

Just a thought. BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#12 Post by musher0 »

Now let's reason this through:

A computer virus or infection is made of code; it is a malevolent program, but a program
nonetheless. So it will behave outwardly like a coded program, it will have the trimmings
of it. For one thing, it needs to be stored somewhere, and 2) it needs to be launched.

On the other hand, a detection program such as Puppy's < probepart > only checks
for the minuscule electrical current variation in a plug, USB or otherwise, associated with
a drive being plugged or not in said plug.

It's a hardware thing, like an ACK signal; no code is fetched. That is a
difference between a 0 and a 1 in binary for the plug. If the physical parts touch, the
current passes (1), and we know the plug is occupied; if there are no physical parts
touching each other, the current does not pass (0), and we know that there is nothing
connected in that plug.

This ultra-simple on-off switch structure cannot harbor any program code to be
transmitted, benevolent or malevolent. It's just an electrical flux-- the flux passes or
it doesn't.

FWIW.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Gordie
Posts: 153
Joined: Tue 23 Aug 2016, 15:26
Location: Nolalu, Ontario, Canada

#13 Post by Gordie »

Remove hard drive.
Boot live system from CD/DVD or USB flashdrive,
Remove boot media.
Do what you need to do with supposedly infected USB flashdrive.
MOST IMPORTANT -- Put computer in driveway and drive over it. Now burn the crushed computer. Bury the ashes.

Flashdrives are sooooo cheap

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#14 Post by belham2 »

Gordie wrote:Remove hard drive.
Boot live system from CD/DVD or USB flashdrive,
Remove boot media.
Do what you need to do with supposedly infected USB flashdrive.
MOST IMPORTANT -- Put computer in driveway and drive over it. Now burn the crushed computer. Bury the ashes.

Flashdrives are sooooo cheap

Gordie,

As I told Musher, who cannot seem to understand simple English despite telling him twice already and appears to want to become the "New Pelo", this thread IS NOT ABOUT what to do. That stuff is all common knowledge! Please do not post that crap here and muddy this thread up.

Damn people, take 5-10 secs and read the thread!! Stay on topic.

If you cannot add any intel and/or wisdom on what happens in the data exchange during udev (like peterw did) when a drive, infected, is plugged in to a pup, then do not post here.

Start your own thread!

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#15 Post by musher0 »

Hello, belham2.

This is your question:
belham2 wrote:(...)
Here's the question/issue:

You know for sure you've got an infected USB and/or HD.

Is it ok to boot up a Puppy, with that infected USB/HD plugged in too, and use terminal to DD-wipe it, then Gparted to format it? Or are you risking infection, in some way, leaping across to the Puppy you're in? Puppy obviously knows the infected drive is there, has in some way communicated with it, otherwise how could Puppy create a desktop icon for us to click on to "officially" mount it? So when Puppy communicates, what is exchanged? At what level? Can malware/infections jump across at this level of communication between the plugged-in-infected-drive-that-is-not-yet-mounted and the puppy OS???(...)
AFAIK, this is a valid answer to your question.
musher0 wrote:Now let's reason this through:

A computer virus or infection is made of code; it is a malevolent program, but a program
nonetheless. So it will behave outwardly like a coded program, it will have the trimmings
of it. For one thing, it needs to be stored somewhere, and 2) it needs to be launched.

On the other hand, a detection program such as Puppy's < probepart > only checks
for the minuscule electrical current variation in a plug, USB or otherwise, associated with
a drive being plugged or not in said plug.

It's a hardware thing, like an ACK signal; no code is fetched. That is a
difference between a 0 and a 1 in binary for the plug. If the physical parts touch, the
current passes (1), and we know the plug is occupied; if there are no physical parts
touching each other, the current does not pass (0), and we know that there is nothing
connected in that plug.

This ultra-simple on-off switch structure cannot harbor any program code to be
transmitted, benevolent or malevolent. It's just an electrical flux-- the flux passes or
it doesn't.

FWIW.

We now need a hardware nerd -- someone who understands hard drive schematics
AND code -- to confirm that reasoning or not.

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#16 Post by amigo »

Nothing is getting across by itself. Mounting the drive also does nothing except make it available. mount succeeds because the drive is there. It knows it is there because udev has gotten a message from the kernel which has recognized a 'connect' event. udev will normally create the device file and can do other things. You can create custom udev rules to control what happens when something gets plugged in or unplugged.

These infected devices are mainly aimed at windows OS -which nicely has a system which can automatically do arbitrary stuff -it's called the autorun.inf. These are found on lots of CDs, so that when you stick the CD in the MS machine, the OS runs whatever commands are found in the autorun.inf file -lovely little feature there!
I think the autorun.inf files also work on other removable media like USB, etc. But only under windows AFAIK.

I used to use the 'supermount' kernel patch, which would automount CDs on insertion, and it included some support for autorun -I think. But that was long ago and far away...

Otherwise, that beasty can't hurt you and your machine/OS -unless it can entice you to click on anything or execute anything there. It could even have you open a pdf on the drive which exploits a bug in a reader to do evil. But, blasting it with dd and repartitioning it poses no risk.
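As an added example (not code from this thread, from Puppy or from DebianDog), here is what a defender can do with the udev 'add' event amigo describes. The first part is a rule that logs every USB block device the kernel announces and asks udisks2-style automounters to leave it alone; the second parses a constructed capture in the shape of `udevadm monitor --udev --property` output and lists what udev already learned about each USB block device (device node, filesystem type, label) before anything was mounted. The UDISKS_IGNORE property, the `/usr/bin/logger` path and the sample log are assumptions about the host; as far as I know Puppy's drive icons are driven by its own scripts rather than udisks, so the ignore flag would not change Puppy's desktop behaviour.

```shell
#!/bin/sh
# Added example, not Puppy's or amigo's code. Part 1: a udev rule that logs
# USB block-device 'add' events and flags the device for automounters to skip.
# Part 2: a parser over a captured `udevadm monitor --udev --property` log.

# Rule text; install as e.g. /etc/udev/rules.d/90-usb-block-log.rules (assumed
# path). ID_BUS, ID_FS_TYPE and ID_FS_LABEL are properties udev itself fills in
# from the device and its filesystem signature; the rule only reads them back.
# ENV{UDISKS_IGNORE}="1" is honoured by udisks2-based mounters (assumption that
# the host uses one).
render_udev_rule() {
    cat <<'EOF'
SUBSYSTEM=="block", ACTION=="add", ENV{ID_BUS}=="usb", ENV{UDISKS_IGNORE}="1", RUN+="/usr/bin/logger -t usb-block-add $env{DEVNAME} type=$env{ID_FS_TYPE} label=$env{ID_FS_LABEL}"
EOF
}

# Constructed sample log: a USB stick (whole disk sdb, partition sdb1 holding a
# vfat volume labelled SFR) followed by an internal SATA partition.
SAMPLE_LOG='UDEV  [1000.10] add /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb (block)
ACTION=add
DEVNAME=/dev/sdb
DEVTYPE=disk
ID_BUS=usb
SUBSYSTEM=block

UDEV  [1000.12] add /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/host6/target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
ACTION=add
DEVNAME=/dev/sdb1
DEVTYPE=partition
ID_BUS=usb
ID_FS_TYPE=vfat
ID_FS_LABEL=SFR
SUBSYSTEM=block

UDEV  [1000.50] add /devices/pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0/block/sda/sda1 (block)
ACTION=add
DEVNAME=/dev/sda1
DEVTYPE=partition
ID_BUS=ata
ID_FS_TYPE=ext4
SUBSYSTEM=block'

# One record per blank-line-separated event; KEY=VALUE fields land in kv[].
# Reads the log on stdin. $1 selects the output: "count" or "summary".
usb_block_events() {
    awk -v mode="$1" 'BEGIN { RS = ""; n = 0 }
    {
        split("", kv)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 0) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        # Only USB block devices being added interest us here.
        if (kv["SUBSYSTEM"] != "block" || kv["ACTION"] != "add" || kv["ID_BUS"] != "usb") next
        n++
        if (mode == "summary" && kv["ID_FS_TYPE"] != "")
            print kv["DEVNAME"], kv["ID_FS_TYPE"], kv["ID_FS_LABEL"]
    }
    END { if (mode == "count") print n }'
}

count_usb_block_adds() { usb_block_events count; }
usb_fs_summary()       { usb_block_events summary; }

render_udev_rule
printf '%s\n' "$SAMPLE_LOG" | count_usb_block_adds
printf '%s\n' "$SAMPLE_LOG" | usb_fs_summary
```

Run on the constructed log, the counter reports two USB block 'add' events (the disk and its partition) and the summary shows `/dev/sdb1 vfat SFR`: the filesystem type and label were already read from the stick's superblock by udev's probing, which is the information behind the desktop icon, and none of it required a mount.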

SFR
Posts: 1800
Joined: Wed 26 Oct 2011, 21:52

#17 Post by SFR »

amigo wrote:the autorun.inf

Back then when I was on Windows, I used to use my custom autorun.inf with the following content:

    [AutoRun]
    label=SFR
    icon=.\SFR.ico

to display my own label and icon in File Explorer.

Sadly, inserting a USB stick with it into virus-infested PCs resulted in overwriting it with the virus' own autorun.inf, so I set hidden, read-only and system attributes on that file and soon enough it turned out that this actually prevents most of them (viruses) from overwriting it and therefore spreading via my USB sticks.
IIRC there was only one case when a virus was smart enough to overwrite it anyway.

Ironically, antivirus programs were reporting that custom autorun.inf (most likely the mere existence of it) as a potential threat...

Greetings!
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#18 Post by musher0 »

Thanks, guys.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

jamesbond
Posts: 3433
Joined: Mon 26 Feb 2007, 05:02
Location: The Blue Marble

#19 Post by jamesbond »

Excellent answers from amigo and SFR.

I will just add a little.

belham2 wrote:Is it ok to boot up a Puppy, with that infected USB/HD plugged in too
Not OK.

DO THIS: (when computer is off) Boot Puppy, **then** insert the drive.
DON'T DO THIS: (when computer is off) plug the USB, and boot Puppy.

Order makes a GREAT difference.

belham2 wrote:and use terminal to DD-wipe it, then Gparted to format it?
That would work.

belham2 wrote:Or are you risking infection, in some way, leaping across to the Puppy you're in?
If you want to speak theoretically, the answer is yes, it can. If you want to speak realistically / practically, the answer is no, it is NOT possible (if you do it the safe way above).

belham2 wrote:Puppy obviously knows the infected drive is there, has in some way communicated with it, otherwise how could Puppy create a desktop icon for us to click on to "officially" mount it?
The communication is on a side-channel. It does not bring any "infected" information to the system.

belham2 wrote:So when Puppy communicates, what is exchanged?
Do you really want to know? :) At "Puppy" level, it's the information you see - the "port" it's connected to (sda, sdb, sdc), the volume type, the volume name, size of the disk, etc.

belham2 wrote:At what level?
You really want to know?

belham2 wrote:Can malware/infections jump across at this level of communication between the plugged-in-infected-drive-that-is-not-yet-mounted and the puppy OS???
As above. Theoretically, yes. Practically, no.

================

Now the paranoid bit. When does the game change? When does theoretically possible become a practical attack?

a) when somebody finds a kernel exploit by using an oddly/invalidly formatted partition table and filesystem headers.
b) When USB drive firmware can be re-programmed so it is no longer a flash drive, but acts as something else. Example: https://www.jaycar.com.au/usb-keystroke ... r/p/GE4300
Fatdog64 forum links: Latest version (http://murga-linux.com/puppy/viewtopic.php?t=117546) | Contributed packages (https://cutt.ly/ke8sn5H) | ISO builder (https://cutt.ly/se8scrb)
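Point (b) above, a drive whose firmware has been re-programmed to act as something else, has a defender-side check that is worth seeing in code. This is an added example, not code from the thread, from Fatdog64 or from Puppy. To Linux such a device appears under /sys/bus/usb/devices as a USB device exposing a HID interface (bInterfaceClass 03, the keyboard class) beside, or instead of, the mass-storage interface (class 08) you expected from a flash drive; the kernel also exposes an `authorized` attribute per device, and writing 0 to it makes the kernel stop talking to that device. The script takes the sysfs root as a parameter so a constructed stand-in tree can replace the real one when run offline; the device names 1-2, 1-3 and 1-4 in that tree are constructed.

```shell
#!/bin/sh
# Added example, not Puppy's or jamesbond's code. Reports USB devices that
# present both a mass-storage (08) and a HID (03) interface, and shows the
# kernel's own off switch for a device: its 'authorized' attribute.

# List devices under root $3 that expose an interface of class $1 and one of
# class $2. In sysfs an interface directory is named <device>:<config>.<iface>,
# e.g. 1-4:1.1 belongs to device 1-4.
find_composite_devices() {
    cls_a=$1; cls_b=$2; root=$3
    for iface in "$root"/*:*/; do
        [ -f "$iface/bInterfaceClass" ] || continue
        cls=$(cat "$iface/bInterfaceClass")
        dev=${iface#"$root"/}
        dev=${dev%%:*}
        case "$cls" in
            "$cls_a") echo "$dev a" ;;
            "$cls_b") echo "$dev b" ;;
        esac
    done | sort -u | awk '
        { seen[$1] = seen[$1] $2 }
        END { for (d in seen) if (index(seen[d], "a") && index(seen[d], "b")) print d }
    ' | sort
}

# Tell the kernel to stop using device $2 under root $1. On the real sysfs this
# needs root and takes effect at once; the device stays off until it is
# unplugged or re-enabled by writing 1.
deauthorize_device() {
    echo 0 > "$1/$2/authorized"
}

# Constructed stand-in for /sys/bus/usb/devices carrying only the attributes
# used here: an honest flash drive (1-2), a plain keyboard (1-3) and a "drive"
# that also types (1-4).
make_sample_tree() {
    tree=$(mktemp -d)
    mkdir -p "$tree/1-2" "$tree/1-2:1.0"
    echo 08 > "$tree/1-2:1.0/bInterfaceClass"
    echo 1  > "$tree/1-2/authorized"
    mkdir -p "$tree/1-3" "$tree/1-3:1.0"
    echo 03 > "$tree/1-3:1.0/bInterfaceClass"
    echo 1  > "$tree/1-3/authorized"
    mkdir -p "$tree/1-4" "$tree/1-4:1.0" "$tree/1-4:1.1"
    echo 08 > "$tree/1-4:1.0/bInterfaceClass"
    echo 03 > "$tree/1-4:1.1/bInterfaceClass"
    echo 1  > "$tree/1-4/authorized"
    echo "$tree"
}

SAMPLE=$(make_sample_tree)
for d in $(find_composite_devices 08 03 "$SAMPLE"); do
    echo "storage+HID device $d: deauthorizing"
    deauthorize_device "$SAMPLE" "$d"
done
rm -rf "$SAMPLE"
```

On the constructed tree only 1-4 is reported: a plain keyboard and a plain drive are each fine on their own, it is the combination that matches the keystroke-injector pattern. Against the real tree you would pass /sys/bus/usb/devices as the root and run as root; a udev rule reacting to the HID interface 'add' event can run the same check automatically.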

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#20 Post by belham2 »

jamesbond wrote:Excellent answers from amigo and SFR.

I will just add a little.
belham2 wrote:Is it ok to boot up a Puppy, with that infected USB/HD plugged in too
Not OK.

DO THIS: (when computer is off) Boot Puppy, **then** insert the drive.
DON'T DO THIS: (when computer is off) plug the USB, and boot Puppy.

Order makes a GREAT difference.

Thanks, Jamesbond, for replying.

Could you point me, or give me hints/tips, what I could read about to learn more about this difference in what you wrote for "DO THIS" and "DON'T DO THIS".

I honestly don't understand why if both an infected drive and a puppy OS, both connected, and the bios boots up, and you explicitly choose the "Puppy OS" to boot, why it is important to "DON'T DO THIS"?

I mean, why is that any different than booting only the Puppy OS first (with the infected drive NOT plugged in), and then the infected drive plugged in??

What is happening during the boot process that is so worrisome that both drives cannot be connected where the user is explicitly choosing (through the bios boot choices) to boot the Puppy OS only? Is it something to do with how a Puppy OS starts? Or how all Linux OSes start...are they incredibly vulnerable during the boot process or something?? Is there some exposed exchange of info during boot that is sacred yet--again---vulnerable?? That can make the Puppy OS more susceptible?? Is there hard data to back this up? Industry papers? Cited research/tests?? Links????

I am just trying to learn here....reason being is that across the web, even across home users and across many business users, drives and servers that have been known (or thought) to be infected are never disconnected. They are isolated, yes, from the network. But infected drives are 99.999% times rarely ever turned off. All technicians I know in the industry cannot afford to power them completely off, as things go (and have gone) terribly wrong when they do. It is a $$$$ thing. Thus, these possibly infected drives/servers/etc are cleaned and reset, while they are plugged in and using another OS that is booted up along with them on the same controlling bios board. Heck, many of the servers you cannot even physically reach location-wise, so fixing them has to be done the way I am describing for cost purposes alone as mentioned above.

So I am trying to understand what is so worrisome here about the booting process and/or such. Is it something you are intimate with knowledge-wise, or is this something that is an opinion and is thought to be just "good-practice"?


Thanks very much for any insight!
