12

Let's say I have a computer. It's a personal computer - the one you'd typically find in homes. In this scenario, it's running Windows XP SP3, although it could run 7, Vista, etc.

I have a USB drive which runs as a Linux Boot Disc - with something like Ubuntu, Puppy Linux, DSL...

If that USB OS is loaded into the RAM at boot, without any persistence (nothing is saved after each session), how possible (if at all) is it for malware to infect the main system (the Windows XP/Vista/7 system) that the USB OS is running off of?

Also, if a foreign computer is riddled with malware, is it safe to assume that booting the system to a USB OS will keep the USB OS safe from the Windows malware on the machine?

Thanks.

1
  • How are you implementing non-persistence? Is the internal drive protected in any way? i.e. whole disk encryption.
    – this.josh
    Commented Aug 3, 2011 at 17:52

5 Answers

17

It all depends on the configuration of your OS, be it USB "stick-ed" or not.

If your live system enables you to write in one way or another to the physical disk of your home computer, then there is a non-null probability that the computer could get infected. Take for example a virus that would copy itself onto the MBR of your main disk.

Concerning infection from the main computer to the live OS, it is not impossible either. The thing is that if the malware is a resident one, loaded when you read your disk, it won't be running on your live system because the boot sequence of the infected OS won't be run. But if you have some latent viruses in your files and one of those viruses knows how to target your live OS, then opening that file with a vulnerable application (or executing it) can trigger infection of your live OS.

In conclusion, it's up to you to configure your OS to take the precautions needed for your operations. In fact, if you don't want to infect or get infected, the best thing to do is to disconnect the drives from the machine. If this is not an option, you would need to take care of the options on the live OS (read-only mode, no exec mode, no auto mounting of disks, running with the least privileges, ...).

4
  • 2
    "If your live system enable you to write in one way or an other to the physical disk of your home computer" - It is worth pointing out that this condition is likely to be true for almost any reasonable home PC install. (There are exceptions, such as where the on-disk filesystems are all entirely encrypted with full disk encryption, but they are pretty rare in home personal computers.)
    – D.W.
    Commented Aug 4, 2011 at 4:31
  • @D.W.: "...is likely...", "...pretty rare...", ...I don't see any basis for these judgements either. :) Commented Aug 4, 2011 at 13:33
  • 4
    @Tie-fighter, I thought the basis for my judgement would be more or less self-evident to anyone familiar with this field. I alluded to it: namely, at present, very few home PCs are using full-disk encryption on their entire hard drive. I don't have statistics I can cite to quantify exactly what fraction of home PCs have protected their entire hard drive with full-disk encryption, but I'd be amazed if it is over a few percent.
    – D.W.
    Commented Aug 4, 2011 at 20:44
  • One could still infect firmware on such a setup, hard drive or no. There are places where malicious code can remain resident outside of the main system storage.
    – ewanm89
    Commented May 21, 2016 at 10:50
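One way to check the mount-option precautions listed in the answer above (read-only, no exec, least privilege) on a running live system, as an added example that is not part of any answer here: a POSIX shell audit over a mount table in /proc/mounts format. The mount lines below are constructed sample data, and /dev/sdb1 as the live medium is an assumption.

```shell
#!/bin/sh
# Added example, not from the original answers. Constructed sample in
# /proc/mounts format: an internal Windows partition mounted writable,
# a hardened data partition, the (assumed) live medium, and a tmpfs.
SAMPLE_MOUNTS='/dev/sda1 /media/windows fuseblk rw,relatime,user_id=0,group_id=0,allow_other 0 0
/dev/sda2 /media/data ext4 ro,noexec,nosuid,nodev,relatime 0 0
/dev/sdb1 /cdrom vfat ro,noexec,nosuid,nodev 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# has_opt OPTS NAME: succeed if NAME appears in the comma-separated OPTS list.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_mounts LIVE_DEV: read a mount table on stdin and print one report
# (plus a remount suggestion) for every internal block device that is
# mounted without ro, noexec or nosuid. LIVE_DEV is the device the live
# OS booted from; it is skipped here because its protection (write-protect
# switch, read-only medium) is handled separately.
audit_mounts() {
    live_dev="${1:-/dev/sdb1}"
    while read -r dev mnt fstype opts _; do
        case "$dev" in
            /dev/sd*|/dev/hd*|/dev/nvme*) ;;   # candidate host disks
            *) continue ;;                      # tmpfs, proc, sysfs, ...
        esac
        [ "$dev" = "$live_dev" ] && continue
        risky=""
        has_opt "$opts" ro     || risky="$risky rw"
        has_opt "$opts" noexec || risky="$risky exec"
        has_opt "$opts" nosuid || risky="$risky suid"
        if [ -n "$risky" ]; then
            printf '%s on %s (%s): missing%s\n' "$dev" "$mnt" "$fstype" "$risky"
            printf '  fix: mount -o remount,ro,noexec,nosuid,nodev %s\n' "$mnt"
        fi
    done
}

# Run against the constructed sample; on a real live session use
#   audit_mounts /dev/sdb1 < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts /dev/sdb1
```

On the sample only /dev/sda1 is reported, since /dev/sda2 already carries ro,noexec,nosuid and the live medium is excluded.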
4

How aware is the user? It would be trivial to craft a clumsy poor bit of malware that mounted any local discs and did something; such malware would have to ask for permission, but there was a spate of malware that did pretty much that, and many users clicked Yes. Examples exist of poorly crafted malware that had to ask the user for permission before it could do damage. Very many users gave permission, not knowing what they were doing. It would be trivial to create malware like that. Worse, the attacker wouldn't need to. Malware could make use of privilege escalation or other exploits to cause damage to the local file system.

Puppy runs as root. The Puppy Linux wiki has some interesting thoughts and guidelines about security: http://puppylinux.org/wikka/security

N.B. the choice of operating system becomes irrelevant if recommended security precautions are not applied.

3
  • "such malware would have to ask for permission" - I don't think that's right. Malware can mount and tamper with the local hard disk without asking for user permission (e.g., if the attacker gains root access, or uses a privilege escalation bug).
    – D.W.
    Commented Aug 4, 2011 at 4:30
  • D.W. is correct. I worded that phrase poorly. Something like "Some malware asked permission before causing damage, and users gave it permission; but be aware that if the attacker gains root access or uses a privilege escalation attack the malware will not need to ask".
    – DanBeale
    Commented Aug 4, 2011 at 9:25
  • I've edited the answer, but still have a downvote. :-(
    – DanBeale
    Commented Aug 8, 2011 at 11:07
2

It is possible but it is quite unlikely.

However, making sure wouldn't take too much effort: you just need to boot from a read only medium.

This can be achieved by using a USB drive with a 'read only' mode. Whilst these are few and far between, similar results can be achieved by using an SD card. Most SD cards have a 'read only' mode and can be placed in a USB SD card reader. This would make it impossible for a virus to spread from the disk to your portable media.

3
  • 1
    But it still would be possible for a virus to infect the internal drive.
    – this.josh
    Commented Aug 3, 2011 at 17:50
  • I don't see why you classify it as unlikely. Booting from a read-only medium isn't enough; if you get penetrated while you're running the LiveCD, the attacker could then tamper with your hard disk (even if that's not what you booted from). Nothing stops that.
    – D.W.
    Commented Aug 4, 2011 at 4:29
  • Fair enough, I was focusing on a virus getting from the internal drive onto the boot USB, but I see now that other avenues needed to be explored.
    – Andy Smith
    Commented Aug 4, 2011 at 8:04
2

If you boot from a USB-based OS, then get infected, the virus can still mount the drives and infect them.

Likewise, a virus can infect the live distro on the USB stick by writing files to the drive, bypassing the normal mechanisms used to prevent this -- unless you have the physical write-protect switch on.

If the system is already infected, it may have a virus lodged in the BIOS (the motherboard BIOS, the video card BIOS, the network card BIOS, etc.). These things are just flash memory, and are updatable by viruses.

Unless you are the NSA, however, you don't have to worry about such things. In practice, booting a "live distro" from a USB stick is perfectly safe for almost everyone.

2

One way to consider this is to ask yourself "Do I have the ability to mount the host OS disk and modify files?" If you can do it as a user, it can be done as a script. Like others have mentioned, it's unlikely that it will happen, but it wouldn't be impossible for someone to write a script that detects what version of Linux you're using, then check for devices in /dev, then try to mount any of the hard drive devices found, then search those mount points for a "Windows" directory or any other sort of evidence that a Windows system is present. Once all this is discovered, they could then proceed to replace DLLs or delete the SAM file or do any other sort of terror to infect your machine.

3
  • Good answer, except that I don't see any solid basis for calling it "VERY unlikely".
    – D.W.
    Commented Aug 4, 2011 at 4:33
  • I agree with @D.W. - I think this would be better off with the word "VERY" removed
    – Rory Alsop
    Commented Oct 5, 2011 at 11:53
  • fixed. Removed "VERY". Never say never!
    – Safado
    Commented Oct 5, 2011 at 14:27
