Security: Connecting A Potentially Infected Hard Drive To Linux

I hear this question from time to time online, and the answer is not overly complicated, but I wanted to at least talk about it.  So you have a potentially infected drive from Windows or another system.  What happens next?  Can you hook it up and be sure all will be well?  Read on for more…

As the saying still goes, Linux has next to no malware in the wild.  That does not mean there is none: "proof of concept" viruses exist, and so does real Linux malware (most of it aimed at servers rather than desktops), but almost all of it still requires the user to pull the trigger.  At some point we have to stop blaming the system and ask why we are installing super_cool_root_kit.run from a random GitHub repo or some strange site.  While Linux is very secure, you still must be vigilant.  If you wish to be more secure than most, pick a distribution that publishes security advisories and ships fixes quickly, such as Fedora, and install software only from the official repositories.  The common pitfall on Windows is software that runs automatically on download, on media attachment, or on insertion into a media drive (autorun).  Linux does not do this, and I suspect it never will by default.

The best way to really go about this is to mount the suspect drive read-only, and with execution disabled on top of that.  How do I do that?  With one simple command in the Terminal, run as root (or with sudo):
mount -o ro,noexec,nosuid,nodev /dev/sdc1 /media/mountpoint

This mounts the filesystem on /dev/sdc1 read-only (ro), so nothing on your system can write to it, and noexec tells the kernel to refuse to run any binary or script stored on it directly.  nosuid and nodev additionally ignore any setuid bits and device nodes the drive might carry.  Two caveats are worth knowing.  First, noexec only blocks direct execution: if you hand a file from the drive to an interpreter yourself (a shell, Python, and so on), it will still run, so the protection is only as good as your own habits.  Second, a read-only mount is not the same as an untouched drive.  The filesystem driver still parses whatever is on the disk, and some filesystems (ext3 and ext4, for example) replay their journal even on a read-only mount unless you also pass the noload option.  If the disk needs to be preserved as evidence, use a hardware write blocker, or at least mark the whole device read-only at the block layer before you mount it.

The safest approach I use is a Live CD of your favorite distribution.  The Live CD runs its own "instance" of the distribution from the disc in your media drive, not your installed system, so your installed system's disks are not touched unless you mount them yourself, and once you reboot, the live environment is wiped clean, unless you set up persistent storage on a flash drive.  Keep in mind that many live images give the default user passwordless sudo, so the benefit is that nothing persists and your real system is out of reach, not that malware has no way to gain root.  Be careful about mounting any system-centric drives with rw access in this situation.
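Here is the whole procedure wrapped in a small shell script, added here as an example and not taken from the original post.  It assumes /dev/sdc1 and /mnt/suspect as placeholder names, that blkid, blockdev and findmnt from util-linux are available, and that it is run as root.  Beyond the single mount command above, it marks the partition read-only at the block layer first, adds noload for ext3/ext4 so the journal is never replayed, refuses to touch a device the running system already has mounted, and re-reads the live mount table afterwards to confirm the kernel actually honoured every option:

```sh
#!/bin/sh
# Added example, not from the original post: mount a suspect partition with a
# hardened option set and confirm the options actually took effect before
# touching any data. Assumptions: /dev/sdc1 and /mnt/suspect are placeholders;
# blkid, blockdev and findmnt come from util-linux; this needs root.

BASE_OPTS="ro,noexec,nosuid,nodev"

# Build the option string for a given filesystem type. ext3/ext4 replay their
# journal even on a read-only mount unless noload is given, so add it there.
mount_opts_for() {
    case "$1" in
        ext3|ext4) echo "$BASE_OPTS,noload" ;;
        *)         echo "$BASE_OPTS" ;;
    esac
}

# Succeed only if every option named after the first argument appears in a
# comma-separated option string (the format findmnt -o OPTIONS prints).
opts_have_all() {
    opts="$1"
    shift
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# True if the device is already mounted somewhere, e.g. in use by the live system.
device_is_busy() {
    findmnt -rn -S "$1" >/dev/null 2>&1
}

# Mount $1 at $2 read-only and non-executable, then re-read the mount table
# and back out if the kernel did not honour every requested option.
safe_mount() {
    dev="$1"
    mnt="$2"
    if device_is_busy "$dev"; then
        echo "refusing: $dev is already mounted" >&2
        return 1
    fi
    fstype=$(blkid -o value -s TYPE "$dev") || return 1
    opts=$(mount_opts_for "$fstype")
    # Mark the partition read-only at the block layer too, so nothing, not even
    # journal recovery, can write to it behind the filesystem's back.
    blockdev --setro "$dev" || return 1
    mkdir -p "$mnt"
    mount -t "$fstype" -o "$opts" "$dev" "$mnt" || return 1
    actual=$(findmnt -rn -o OPTIONS "$mnt")
    if ! opts_have_all "$actual" ro noexec nosuid nodev; then
        echo "mounted with unexpected options ($actual), unmounting" >&2
        umount "$mnt"
        return 1
    fi
    echo "$dev ($fstype) mounted at $mnt with: $actual"
}

# Example invocation (needs root and a real device):
# safe_mount /dev/sdc1 /mnt/suspect
```

Remember that noexec only refuses direct execution: running `sh /mnt/suspect/something.sh` or `python3 /mnt/suspect/something.py` still executes the file through the interpreter, so the mount options protect you from accidents, not from yourself.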

From there, you can analyze the drive with scan tools (ClamAV, for example), or copy only what you need, being suspicious of anything you do not recognize.  Be careful, despite GNU/Linux being inherently secure.  A file that does nothing on Linux may still be infected, and it can do damage again if you put it back on Windows.

Questions or comments?  Leave them below.

_professor


About professorkaos64

www.libregeek.org

Posted on 2013-07-31, in Security.
