Can a virus be transferred from a USB storage device before or after attaching it to an App VM?


ME

Dec 20, 2020, 4:27:59 AM
to qubes-users
Let's say I have a USB storage device which has a virus on it that will infect a Linux PC when it is inserted.

If I insert the USB storage device in my Qubes OS PC after logging in to Qubes OS, is it then possible for the virus to infect my PC immediately after I have plugged it in, before or after attaching the device to a VM?

unman

Dec 20, 2020, 8:17:24 AM
to ME, qubes-users
There are different sorts of malware.
A traditional form of virus or worm can sit on the USB, but will not be
activated until triggered - usually by opening the file or attempting to
run the application containing the virus. The answer here, obviously, is
"No."

Some attacks:
1. Specific USB attacks may emulate a keyboard and issue commands - this
may allow files to be exfiltrated or malware to be installed. This will
affect the sys-usb device *and perhaps dom0*. If you have sys-usb
automatically attach keyboard without prompt you won't notice this.
2. A bad USB may also spoof a NIC - unlikely to be relevant in Qubes unless
you have combined sys-net/usb.
3. A bad USB may attack the controller, and then infect controller chips
of other USB devices connected to the computer. If possible, separate
controllers, and use them for specific purposes - e.g. have one
controller attached to an "open" sys-usb and **only** use that for
untrusted devices.
4. A modified USB may detect that the computer is starting up, and boot a
small virus which will infect the operating system prior to boot. Don't
boot your machine with USB devices attached.
5. Other stuff.

So the broad answer to your question is "Yes".
Depending on the type of attack, you can mitigate risk by using
disposable sys-usb qubes, limiting USB device types within sys-usb
using udev rules, separating controllers and so on.
If you think you are a real target, don't use USB - it takes seconds to
physically disable USB ports. Port lockers are also available, if you
*must* have a USB port.

unman
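
An added example, not part of unman's reply or of Qubes itself: a small audit, meant to be run inside sys-usb, that reads each USB interface's class from sysfs and reports anything outside a storage-only policy, such as a "flash drive" that also presents a keyboard or a NIC (attacks 1 and 2 above). The policy set, the function names and the sample data are assumptions made for illustration.

```python
"""Audit USB interface classes against a storage-only policy (added example)."""
from pathlib import Path

# USB-IF base class codes, as sysfs prints bInterfaceClass (two hex digits).
CLASS_NAMES = {
    "02": "CDC communications (NIC/modem)",
    "03": "HID (keyboard/mouse)",
    "08": "mass storage",
    "09": "hub",
    "0a": "CDC data",
    "e0": "wireless controller",
}
# Assumed policy: this sys-usb handles storage only; hubs are allowed because
# the controller's root hub always shows up as a class 09 interface.
ALLOWED = {"08", "09"}


def read_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Map device name -> list of interface class codes found under sysfs."""
    devices = {}
    for attr in Path(sysfs_root).glob("*:*/bInterfaceClass"):
        dev = attr.parent.name.split(":")[0]  # "1-2:1.0" -> "1-2"
        devices.setdefault(dev, []).append(attr.read_text().strip().lower())
    return devices


def audit(devices, allowed=ALLOWED):
    """Return {device: [interfaces outside the policy, with a readable name]}."""
    findings = {}
    for dev, classes in devices.items():
        bad = [f"{c} {CLASS_NAMES.get(c, 'unknown class')}"
               for c in classes if c not in allowed]
        if bad:
            findings[dev] = bad
    return findings


# Constructed sample: a plain flash drive, a "flash drive" that also exposes
# a keyboard interface, and a device that presents itself as a network adapter.
SAMPLE = {"1-1": ["08"], "1-2": ["08", "03"], "1-3": ["02", "0a"]}

if __name__ == "__main__":
    live = read_interfaces()
    for dev, bad in audit(live or SAMPLE).items():
        print(f"{dev}: outside storage-only policy: {', '.join(bad)}")
```

This only reports what a device declares after enumeration; it does not block anything and does not cover the controller-level or boot-time attacks in items 3 and 4.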

Ulrich Windl

Dec 20, 2020, 7:05:02 PM
to qubes...@googlegroups.com
I think it depends on how the virus works. For example if it could cause
code execution by overflowing the SCSI vendor/model buffer (I'm not
saying that this is possible, BTW), it could cause execution even before
anything is mounted...


ME

Dec 22, 2020, 5:32:06 AM
to qubes-users
When I inserted my USB storage device in my Qubes OS PC after logging in to Qubes OS, there appeared a small transparent window (before I mounted the USB device to a VM) where I could only see its frame.

I then wondered if it could be caused by a virus that was planted on the USB storage device that I have only used to transfer files between two Qubes OS PCs.

And if so, how can I get rid of the virus or rootkit on the Qubes OS PC?

awokd

Dec 22, 2020, 6:02:55 PM
to qubes...@googlegroups.com
ME:
> When I inserted my USB storage device in my Qubes OS PC after logging in to
> Qubes OS, there appeared a small transparent window (before I mounted the
> USB device to a VM) where I could only see its frame.
>
> I then wondered if it could be caused by a virus that was planted on the
> USB storage device that I have only used to transfer files between two
> Qubes OS PCs.
>
> And if so, how can I get rid of the virus or rootkit on the Qubes OS PC?

If it was in the top right corner, it was a message from Qubes telling
you a device was connected. Sometimes the text doesn't always show up.

--
Mailing list etiquette:
- don't top post
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots

ME

Dec 23, 2020, 3:51:58 AM
to qubes-users
The window appeared about a little bit lower than the middle of the screen.