On Sun, Dec 20, 2020 at 01:27:59AM -0800, ME wrote: > Lets say I have a USB storage device which has a virus on it that will > infect a Linux pc when it is inserted. > > If I insert the USB storage device in my Qubes OS pc after login to Qubes > OS, is it then possible for the virus to infect my pc immediately after I > have plugged it in before or after attaching the device to a VM ? >
There are different sorts of malware. A traditional form of virus or worm can sit on the USB, but will not be activated until triggered - usually by opening the file or attempting to run the application containing the virus. The answer here, obviously, is "No." Some attacks: 1. Specific USB attacks may emulate a keyboard and issue commands - this may allow files to be exfiltrated or malware to be installed. This will affect the sys-usb device *and perhaps dom0*. If you have sys-usb automatically attach keyboard without prompt you wont notice this. 2. A bad USB may also spoof a NIC - unlikely to be relevant in Qubes unless you have combined sys-net/usb. 3. A bad USB may attack the controller, and then infect controller chips of other USB devices connected to the computer. If possible, separate controllers, and use them for specific purposes - e.g have one controller attached to an "open" sys-usb and **only** use that for untrusted devices. 4. A modified USB may detect that the computer is starting up, and boot a small virus which will infect the operating system prior to boot. Don't boot your machine with USB devices attached. 5. Other stuff. So the broad answer to your question is "Yes". Depending on the type of attack, you can mitigate risk by using disposable sys-usb qubes, limiting USB device types within sys-usb using udev rules, separating controllers and so on. If you think you are a real target, don't use USB - it takes seconds to physically disable USB ports. Port lockers are also available, if you *must* have a USB port. unman -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20201220131715.GC28281%40thirdeyesecurity.org.
