I found a worm on my USB
I found a worm on my USB
This is probably not the right community but I haven't found a better one.
So I watched a video from Seytonic where he mentiond that some malware creates a windows link with the name of the usb on a usb. So I checked my usb because I remembered that I had to click 2 times on my usb to opened it. I found a link that contained cmd.exe and a name of a file next to it. Upload to the virustotal showed Raspberry Roblin worm.
I use Linux but my familly uses windows so I will have to go through all familly computers and remove the worm. Where can I find info how to remove this specific worm - Raspberry Roblin? On google I found a description about how the worm works but not specific files it creates and how to remove it.
The first page that shows up is microsoft.com and it says that windows defender detects the worm, but clearly it doesnt.
Edit: The worm was on one computer and it did not have windows defender installed. Seems like malware removed it and also disabled automatic updates. I installed MalwareBytes and sucessfully removed the worm :)
Here’s probably all the info you could ever need:
https://redcanary.com/blog/threat-intelligence/raspberry-robin/
Next, you need to get your systems scanned and cleaned. Malware bytes is likely enough, but I always recommend BitDefender. Their efficacy rates are always fantastic, and they have been leading the industry for several years now. Download the AV on a clean system, put on clean flash drive, and install that way.
Last, you’re gonna need to reset your passwords. Yes, I know that’s toxic af. But this is the reality and why we always need to be veeeery careful with what we do. This worm communicates with a c2 server which means it can update itself which makes detection hard, and it also means that, at one point it may have been spying on your activity (and it likely was if not continues to)
This stuff happens, don’t beat yourself up too much. Live and learn
Thank you for the link, it will help for sure!
I (not me but my family) always used just default Windows Defender but I heard good things about Malware bytes and BitDefender, I'll checked them out.
I'd start with a offline scan.
If possible wipe the drive from Linux and reinstall Windows. Be mindful of any files as documents and other files can sometimes hide things. Make sure you reset all passwords as well. Start with email passwords and then go up from there.
Try to clean your USB stick. Remove the worm and maybe use a cloth to remove the dirt.
In other words, wipe the USB stick.
nowadays there is also malware that actually infect the firmware. Meaning just wiping the content isn't good enough anymore. Same is true for BIOS worms/infections.
Same thing happened to RFK Jr
This was funny, but ugh - I hate when U.S. politics creeps into my tech discussions.
Would you love your USB if it was a worm?
What if it didn't exist? Would you still love your USB then?
Yes.
we've found the early bird.
Lisan al ghaieb!!!
Have you run a full scan using Windows Defender?
Can you confirm that the worm is actually running?
AV software may remove the installed worm from the system, but not from the drive.
Probably a good idea to reformat the USB drive
PS. if all else fails, nuke and pave (reinstall the computers in your household, including your linux machine)
You should do this offline, as in, quarantine the situation.
Windows defender also has an offline scan mode which may be of use here - hard to say, dunno if they ever dropped a rootkit or any other av-dodging/persistence mechanisms
Time to switch to Linux (joking)
That would be a valid option, but only if there are no windows dependencies and the primary user agrees to the change.
With all the Win11 spam in Win10, my grandmother decided to try Linux. She is now a 90-year-old Linux user. Her use case is YouTube and email, and I have to support the system (I had to do that for the win10 system as well).
I'll also toss this hat into the ring - sysmon this is essentially a logging tool thats a bit better/nicer than the windows default, and categorizes all logs into very neat buckets that will make watching out for strange shit much much easier.
Sysmon is part of the sysinternals suite (vetted by the community + microsoft, which is sayin somethin lol) and you can make use this as the config file to use (Uses industry-standard MITRE Att&ck framework) which you can then use to correlate to more threats/malware authors/malware artifacts if you really wanna get your hands dirty/have some fun
To level set, Microsoft owns SysInternals, and has since 2006. None of it is “community vetted”, to me that implies FOSS or something.
Doesn’t virus total display a list of the AV software it triggered?
I generally use Malware Bytes on windows but I don’t know if it’s effective against that particular virus.
Yes it does but I haven't checked whichones do end whichones don't. But half of them do, thats important.
Yeah, use one of those to clean it up. At least that’s where I’d start.
The malware probably turned of defender. Try an offline scan
Actualy the malware somehow deleted windows defender and disabled automatic updates. I install MalwareBytes and run full scan and removed it.
And here I was under the impression that using USB storage for anything else than installing operating systems was a thing of the past.
Out of curiosity, what do you use to transfer files between computers?
Personally, most stuff is in cloud storage. For local stuff I use syncthing.
But for the average person, I'd expect using iCloud, Google Drive, Onedrive, or Dropbox and then creating a shareable link for the other person.
I also can't remember the last time I used a USB drive for anything other than installing an OS.
SMB (NAS), Syncthing, FileBrowser, snapdrop.net, email and sometimes public cloud services...
Syncthing is used if it is not a one time transfer. LocalSend is mainly for one time transfer. LocalSend needs things to be in the same network. The same WiFi router is enough. Syncthing can send files over the internet also.
There are browser based alternatives like ShareDrop . These tools are not as reliable as Syncthing and LocalSend, especially when it comes to single large files (more than a few GBs), like ISOs.
For one time transfer over the internet, another handy tool is Croc . This one also suffers from the large file related issues.
sftp.
Localsend
If I want to quickly share something from my phone, I use NGINX in Termux with autoindex enabled.
No need for anything else than browser on client-side.
Actually, on Play store there's also a simple GUI app called "Simple HTTP server", but NGINX feels fancier.Just a tip if you want to try this:
By default, error logs are kept. One source of errors is interface suddenly disappearing (i.e. your phone got disconnected from network). This error will be logged as quickly as it can be.
What happened (when this occurred)? I found my phone stuck in bootloop. The error log filled internal storage to the last byte causing Android system to crash and unable to reboot, which it tried again, again, again,... Bootloop. I just found my pocket suddenly feeling unreasonably hot.
In my case, forcing it into recovery, turning it off from there and retrying boot up freed 17MB from somewhere, allowing the phone to boot up.
Alternative to that would be a hard reset.Sounds crazy, but any app could fill the internal storage like that.
NVMe in a USB enclosure makes a pretty rad backup target a couple of times a week. The whole job is over and done in <2 minutes.
Yes, that's true but I'm no longer doing that. Everything sync to the NAS using Syncthing that in turn is set with file versioning and weekly snapshots.
Ventoy is very useful for diagnostics too
And rEFInd, GParted Live... SystemRescueCd.
All the time, right now copying 400 MB onto one as an eBook Calibre library backup.
RFKJr can take it in, he's got a free slot