On Sun, 10 Mar 2019 16:18:33 -0400, Paul
wrote:

wrote:
Is there a tool out there that will scan a thumb drive and tell you if
the formatting/partitioning is buggered in a stuxnet sort of way?

One problem would be, the trouble could result instantly from the
stick being plugged in. So a purely passive analysis would
not be enough.

As I understand it, one exploit mechanism is to make
the stick a "composite device", hiding USB Mass Storage
and a virtual optical drive in the same USB device. There
were some U3 sticks which had this feature anyway. Using
USBTreeView, you might see a declaration of "Composite"
in the device config data, on a U3 style stick.

There is a registry entry with Autorun/Autoplay bits,
and Microsoft may leave that, such that optical discs
still work. Others in the industry wanted them to turn
this subsystem off entirely, so it would be a little harder
for these things to happen. One third-party technique
was to use a software restriction policy, such that
could not be accessed, which would "break
the chain" for that style of exploitation.

But I don't know if that covers every possibility or not.

It's an attack surface. That's all I can say for sure.

Paul

When I was looking around I did see things that would stop the auto
run and somewhat protect that host but I was wondering if anyone had
the software to flag a bad USB drive with extra partitions and
malware. I assume a brand new stick from a reputable firm would be OK
but after it is "been around" who knows what it might have picked up.