Wipe an 8 GB Flash Drive with malware



cameroncono
April 6th, 2014, 08:22 AM
Hi Everyone,

I have a bootable USB used to image Windows machines, and it is potentially infected with malware. To be safe I'm wiping it in Ubuntu via the terminal, and then I will format it back to NTFS. A few questions:

1. Will running "Sudo dd if=/dev/zero of=/dev/sda count=100" on the 8 GB flash drive be sufficient to remove the malware?
2. Does running "dd if=/dev/zero of=/dev/sda count=100" delete the entire MBR and Partition Table on the flash drive?

Thanks!

ajgreeny
April 6th, 2014, 11:13 AM
Yes, it will. So would using gparted from a live system (or even your own installed system) if you use the Device -> Create partition table menu item and then make a new fat32 partition.
I am pretty sure it will do that, but wait for other answers to be absolutely certain.

sudodus
April 6th, 2014, 12:04 PM
1 & 2: Yes, but there is additional system information in the rest of the first megabyte (mebibyte), so if you have problems creating a new partition table with gparted, try wiping the first mebibyte. I would use sudo.


sudo dd if=/dev/zero of=/dev/sda bs=1024 count=1024

The default block size is 512, so your original command would wipe 51200 bytes (50 kibibytes). It is enough to wipe the first block (512 bytes) to wipe the master boot record and the partition table.

Warning: /dev/sda is often an internal drive. dd is nick-named 'disk destroyer' because it does what you tell it to do without questions, and if you tell it to wipe a drive with important data, that is not backed up ... so double check and triple check that you are wiping the drive you intend to wipe, or use mkusb, which helps you identify the correct drive and decrease the risk. See this link

Ubuntu Forums tutorial "Howto make USB boot drives" (http://ubuntuforums.org/showthread.php?t=1958073)

cameroncono
April 6th, 2014, 10:26 PM
Thanks so much for the help thus far!

@sudodus, I just want to clarify, if I run this code on the Flash Drive:

Sudo dd if=/dev/zero of=/dev/sda count=100

Then use GParted to create a partition table, and then use GParted to format the flash drive (I will always use NTFS), will those steps alone always be sufficient to remove malware/virus/etc. from a flash drive?

I have done these steps, and the partition table and format steps complete successfully every time I have tried. I just want to verify the exact steps I should take, as I will be creating a how-to for my co-workers and want to keep it as standard as possible and as simple as possible.

cameroncono
April 6th, 2014, 10:48 PM
And, if I'm overthinking this and instead can just use GParted to re-format the drive and that will be enough to clean the flash drive of Windows malware/virus/etc, please let me know. Thanks so much!

sudodus
April 7th, 2014, 06:22 AM
Thanks so much for the help thus far!

@sudodus, I just want to clarify, if I run this code on the Flash Drive:

Sudo dd if=/dev/zero of=/dev/sda count=100

Then use GParted to create a partition table, and then use GParted to format the flash drive (I will always use NTFS), will those steps alone always be sufficient to remove malware/virus/etc. from a flash drive?

I have done these steps, and the partition table and format steps complete successfully every time I have tried. I just want to verify the exact steps I should take, as I will be creating a how-to for my co-workers and want to keep it as standard as possible and as simple as possible.


And, if I'm overthinking this and instead can just use GParted to re-format the drive and that will be enough to clean the flash drive of Windows malware/virus/etc, please let me know. Thanks so much!

All files will be removed, and not available by normal methods, when you create a new partition table and/or a new filesystem (alias format the partition). But the actual information as zeros and ones sitting in the storage area is still there, and can be found and 'recovered' by a program like PhotoRec.

http://www.cgsecurity.org/wiki/PhotoRec

So if you want to remove something confidential you need to wipe the whole drive. It can be done by overwriting the whole drive with zeros, but it is more efficient to use hdparm according to this link.

best way to wipe a drive (http://ubuntuforums.org/showthread.php?t=2124829)

-o-

I think you can consider a potential infection by malware removed after repartitioning and reformatting the drive with gparted.

coldraven
April 7th, 2014, 10:53 AM
All files will be removed, and not available by normal methods, when you create a new partition table and/or a new filesystem (alias format the partition). But the actual information as zeros and ones sitting in the storage area is still there, and can be found and 'recovered' by a program like PhotoRec.

http://www.cgsecurity.org/wiki/PhotoRec

So if you want to remove something confidential you need to wipe the whole drive. It can be done by overwriting the whole drive with zeros, but it is more efficient to use hdparm according to this link.

best way to wipe a drive (http://ubuntuforums.org/showthread.php?t=2124829)

-o-

I think you can consider a potential infection by malware removed after repartitioning and reformatting the drive with gparted.

From your link
WARNING: Do not attempt to do this through a USB interface!

Personally I would use gparted and just delete the partition, then create a new one and format it.

3rdalbum
April 7th, 2014, 04:33 PM
If your aim was to irrevocably remove some confidential data from a drive, I would suggest using 'dd'.

However, all you want to do is remove some malware. Removing the existing partition and reformatting as NTFS will do this just fine. Unlike 'dd' it will be quick and put no strain on the USB drive.

cameroncono
April 8th, 2014, 03:58 AM
However, all you want to do is remove some malware. Removing the existing partition and reformatting as NTFS will do this just fine. Unlike 'dd' it will be quick and put no strain on the USB drive.

Will removing the existing partition and reformatting also erase the MBR of the flash drive, in case there is an MBR virus?

sudodus
April 8th, 2014, 06:11 AM
No. But wiping the first block with dd will do it (using count=1, you need not erase 100 blocks to erase the MBR).

Edit: See my first post (post #3) for more thorough wiping of the bootloader related stuff (wiping the first megabyte). But I do not think it is necessary in this case.

cameroncono
April 11th, 2014, 05:56 AM
Thanks for all the help! A few more questions, as the MAN page for dd is still a bit much for a Linux newbie like me:

1. If I wanted to let dd wipe the entire drive, what would be the command?
2. If I wanted to wipe some arbitrary number, say the first 10 MB, what would that be?
3. What is the "count" flag?
4. What is the bs flag?

Once again, thanks so much for all the assistance thus far!

sudodus
April 11th, 2014, 07:12 AM
sudo dd if=/dev/zero of=/dev/sdx bs=4096

where x is the drive letter.

bs means the block size (number of bytes or with postfixes kB, mB etc). The default block size is 512 bytes.

count means the number of blocks that is written.

bs=1024 count=10240 --> wipe 10 MB (actually mebibytes)

Often dd is fastest with a block size of 4096 bytes, so use that to write a lot (for example when wiping a whole drive).
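A rehearsable version of the "wipe the first mebibyte" step discussed in the posts above, added here as an example and not code from the thread. It assumes Linux with GNU coreutils and util-linux (blockdev), refuses any block device that /sys/block/<dev>/removable does not flag as removable (the 'disk destroyer' guard sudodus warns about), and reads the region back to verify it is zeroed. Pass a whole device such as /dev/sdx, or a regular file to rehearse.

```shell
#!/bin/sh
# Added example: zero the head of a target (MBR, partition table and the
# rest of the first MiB), with a removable-device check and verification.

# Size in bytes of the target (block device via blockdev, else a regular file).
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Succeed only if the target is a regular file (rehearsal) or a whole block
# device that the kernel reports as removable; /dev/sda-style internal disks
# and partitions (no /sys/block entry) are refused.
check_removable() {
    [ -b "$1" ] || return 0
    dev=$(basename "$1")
    [ "$(cat "/sys/block/$dev/removable" 2>/dev/null)" = "1" ]
}

# Zero the first $2 MiB (default 1) of $1. bs=1048576 is one MiB, so count is
# the MiB count; conv=notrunc keeps a rehearsal file from being truncated.
wipe_head() {
    mib=${2:-1}
    check_removable "$1" || { echo "refusing: $1 is not a removable device" >&2; return 1; }
    dd if=/dev/zero of="$1" bs=1048576 count="$mib" conv=notrunc 2>/dev/null
}

# Succeed if the first $2 MiB (default 1) of $1 read back as all zero bytes.
head_is_zero() {
    mib=${2:-1}
    [ -z "$(dd if="$1" bs=1048576 count="$mib" 2>/dev/null | tr -d '\000' | head -c 1)" ]
}

# Usage: sh wipe_head.sh /dev/sdx   (whole device, run with sudo)
if [ -n "$1" ]; then
    echo "target $1 is $(target_size "$1") bytes"
    wipe_head "$1" 1 && head_is_zero "$1" 1 && echo "first MiB zeroed and verified"
fi
```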

cameroncono
April 22nd, 2014, 04:54 AM
Could the dd command to wipe the MBR and partition table also be used to wipe malware from a 500 GB Hard Drive? (I know that it would then require I re-install Windows)

sudodus
April 22nd, 2014, 05:40 AM
Yes, dd could wipe any writable drive, but it will be very slow compared to hdparm for a big hard disk drive. If you use no count specifier, the whole drive will be overwritten.