
How to View Malicious USBs Safely

There is a good chance that a USB drive you bought is infected with malware that can harm your system or be used for other bad purposes. Lost USB keys have a 66% chance of carrying malware, which can get a person in trouble by performing harmful actions such as copying user data that might eventually end up for sale on the dark web. When USB cables can be part of an attack vector, how can one expect USB drives to be any less harmful? It is therefore better to use a sanitization tool that safely removes the malware before it can affect your system. There are many tools that do this, but today we will be talking about CIRCLean, which gives you greater peace of mind.

What is CIRCLean?


CIRCLean is an ingenious way of dismantling potentially harmful files: it converts them into a different data format that nullifies the dangerous nature of the data (the virus) before it reaches your system. Most anti-virus products run inside your computer and detect viruses there, so how does CIRCLean remove viruses before the USB reaches your computer? CIRCLean's software is installed on a Raspberry Pi, which acts as your anti-virus and removes the viruses.

How does CIRCLean work?

CIRCLean analyzes all the untrusted data on a USB stick and transforms it into readable file formats. You plug in the bad USB and a good USB, and CIRCLean copies the contents of the bad USB onto the good USB after cleaning or analyzing them. Details of how this is done are shared below, so keep reading.


The procedure sounds simple enough, but it prevents a lot of problems and can help people massively. A couple of ways it helps:

  • It helps retrieve data from untrusted USB sticks without them ever reaching your computer, so any direct attack is prevented.
  • The Raspberry Pi isn't connected to the internet, but your system might be, which would let an untrusted USB key upload your sensitive data or send it to other people.
  • It is safer than a virtual machine (VM).
  • Most viruses work in specific formats, and if we can change those formats correctly without deleting useful data, then our problems are gone, which is exactly what CIRCLean does.

Another plus point of CIRCLean is that it is open source and you may modify its code in any way you like. CIRCLean was going to be commercialized, but that never happened, and it is going to remain free to use.

Why is CIRCLean on a Raspberry Pi? Installing CIRCLean on a Raspberry Pi is the logical option, as it is a better way to confine the untrusted USBs and analyze them in a safe environment. Raspberry Pis are perfect for that, as they are cheap and portable.

Why not use a virtual machine to delete the viruses on the USB? There are several reasons for not using a VM instead of CIRCLean.

  • The idea is to isolate the untrusted data and never let it reach your system. What if the virus masks the USB as a keyboard and your PC allows it to access the terminal?
  • The chance of accidentally executing the USB's contents on your host OS rather than inside the VM is very high. To eliminate the risk of accidental runs, making CIRCLean run on a Raspberry Pi seemed the viable option.
  • Virtual machines need a reasonably powerful PC to run, and CIRCLean is far simpler than setting up and running a VM.

CIRCLean Extension Scan Mechanism

The files that will not be changed and will be directly copied to the good USB are:

  • Plain text files (mime type: text/*)
  • Audio files (mime type: audio/*)
  • Video files (mime type: video/*)
  • Example files (mime type: example/*)
  • Multipart files (mime type: multipart/*)
  • XML files, after being converted to text files
  • Octet-stream files

Files that will be copied to the good USB after verification:

  • Image files, after verifying that they are not compression bombs (mime type: image/*)
  • PDF files, marked as dangerous if they contain malicious content
  • Office documents (mime type: msword|vnd.openxmlformats-officedocument.*|vnd.ms-*|vnd.oasis.opendocument*), after parsing with oletools/olefile, marked as dangerous if the parsing fails.

Files that will be copied but marked dangerous:

  • Message files (mime type: message/*)
  • Model files (mime type: model/*)
  • x-dosexec (executable)

Compressed files (zip|x-rar|x-bzip2|x-lzip|x-lzma|x-lzop|x-xz|x-compress|x-gzip|x-tar|*compressed):

  • Archives are unpacked, but unpacking stops after 2 levels to prevent zip bombs
  • The above rules are applied recursively to the unpacked files.
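The triage rules above, as an added Python example (not CIRCLean's own code): one function decides the action per MIME type, and a second walks a constructed listing of an untrusted stick, descending into archives only up to the two-level cap. The category names, the handling of archives past the cap, and the fallback for unlisted types are assumptions made for the example.

```python
import re

# Added example, not CIRCLean's own code: the per-MIME-type triage policy the post
# describes. Archive unpacking stops after MAX_ARCHIVE_DEPTH nested levels.
COPY, VERIFY, DANGEROUS, UNPACK = "copy", "verify", "copy+dangerous", "unpack"
MAX_ARCHIVE_DEPTH = 2   # two levels of nesting, to defuse zip bombs
ARCHIVE_RE = re.compile(r"^(zip|x-rar|x-bzip2|x-lzip|x-lzma|x-lzop|x-xz|x-compress|x-gzip|x-tar|.*compressed)$")
OFFICE_RE = re.compile(r"^(msword|vnd\.openxmlformats-officedocument\..*|vnd\.ms-.*|vnd\.oasis\.opendocument.*)$")

def triage(mime, depth=0):
    """Action for one file with MIME type `mime` found `depth` archives deep."""
    main, _, sub = mime.lower().partition("/")
    if main in ("text", "audio", "video", "example", "multipart"):
        return COPY                        # copied as-is
    if main == "image":
        return VERIFY                      # copied after a compression-bomb check
    if main in ("message", "model"):
        return DANGEROUS                   # copied but flagged
    if main == "application":
        if sub in ("xml", "octet-stream"):
            return COPY                    # xml is first converted to plain text
        if sub == "pdf" or OFFICE_RE.match(sub):
            return VERIFY                  # PDF content check / oletools parse
        if sub == "x-dosexec":
            return DANGEROUS               # executables
        if ARCHIVE_RE.match(sub):
            # Assumption: past the depth cap the archive is flagged, not expanded.
            return UNPACK if depth < MAX_ARCHIVE_DEPTH else DANGEROUS
    return DANGEROUS                       # assumption: anything unlisted is flagged

def triage_tree(entries, prefix="", depth=0):
    """entries: (name, mime, children) tuples, children a list for archives; returns {path: action}."""
    actions = {}
    for name, mime, children in entries:
        path = prefix + name
        actions[path] = triage(mime, depth)
        if actions[path] == UNPACK and children:
            actions.update(triage_tree(children, path + "/", depth + 1))
    return actions

# Constructed sample listing of an untrusted stick, three archive levels deep.
SAMPLE = [
    ("notes.txt", "text/plain", None),
    ("photo.jpg", "image/jpeg", None),
    ("report.docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", None),
    ("installer.exe", "application/x-dosexec", None),
    ("outer.zip", "application/zip", [("inner.zip", "application/zip", [
        ("deep.zip", "application/zip", [("x.txt", "text/plain", None)]),
        ("readme.txt", "text/plain", None)])]),
]
```

Running `triage_tree(SAMPLE)` shows `deep.zip` flagged rather than opened, so `x.txt` inside it is never reached.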

Alternatives to CIRCLean 

There are a few alternatives to CIRCLean, but the real question is whether they are more effective than CIRCLean. Not quite: the project health of CIRCLean is 93, while the best alternative (Bleach) has a project health of 85.

How To Setup CIRCLean

CIRCLean can be set up by anyone as it isn’t very complicated. Follow these simple steps to set up your own CIRCLean USB cleaner.

Before we start with the actual process, you have to write CIRCLean to a USB that will be used in the Raspberry Pi. You can download the latest pre-built image, but you should always check for the latest build on the CIRCLean project website. Once done, proceed with the procedure.

Step 1: Unplug the Raspberry Pi if it is already connected.


Step 2: Connect the untrusted/malicious USB to the Raspberry Pi’s top USB slot.


Step 3: Connect your trusted / clean USB to the lower USB slot of the Raspberry Pi. The clean USB should preferably be freshly formatted.


Step 4: Once both USBs are connected, you may connect the Raspberry Pi's power cable.


Step 5: Wait for the LED to stop blinking if you have a Raspberry Pi model with an LED; if not, you can plug in your headphones and listen to the music that plays during the conversion process. When the music ends, your conversion has completed. The acoustic signal was introduced to make it easy for everyone to know when the cleaning process on CIRCLean has finished. The process can take from 30 minutes to 1 hour.


Step 6: Unplug the Raspberry Pi and remove the USBs. The bad USB still stays bad, while your clean USB now has the contents of the bad USB without the malicious content, making it safe for you to view.

Very straightforward for anyone to use.

Conclusion

CIRCLean is a fantastic project that can help a lot of people given its simplicity and the many possibilities it opens up. On very rare occasions it is possible that the bad USB infects the Raspberry Pi and leaves your CIRCLean unable to function properly; in such a scenario, however, you will also not hear the programmed acoustic signal. Something like this is very unlikely, but it is possible. Let's hope for the best, as the CIRCLean project is still advancing with regular updates, which shows that it will be maintained and available to everyone for a long time. As I covered in Social Engineering attacks, bad USBs are left intentionally near the premises of POIs, and some naive employee picks one up and sticks it into a networked computer.
