BadUSB: Removing Mass Storage Tarnishing

TL;DR

A BadUSB device keeps its malicious code in the controller firmware of what looks like an ordinary flash drive, so a reformat never touches it and it is tricky to remove completely. This guide shows you how to spot a drive that has been reprogrammed, what it takes to eliminate the malicious firmware, and how to confirm the drive is back to being a plain mass storage device.

Identifying the Problem

  1. Symptoms: Your USB drive enumerates as more than a mass storage device. Windows installs a keyboard, HID device or network adapter alongside the disk, the drive ‘types’ on its own shortly after insertion, or firmware you flash does not take effect. Unexpected file creation or modification on the drive is a secondary sign.
  2. Device Manager Check: Open Device Manager (search for ‘Device Manager’ in Windows). Look for your USB drive under ‘Disk drives’ and ‘Universal Serial Bus controllers’, then check ‘Keyboards’, ‘Human Interface Devices’ and ‘Network adapters’ for entries that appear when the drive is plugged in and vanish when it is removed. Note any unfamiliar devices or those with warning symbols.
  3. Firmware Identification: Identify the controller chip and its stock firmware version for your USB drive model (ChipGenius reports the controller vendor, part number and firmware revision). Comparing these, together with the vendor and product IDs, against a known-good drive of the same model helps you determine whether the firmware has been replaced. Flash drive vendors rarely publish controller firmware; where the manufacturer does provide a firmware or repair utility for your model, its website is the only source you should trust.

Removing the Malicious Firmware

The process depends on the type of BadUSB attack and your technical skill level. Keep in mind that the malicious code lives in the controller firmware, not on the storage the drive presents, so only a method that rewrites that firmware (1, 3 or 4 below) actually removes it; method 2 cleans the data area. Here are several approaches, starting with the simplest:

1. Using Manufacturer’s Utility

  1. Download: Download the official firmware flashing utility from the USB drive manufacturer’s website. Be absolutely certain you download it from the official source to avoid further malware!
  2. Run the Utility: Launch the utility as an administrator (right-click, ‘Run as administrator’).
  3. Follow Instructions: Carefully follow the on-screen instructions to reflash the original firmware. This usually involves selecting the correct USB drive and firmware file.
    Warning: Incorrectly flashing firmware can permanently damage your device!

2. Using a Low-Level Formatting Tool

This method erases all data in the drive’s storage area, which removes any payload files the attack dropped, but it does not reach the controller firmware where the BadUSB code lives. Use it to clean the data after a firmware reflash, not as a substitute for one. WARNING: This will delete everything on the USB drive.

  1. Download: Download a reputable low-level formatting tool (e.g., HDD Low Level Format Tool). ChipGenius, mentioned elsewhere in this guide, only identifies the controller; it does not format.
  2. Identify Drive: Run the tool and carefully identify your target USB drive by its size and model number. Double-check before proceeding!
  3. Perform Low-Level Format: Select ‘Low-level format’ (or similar option) and start the process. This can take a significant amount of time.

3. Using a Dedicated BadUSB Removal Tool

There is no general-purpose BadUSB removal tool: rewriting controller firmware is specific to the controller family, so the tools that exist are the controller vendor’s mass-production (MP) or repair utilities for a particular chip. These often require more technical knowledge.

  1. Download: Identify the controller first (ChipGenius, see method 4), then look for the repair or mass-production utility for that controller family. Exercise extreme caution when downloading from third-party sources: a download advertised as a ‘BadUSB removal tool’ is itself a classic way to get malware onto your machine.
  2. Run the Tool: Launch the tool as an administrator.
  3. Scan and Remove: Follow the tool’s instructions to re-initialise the drive. This typically rewrites the controller firmware and rebuilds the flash management tables, and erases all data on the drive in the process.

4. Manual Firmware Flashing (Advanced)

This is the most complex method and requires in-depth knowledge of your USB drive’s controller chip and firmware structure.

  1. Identify Controller: Use a tool like ChipGenius to identify the USB drive’s controller chip.
  2. Find Firmware: Locate the original firmware for that specific controller chip (often difficult, since vendors do not publish it separately; it usually ships only inside the controller vendor’s own tools).
  3. Flashing Tool: Find or create a flashing tool compatible with the controller chip.
  4. Flash Firmware: Use the flashing tool to write the original firmware to the USB drive.
    This process is highly technical and carries a high risk of bricking your device!

Post-Removal Verification

  1. Device Manager Check: After attempting removal, check Device Manager again to ensure the drive appears only as a disk drive and USB mass storage device, with no keyboard, HID or network adapter entry tied to it.
  2. File System Test: Format the USB drive with a standard file system (e.g., FAT32, NTFS) and test its functionality by writing and reading files.
  3. Antivirus Scan: Perform a full antivirus scan of the USB drive to ensure no residual malware remains in the files. This only inspects the file system, not the firmware, so a clean scan does not prove the controller is clean. If you cannot confirm the firmware (matching interface list, firmware revision and vendor/product IDs against a known-good drive of the same model), treat the drive as untrusted and retire it.
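The interface check behind the Device Manager steps (both in ‘Identifying the Problem’ and in the verification above) can be done directly on the USB configuration descriptor, which lists every interface the device claims to be. The following Python script is an added example, not code from the original article: it walks a configuration descriptor, collects the interface descriptors, and flags a drive that exposes a HID keyboard or network interface next to mass storage. The two descriptor blobs are constructed inline to stand in for a clean drive and a reprogrammed one; on a real device you would feed in the raw descriptor bytes (for example from pyusb’s get_active_configuration() or the values printed by lsusb -v).

```python
"""Check whether a USB device's configuration descriptor exposes more than
mass storage (e.g. a HID keyboard or a network interface), the footprint a
BadUSB device leaves when it enumerates.

Added example, not code from the original article. Runs offline on
constructed descriptor bytes (see the bottom of the file).
"""
import struct
from dataclasses import dataclass

# Descriptor type codes (USB 2.0 specification, table 9-5).
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT, DT_HID = 0x02, 0x04, 0x05, 0x21

# Interface class codes from the USB-IF defined class code list.
CLASS_CDC, CLASS_HID, CLASS_MSC, CLASS_CDC_DATA, CLASS_WIRELESS = 0x02, 0x03, 0x08, 0x0A, 0xE0
CLASS_NAMES = {CLASS_CDC: "CDC (serial/network control)", CLASS_HID: "HID",
               CLASS_MSC: "mass storage", CLASS_CDC_DATA: "CDC data",
               CLASS_WIRELESS: "wireless controller"}
# Classes a plain flash drive has no business exposing.
NON_STORAGE = {CLASS_CDC, CLASS_HID, CLASS_CDC_DATA, CLASS_WIRELESS}


@dataclass(frozen=True)
class Interface:
    number: int
    usb_class: int
    subclass: int
    protocol: int


def parse_config_descriptor(blob: bytes) -> list[Interface]:
    """Walk the descriptor chain and return every interface descriptor.

    Every descriptor starts with bLength and bDescriptorType, so the chain can
    be walked without understanding class-specific descriptors in between.
    """
    if len(blob) < 9 or blob[1] != DT_CONFIG:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]       # wTotalLength
    if total_len != len(blob):
        raise ValueError(f"wTotalLength says {total_len} bytes, got {len(blob)}")
    declared_ifaces = blob[4]                               # bNumInterfaces
    ifaces, off = [], 0
    while off < len(blob):
        blen = blob[off]
        if blen == 0 or off + blen > len(blob):
            raise ValueError(f"malformed descriptor at offset {off}")
        if blob[off + 1] == DT_INTERFACE and blob[off + 3] == 0:   # alternate setting 0 only
            # bInterfaceNumber, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            ifaces.append(Interface(blob[off + 2], blob[off + 5], blob[off + 6], blob[off + 7]))
        off += blen
    if len(ifaces) != declared_ifaces:
        raise ValueError(f"bNumInterfaces={declared_ifaces} but found {len(ifaces)} interfaces")
    return ifaces


def assess(ifaces: list[Interface]) -> dict:
    """Classify the interface set: storage-only device vs. a composite that also acts as a keyboard or NIC."""
    classes = [i.usb_class for i in ifaces]
    # HID boot-protocol keyboard: class 3, subclass 1 (boot interface), protocol 1 (keyboard).
    keyboard = any(i.usb_class == CLASS_HID and i.subclass == 1 and i.protocol == 1 for i in ifaces)
    extra = [CLASS_NAMES.get(c, f"class 0x{c:02x}") for c in classes if c in NON_STORAGE]
    return {"mass_storage": CLASS_MSC in classes, "keyboard": keyboard,
            "extra_interfaces": extra, "suspicious": bool(extra)}


def describe(blob: bytes) -> str:
    """One-line verdict for a descriptor blob; malformed input is reported, not raised."""
    try:
        r = assess(parse_config_descriptor(blob))
    except ValueError as e:
        return f"MALFORMED: {e}"
    if not r["suspicious"]:
        return "OK: mass storage only" if r["mass_storage"] else "OK: no storage or suspicious interfaces"
    prefix = "mass storage plus " if r["mass_storage"] else ""
    return "SUSPICIOUS: " + prefix + ", ".join(r["extra_interfaces"]) + (" (keyboard)" if r["keyboard"] else "")


# --- Constructed sample descriptors (assumed layouts, not captured from a real device) ---
def _iface(num, cls, sub, proto, n_ep):
    return bytes([9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0])

def _ep(addr, attrs, max_packet=64, interval=0):
    return bytes([7, DT_ENDPOINT, addr, attrs]) + struct.pack("<H", max_packet) + bytes([interval])

def _config(body, n_ifaces):
    return bytes([9, DT_CONFIG]) + struct.pack("<H", 9 + len(body)) + bytes([n_ifaces, 1, 0, 0x80, 50]) + body

# Bulk-only-transport SCSI flash drive: one mass-storage interface with bulk IN and OUT endpoints.
MSC_IFACE = _iface(0, CLASS_MSC, 0x06, 0x50, 2) + _ep(0x81, 0x02) + _ep(0x02, 0x02)
CLEAN_DRIVE = _config(MSC_IFACE, 1)

# Same drive, but the firmware now also enumerates a boot-protocol keyboard (BadUSB pattern).
HID_DESC = bytes([9, DT_HID, 0x11, 0x01, 0, 1, 0x22]) + struct.pack("<H", 63)
KBD_IFACE = _iface(1, CLASS_HID, 0x01, 0x01, 1) + HID_DESC + _ep(0x83, 0x03, 8, 10)
BADUSB_DRIVE = _config(MSC_IFACE + KBD_IFACE, 2)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_DRIVE), ("badusb", BADUSB_DRIVE), ("truncated", BADUSB_DRIVE[:-3])):
        print(f"{name:10s} {describe(blob)}")
```

The class/subclass/protocol triple is the signal to look at: 0x08/0x06/0x50 is a SCSI bulk-only flash drive, 0x03/0x01/0x01 is a boot-protocol keyboard that the host will happily accept keystrokes from. A reprogrammed controller can also report vendor and product IDs that differ from the label on the case, so record those from a known-good drive of the same model and compare them alongside the interface list.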