
Ok. Hang on to your hats! This is going to sound crazy, but I have been attacked by some crazy hacker malware. I believe it started out as a file-less attack on my Widoze 10 Home partition and spread from there. The crazy thing is that it seemed to anticipate, or predict, my moves and to always be one step ahead of me. I noticed that I was infected when the system time changed; then file dates and events in the Event Viewer were set to future or past dates, not like yesterday or last week, but 2125 and the 1960s. I scheduled a task to open a cmd window when certain things happened, and that kept getting triggered by Windows PowerShell opening and running devious scripts as background processes. NOT my scripts! Then temp files started being written and accessed by mystery processes that did not show up in the Task Manager.

So, what does all this have to do with Ubuntu, you ask? Let me tell you. Feeling like "I got this," I immediately made antivirus rescue boot USBs and Ubuntu Live USBs on what was thought to be a clean PC. I scanned with 4-5 different antivirus programs (yes, I tried ClamAV too), no help: both PCs came up clean time after time, but the malware's presence and effects were obvious. The thing that killed me is that after booting into the Live Ubuntu a couple of times, things on the "read only" USB stick were being changed. One boot would be fine, then on the next boot from that Live USB the keyboard would not send any input to the terminal on screen. I booted immediately again using a different Live USB - problem gone. I checked the suspect USB with ClamAV and it showed "OK" on all files. Then I booted from the suspect "clean" USB and it was ok again.

I am way out of my league here. This is some serious malware that seems to be file-less and infects BIOS/UEFI, Windows, Linux, boot records, and other dark partitions and spaces of /dev/sdx's.

The Questions - I have never experienced any program that could/would attack a Linux Live system boot USB. How does this happen, and is there any way I can recover from this and make a "safe" Live USB boot device so it never happens again? Also, can I clean and use the current "suspect" live system USB to install Ubuntu on my /dev/sdx without fear that I am installing a corrupted and infected system? Unfortunately, ClamAV has been no help, and the virus blocks its updates when the system is running. One time it simply deleted the sources file and chmod'ed all the permissions in /var/lib/clamav related to clam. Right now I have two dead, infected computers, two "suspect" infected Live USBs, and one infected Windows ISO install USB. Is there any way I can install any OS at this point, and if so, how? I have no other computers, and if I did, how do I cure BIOS, MBR/UEFI, partitions, and Live USBs as my only installation media? Can I boot with infected media and install cleanly from an online source? --help! Thanks for reading my nightmare, and thanks in advance for any suggestions or advice you may offer!

1 Answer


Finally had to contact and hire a security specialist to secure my network and to find and eradicate the problems. Here's what we found. The router was indeed infected and needed to be re-flashed and reset to defaults, and then set with max security options (firewall, port closures, etc.). Also, 2 of the 4 laptops had BIOS-level viruses for both Windows and Linux, 4 of 5 Androids were infected and needed factory resets, and one Android seems to be deeply infected even after multiple factory resets - it will be going the way of the garbage. One work laptop was infected and got re-flashed, wiped, and reinstalled. The coauth.exe virus was found in a place related to that laptop. So, in short, someone screwed me badly. I admit that I joked with my specialist about whether we could "hack them back" and start screwing with their hardware and software. That would be a fun time . . . "Oh no, my PowerShell script isn't working," the hacker might say.

So, for the record, here's what happened. I was infected by several trojans (one was Brave_Updater.exe, and another coauth.exe), and these delivered scripts for a file-less attack in Windows that disabled Windows Defender during a Windows 10 install and went on to use hidden runs of "PowerShell" and "Command Prompt" to spread the infection. On reboot it would write code to the BIOS that would infect the next OS or USB that loaded Windows or Linux. Finally, it would phone home frequently to get C&C instructions from the hacker. What a pain in the ass. I tend to believe in karma, and hacker, you've got a screwing coming - enjoy prison, don't drop the soap . . . on second thought, go ahead and drop it, you've earned it. Fin.