
ESET discovers strange malware targeting USB

24 Mar 16

USB Thief, a newly discovered data-stealing trojan, is capable of stealthy attacks against air-gapped systems and is also well protected against detection and reverse engineering.

Cyber security specialist ESET is warning of a newly discovered data-stealing malware found on USB devices, dubbed USB Thief.

The malware exclusively uses USB devices for propagation, without leaving any evidence on the compromised computer.

Its creators have employed special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyse, ESET says.

“It seems that this malware was created for targeted attacks on systems isolated from the internet,” explains Tomáš Gardo, ESET malware analyst.

Gardo says USB Thief is a unique data-stealing Trojan that has been spotted on USB devices in the wild, one that is different from typical data-stealing malware.

Each instance of this Trojan relies on the particular USB device on which it is installed and leaves no evidence on the compromised system.

“Because it is USB-based, the malware is capable of attacks on systems isolated from the internet without leaving any traces,” Gardo explains.

“So the victims don’t notice that their data were stolen.”

“Another feature which makes this malware unusual is that not only is it USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn't be duplicated or copied. This makes it very difficult to detect and analyse,” he says.

“Where other malware uses good old-fashioned approaches like Autorun files or crafted shortcuts in order to get users to run it, USB Thief also uses another technique. This technique depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, Notepad++ and TrueCrypt on USB drives,” says Gardo.

Gardo says the malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL) that the portable application loads from its own directory on the drive.

Therefore, whenever such an application is executed, the malware also runs in the background, and nothing needs to be written to the host for that to happen.
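Because the trojan lives on the drive rather than on the host, the drive itself is the place to audit. The script below is an added example, not ESET's code or anything from the original report: it walks a mounted drive, parses the PE import table of every executable with the standard library only, and reports any imported DLL that also sits in the executable's own directory, which is the position a planted DLL needs in order to be loaded ahead of the system copy. `build_sample_exe` and `demo_scan` construct a synthetic "portable app" folder so the check runs offline; the folder and file names in it are invented for the demonstration.

```python
from __future__ import annotations

import os
import struct
import tempfile


def _section_table(data: bytes, start: int, count: int) -> list[tuple[int, int, int]]:
    """Return (virtual_address, size, raw_file_offset) for each section header."""
    sections = []
    for i in range(count):
        _name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, start + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))
    return sections


def _rva_to_offset(sections, rva: int) -> int:
    """Map a relative virtual address to a file offset via the section table."""
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} not backed by any section")


def read_import_dlls(data: bytes) -> list[str]:
    """Names of DLLs listed in the PE import directory (static imports only;
    delay-load imports and LoadLibrary() calls by name are not visible here)."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not a PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections, size_opt = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + (96 if magic == 0x10B else 112)         # PE32 vs PE32+
    imp_rva, _imp_size = struct.unpack_from("<II", data, data_dirs + 8)  # entry 1 = imports
    if imp_rva == 0:
        return []
    sections = _section_table(data, opt + size_opt, num_sections)
    off = _rva_to_offset(sections, imp_rva)
    names = []
    while off + 20 <= len(data):
        _oft, _ts, _fwd, name_rva, _ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:                                      # all-zero descriptor ends the table
            break
        noff = _rva_to_offset(sections, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def find_sideload_candidates(root: str) -> dict[str, list[str]]:
    """For every .exe under root, list imported DLLs that are present in the same
    directory. Windows searches the application directory first, so such a DLL
    wins over the copy in System32: exactly the placement USB Thief relies on."""
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        present = {f.lower() for f in files}
        for f in files:
            if not f.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    imports = read_import_dlls(fh.read())
            except (OSError, ValueError, struct.error):
                continue                                       # unreadable or not a PE
            hits = sorted(d for d in imports if d.lower() in present)
            if hits:
                findings[path] = hits
    return findings


def build_sample_exe(dll_names: list[str]) -> bytes:
    """Constructed test input: a minimal, non-executable PE32 whose single section
    holds only an import directory naming dll_names. Enough for the parser."""
    sec_rva, sec_off = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)                      # descriptors + terminator
    names_blob, name_rvas = b"", []
    for n in dll_names:
        name_rvas.append(sec_rva + desc_size + len(names_blob))
        names_blob += n.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    section = descs + names_blob
    section += b"\0" * (-len(section) % 0x200)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # magic ... NumberOfRvaAndSizes
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, desc_size)                             # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x0102)
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(section), sec_rva,
                          len(section), sec_off, 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    headers = dos + b"PE\0\0" + coff + opt + sec_hdr
    return headers + b"\0" * (sec_off - len(headers)) + section


def demo_scan() -> dict[str, list[str]]:
    """Constructed scenario (invented names): a portable app whose .exe imports
    KERNEL32.dll and version.dll, with a version.dll planted beside it."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "PortableApps", "NotepadPortable")
        os.makedirs(app_dir)
        with open(os.path.join(app_dir, "notepad.exe"), "wb") as fh:
            fh.write(build_sample_exe(["KERNEL32.dll", "version.dll"]))
        with open(os.path.join(app_dir, "version.dll"), "wb") as fh:
            fh.write(b"MZ")                                    # stand-in for the planted DLL
        found = find_sideload_candidates(root)
        return {os.path.basename(p): dlls for p, dlls in found.items()}


if __name__ == "__main__":
    for exe, dlls in demo_scan().items():
        print(f"{exe}: would side-load {', '.join(dlls)}")
```

Run it against a mounted drive with `find_sideload_candidates("E:\\")` and treat each hit as a lead, not a verdict: a DLL beside its executable is normal for many portable applications, so compare the file's hash or Authenticode signature against a known-good copy of that application before deciding. The check also misses plugin directories and DLLs loaded by name at runtime, which the report says USB Thief can use as well, so it narrows the search rather than replacing a full look at the drive.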
