SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
ESET discovers strange malware targeting USB
Thu, 24th Mar 2016
FYI, this story is more than a year old

USB Thief, a new threat to data, is capable of stealthy attacks against air-gapped systems and also well protected against detection and reverse-engineering.

Cyber security specialists ESET is warning people against a newly discovered data-stealing malware on USB devices, dubbed USB Thief.

The malware exclusively uses USB devices for propagation, without leaving any evidence on the compromised computer.

Its creators have employed special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyse, ESET says. “It seems that this malware was created for targeted attacks on systems isolated from the internet,” explains Tomáš Gardo, ESET malware analyst.

Gardo says USB Thief is a unique data-stealing Trojan that has been spotted on USB devices in the wild, one that is different from typical data-stealing malware.

Each instance of this Trojan relies on the particular USB device on which it is installed and leaves no evidence on the compromised system.

“Because it is USB-based, the malware is capable of attacks on systems isolated from the internet without leaving any traces,” Gardo explains.

“So the victims don't notice that their data were stolen.

““Another feature which makes this malware unusual is that not only it is USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn't be duplicated or copied,” he says.. This makes it very difficult to detect and analyse.

“Where other malware uses good old-fashioned approaches like Autorun files or crafted shortcuts in order to get users to run it, USB Thief also uses another technique. This technique depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives,” says Gardo.

Gardo says the malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL).

And therefore, whenever such an application is executed, the malware will also be run in the background.