Researchers have discovered a stealthy piece of malware that can infect computers not connected to the Internet and leaves no evidence behind afterwards.
The malware, named USB Thief, spreads on USB thumb drives and portable hard drives, stealing large volumes of data once the drive has been connected. It uses techniques not seen in previously discovered USB malware: it binds itself to the host drive, so that it cannot easily be copied or analyzed.
It uses multi-stage encryption and obtains its key from the device it is attached to. The chain of loader files also contains a list of file names that is unique to every instance of the malware, and some of those file names must match exactly for execution to continue. The malware therefore will not execute its task if the files are moved to a drive other than the one its developers chose.
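The device-binding idea described above, as an added illustrative model written for this article (it is not Eset's analysis code and not USB Thief's own implementation). The article only says that the key comes from the attached device and that the loader chain breaks when the files are copied; the specific attributes used (volume serial and USB device ID), the HMAC-based key derivation, the toy stream cipher, and the hash-derived file names are assumptions chosen to show why an analyst who copies the files off the original drive sees only opaque data, and why recording the drive's attributes is what makes off-device analysis possible. The sample drive attributes are constructed values.

```python
"""Toy model of a device-bound, multi-stage loader (added example, not USB Thief's code).

Assumptions (not from the article): the binding material is the drive's volume
serial plus USB device ID; keys are HMAC-SHA256 over that material; each stage
is protected by a SHA256-based keystream with an HMAC tag; and each stage's
file name is derived from the previous stage's bytes.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for the drive the author bound the sample to
# and for a second drive an analyst copied the files onto.
ORIGINAL_DRIVE = {"volume_serial": "1A2B-3C4D", "device_id": "USB\\VID_0000&PID_0000\\SAMPLE-ID"}
COPIED_DRIVE = {"volume_serial": "9E8F-7A6B", "device_id": "USB\\VID_0000&PID_0000\\OTHER-ID"}


def derive_stage_key(device_attrs: dict, stage: int) -> bytes:
    """Assumed derivation: the key exists only where these attributes are present."""
    material = f"{device_attrs['volume_serial']}|{device_attrs['device_id']}".encode()
    return hmac.new(material, f"stage-{stage}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (illustrative, not a production cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal_stage(plaintext: bytes, device_attrs: dict, stage: int) -> bytes:
    """Encrypt-then-MAC a stage under the device-derived key: nonce || ciphertext || tag."""
    key = derive_stage_key(device_attrs, stage)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_stage(blob: bytes, device_attrs: dict, stage: int) -> Optional[bytes]:
    """Return the stage plaintext, or None when the attributes do not match the sealing drive."""
    key = derive_stage_key(device_attrs, stage)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong drive: the stage stays opaque to the analyst
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def next_stage_name(previous_stage: bytes) -> str:
    """Assumed naming rule: the next loader's file name depends on the previous stage's bytes,
    so altering or re-packing one stage breaks the lookup of the next."""
    return hashlib.sha256(previous_stage).hexdigest()[:16] + ".dat"


def demo() -> tuple:
    """Seal a stage on the original drive, then try to open it from both drives."""
    stage2 = b"stage two payload placeholder"
    blob = seal_stage(stage2, ORIGINAL_DRIVE, 2)
    on_original = open_stage(blob, ORIGINAL_DRIVE, 2)  # analyst supplied the recorded attributes
    on_copy = open_stage(blob, COPIED_DRIVE, 2)        # plain file copy: authentication fails
    return on_original, on_copy, next_stage_name(blob)


if __name__ == "__main__":
    original, copy, name = demo()
    print("opened on original drive:", original)
    print("opened on copied drive:  ", copy)
    print("next loader file name:   ", name)
```

The practical lesson for an analyst is the last line of `demo()`: because the key is never stored with the files, the drive's identifying attributes must be captured together with the files, and the binary must be examined on the original drive or with those attributes supplied, rather than from a copy.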
Tomas Gardon, a malware analyst with antivirus company Eset, wrote: “In addition to the interesting concept of self-protecting multi-stage malware, the (relatively straightforward) data-stealing payload is very powerful, particularly as it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data stealing payload to any other malicious payload.”
According to the study, the malware has primarily targeted companies and firms in African and Latin American countries. Detection rates remain low, and according to VirusTotal, a Google-run service that lets companies track rare malware infections around the globe, the malware is still silent. Gardon could not identify the industries that are most affected.
The malware resembles some state-sponsored attacks seen in the Middle East. The US and Israel targeted Iran's nuclear program with a worm dubbed Stuxnet, which spread on USB drives because the targeted computers had no Internet connection between them. Placing malware on a USB drive bridges what is known as the air gap, and just as Stuxnet bridged that gap for Israel and the US, USB Thief appears to be doing the same.
USB Thief uses a less limiting encryption scheme. The encryption ensures that only the original USB drives that carried the malware can inflict damage and act as infection agents. Eset's study gives no indication of whether a single USB drive can infect an unlimited number of computers, but the fact that the malware is bound to one USB stick suggests the developers had narrow targets in mind and did not want the infection to spread. In effect, the developers prevented copycat attacks and also made reverse engineering of the malware hard.
The report also shows that USB Thief does not rely on autorun features or operating system vulnerabilities to spread. The malware will not install when it detects the presence of Kaspersky Lab or G Data antivirus software, because they slow its progress. This suggests the engineers tested the malware before releasing it.