New Trojan Horse Hiding In USB Devices Detected


A new Trojan horse malware called USB Thief, which is virtually undetectable both before and after it penetrates a computer, was detected by ESET. The software was developed to steal information from computers that are not connected to the internet – computers found mostly in governmental institutes and in security and strategic companies. “The malware hiding inside the USB acts differently compared to former software placed in external devices and has a unique way of spreading,” said Thomas Gordon, malware analyst for ESET. “Once the USB is plugged in, the software starts working and pulls information from the computer without leaving any evidence of stealing information from the infected computer. The software has a unique mechanism which prevents it from being duplicated or copied, so it is very hard to detect and analyze the penetration.”

USB Thief was created for targeted attacks. The software uses sophisticated encryption that ensures it cannot spread outside its intended target environment. Common sense says that fast-spreading malware is a dangerous threat, but it also attracts the attention of security researchers, who immediately set about fixing it and releasing updates. USB Thief instead follows an offline attack strategy, focusing only on air-gapped systems, where it is unlikely to be detected.

The software uses only USB devices to multiply and spread, and it enters them when they are plugged into computers connected to the internet. Information stolen from computers not connected to the web is then transferred back onto the USB device, and once the USB device is plugged into a connected computer again, the stolen information is leaked to the web and to those interested in it. All of this happens without the person carrying the device, who is turned into an unwitting accomplice, ever knowing.

The software easily outsmarts the USB user. USB devices are commonly used to store and carry portable applications. The Trojan hides itself as an extra plugin of such a portable application, or inside a DLL file the portable app loads. Consequently, when the app is deleted from the device, so is the malware.
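The hiding technique described above, a Trojan planted as an extra plugin or DLL beside a portable application on the USB stick, can be caught by keeping an integrity baseline of the stick. The following is an added defensive example, not code from the original article or from ESET: it hashes every file on a mounted USB volume, then flags library files that appeared or changed next to an executable. The folder and file names it uses are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

LIBRARY_SUFFIXES = (".dll", ".ocx")  # assumed "plugin or DLL" file types for this example

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(root):
    """Map every file under root (relative, forward-slash path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest

def find_suspect_libraries(baseline, current):
    """Library files that are new or changed since the baseline and sit in a
    directory that also holds an .exe, i.e. a portable application folder."""
    exe_dirs = {os.path.dirname(p) for p in current if p.lower().endswith(".exe")}
    suspects = []
    for rel, digest in sorted(current.items()):
        if not rel.lower().endswith(LIBRARY_SUFFIXES) or os.path.dirname(rel) not in exe_dirs:
            continue
        if rel not in baseline:
            suspects.append((rel, "added"))
        elif baseline[rel] != digest:
            suspects.append((rel, "modified"))
    return suspects

def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: baseline a clean portable app, then an extra DLL appears beside it."""
    with tempfile.TemporaryDirectory() as usb:
        app = os.path.join(usb, "NotesPortable")  # hypothetical portable app folder
        os.makedirs(app)
        _write(os.path.join(app, "Notes.exe"), b"MZ placeholder")  # placeholder, not a real PE
        _write(os.path.join(app, "core.dll"), b"clean")
        baseline = build_manifest(usb)
        _write(os.path.join(app, "plugin.dll"), b"unexpected")  # the "added plugin" case
        _write(os.path.join(app, "core.dll"), b"tampered")       # the "modified DLL" case
        return find_suspect_libraries(baseline, build_manifest(usb))
```

In practice the baseline manifest would be taken when the stick is prepared on a trusted machine and stored off the stick, so the malware cannot rewrite it.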

“Although this malware is highly sophisticated, its spread can be prevented by closing down as many USB ports as possible in the company’s computers,” says Gordon. “Also, awareness is advised when connecting USB devices from unreliable sources to computers. People need to realize the risks attached to external devices. Several surveys showed that USB devices are treated very carelessly and that people tend to plug any finger-sized device they find into the computer without giving it too much thought. It is also recommended to encrypt even the company’s data backup, especially when it comes to industrial companies.”