It spreads via USB drives and has a self-protection mechanism that makes identification extremely difficult. USB Thief looks more like a precision instrument than a broad-spectrum threat.
Security researchers have discovered a particularly clever, well-concealed piece of malware that can infect systems not connected to any network and, moreover, leaves no trace of its activity. The malware has been named USB Thief, because it spreads via USB sticks and drives and steals large amounts of information once it becomes active. Unlike other malware built to operate via USB, this new threat uses a number of new techniques to bind itself to the drive that hosts it and to ensure that it cannot easily be copied elsewhere for analysis.
USB Thief reportedly uses a multi-stage encryption scheme whose key is derived from the device ID of the USB drive. A chain of loader files also contains a number of filenames that are unique to each instance of the malware; some of these names are based on the exact content of the file and on the time at which the file was created. Consequently, the malware does not run if its files are moved to a drive other than the one originally chosen by its developer.
Tomas Gardon, security analyst at Eset, explained: "In addition to the interesting concept of multi-stage self-protection, the data-theft system is very powerful, especially because it leaves no trace on the infected computer. After the compromised USB drive has been removed, nobody can know that information is missing. In addition, it would not be difficult to redesign the malware to change its course of action, from stealing data to carrying out other criminal operations."
The malware has targeted companies and organizations in Africa and Latin America. Currently the detection rate is extremely low: VirusTotal, the Google-operated service that tracks malware samples and infections around the world, has not yet recorded any trace of it.
USB Thief shares some interesting similarities with known government-backed malware that has for years targeted critical infrastructure in the Middle East. Among these is the famous Stuxnet worm, which the US and Israel released in order to neutralize the Iranian nuclear program; it too spread via USB drives, since many of the targeted systems were not connected to a network. By infecting a system whenever a compromised drive was connected to it, Stuxnet was able to bridge the so-called "air gap". The substantial difference with USB Thief is that the latter is tied to the single USB drive on which it was "born", which is why its spreading efficiency is much lower and indicates its creators' intent to carry out extremely targeted operations.
Unlike most USB-based attacks, USB Thief does not rely on automatic-execution mechanisms or operating system vulnerabilities. Instead, it inserts itself into the execution chain of portable versions of legitimate applications, which are often run from USB drives and are common for programs such as Firefox, Notepad++ and TrueCrypt. The result is that launching the portable app also causes the malware to run in the background.
It also appears that USB Thief's developers focused particularly on the testing phase, to ensure that the malware could operate in a variety of scenarios and conditions. For example, USB Thief will not install itself if Kaspersky Lab or G Data antivirus software is active on the target system, perhaps because these programs are able to detect the malware or cause it to malfunction.