Smooth Criminal: Meet USB Thief, A Malware That Can Attack Systems Without Leaving Any Trace
Another new malware has surfaced, but this one is unlike the others. This alarmingly stealthy trojan cannot be copied or replicated and it can set up camp in your computer without you ever having a clue.
Nicknamed 'USB Thief' by security experts from the ESET antivirus firm, this new USB trojan is equipped with self-protecting mechanisms that enable it to escape detection. It can even infiltrate air-gapped systems, making it an exceptionally useful tool in industrial as well as cyber espionage.
Its ability to reach air-gapped computers (that is, computers deliberately kept off the Internet for security reasons) comes from how it is delivered: the trojan rides on USB devices that carry portable installers of widely used applications such as Firefox, Notepad++, and TrueCrypt. USB Thief inserts itself into the execution chain of these applications, either as a plugin or as a dynamically linked library (DLL), so each time the application is run, the trojan is executed in the background as well.
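The delivery path described above, a loadable DLL or plugin dropped next to a trusted portable application, is something a defender can check for before a USB drive is allowed near an isolated machine. The following Python script is an added example (not code from ESET or from this article) of one such check: it hashes every file in a portable-app directory and compares the result with a baseline manifest taken from a known-clean copy, flagging any DLL, executable or plugin-directory file the baseline does not list, and any baseline file whose content has changed. The directory trees, file names and bytes are constructed for the example; a real deployment would build the manifest from the vendor's original package and walk an actual drive.

```python
import hashlib
from pathlib import PurePosixPath

# File types an application loader will execute if they sit in its search path,
# and directory names that portable apps scan for plug-ins (assumptions for this example).
LOADABLE_SUFFIXES = {".dll", ".exe"}
PLUGIN_DIRS = {"plugins", "extensions"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(clean_tree: dict[str, bytes]) -> dict[str, str]:
    """Record the expected SHA-256 of every file in a known-clean portable install."""
    return {path: sha256_hex(content) for path, content in clean_tree.items()}


def audit_portable_app(tree: dict[str, bytes], manifest: dict[str, str]) -> list[tuple[str, str]]:
    """Compare a USB-resident portable app (path -> bytes) against its baseline manifest.

    Returns sorted (path, reason) findings:
      "unexpected loadable" - a DLL/EXE, or a file inside a plugin directory, absent from the baseline
      "modified"            - a baseline file whose content hash no longer matches
      "missing"             - a baseline file that is not on the drive
    """
    findings: list[tuple[str, str]] = []
    for path, content in tree.items():
        if path in manifest:
            if sha256_hex(content) != manifest[path]:
                findings.append((path, "modified"))
            continue
        parts = PurePosixPath(path)
        in_plugin_dir = any(part.lower() in PLUGIN_DIRS for part in parts.parts[:-1])
        if parts.suffix.lower() in LOADABLE_SUFFIXES or in_plugin_dir:
            findings.append((path, "unexpected loadable"))
    for path in manifest:
        if path not in tree:
            findings.append((path, "missing"))
    return sorted(findings)


# Constructed baseline: a clean portable Firefox layout with placeholder file contents.
CLEAN_TREE = {
    "FirefoxPortable/FirefoxPortable.exe": b"constructed launcher bytes",
    "FirefoxPortable/App/Firefox/firefox.exe": b"constructed browser bytes",
    "FirefoxPortable/App/Firefox/xul.dll": b"constructed xul bytes",
    "FirefoxPortable/App/Firefox/plugins/readme.txt": b"constructed plugins readme",
}
MANIFEST = build_manifest(CLEAN_TREE)

# Constructed suspect drive: same layout plus an extra DLL beside the browser, an extra
# plugin, one tampered library and one baseline file removed. All names are placeholders.
SUSPECT_TREE = dict(CLEAN_TREE)
SUSPECT_TREE["FirefoxPortable/App/Firefox/helper.dll"] = b"constructed unexpected dll"
SUSPECT_TREE["FirefoxPortable/App/Firefox/plugins/npupdate.dll"] = b"constructed unexpected plugin"
SUSPECT_TREE["FirefoxPortable/App/Firefox/xul.dll"] = b"constructed TAMPERED xul bytes"
del SUSPECT_TREE["FirefoxPortable/App/Firefox/plugins/readme.txt"]


if __name__ == "__main__":
    print("clean drive:", audit_portable_app(CLEAN_TREE, MANIFEST))
    for path, reason in audit_portable_app(SUSPECT_TREE, MANIFEST):
        print(f"{reason:20s} {path}")
```

The check is deliberately content-based rather than name-based: because USB Thief derives its file names from file content and creation time, a blocklist of known names would never match, whereas a baseline of hashes catches any file the clean package did not ship, whatever it is called.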
A key aspect of this malware is its highly sophisticated self-protection against copying and reverse engineering, which relies on two operations: AES-128 encryption of certain files, and generation of file names from cryptographic elements.
First, the AES encryption key is computed from the unique USB device ID and certain disk details of the USB drive hosting the malware, so the malware can only run successfully from that one particular device. Second, the name of each subsequent file in the malware's execution chain is derived from the actual content of the file and its creation time, so the file names differ for every instance of the trojan. Together, these techniques make copying or reproducing the malware virtually impossible.
In addition to its multi-step self-protection and its ability to leave no trace on the targeted computer, the malware's data-stealing payload is also extremely powerful and easily modified.
"It would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload," says Tomas Gardon of ESET.
According to ESET's statistics, USB Thief has not been very prevalent of late. Unfortunately, its peculiar ability to bypass air-gap security suggests that it was designed for targeted attacks.