A new USB-based malware has been identified which has unusual powers to evade detection, and which can also leverage the mobility of ‘portable’ applications such as ‘standalone’ versions of Firefox Portable, Notepad++ and TrueCrypt.
The malware, called Win32/PSW.Stealer.NAI or ‘USB thief’, was spotted by ESET, whose researcher Tomas Gardon explains that the code is not only intended to exist exclusively in the environs of a USB stick (rather than attempting to replicate itself onto the host system), but that it resists copying to any other USB stick than the one it is found on, indicating a targeted attack.
USB Thief is oriented towards air-gapped systems which have no internet connectivity, and its lack of reproductive capability represents an unusual signature and intent. The report notes that it is ‘bound to a single USB device, since it is intended that the malware shouldn’t be duplicated or copied. This binding, combined with its sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it, makes it very difficult to detect and analyse.’ USB Thief employs encryption not just to hide itself from scanners which are based on heuristics or signatures, but also to prevent itself running on ‘unauthorised’ USB sticks.
The malware is designed to exfiltrate data from the target system, although no details are provided regarding how it communicates with any control server that might be in play. If there is no control server, the low-network approach of USB Thief would seem to indicate a ‘hands on’ campaign, where the communication of the device takes place at a personal or ‘insider’ level.
Perhaps the most surprising element of the malware is the tight integration with portable versions of applications such as Firefox – and especially the portable version of TrueCrypt. USB-based applications are intended to minimise their footprint on host machines, so an attack on their library features undermines the security mind-set behind them.
‘The USB Thief uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on. It can be stored as a plugin source of portable applications or just a library – DLL – used by the portable application. And therefore, whenever such an application is executed, the malware will also be run in the background.’
The report advises that USB ports be disabled wherever possible, and where not, that strict policies should be enforced regarding their use – which is a problematic philosophy in the age of shadow IT and BYOD.