ESET, a digital protection company, discovered a new data-stealing Trojan malware called USB Thief (Win32/PSW.Stealer.NAI) that affects Windows computers.
USB drives purporting to contain valuable content are infected and generally scattered ("salted") by cyber criminals around victims' offices. This matters because the USB device can also collect information even when the computer is not connected to the internet, in which case someone has to repatriate the device to the cyber-criminal.
Once inserted, it uses Auto-run (executes on insertion) or shortcuts to get users to run it. USB Thief has been found in portable versions of popular applications such as Firefox, Notepad++ and TrueCrypt, but it could infect any .exe file by inserting malware into the command chain via a plugin or a dynamically linked library (DLL).
It doesn’t leave any evidence on the infected computer. Users can have their data stolen without even noticing and without being online.
It also has mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyse. “It seems that this malware was created for targeted attacks on systems isolated from the internet,” comments Tomáš Gardo, ESET Malware Analyst.
“Because it is USB-based, the malware is capable of attacks on systems isolated from the internet without leaving any traces. So the victims don’t notice that their data were stolen,” Gardo says.
“Another feature which makes this malware unusual is that not only is it USB-based, but it is also bound to a single USB device since it is intended that the malware shouldn't be duplicated or copied. This makes it very difficult to detect and analyse.”
How to protect against this threat:
- Do not use USB storage devices from non-trustworthy sources!
- Turn off Auto-run – but that will not help if you click to execute the program
- Format all ‘stray’ USBs on a sandboxed computer – if you don’t need the content
- If you suspect a USB stick, use it on a sandboxed computer with no important information on it
- Be aware that targeted organisations will require someone to repatriate the device to the cyber-criminal. They pay well for this service.
- Regularly back up your data
- Ask your organisation to implement policies for external digital storage devices to avoid information theft
- Warn colleagues and your organisation to carefully work with USB storage
- If you have very sensitive data to protect, protect USB devices with ESET or another antivirus application that specifically checks USB drives
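
For the sandboxed-computer step above, the following is an added example (not ESET's tooling and not a detector for USB Thief itself): a Python script that lists what a suspect stick would launch through Auto-run, plus the shortcuts, executables and DLLs a user could be lured into running. The function names and the sample files are assumptions constructed for the illustration.

```python
import os
import tempfile

LAUNCH_KEYS = ("open", "shellexecute")  # [autorun] keys that start a program
REVIEW_EXT = {".lnk": "shortcut", ".exe": "executable", ".dll": "library"}


def autorun_commands(path):
    """Return (key, command) pairs in autorun.inf that would launch something."""
    cmds, in_section = [], False
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("["):
                in_section = line.lower() == "[autorun]"
            elif in_section and "=" in line and not line.startswith(";"):
                key, value = (part.strip() for part in line.split("=", 1))
                key = key.lower()
                if key in LAUNCH_KEYS or key.endswith("\\command"):
                    cmds.append((key, value))
    return cmds


def triage_drive(root):
    """List launch points on a mounted stick as (kind, relative path, detail)."""
    findings = []
    inf = next((n for n in os.listdir(root) if n.lower() == "autorun.inf"), None)
    # Windows only reads autorun.inf from the drive root
    if inf and os.path.isfile(os.path.join(root, inf)):
        for key, cmd in autorun_commands(os.path.join(root, inf)):
            findings.append(("autorun", inf, f"{key}={cmd}"))
    for folder, _dirs, files in os.walk(root):
        for name in files:
            kind = REVIEW_EXT.get(os.path.splitext(name)[1].lower())
            if kind:
                rel = os.path.relpath(os.path.join(folder, name), root)
                findings.append((kind, rel, ""))
    return sorted(findings)


def build_sample(root):
    """Write a constructed sample tree (empty files, not real malware)."""
    os.makedirs(os.path.join(root, "PortableApp"))
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[AutoRun]\nopen=PortableApp\\app.exe\nicon=app.ico\n")
    for rel in ("Report.lnk", "PortableApp/app.exe", "PortableApp/plugin.dll", "notes.txt"):
        open(os.path.join(root, *rel.split("/")), "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for kind, rel, detail in triage_drive(tmp):
            print(f"{kind:<10} {rel} {detail}")
```

Point `triage_drive` at the stick's mount point on the sandboxed machine; every entry it returns is something to review before opening, not a verdict that the file is malicious.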