USB Thief Malware Targets Air-gapped Systems

usb-thiefA unique USB-based data stealing malware was discovered recently targeting air-gapped systems. Based the findings of malware analyst Tomas Gardon, USB Thief is capable of stealing huge volumes of data once it takes hold of a machine. The malware has several distinct characteristics that are different from traditional malware programs, which usually infect via USB storage devices and Windows Autorun feature. The malware is notable for its capability to infect PCs—even those without an Internet connection—while leaving no traces of compromise. As Gardon notes, “This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze”.

USB Thief uses a series of novel techniques to attach itself to the host system to avoid detection. It infects USB drives thru inserting itself into the command chain of portable installations of legitimate applications such as FireFox, NotePad + +, or TrueCrypt. It is copied as a plug-in or DLL (dynamic link library) and is then executed in the background.

In a big picture scenario, the USB Thief could be a bigger component if infected Internet-connected computers used by employees plug their infected USB sticks back into their computers after using them on air-gapped systems. Attackers would then be able to retrieve the stolen data.

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.