Stealthy malware targeting air-gapped PCs leaves no trace of infection
Researchers have discovered highly stealthy malware that can infect computers not connected to the Internet and leaves no evidence on the computers it compromises.
USB Thief gets its name because it spreads on USB thumb and hard drives and steals huge volumes of data once it has taken hold. Unlike previously discovered USB-born malware, it uses a series of novel techniques to bind itself to its host drive to ensure it can’t easily be copied and analyzed. It uses a multi-staged encryption scheme that derives its key from the device ID of the USB drive. A chain of loader files also contains a list of file names that are unique to every instance of the malware. Some of the file names are based on the precise file content and the time the file was created. As a result, the malware won’t execute if the files are moved to a drive other than the one chosen by the original developers.
“In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer,” Tomáš Gardoň, a malware analyst with antivirus provider Eset, wrote in a blog post published Wednesday. “After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload.”