USB Thief Infects ‘Air-gapped’ Computers And Leaves No Trace
Gareth Andrews / 8 years ago
Malware (short for malicious software) is a type of program that is intended to cause harm to a system, be it in the form of ransomware, like that which has hit several hospitals in the US, or just you generic popup creating malware. A new malware named USB Thief, looks to break the chain of common threats by hiding itself and infecting systems even when they aren’t connected to the internet.
The internet is a wonderful thing but the problem with everyone being able to share and talk to one another is that sending something nasty is as easy as clicking a button (or in some cases, the software even does this for you). USB Thief avoids this by working on USB sticks, the very same ones you use to send information to and from your computer to your parents or even your friends.
The software hides by only executing under a certain set of rules, that is using a key created from the original USB drive it was created for. Even when it does spread it uses a unique key created using the ID of the USB stick and the time, meaning that traditional attempts to copy and discover the malware fail when suddenly it has unknown hardware in the mix.
Not only does it mean it won’t always execute, breaking the common rule of repeated behaviour is traceable behaviour, but it doesn’t leave any evidence on the infected computer, meaning your data could be stolen and you wouldn’t even know it. USB Thief lives up to the second part of its name, with it at the moment only working to steal data, but Tomáš Gardoň, a malware analyst with antivirus provider Ese says that “it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload”.
By avoiding the internet and focusing on the more traditional method of using USB drives, the virus is able to infect systems similar to how Stuxnet worked, enabling it to infect ‘air-gapped’ system (those which aren’t connected to the internet). With the USB lock in place, only the original USB created by its designers can infect systems, meaning if you didn’t create the original you won’t be able to use it.
If that wasn’t enough the USB Thief’s developer seems to have done its homework as it only runs as part of a command from portable versions of legitimate applications like Notepad++ and Firefox. If you’re running Kaspersky Lab or G Data though you should be okay as the malware won’t install itself on your system, a feature that was no doubt down to results from some initial testing.