USB Thief Malware Doesn’t Need Internet to Spread

Most people worry that their computers will be infected by malware picked up on the Internet, and some know enough to avoid phishing scams by not clicking malicious links in emails. Now a newly discovered USB-based malware can infect networks without touching the Internet at all: it spreads entirely through devices that plug into computer USB ports. The malware, called “USB Thief,” can be used for targeted attacks on networks that are connected to the Internet.

The malware is virtually undetectable, since it cannot be reverse-engineered or copied. USB Thief also piggybacks on portable applications: if someone runs an app like Firefox Portable, the USB Thief malware runs along with it. According to the research company that discovered USB Thief, it is a multi-stage malware that covers its tracks; once the USB stick is removed, it is difficult to figure out what data was stolen.

Each malware sample is installed onto a particular USB stick and bound to that stick. If someone copies a sample of USB Thief onto another device in order to study it, that sample will not run. The filenames in the malware's execution chain vary and are tied to when each file was created; copied samples keep the same names but get different file creation times, so they will not run. Some of the individual files in the malware are also encrypted, and the encryption key is tied to the USB's device ID, which prevents the malware from running on a different device.
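The following is an added illustration of the device-binding idea described above; it is not code from this post or from the researchers' analysis, and the exact binding scheme (key = SHA-256 of the USB serial and the stage file's creation time, HMAC-SHA256 keystream and tag) is an assumption chosen to make the point runnable. It shows why a sample copied to an analyst's machine, which changes the creation time, or to a different stick, which changes the device ID, fails to decrypt, and therefore why an investigation needs the original device and its metadata, not just the files.

```python
"""Toy device-bound encryption (added example; scheme is hypothetical)."""
import hashlib
import hmac
from typing import Optional


def derive_key(device_id: str, creation_time: int) -> bytes:
    """Key tied to the USB device serial and the file's creation time.

    Hypothetical scheme: SHA-256(device_id || creation_time).
    """
    material = f"{device_id}|{creation_time}".encode()
    return hashlib.sha256(material).digest()


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; fine for a demonstration, not a production cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, key: bytes) -> bytes:
    """Encrypt and append a 32-byte authentication tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unseal(blob: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not match (the copied-sample case)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, len(ct))))


# Constructed scenario: a serial, a creation timestamp and placeholder stage content.
ORIGINAL_DEVICE = "USB-SERIAL-0001"          # constructed device serial
ORIGINAL_CTIME = 1458000000                  # constructed file creation time
STAGE_CONFIG = b"placeholder next-stage configuration"  # constructed content


def build_bound_blob() -> bytes:
    """Seal the stage content to the original device and creation time."""
    return seal(STAGE_CONFIG, derive_key(ORIGINAL_DEVICE, ORIGINAL_CTIME))


def runs_on(blob: bytes, device_id: str, creation_time: int) -> bool:
    """True only when the blob can be opened with a key derived from this device and timestamp."""
    return unseal(blob, derive_key(device_id, creation_time)) == STAGE_CONFIG


if __name__ == "__main__":
    blob = build_bound_blob()
    print("original stick, original timestamps:", runs_on(blob, ORIGINAL_DEVICE, ORIGINAL_CTIME))
    # Copying the file elsewhere gives it a new creation time.
    print("copied to analyst machine:          ", runs_on(blob, ORIGINAL_DEVICE, 1458100000))
    # A different stick has a different device ID.
    print("copied to another USB stick:         ", runs_on(blob, "USB-SERIAL-0002", ORIGINAL_CTIME))
```

The practical takeaway for responders is that a plain file copy destroys both binding inputs at once, so the device serial and original timestamps must be recorded (or the stick imaged) before the files are moved for analysis.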

Right now the malware can only steal files, but it could be redesigned to do other things. The Trojan is bound to a single USB device, which means most people are safe from this particular threat. However, this malware is alarming because it can be introduced to computers that are kept off the Internet for security reasons. Examples include government computers that store sensitive data, but other air-gapped targets sit in the energy sector: USB Thief can target critical infrastructure systems that control equipment at power plants and nuclear facilities. The USB Thief malware can also be useful in conducting cyber espionage.

Government agencies should be concerned about data protection, malware detection, and endpoint security now that they are vulnerable to malware that doesn't need the Internet to infect networks. They need to make sure their networks are clear of malware, especially now that malware like USB Thief can infect networks and go undetected. Promisec Endpoint Manager (PEM) offers ways for government agencies to keep their networks secure, and below are three tips that can help:

  1. Monitor Networks Continuously: Government agencies can use PEM to monitor their networks for suspicious activity. PEM can inspect all aspects of endpoint assets, not just what is running in memory. By continuously monitoring networks for cyber threats, agencies can avoid a malware infection.
  2. Install Security Updates: PEM can automatically install all necessary security updates, which prevents malware from exploiting known vulnerabilities. By keeping patches current, PEM preemptively blocks ways for malware to infect a network.
  3. Remediation: PEM offers advanced remediation capabilities that let agency IT teams close gaps in operational health and protect endpoints. PEM integrates fully with incident response processes and allows security professionals to fix issues remotely.