Not another USB propagated malware!
Not long ago we faced the BadUSB threat, and now security researchers have discovered another sophisticated piece of malware that spreads through USB devices. The “USB Thief”, as it is called, appears to be a highly specialized “thief”: it can penetrate networks undetected, leaves no traces, and works only on the USB drive on which the attacker placed it. According to the ESET researchers, it also includes mechanisms that prevent it from being copied, which hinders malware analysis and discovery.
How it works
When an infected USB device is connected, the malware executes alongside the portable applications stored on it and runs in the background, posing as a plug-in or a DLL file of one of them. It makes its way onto the user’s computer, steals data and vanishes in no time, leaving no evidence of the damage it did. It also protects itself against reverse engineering and analysis with AES-128 encryption, which additionally serves to bind the Trojan to a specific device. It works in four stages:
- execution of the Trojan from the USB device via a portable application, together with a check that the device is writeable;
- verification of the parent process’s name, to make sure it is not running in an analysis environment;
- inspection for the presence of an antivirus with real-time protection;
- the fourth stage, in which the data is actually stolen.
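The execution pattern described above (a plug-in, DLL or child process launched from removable media alongside a portable application) can be hunted for in endpoint telemetry. The following is an added example, not code from the original post or from ESET; it runs a simple heuristic over constructed Sysmon-style records (process create, Event 1, and image load, Event 7, flattened to key=value pairs), and assumes the set of removable drive letters is known from a USB or asset inventory, since Sysmon itself does not record the drive type.

```python
import re
from typing import Dict, List

# Assumption: drive letters currently mounted as removable media, taken from
# the endpoint's USB/asset inventory (or a Device Control product's event feed).
REMOVABLE_DRIVES = {"E:", "F:"}

# Constructed sample records (one per line). Field names follow Sysmon's
# Event 1 / Event 7 schema; every path and user below is made up.
SAMPLE_LOG = """\
EventID=1|Image=C:\\Windows\\explorer.exe|ParentImage=C:\\Windows\\System32\\userinit.exe|User=CORP\\alice
EventID=1|Image=E:\\PortableApps\\NotepadPortable.exe|ParentImage=C:\\Windows\\explorer.exe|User=CORP\\alice
EventID=7|Image=E:\\PortableApps\\NotepadPortable.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true
EventID=7|Image=E:\\PortableApps\\NotepadPortable.exe|ImageLoaded=E:\\PortableApps\\plugins\\helper.dll|Signed=false
EventID=1|Image=E:\\PortableApps\\plugins\\svc.exe|ParentImage=E:\\PortableApps\\NotepadPortable.exe|User=CORP\\alice
EventID=7|Image=C:\\Program Files\\App\\app.exe|ImageLoaded=C:\\Program Files\\App\\lib.dll|Signed=false
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)


def on_removable(path: str) -> bool:
    """True if the Windows path starts with a drive letter in REMOVABLE_DRIVES."""
    m = re.match(r"^([A-Za-z]:)\\", path)
    return bool(m) and m.group(1).upper() in REMOVABLE_DRIVES


def hunt(log_text: str) -> List[str]:
    """Return one finding per record matching the USB-borne execution pattern."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec:
            continue
        eid = rec.get("EventID")
        # An unsigned DLL loaded from removable media: the "plug-in/DLL" disguise.
        if eid == "7" and on_removable(rec.get("ImageLoaded", "")) \
                and rec.get("Signed", "").lower() == "false":
            findings.append(f"unsigned DLL from removable media: {rec['ImageLoaded']} loaded by {rec['Image']}")
        # A portable app on the stick spawning another executable from the same stick.
        elif eid == "1" and on_removable(rec.get("Image", "")) \
                and on_removable(rec.get("ParentImage", "")):
            findings.append(f"process chain confined to removable media: {rec['ParentImage']} -> {rec['Image']}")
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Legitimate portable applications also load their own DLLs from the stick, so these are triage leads to be reviewed together with the device inventory, not a signature for this particular Trojan.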
How can infection be prevented
We are talking about a very intelligent Trojan that is difficult to detect and to destroy; however, there are some prevention measures that can ensure the USB Thief does not invade your company’s computers by “breaking and entering”, or, in this case, “entering and breaking”.
- Make sure your staff is aware of this malware and how it works, and that they do not connect any USB device from an unknown source. Several experiments with strategically placed USB devices have shown that people’s curiosity leads them to plug unknown USB sticks into their computer to see the content, without considering that the sticks might be infected.
- Implement Device Control solutions that control the use of portable storage devices such as USB sticks, external HDDs and others, and restrict the use of USB devices. Moreover, with the option to create policies per device, per user, per computer or per group, and even to enforce the use of only encrypted or company-issued devices, employees’ day-to-day activities will not be interrupted.
While no software solution provides instant staff training, choosing a cross-platform Device Control solution can make an IT administrator’s life much easier. Selecting a solution like Endpoint Protector 4 can ensure the USB Thief has a hard time getting hold of any confidential information, regardless of whether it attempts this on a Windows, Mac or Linux computer.