A new USB-based malware has recently been discovered that poses a serious security risk to enterprises. While USB-based malware is not new, the discovery of Win32/PSW.Stealer.NAI – also known as USB Thief – has caused particular concern.

New USB-Based Malware Leaves No Trace of Infection or Data Theft

The malware is only transmitted via USB drives and leaves no trace of an attack on a compromised computer. Consequently, it is incredibly difficult to detect. The malware is capable of stealing and transmitting data, yet users will be unaware that their data has been being stolen.

The new USB-based malware was recently discovered by security firm ESET. The discovery stands out because the USB-based malware is quite different to other malware commonly used by cybercriminals to steal data.

For a start, the malware has been designed not to be copied and can only be spread via USB devices. The malware derives its key from the USB drive’s device ID, and is bound to the specific portable drive on which it has been installed. If the malware is copied to another drive it will not run because it uses file-names that are specific to each copy of the malware. This means the malware cannot spread and infect systems other than those it is being to attack.

The malware also uses multi-staged encryption that is also bound to the USB drive, which ESET says makes it exceptionally difficult to detect and analyze.

Malware Capable of Attacking Air-Gapped Computers

Many organizations make sure sensitive data is not exposed by not connecting computers to the Internet. However, while air-gaps are an effective protection against most malware attacks, they do not protect against USB-based malware. USB Thief can be used to steal data from air-gapped computers and once the infected USB drive has been disconnected there will be no trace left that any data have been stolen.

It has been hypothesized that the malware has been created to be used in targeted attacks on specific companies in order to steal proprietary enterprise data. ESET has warned that while the USB-based malware is being used only as a data stealer, attackers could tweak the malware to deploy any other malicious payload. This means that the malware could be used to sabotage systems.

ESET reports that the USB-based malware has been used to target companies in Africa and Latin America and warned that detection rates are particularly low. No information has been released to indicate which industries are being targeted with the malware at this point in time.

USB-based malware has previously been used in state-sponsored attacks on organizations. Stuxnet was also used to attack air-gapped systems, predominantly in the Middle East. However, Stuxnet inflected collateral damage as it was capable of self-replicating. It was therefore rapidly picked up and analyzed and action was rapidly taken to block infections.

In this case, the USB-based malware cannot be copied so it is unlikely to spread outside of a targeted system. It is likely to remain incredibly difficult to detect. USB Thief appears to have been extensively tested. Since there is a possibility that it can be identified by G Data and Kaspersky Lab anti-virus solutions, USB Thief performs a quick check to see if those anti-virus solutions are installed. If they have the malware will not run.

Preventing USB-Based Malware Attacks

Disabling autorun for USB drives will have no effect on USB Thief. The USB-based malware does not rely on being automatically run when plugged into a computer. Instead it is inserted into the files of portable applications often stored on USB drives, such as Firefox, TrueCrypt, and NotePad++. When these applications are run, USB Thief will run in the background.

It is possible to take precautions to prevent an attack by disabling USB ports. Even though there is a high risk of infection from an unknown USB drive, many individuals that find USB drives plug them straight into their computers. Staff should therefore be instructed never to plug in a USB drive from an unknown source.