Antivirus firm ESET has discovered a unique Trojan program, dubbed USB Thief, that is almost undetectable and is designed to steal information from PCs not connected to the internet. Win32/PSW.Stealer.NAI, or USB Thief, differs greatly from traditional malware programs and has a unique way of spreading via USB storage devices.
What makes this Trojan really dangerous is that it leaves no evidence of the theft on the compromised computer. Its makers have employed a unique mechanism to protect the malware from being reproduced or copied, which makes it harder to detect and analyze.
USB Thief is created for targeted attacks
USB Thief uses intelligent encryption that does not follow the encryption methods malware programs traditionally use. Its special encryption ensures that it does not spread in large numbers outside its target environment.
Conventional wisdom says that malware which spreads quickly is the most dangerous, but such programs also attract immediate attention from security researchers, who ensure that fixes and updates are released promptly. Because USB Thief adopts an offline attack strategy and targets only air-gapped systems, it is almost a certainty that it will not be detected.
The malware tricks users easily
According to surveys, people do not exercise much caution before plugging USB storage into their PCs.
This malware can easily trick such users because it employs an uncommon way to spread. USB devices are commonly used to store and transfer portable applications such as Firefox Portable, Notepad++ Portable, TrueCrypt Portable, and so on. The Trojan file of USB Thief can reside as a plugin of a portable application or in a DLL file used by the portable application. Hence, whenever such an application is executed, the malware is executed too.
How to protect against USB Thief
While USB Thief looks deadly, it is possible to prevent its spread by disabling USB ports wherever possible. Exercising caution before inserting USB drives from untrusted sources into PCs is also recommended, says ESET.
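As an added defender-side example (not from the article or from ESET), the following Python script checks a portable application folder on a USB drive against a baseline of file hashes taken from a trusted copy, so that a plugin or DLL planted beside the app, the persistence route described above, shows up as an added or modified loadable file before the app is launched. The file names, contents and directory layout in demo() are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types a portable application loads when launched; a planted plugin or
# DLL shows up as a new or changed file of one of these types.
LOADABLE = {".exe", ".dll", ".ocx", ".xpi", ".js"}

def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def baseline(app_dir) -> dict:
    """Hash every loadable file under a trusted copy of the portable app."""
    root = Path(app_dir)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in LOADABLE}

def verify(app_dir, expected: dict) -> dict:
    """Compare the copy on the USB stick with the baseline; an all-empty result
    means nothing the app would load at start-up has been added or changed."""
    current = baseline(app_dir)
    return {"added": sorted(set(current) - set(expected)),
            "modified": sorted(k for k in expected
                               if k in current and current[k] != expected[k]),
            "missing": sorted(set(expected) - set(current))}

def demo() -> dict:
    """Constructed sample: a fake portable app, then a tampered plugin folder."""
    tmp = Path(tempfile.mkdtemp())
    try:
        (tmp / "plugins").mkdir()
        (tmp / "App.exe").write_bytes(b"MZ trusted launcher")
        (tmp / "plugins" / "spell.dll").write_bytes(b"MZ trusted plugin")
        (tmp / "readme.txt").write_text("not loadable, ignored by the check")
        known_good = baseline(tmp)
        # Simulate tampering: one plugin replaced, one extra DLL dropped in.
        (tmp / "plugins" / "spell.dll").write_bytes(b"MZ replaced plugin")
        (tmp / "plugins" / "update.dll").write_bytes(b"MZ unexpected file")
        return verify(tmp, known_good)
    finally:
        shutil.rmtree(tmp)
```

In practice the baseline is taken from the app's original download and stored off the USB drive, and the drive is verified from a machine that has not yet run anything from it.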
Indeed, such USB things do happen; for months before upgrading Windows 7 to Win 10 last summer on one device, I went mad for months trying to find how the more mundane but pernicious Dregol search engine changer kept coming back to HDD and portable browsers after removal from HDD with antimalware; I went through so many registry keys looking for legacy keys generated, found none, twice re-installed Windows 7 and ran tools Trend Micro and MBAM then had for checking for CPU/kernel patches and checking disk outside of OS…nothing. Turned out Dregol had spread itself into plugins et al. for an open source graphics program despite the fact it was packed into a download of a certain free screencasting app…finding code containing the word “skYneT” in one plugin and removing it stopped the reappearance of Dregol browser search hijacking in all browsers. Since then I still use Comodo FW and a few other things to ultra-regulate anything that wants to open from USB, sandboxed or not, familiar or not. And when I get any new USB or SD card, the first thing I do is run Privazer over it, then reformat twice before using. Thanks for this article, cheers!
you’re a little paranoid lol