Analysis: Inside the USB Thief self-protection mechanism

USB Thief is not just the usual PR puff-wrapped FUDfest, but actually a rather intriguing development in stealth malware technology

Researchers at ESET have this week revealed technical details of a rather interesting new piece of malware called USB Thief. Not only does the malware, a data-stealing Trojan, exclusively use USB devices for propagation, but it also features a remarkable mechanism for self-protection. The aptly-named USB Thief differs from your typical piece of data-stealing malware in many ways, not least in that it is tied to a single, specific USB device. This prevents it from leaking from the target and enables a very stealthy attack methodology against even air-gapped systems.

Although the email informing us about the malware nearly had us reaching for the ‘nonsense file’ here at IT Security Thing HQ, courtesy of the line “cannot be detected or reverse-engineered” quickly followed by “has been discovered in the wild” – we persevered and are glad we did. What we found was not just some PR puff-wrapped FUDfest but rather a truly intriguing development in malware technology. Obviously whoever wrote the ‘cannot be detected’ line needs to lie down in a dark room for a bit, as ESET appears to have spotted it. The truth is that USB Thief (or Win32/PSW.Stealer.NAI, as ESET formally labels it) remains very hard to detect courtesy of the self-protection mechanisms it uses.
