USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems

Posted by msmash on Thursday March 24, 2016 @06:06AM from the security-woes dept.

Reader itwbennett writes: A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said. The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers added.

1 of 83 comments (clear)

Min score:

Reason:

Sort:

Re:Confused by duke_cheetah2003 · 2016-03-24 07:48 · Score: 3, Insightful

Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?
This feels more like a 'inside job' type trojan, where a person can stick it into a PC they're already trusted to use, and suck everything of value off it to review later. I mean, the way it's difficult to copy and stuff makes it suspiciously not very trojan like. Trojans/malware like to spread easily.
Encrypting the slurped data just feels like plausible deniability for the attacker if the USB were confiscated and inspected.