USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems

Reader itwbennett writes: A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said. The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers added.

I lost my USB drive. I wrote a program that autom

I lost my USB drive. I wrote a program that automatically backs up my computer when I plug it in (of course encrypted). I guess they found it.

Re:Linux? BSD?

[MobileTatsu-NJG]

That depends, does Linux and BSD finally support USB drives?

Confused

How does the trojan get installed on the USB stick in the first place? Either you are using USB drives provided by a stranger (who does that?) or someone has stolen your drive, installed their software, and replaced it without your knowledge. Plausible, but not a great way to propagate this to more than a few specific people.

Re:Confused

[duke_cheetah2003]

Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?

This feels more like a 'inside job' type trojan, where a person can stick it into a PC they're already trusted to use, and suck everything of value off it to review later. I mean, the way it's difficult to copy and stuff makes it suspiciously not very trojan like. Trojans/malware like to spread easily.

Encrypting the slurped data just feels like plausible deniability for the attacker if the USB were confiscated and inspected.

Re:Gushing?

[tlambert]

State of the art? How is this any different than the viruses that were passed around 30 years ago on c64 floppies?

USB drives are large enough to contain Java and Python programs, so that recent college graduates can finally write viruses again. C64 floppies are not large enough.

Re:Air gapped

[khasim]

Since your air-gapped computer doesn't have network capabilities (duh) the only reasonable way to do that is with a USB drive.

Not if you really do not want that key to be leaked.

USB drives are too easily compromised.

Use a CD drive instead. Yes, you CAN still buy them. And verify the CD on a different computer.

I had my info stolen

[blogagog]

I had the info stolen off my computer last year. The thieves who took it are now slightly dumber for having read it.

Re:Air gapped

[Bob+the+Super+Hamste]

And yes this is how secure systems operate. You have a box that you load an ISO image onto that goes and checks that image with a battery of AV and other security products and then produces a CD or DVD that you then go and bring with you into your secure server room to load onto the servers. The disk then lives in that room until it gets fed to a shredder. Any electronic gadgets that enter the room remain in the room until they also get fed to a shredder.

Yes I have been in such facilities and even got to see one of my co-workers lose his new iPhone to the shredder because he didn't heed the warnings.

Re:Air gapped

[networkBoy]

" see one of my co-workers lose his new iPhone to the shredder"

Bwahahahahaha awesome!
We have systems that are not air gapped (as I can remotely access them) but are not connected to the network either. We use an IP KVM solution to connect keyboard, mouse, monitor remotely. Much more secure against this kind of attack. Of course bad guy at terminal or prepared for such setup can script keyboard commands and series of screenshots, but the barrier is much higher than direct connected systems.

Defense in depth.
-nb