steven36 Posted March 23, 2016

Security researchers have discovered a new data-stealing Trojan that makes special use of USB devices in order to spread itself and does not leave any trace of activity on the compromised systems. Dubbed USB Thief (or Win32/PSW.Stealer.NAI), the malware has the capability of stealthily attacking air-gapped or isolated computers, warns security firm ESET. The malware author has employed special programs to protect USB Thief from being reproduced or copied, making it even harder to detect and reverse-engineer. USB Thief has been designed for targeted attacks on computer systems that are isolated from the Internet, according to ESET malware analyst Tomáš Gardoň.

The 'USB Thief' Trojan Malware

The USB Thief Trojan malware is stored either as a portable application's plugin source or as a Dynamically Linked Library (DLL) used by the portable application. Since USB devices often store popular applications like Firefox, Notepad++ or TrueCrypt portable, once any of these applications is executed, the malware starts running in the background. USB Thief is capable of stealing data from air-gapped systems – systems that are isolated from the Internet and other external networks.

"Well, taking into account that organizations isolate some of their systems for a good reason," explained Peter Stancik, the security evangelist at ESET, "any tool capable of attacking these so-called air-gapped systems must be regarded as dangerous."

The malware runs from a USB removable device, so it doesn't leave any traces of its activities, and thus victims do not even notice that their data has been stolen. Since the malware is bound to a single USB device, this prevents USB Thief from leaking from the infected computers. Besides this, USB Thief utilizes a sophisticated implementation of multi-staged encryption that makes the malware harder to detect and analyse.

"This is not a very common way to trick users, but very dangerous," Stancik said. "People should understand the risks associated with USB storage devices obtained from sources that may not be trustworthy."

Source
info999 Posted March 24, 2016

How on earth is the Thief going to get their loot if the machine is isolated?
steven36 Posted March 24, 2016 Author

Original article: ESET discovers new USB-based data stealing malware

Quote:

Tomáš Gardoň, a malware analyst at ESET, explains to We Live Security why a trojan, detected by ESET as Win32/PSW.Stealer.NAI – and dubbed USB Thief – is worth knowing about.

“The USB Thief is, in many aspects, different from the more common malware types that we’re used to seeing flooding the internet,” Mr. Gardoň notes. “This one uses only USB devices for propagation, and it does not leave any evidence on the compromised computer. Its creators also employ special mechanisms to protect the malware from being reproduced or copied, which makes it even harder to detect and analyze.”

When reading about new malware, the first question that comes to mind is ‘What is the goal of its creator?’ What is your take on the USB Thief?

We can guess their intentions from the capabilities implemented in the malware. Because it is USB-based, the malware is capable of attacks on systems isolated from the internet. Another benefit of being run from a USB removable device is that it leaves no trace – victims don’t notice that their data has been stolen. Another feature – and one that makes this malware unusual – is that not only is it USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn’t be duplicated or copied. This binding, combined with its sophisticated implementation of multi-staged encryption that is also bound to features of the USB device hosting it, makes it very difficult to detect and analyze.

Could you elaborate on the reasons behind binding the malware to a particular device and encrypting it?

Traditionally, malware is often encrypted, and the obvious reason is that encryption prevents the malware from being detected or – if it gets detected – from being analyzed. In this case, encryption also serves the purpose of binding the malware to a particular device.

As for the reasons for binding to a particular device – this obviously makes it harder for the malware to spread, but on the other hand it prevents it from leaking outside the target environment. And, given that the attack leaves no traces, the chances are that the malware won’t be spotted if kept on the USB device and wiped off the machine after completing its mission. To sum up, to me it seems that this malware has been created for targeted attacks.

Malware capable of targeted attacks against systems isolated from the internet – it’s quite a dangerous tool, isn’t it?

Well, taking into account that organizations isolate some of their systems for a good reason … yes. Any tool capable of attacking these so-called air-gapped systems must be regarded as dangerous. More so if it is able to disappear without leaving any trace.

How can organizations prevent attacks based on such malware from succeeding?

This malware is unique because of some particular features, but the defense against it still falls within the capabilities of general cybersecurity measures. Most importantly, USB ports should be disabled wherever possible and, if that’s not possible, strict policies should be in place to enforce care in their use. It’s highly desirable for staff at all levels to undergo cybersecurity training – including real-life testing – if possible …

… Not to get tricked into running the malware, right?

Unfortunately, this is not the case with the USB Thief, as it uses an uncommon way to trick a user – it benefits from the fact that USB devices often store portable versions of some common applications like Firefox portable, Notepad++ portable, TrueCrypt portable and so on. It can be stored as a plugin source of portable applications or just a library – DLL – used by the portable application. And therefore, whenever such an application is executed, the malware will also be run in the background.

But people should understand the risks associated with dealing with USB storage devices from sources that may not be trustworthy. Several surveys have shown that people are surprisingly likely to insert every thumb drive they may find into their computers. Of course, other means of protecting data should also be deployed – from perimeter protection to encryption to data backup.

When we talk about air-gapped systems, these may also be industrial systems, right?

This malware is not that serious of a threat to industrial systems, as it is only capable of stealing data …

Well, there are many ways in which bad guys could damage a system once they get into it.

And this malware’s payload can be redesigned, moving away from data stealing to any other kind of malicious action.

Mr. Gardoň has delivered a technical analysis of the trojan here.

http://www.welivesecurity.com/2016/03/23/eset-discovers-new-usb-based-data-stealing-malware/
straycat19 Posted March 24, 2016

I find the statement that the malware is not able to be copied and examined unreliable. There are many ways to capture and examine malware, and since this will run on an isolated machine it makes it even easier. I checked the malware repositories and there isn't anything like this available yet, but someone will come up with an infected drive or key and post a forensic image that can be used to conduct research on. Man wrote it so man can destroy it.
steven36 Posted March 24, 2016 Author

44 minutes ago, straycat19 said:

I find the statement that the malware is not able to be copied and examined unreliable. There are many ways to capture and examine malware, and since this will run on an isolated machine it makes it even easier. I checked the malware repositories and there isn't anything like this available yet, but someone will come up with an infected drive or key and post a forensic image that can be used to conduct research on. Man wrote it so man can destroy it.

Why don't you go over to welivesecurity and contact the person who found this, http://www.welivesecurity.com/author/tgardon/, and have a dick size contest with him? You can contact him here: http://www.welivesecurity.com/contact-us/

Now you say you can break AES encrypted malware? If you're a security expert, why don't you go bother them instead of boring us with your bragging? Do you have any proof you can do any of this? Someone can tell me they're a movie star and be homeless on a government handed-out cellphone; this is the internet. I had some tell me they were rich before and they downloaded warez. I don't believe everything I read on here. But I bet you this Tomáš Gardoň has a proof of concept or he would have never reported it, now where is yours?
steven36 Posted March 24, 2016 Author

Quote:

New self-protecting USB trojan able to avoid detection, proof of concept.

A unique data-stealing trojan has been spotted on USB devices in the wild – and it is different from typical data-stealing malware. Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect. In this article we will examine the technical details of this interesting malware.

Where other malware uses ‘good old-fashioned approaches’ like Autorun files or crafted shortcuts in order to get users to run it, USB Thief also uses another technique. This method depends on the increasingly common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives. The malware takes advantage of this trend by inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background. What really sets this malware apart, however, is its self-protection mechanism.

The protection mechanism

The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements.

The AES encryption key is computed from the unique USB device ID and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.

The name of the next file in the malware execution chain is based on the actual file content and its creation time. It is the first five bytes of the SHA512 hash computed from the mentioned attributes (file content concatenated with eight bytes of the creation time). Because of this, filenames are different for every instance of this malware. Moreover, copying the malware to a different place will replace the file creation time, so that malicious actions associated with the previous locality cannot be reproduced. For a better understanding of the naming technique, please see the image below.

It was quite challenging to analyze this malware because we had no access to any malicious USB device. Moreover, we had no dropper, so we could not create a suitably afflicted USB drive under controlled conditions for further analysis. Only the submitted files could be analyzed, so the unique device ID had to be brute-forced and combined with common USB disk properties. Moreover, after successful decryption of the malware files, we had to find out the right order of the executables and configuration files, because the file copying process to get the samples to us had changed the file creation timestamp on the samples.

The execution flow of the malware is quite simple. Each loader, in turn, loads and executes the following loader, identified by the computed hash according to the naming technique described above. However, the execution must always start with the first stage loader, otherwise the malware terminates itself.

First stage loader

The first stage loader is just the malware’s starting point and its main goal is to trick the user into running it. This can be done in several ways, but the most interesting is the use of portable applications. We have seen portable Notepad++ compromised by a malicious plugin as well as a TrueCrypt portable compromised by a malicious “RichEd20.dll”. This loader also checks whether it is executed from a USB device and whether it is writeable, which is important because the payload will store stolen data here.

Second stage loader

The second stage loader is located using the first stage hash. Subsequently, its configuration file is found using its own hash. The configuration file contains the encrypted name of the parent process to be verified. This is an anti-debugging trick, which will cause termination of the malware if it is running under a different parent process, i.e. a debugger. Finally, the hash of the configuration file is used to compute the name of the third stage loader.

Third stage loader

The third stage loader handles some anti-AV checks. If one of the processes “avpui.exe” (Kaspersky security software) or “AVKTray.exe” (G Data security software) is running, execution is stopped. Its configuration file is found by the same technique as used by its predecessor, as is the payload executable. It also creates a named pipe to be used to pass the configuration data to the payload. The pipe name consists of the first 30 bytes of a SHA512 hash computed from the computer name.

Payload

Finally, the payload implements the actual data-stealing functionality. The executable is injected into a newly created “%windir%\system32\svchost.exe -k netsvcs” process. Configuration data includes information on what data should be gathered, how it should be encrypted, and where it should be stored. The output destination must always be on the same removable device. In the case we analyzed, it was configured to steal all data files such as images or documents, the whole Windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called “WinAudit”. It encrypts the stolen data using elliptic curve cryptography.

Conclusion

In addition to the interesting concept of self-protecting multi-stage malware, the (relatively simple) data-stealing payload is very powerful, especially since it does not leave any evidence on the affected computer. After the USB is removed, nobody can find out that data was stolen. Also, it would not be difficult to redesign the malware to change from a data-stealing payload to any other malicious payload.

As ESET’s statistics show, this malware is not very widespread. However, it possesses the ability to be used in targeted attacks – especially against computers that are not connected to the internet for security reasons.

Our detection names:
payload: Win32/PSW.Stealer.NAI trojan
loaders: Win32/TrojanDropper.Agent.RFT trojan

SHA1 hashes of decrypted binaries:
2C188C395AB32EAA00E6B7AA031632248FF38B2E
B03ABE820C0517CCEF98BC1785B7FD4CDF958278
66D169E1E503725A720D903E1DFAF456DB172767
4B2C60D77915C5695EC9D3C4364E6CD6946BD33C
76471B0F34ABB3C2530A16F39E10E4478CB6816D

http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/
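To make the naming scheme in the quoted analysis concrete from the analyst's side, here is an added example (not ESET's tooling and not code from the malware) that rebuilds the loader chain from files carved out of a forensic image of the drive, shows why a plain file copy breaks the chain (the creation time the names were derived from is lost, which is exactly the problem the analysts describe), and computes the third-stage pipe name so it can be matched against host pipe-creation telemetry. The hex rendering of the five hash bytes, the little-endian 64-bit FILETIME layout of the eight creation-time bytes, and ASCII encoding of the computer name are assumptions not stated in the write-up; the sample files are constructed.

```python
"""Forensic reconstruction of a USB Thief-style loader chain (added example).

Per the write-up, each file locates the next stage by name, and that name is the
first five bytes of SHA-512(file content || 8 bytes of creation time).  Assumptions
made here: hex filename rendering, little-endian FILETIME, ASCII computer name.
"""
import hashlib
import struct
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Recovered:
    """One file as carved from a forensic image of the removable drive."""
    name: str      # filename exactly as found on the drive
    content: bytes
    ctime: int     # creation time as a 64-bit FILETIME (assumed layout)


def derived_name(content: bytes, ctime: int) -> str:
    """Name the *next* stage would carry under the write-up's naming scheme."""
    digest = hashlib.sha512(content + struct.pack("<Q", ctime)).digest()
    return digest[:5].hex()           # hex rendering is an assumption


def find_links(files):
    """Triage helper: map each file to the file whose name it derives.

    A drive carrying several such name links is worth a closer look even
    before the trojanised plugin or DLL (the first stage) has been identified.
    """
    by_name = {f.name: f for f in files}
    links = {}
    for f in files:
        nxt = derived_name(f.content, f.ctime)
        if nxt in by_name:
            links[f.name] = nxt
    return links


def reconstruct_chain(files, start_name):
    """Walk the links from the first-stage loader and return the execution order.

    The walk stops when no file carries the expected name: either the chain is
    complete or, as with copied samples, the creation times no longer match
    what the names were derived from.  Returns [] if the start file is absent.
    """
    if start_name not in {f.name for f in files}:
        return []
    links = find_links(files)
    chain, cur = [], start_name
    while cur is not None and cur not in chain:   # guard against a cycle
        chain.append(cur)
        cur = links.get(cur)
    return chain


def simulate_copy(files, copy_time: int):
    """Model a plain file copy: content survives, creation time is reset."""
    return [replace(f, ctime=copy_time) for f in files]


def expected_pipe_name(computer_name: str) -> str:
    """Pipe name the third stage is described as using: first 30 bytes of
    SHA-512 over the computer name.  Useful for matching against pipe-creation
    events on a host suspected of having had such a drive plugged in.
    (ASCII input and hex rendering are assumptions.)"""
    return hashlib.sha512(computer_name.encode("ascii")).digest()[:30].hex()


def build_sample_image():
    """Constructed three-stage chain plus an unrelated file, in shuffled order."""
    t0 = 131_000_000_000_000_000        # arbitrary FILETIME value (constructed)
    stage1 = Recovered("RichEd20.dll", b"stage-1 loader (constructed)", t0)
    stage2 = Recovered(derived_name(stage1.content, stage1.ctime),
                       b"stage-2 loader (constructed)", t0 + 5_000_000)
    payload = Recovered(derived_name(stage2.content, stage2.ctime),
                        b"payload (constructed)", t0 + 9_000_000)
    bystander = Recovered("readme.txt", b"unrelated file (constructed)", t0 + 1)
    return [bystander, payload, stage1, stage2]


if __name__ == "__main__":
    image = build_sample_image()
    print("name links found:", find_links(image))
    print("chain from RichEd20.dll:", reconstruct_chain(image, "RichEd20.dll"))
    copied = simulate_copy(image, 132_000_000_000_000_000)
    print("chain after a plain copy:", reconstruct_chain(copied, "RichEd20.dll"))
    print("pipe name to look for on WORKSTATION-01:",
          expected_pipe_name("WORKSTATION-01"))
```

On a real image the `Recovered` records would be filled from the file system's creation timestamps rather than constructed; the point the copy simulation makes is that those timestamps have to be preserved (imaged, not copied) or the chain cannot be followed, which is why the analysts had to recover the order by other means.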
dMog Posted March 24, 2016

There is some dangerous stuff out there.
pc71520 Posted March 24, 2016

5 hours ago, dMog said:

There is some dangerous stuff out there.

Oh, yeah...
This topic is now archived and is closed to further replies.