Security researchers have spotted a new data-stealing trojan that "attacks" USB devices, it leaves no evidence on the compromised system but most importantly, it uses a special mechanism to protect itself from being reproduced or copied. Where other malware uses 'good old-fashioned approaches' like Autorun files or crafted shortcuts in order to get users to run it, USB Thief - named by ESET researchers - uses another technique. This method depends on the common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives.
The malware is inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.
The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements.
The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.
The name of the next file in malware execution chain is based on actual file content and its creation time. Because of this, filenames are different for every instance of this malware.
Moreover, copying malware to a different place will replace the file creation time so that malicious actions associated with the previous locality cannot be reproduced.
The "data-stealing" functionality of the malware uses an executable injected into a newly created “%windir%\system32\svchost.exe -k netsvcs" process.
According to ESET's analysis, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called "WinAudit". It encrypts the stolen data using elliptic curve cryptography.
After the USB is removed, nobody can find out that data was stolen.