Breaking News

ASUSTOR 30 TB Ironwolf Pro Now Officially Supported ASUS Announces ExpertCenter P500 SFF Lexar Launches the NM990 PCIe 5.0 SSD DJI Agras T100, T70P and T25P Launches Globally Sony Introduces the RX1R III

logo

  • Share Us
    • Facebook
    • Twitter
  • Home
  • Home
  • News
  • Reviews
  • Essays
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map

Search form

ESET Discovers New Self-protecting USB Trojan

ESET Discovers New Self-protecting USB Trojan

PC components Mar 26,2016 0

Security researchers have spotted a new data-stealing trojan that "attacks" USB devices, it leaves no evidence on the compromised system but most importantly, it uses a special mechanism to protect itself from being reproduced or copied. Where other malware uses 'good old-fashioned approaches' like Autorun files or crafted shortcuts in order to get users to run it, USB Thief - named by ESET researchers - uses another technique. This method depends on the common practice of storing portable versions of popular applications such as Firefox, NotePad++ and TrueCrypt on USB drives.

The malware is inserting itself into the command chain of such applications, in the form of a plugin or a dynamically linked library (DLL). And therefore, whenever such an application is executed, the malware will also be run in the background.

The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements.

The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.

The name of the next file in malware execution chain is based on actual file content and its creation time. Because of this, filenames are different for every instance of this malware.
Moreover, copying malware to a different place will replace the file creation time so that malicious actions associated with the previous locality cannot be reproduced.

The "data-stealing" functionality of the malware uses an executable injected into a newly created “%windir%\system32\svchost.exe -k netsvcs" process.

According to ESET's analysis, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called "WinAudit". It encrypts the stolen data using elliptic curve cryptography.

After the USB is removed, nobody can find out that data was stolen.

Tags: ESETmalware
Previous Post
Hackers Steal, Sell Verizon Enterprise Customer Data
Next Post
Microsoft Supports Yahoo Bidders

Related Posts

  • Intel and Microsoft Convert Malware to Images to Spot Threads Faster

  • Malwarebytes Outlines Coronavirus Scams

  • Google's AI Tool Scans Billions of Gmail Attachments to Secure Inboxes

  • Pentagon, DHS And FBI Issued New Malware Warning For Windows Users

  • Lazarus Group Targets Linux With New Malware

  • Eset Offers Disk Encryption Service for Small Businesses

  • Hackers Targeted Government Officials Using WhatsApp Malware

  • Malware Masked as Textbooks and Essays

Latest News

ASUSTOR 30 TB Ironwolf Pro Now Officially Supported
Enterprise & IT

ASUSTOR 30 TB Ironwolf Pro Now Officially Supported

ASUS Announces ExpertCenter P500 SFF
Enterprise & IT

ASUS Announces ExpertCenter P500 SFF

Lexar Launches the NM990 PCIe 5.0 SSD
PC components

Lexar Launches the NM990 PCIe 5.0 SSD

DJI Agras T100, T70P and T25P Launches Globally
Drones

DJI Agras T100, T70P and T25P Launches Globally

Sony Introduces the RX1R III
Cameras

Sony Introduces the RX1R III

Popular Reviews

be quiet! Light Loop 360mm

be quiet! Light Loop 360mm

be quiet! Dark Mount Keyboard

be quiet! Dark Mount Keyboard

be quiet! Light Mount Keyboard

be quiet! Light Mount Keyboard

Noctua NH-D15 G2

Noctua NH-D15 G2

Soundpeats Pop Clip

Soundpeats Pop Clip

be quiet! Light Base 600 LX

be quiet! Light Base 600 LX

Crucial T705 2TB NVME White

Crucial T705 2TB NVME White

be quiet! Pure Base 501

be quiet! Pure Base 501

Main menu

  • Home
  • News
  • Reviews
  • Essays
  • Forum
  • Legacy
  • About
    • Submit News

    • Contact Us
    • Privacy

    • Promotion
    • Advertise

    • RSS Feed
    • Site Map
  • About
  • Privacy
  • Contact Us
  • Promotional Opportunities @ CdrInfo.com
  • Advertise on out site
  • Submit your News to our site
  • RSS Feed