A new type of stealth malware called USB Thief can reportedly infect air-gapped systems without leaving any signs...
behind. How does USB Thief work and what, if anything, can enterprises do to mitigate this attack?
USB Thief is a new type of malware discovered by ESET. Little is known about the malware because only part of it has been identified and analyzed. ESET explains how USB Thief uses multiple stages in its attacks on air-gapped systems, has the ability to encrypt itself and limits where it can run to prevent analysis. The target of the attack appears to be stealing data from the infected systems.
ESET stated in its blog post that USB Thief leaves no evidence when it has been used. The USB malware does not save any files on the local system. Enterprises have several options to mitigate this attack. They should assume targeted malware will bypass whatever antimalware tools in place and have defense-in-depth controls to monitor and investigate potentially suspicious activity. Windows has built-in functionality for logging in the event log each time a USB device is inserted into a system. An enterprise could then monitor the logs for any time a USB device is inserted and respond accordingly. Windows has functionality to record any time a file is accessed on the system and log that event. Windows can log all files executed on the local system, but it is unclear how the USB Thief malware would show up in the event log when the dynamic link library (DLL) was injected into the targeted executable. All of this data would need to be monitored and analyzed by the enterprise, so that if potentially suspicious events were logged, the enterprise could send an incident response team or investigate the system for suspicious activity.
For systems in high security areas, USB drives can be disabled or have the capability to execute files disabled, which could also prevent this attack. But disabling USB drives might not be possible on general use systems because of the limitations on functionality. Some host-based intrusion detection systems, antimalware, whitelisting or other third-party endpoint security tools also have similar functionality for logging or controlling access to USB drives and files accessed on the system.
Find out the best practices for implementing an air-gapped enterprise network
Learn how to mitigate data theft from USB devices
Read about the new features on Windows Defender Advanced Threat Protection
Dig Deeper on Network intrusion detection and prevention (IDS-IPS)
Related Q&A from Nick Lewis
Rakos malware is attempting to build a botnet by attacking embedded Linux systems. Expert Nick Lewis explains how enterprises can prevent attacks on ...continue reading
The Switcher Trojan spreads to Android devices through the wireless router to which they are connected. Expert Nick Lewis explains how this attack is...continue reading
USB Killer devices, with the ability to destroy systems via a USB input, are available and inexpensive. Expert Nick Lewis explains how they work and ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.