Self-Protecting "USB Thief" Trojan (by ESET Research)

Ink

"A unique data-stealing trojan has been spotted on USB devices in the wild – and it is different from typical data-stealing malware. Each instance of this trojan relies on the particular USB device on which it is installed and it leaves no evidence on the compromised system. Moreover, it uses a very special mechanism to protect itself from being reproduced or copied, which makes it even harder to detect.

What really sets this malware apart, however, is its self-protection mechanism."

The protection mechanism

The malware consists of six files. Four of them are executables and the other two contain configuration data. To protect itself from copying or reverse engineering, the malware uses two techniques. Firstly, some of the individual files are AES128-encrypted; secondly, their filenames are generated from cryptographic elements.

The AES encryption key is computed from the unique USB device ID, and certain disk properties of the USB drive hosting the malware. Hence, the malware can only run successfully from that particular USB device.

The name of the next file in the malware execution chain is based on the actual file content and its creation time. It is the first five bytes of the SHA512 hash computed from the mentioned attributes (file content concatenated with eight bytes of the creation time).

Because of this, filenames are different for every instance of this malware. Moreover, copying the malware to a different place will replace the file creation time, so that malicious actions associated with the previous locality cannot be reproduced.

Continue Reading: New self-protecting USB trojan able to avoid detection

Could you elaborate on reasons behind binding the malware to a particular device and encrypting it?

Traditionally, malware is often encrypted, and the obvious reason is that encryption prevents the malware from being detected or – if it gets detected – from being analyzed. In this case, encryption also serves the purpose of binding the malware to a particular device.

As for the reasons for binding to a particular device – this obviously makes it harder for the malware to spread but on the other hand it prevents it from leaking outside the target environment. And, given that the attack leaves no traces, the chances are that the malware won’t be spotted if kept on the USB device and wiped off the machine after completing its mission.

To sum up, to me it seems that this malware has been created for targeted attacks.

Continue Reading: ESET discovers new USB-based data stealing malware
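The filename-derivation scheme described in the ESET excerpt above, written out as an added forensic helper (example code, not part of the original post or of ESET's analysis): it computes the name the chain would expect for a given stage file and shows why a copied file (new creation time) can no longer be located by the previous stage. The excerpt does not say how the eight time bytes are encoded or how the five hash bytes become a filename, so a little-endian Windows FILETIME and a hex rendering are assumptions here.

```python
import hashlib
import struct

# Assumptions (not specified in the ESET excerpt):
#  - the eight bytes of creation time are a Windows FILETIME
#    (100-ns ticks since 1601-01-01) packed little-endian;
#  - the five-byte SHA-512 prefix is rendered as lowercase hex.
def derive_next_name(content: bytes, creation_filetime: int) -> str:
    """Name the chain would derive for a file with this content and creation time."""
    digest = hashlib.sha512(content + struct.pack("<Q", creation_filetime)).digest()
    return digest[:5].hex()


def chain_name_matches(observed_name: str, content: bytes, creation_filetime: int) -> bool:
    """Forensic check for a file recovered from a suspect drive: does its name
    equal the one the previous stage would have derived?  A mismatch means the
    file was copied or moved (creation time changed) or its content altered,
    so the original execution chain cannot be replayed from this location."""
    return observed_name.lower() == derive_next_name(content, creation_filetime)


# Constructed sample: identical bytes, but the copy gets a later creation time.
SAMPLE_CONTENT = b"constructed stage payload bytes (not real malware)"
ORIGINAL_CTIME = 131_000_000_000_000_000          # constructed FILETIME value
COPIED_CTIME = ORIGINAL_CTIME + 10_000_000        # one second later


def demo() -> dict:
    """Show that copying the same content changes the derived name."""
    original = derive_next_name(SAMPLE_CONTENT, ORIGINAL_CTIME)
    copied = derive_next_name(SAMPLE_CONTENT, COPIED_CTIME)
    return {
        "original": original,
        "copied": copied,
        "same_name": original == copied,
        "copy_still_matches_chain": chain_name_matches(original, SAMPLE_CONTENT, COPIED_CTIME),
    }


if __name__ == "__main__":
    print(demo())
```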
hjlbx

Webroot says "You are protected" against this very threat. However... Webroot uses the concept of trusted processes - and is default-allow for anything it doesn't detect as malicious.

I say "You are NOT protected" by Webroot's USB shield - until proven otherwise.

When I asked for proof of protection against the threat covered in the article - of course I got no reply.