Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Compare cell phone plans using Wirefly's innovative plan comparison tool ×
Security Firefox Software Windows Hardware

USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems 83

Reader itwbennett writes: A Trojan program, dubbed USB Thief by researchers at security firm ESET, infects USB drives that contain portable installations of popular applications such as Firefox, NotePad++, or TrueCrypt, and it also seems to be designed to steal information from so-called air-gapped computers. "In the case we analyzed, it was configured to steal all data files such as images or documents, the whole windows registry tree (HKCU), file lists from all of the drives, and information gathered using an imported open-source application called 'WinAudit'," the ESET researchers said. The stolen data was saved back to the USB drive and was encrypted using elliptic curve cryptography. Once the USB drive was removed, there was no evidence left on the computer, the ESET researchers added.
This discussion has been archived. No new comments can be posted.

USB Trojan Hides In Portable Applications, Targets Air-Gapped Systems

Comments Filter:
  • I just like it when it's air gapped..
    • by khasim ( 1285 )

      So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

      Looks like they've re-invented "sneakernet".

      Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

      • So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

        Looks like they've re-invented "sneakernet".

        Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

        Developing a, super secure, file based Intranet?

        • Reminds me of IPoAC
        • by mikael ( 484 )

          How else can you load and install third-party applications? Maybe you are an animation artist trying to do that ultimate animation for your demo reel. Then you need to install applications like 3DMax, Photoshop, ZBrush, Softimage. Sometime manuals or tutorials only come in HTML format. So you need a web browser to read them.

      • So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

        http://portableapps.com/ [portableapps.com] was my first thought. It's a very impressive collection of portable software, Firefox/Mozilla isn't listed in my setup, Sea monkey and Opera are.

        My folder is just under 6 Gigs, the software meant to be on a USB device or at least right at home.

        This piece of malware might hit portableapps rather hard, just for being what it is.

        • by dgatwood ( 11270 )

          The real question is why those systems weren't configured to refuse to run unsigned apps and/or apps signed with a different key than the last time you ran them. This sort of attack should be almost impossible on any modern desktop OS.

      • My work air gaps the government-owned computers from the university-owned ones. Different networks, same building, often same room. We have approved, encrypted drives to transfer files. USB ports ARE locked down, but that doesn't mean no USB devices are allowed.

      • >So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?
        >Looks like they've re-invented "sneakernet".
        >Seriously. If security is that important that you air-gap a system, why aren't you locking down the USB ports?

        You confuse security with idiocy. Just because there is a secure system, doesn't mean that an idiot can't screw it up!

      • You still need a way to transfer files on air-gaped systems or they aren't real useful. CD writeables are much more difficult to use for normal users than thumb drives so the USB ports are left open. Besides, malware can still get in on the CD, just like it can on the thumb drive.

        There are already well known groups of malware that target air gaped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in

        • by Anonymous Coward

          You still need a way to transfer files on air-gaped systems or they aren't real useful. CD writeables are much more difficult to use for normal users than thumb drives..

          Oh yes, the poor diddums, they can't just drag'n'drop, they have to think a bit..seriously, I'd never let anyone this incapable anywhere near a system so critical it requires air-gapping.

          Besides, malware can still get in on the CD, just like it can on the thumb drive.

          sure, but a burn-once read-once-then-shred CD containing just $name_of_data_file is a lot less likely to contain malware than a USB stick containing all sorts of stuff as well as $name_of_data_file. And I'm not even going into the possibilities of the existence of embedded-in-the-hardware malware on USB sticks.

          There are already well known groups of malware that target air gaped systems and try to communicate with networked computers by using microphones and speakers (and probably other techniques as well such as cameras and monitors) in frequencies humans can't hear but the electronics of the speakers and microphones can.

          Firstly, most

      • by tlhIngan ( 30335 )

        So why is someone plugging a USB drive with FIREFOX into an "air gapped" computer?

        You can create isolated airgapped networks with their own set of web browsers and all that as well, you know.

        These networks are often on the classified side of things and there is no connection to the Internet or other network. Properly set up SCADA systems are supposed to be on airgapped networks, for example. But there's often documentation and other things that end up as HTML and you need a browser to view it, and it can be

  • by Anonymous Coward

    I lost my USB drive. I wrote a program that automatically backs up my computer when I plug it in (of course encrypted). I guess they found it.

  • I've just read TFA (no big deal) and it seemed positively gushing, with a "white hats off" tone to it.

    Oh well.. what sounds like free-form obfuscation improvisation to me turns out to be, once more, the state of the art in today's heists.

  • Confused (Score:2, Interesting)

    by Anonymous Coward

    How does the trojan get installed on the USB stick in the first place? Either you are using USB drives provided by a stranger (who does that?) or someone has stolen your drive, installed their software, and replaced it without your knowledge. Plausible, but not a great way to propagate this to more than a few specific people.

    • Re:Confused (Score:4, Insightful)

      by duke_cheetah2003 ( 862933 ) on Thursday March 24, 2016 @03:48PM (#51771653) Homepage

      Even more importantly, what's the point? How does the 'attacker' get their USB stick back with the stolen data?

      This feels more like a 'inside job' type trojan, where a person can stick it into a PC they're already trusted to use, and suck everything of value off it to review later. I mean, the way it's difficult to copy and stuff makes it suspiciously not very trojan like. Trojans/malware like to spread easily.

      Encrypting the slurped data just feels like plausible deniability for the attacker if the USB were confiscated and inspected.

    • by AHuxley ( 892839 )
      Find the ready device in car park and pick it up and see what is on it before returning to owner if details are on the files. Gets the code onto a inner networked work computer and hope to infect all other usb devices.
      Deep penetration agent gets to a secure work only USB device to install new code and gets the later returned data from a secure area. Sneaker net it out even with no or low site clearance.
      Flood all staff members with the code to infect their less secure home and work computers and hope one
  • by blogagog ( 1223986 ) on Thursday March 24, 2016 @03:08PM (#51771219)
    I had the info stolen off my computer last year. The thieves who took it are now slightly dumber for having read it.
    • by Greyfox ( 87712 )
      Oh you must have been working for the last company I worked with. They had some left over schwag from the golden days when they were still doing the convention circuit that they handed out one day. Then HR read us the riot act about wearing the comapny T-Shirts we'd gotten. "Kidnapping risk," they said. I wanted to do a PSA for them. Like "Please don't kidnap their employees. All the folks who actually knew how to accomplish anything left the company when it went public. Between the culture of ineptitude im

You are in a maze of UUCP connections, all alike.

Working...