New 'Undetectable' Malware Found On USB devices

A new form of data-stealing Trojan malware which spreads through USB devices and can make itself extremely difficult to detect has been found by security company ESET. Here’s what you need to know.

Pictures: SamahR, Chris Yarzab, Ervins Strauhmanis

The malware is called Win32/PSW.Stealer.NAI, dubbed USB Thief, and infects computers exclusively through USB devices. What makes the malware special is that it has mechanisms to protect itself from being reproduced or copied, which makes it hard to detect analyse, according to ESET researchers.

USB Thief is able to install itself onto a device and leave no evidence, adding to the level of difficulty in detection.

"Because it is USB-based, the malware is capable of attacks on systems isolated from the internet without leaving any traces. So the victims don’t notice that their data were stolen,” ESET malware analyst Tomáš Gardo said. “Another feature which makes this malware unusual is that not only it is USB-based, but it is also bound to a single USB device, since it is intended that the malware shouldn't be duplicated or copied. This makes it very difficult to detect and analyse.”

Most malware uses Autorun files or crafted shortcuts to lure victims into running them but USB Thief inserts itself into the command chain of popular applications such as Firefox, NotePad++ and TrueCrypt as a plugin or dynamically linked library (DLL). This means it can run in the background whenever infected applications are executed.

The best ways to avoid falling victim to this kind of USB-based malware by only using USB storage devices from trusted sources. It's also worth warning your organisation and your co-workers about this kind of threat to prevent sensitive company information from being compromised.

You can find out more on USB Thief over at ESET's blog


    Will formatting the drive get rid of it?

      It really depends on the malware and how you format it. While it's extremely rare, if the malware infects the chip on the USB it can stay on there.

      In most cases, you can use a proper format tool (e.g. Rufus and NOT Windows' formatting tool) to address the issue.

      Hope this helps!



        Thanks Panda, it was just a general curiosity question really, I don't actually have a need for it that I know of. :)

    Don't you mean Win32/PSW.Stealer.NAI? Might also be worth linking to this interview on ESET's blog, since it describes the virus, its probable reason for being and how it's run on a system. It's not automatically executed every time you run Firefox (for instance), it's run whenever you run an infected portable version of Firefox from that specific USB drive.

      Ah yes, I have fixed the typo. Thanks for flagging! Have also put in the link to the relevant blog post. Cheers :)

        There something called BadUSB that springs to mind. Such devices that act the part but actually contain dodgy firmware.

        This 'dodgy' firmware targets flaws within the USB controllers firmware and unleashes it's nefarious activities.
        It's practically invisible to the OS and beyond what current AV scanners can detect.

        That super cheap USB thumb drive that you bought on eBay might do more then meets the eye...

        Last edited 29/03/16 10:14 pm

Join the discussion!

Trending Stories Right Now