
How can USB Thief be stopped from infecting air-gapped systems?

USB Thief, a new type of stealth malware, leaves no trace on air-gapped targets. Expert Nick Lewis explains how the malware works and how enterprises can mitigate attacks.

A new type of stealth malware called USB Thief can reportedly infect air-gapped systems without leaving any signs behind. How does USB Thief work and what, if anything, can enterprises do to mitigate this attack?

USB Thief is a new type of malware discovered by ESET. Little is known about it because only part of the malware has been identified and analyzed. ESET explains that USB Thief uses multiple stages in its attacks on air-gapped systems, can encrypt itself, and restricts where it will run in order to hinder analysis. The goal of the attack appears to be stealing data from the infected systems.

ESET stated in its blog post that USB Thief leaves no evidence after it has been used: the USB malware does not save any files on the local system. Enterprises nevertheless have several options to mitigate this attack. They should assume targeted malware will bypass whatever antimalware tools are in place, and should have defense-in-depth controls to monitor and investigate potentially suspicious activity.

Windows has built-in functionality to write an event log entry each time a USB device is inserted into a system, so an enterprise can monitor the logs for USB insertions and respond accordingly. Windows can also record and log each time a file is accessed on the system, and it can log every file executed on the local system, although it is unclear how the USB Thief malware would show up in the event log when its dynamic link library (DLL) is injected into the targeted executable. All of this data would need to be collected and analyzed by the enterprise, so that if potentially suspicious events are logged, an incident response team can be dispatched or the system can be investigated for suspicious activity.
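The following PowerShell script is an added example, not code from the article or from ESET. It pulls the built-in Windows evidence just described, USB insertions from Security event 6416 (Audit PnP Activity) and the DriverFrameworks-UserMode operational log, and process starts from Security event 4688 (Audit Process Creation), and then flags any executable launched from removable media or shortly after a USB insertion. It assumes those audit subcategories are enabled and that the script runs elevated; the correlation window, the `$LookbackHours` and `$WindowMinutes` parameters and the report layout are this example's own choices.

```powershell
# Added example (not from the article or ESET): collect USB insertion and
# process-creation events from the Windows event logs and correlate them.
# Assumes "Audit PnP Activity" (Security 6416) and "Audit Process Creation"
# (Security 4688) are enabled and the script runs in an elevated shell.
param(
    [int]$LookbackHours = 24,   # how far back to search the logs
    [int]$WindowMinutes = 30    # flag process starts this soon after a USB insertion
)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. Device arrivals. Security 6416 is written when PnP auditing is on.
#    DriverFrameworks-UserMode 2003 is written when a user-mode driver host
#    starts loading drivers for a device; that log is disabled by default on
#    some builds, hence -ErrorAction SilentlyContinue on every query.
$pnp = @()
$pnp += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6416; StartTime=$since} -ErrorAction SilentlyContinue
$pnp += Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational'; Id=2003; StartTime=$since} -ErrorAction SilentlyContinue

# Keep only USB devices and pull a device identifier out of the message text.
$usbInserts = $pnp | Where-Object { $_.Message -match 'USBSTOR|USB\\' } | ForEach-Object {
    $device = if ($_.Message -match 'Device ID:\s*(\S+)') { $Matches[1] }
              elseif ($_.Message -match '(USB\S+)')       { $Matches[1] }
              else                                        { '(unknown)' }
    [pscustomobject]@{ TimeCreated = $_.TimeCreated; EventId = $_.Id; Device = $device }
}

# 2. Process creation. The new process path is parsed from the message text
#    so the script does not depend on the ordering of the event properties.
$procs = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'New Process Name:\s+(?<path>\S.*)') {
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Path = $Matches.path.Trim() }
        }
    }

# 3. Drive letters that are currently removable media (Win32_LogicalDisk DriveType 2).
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object { $_.DeviceID }

# 4. Flag (a) anything executed directly from removable media and
#    (b) any process start within $WindowMinutes after a USB insertion.
$findings = foreach ($p in $procs) {
    $fromRemovable = $removable | Where-Object { $p.Path.StartsWith($_, 'OrdinalIgnoreCase') }
    $recentInsert  = $usbInserts | Where-Object {
        $p.TimeCreated -ge $_.TimeCreated -and $p.TimeCreated -le $_.TimeCreated.AddMinutes($WindowMinutes)
    } | Select-Object -First 1
    if ($fromRemovable -or $recentInsert) {
        [pscustomobject]@{
            Time             = $p.TimeCreated
            Process          = $p.Path
            FromRemovable    = [bool]$fromRemovable
            AfterUsbInsertAt = if ($recentInsert) { $recentInsert.TimeCreated } else { $null }
        }
    }
}

"USB insertions in the last $LookbackHours h: $($usbInserts.Count)"
$usbInserts | Format-Table -AutoSize
"Process starts to review:"
$findings | Sort-Object Time | Format-Table -AutoSize
```

A process start soon after a USB insertion is only a lead, not a verdict; the point of the script is to turn the raw event stream into a short list an incident responder can check by hand, which is the kind of monitoring the article recommends. Note that a DLL loaded into an already-running legitimate process does not produce a 4688 event, which is exactly the gap the article points out.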

For systems in high-security areas, USB drives can be disabled entirely, or execution of files from them can be disabled, either of which could also prevent this attack. Disabling USB drives might not be possible on general-use systems, however, because of the loss of functionality. Some host-based intrusion detection systems, antimalware products, application whitelisting tools and other third-party endpoint security tools also offer similar functionality for logging or controlling access to USB drives and to files accessed on the system.
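As an added example (not from the article), the PowerShell script below audits, and with `-Enforce` applies, the two built-in Windows controls mentioned above for high-security hosts: disabling the USB mass-storage driver (`USBSTOR` service start type 4) and turning on the "Removable Disks: Deny execute access" policy. The registry paths, value names and the Removable Disks class GUID are my understanding of the documented Windows locations and should be verified against your build; the `-Enforce` switch and the report format are this example's own design.

```powershell
# Added example (not from the article): audit or apply the two built-in
# Windows controls for USB storage. Registry locations are assumed from
# Windows policy documentation; verify them on your own build. Run elevated.
param([switch]$Enforce)

# USBSTOR service Start value: 3 = manual (USB storage loads on demand), 4 = disabled.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

# "Removable Disks: Deny execute access" policy. The GUID is the Removable Disks
# class used under the RemovableStorageDevices policy key (assumed, see lead-in).
$denyExecKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction Stop).Start
    $deny  = (Get-ItemProperty -Path $denyExecKey -Name Deny_Execute -ErrorAction SilentlyContinue).Deny_Execute
    [pscustomobject]@{
        UsbStorageDriverDisabled = ($start -eq 4)   # true when the driver will not load
        RemovableExecuteDenied   = ($deny -eq 1)    # true when the deny-execute policy is set
    }
}

"Current state:"
$before = Get-UsbStorageState
$before | Format-List

if ($Enforce) {
    # Disable the USB mass-storage driver; devices already mounted stay until reboot.
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4 -Type DWord
    # Create the policy key if no removable-storage policy has been applied yet.
    if (-not (Test-Path $denyExecKey)) { New-Item -Path $denyExecKey -Force | Out-Null }
    Set-ItemProperty -Path $denyExecKey -Name Deny_Execute -Value 1 -Type DWord
    "State after enforcement:"
    Get-UsbStorageState | Format-List
}
```

Run the script without arguments during an audit to report the current state of both settings on a host; running it with `-Enforce` applies both. In a domain, the same settings are better pushed through Group Policy so they are reapplied if a local administrator reverts them, and the deny-execute policy rather than the driver disable is the usual compromise for general-use systems that still need to read removable media.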


This was last published in August 2016
