The malware developed by security experts at Itrust Consulting is built around a “self made driver” that makes USB devices accessible over TCP/IP. The malware works, in theory, with any type of smartcard and USB-based smartcard reader, making it more deadly than the Sykipot Trojan that hijacked US DoD (Department of Defense) smart cards. The malware also comes with a keylogging component that can be used to steal login credentials such as PINs.
The PoC will be showcased by Paul Rascagneres of Itrust Consulting on November 24 at the MalCon security conference in New Delhi, India. “We showcase a new kind of malware that uses a self made driver that makes USB over TCP/IP”, reads the summary of the presentation. “So the malware shares the smartcard connected in USB of the victim directly to the command and control (c&c) server in raw. The attacker can use the smartcard as if it is directly connected to his machine!” the summary reads further.
There is a catch, though. The malware only works when PINs are entered through the keyboard of the Windows PC, not when they are entered through keypads attached to smartcard readers, notes Computerworld. Another thing that works against the malware is that installing it on 64-bit systems is nearly impossible, as these systems require digitally signed drivers, unlike the one used by the malware.
However, hackers may use rootkits that disable driver signing checks, or sign these custom-made drivers with stolen certificates to make them look genuine.