Last year Michael Sikorski of FireEye was sent a very unusual piece of malware.
The custom code had jumped an air gap at a defence client and infected what should have been a highly-secure computer. Sikorski's colleagues from an unnamed company plucked the malware and sent it off to FireEye's FLARE team for analysis.
"This malware got its remote commands from removable devices," Sikorski said. "It actually searched for a specific formatted and hidden file that was encrypted, and would then decrypt it to access a series of commands that told it what to do next."
External network links are the lifeblood of most malware: they provide the means for malicious code to be implanted on victim machines, and they serve as the command and control channel over which stolen data is shipped off to attackers and further infections are directed.
Sikorski's unnamed malware had no such link, so it used employees to carry it to other machines and to distribute its commands. The attackers compromised internet-connected computers they knew staff with access to the air-gapped machine would use, and turned any removable storage device plugged into them into a digital bridge.
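The mechanism described above, a hidden, encrypted command file dropped onto removable media, leaves a detectable footprint: a hidden file on the volume whose contents look random and carry no recognisable file header. The script below is an added example of that hunt, not FireEye or FLARE tooling, and it is not based on the actual sample. It assumes "hidden" means a dot-prefixed name or the Windows hidden attribute, assumes an entropy cutoff of 7.2 bits per byte as a stand-in for "looks encrypted", and builds a constructed throw-away directory tree in place of a real USB mount, with a deterministic SHA-256 byte stream standing in for the encrypted command file.

```python
"""Hunt a removable volume for hidden, encrypted-looking dead-drop files.

Added example; the thresholds, the notion of "hidden", and the sample
volume are assumptions for illustration, not FireEye's analysis.
"""
import hashlib
import math
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.2   # bits/byte; assumed cutoff for "looks encrypted"
MIN_SIZE = 64             # ignore tiny files, entropy is meaningless there

# Legitimate compressed/binary formats are high-entropy too; a real
# header is a reason to de-prioritise a candidate.
KNOWN_MAGIC = (b"\x89PNG", b"PK\x03\x04", b"\x1f\x8b", b"%PDF", b"\xff\xd8\xff")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the ceiling for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def is_hidden(path: Path) -> bool:
    """Dot-prefixed name (POSIX convention) or Windows hidden attribute."""
    if path.name.startswith("."):
        return True
    attrs = getattr(path.stat(), "st_file_attributes", 0)  # Windows only
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def has_known_magic(head: bytes) -> bool:
    return any(head.startswith(m) for m in KNOWN_MAGIC)


def scan_volume(root: Path) -> List[Dict]:
    """Return hidden, high-entropy, header-less files under root."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        if len(data) < MIN_SIZE:
            continue
        entropy = shannon_entropy(data)
        if is_hidden(p) and entropy >= ENTROPY_THRESHOLD and not has_known_magic(data[:8]):
            findings.append({
                "name": p.name,
                "relpath": str(p.relative_to(root)),
                "size": len(data),
                "entropy": round(entropy, 3),
            })
    return findings


def build_sample_volume() -> Path:
    """Constructed stand-in for a mounted USB stick (not real captured data)."""
    vol = Path(tempfile.mkdtemp(prefix="usb_"))
    # Ordinary visible document: low entropy, not hidden.
    (vol / "report.txt").write_bytes(b"Quarterly numbers attached, see sheet 2.\n" * 20)
    # Hidden but plaintext: hidden alone is not suspicious.
    (vol / ".config").write_bytes(b"[settings]\nmode=1\nlang=en\n" * 10)
    # Hidden PNG with random body: high entropy but a known header.
    png = b"\x89PNG\r\n\x1a\n" + hashlib.sha256(b"png").digest() * 64
    (vol / ".thumb.png").write_bytes(png)
    # Stand-in for the encrypted command file: hidden, no header, random-looking.
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    sysdir = vol / "System Volume Information"
    sysdir.mkdir()
    (sysdir / ".tasks.dat").write_bytes(blob)
    return vol


if __name__ == "__main__":
    for hit in scan_volume(build_sample_volume()):
        print(hit)
```

On a real volume, treat a hit as a lead rather than a verdict: compressed archives without a header, disk images and some licence blobs will also trip the entropy check, so the next step is to correlate the file's creation time with who plugged the device into which internet-connected host.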