Results 1 to 1 of 1
-
6th Aug 2014, 05:30 PM #1
Registry-Residing Malware Creates No File for Antivirus to Scan
A new form of persistent malware has been discovered, one which does not create any file on the disk and stores all activities in the registry.
In a blog posted at the end of July, security researcher Paul Rascagneres of GData details the particularities of the new type of malware, dubbed Poweliks, whose methods he labels as “rather rare and new,” since everything is performed in the memory of the computer system and there are several layers of code to get through in order to avoid analysis.
The attack vector is an email with a malcrafted Microsoft Word document attached. The vulnerability leveraged by the attackers is CVE-2012-0158, which affects Office and several other Microsoft products. It is not new, but many users are still using old versions of the software that could be compromised.
Once the file is launched, the cybercriminals turn on the persistency feature of the malware by creating an encoded autostart key in the registry. It seems that the encoding technique used by the malware was originally created by Microsoft to safeguard their source code from being altered.
In order to avoid detection by system tools, the registry key is hidden by providing a name in non-ASCII characters, which makes it unavailable to the Registry Editor (regedit.exe) in Windows.
By creating the auto-start key, the attackers make sure that a reboot of the system does not remove it from the computer.
By decoding the key, Rascagneres observed two sets of code: one that verified if the affected machine had Windows PowerShell installed, and another one, a Base64-encoded PowerShell script, for calling and executing the shellcode.
According to the researcher, the shellcode executes the payload, which attempts to connect to a remote command and control (C&C) server for receiving instructions. There are multiple IP addresses for C&C servers, all hard-coded.
The peculiarity of this malware is that it does not create any file on the disk, making it more difficult to be detected through classic protection mechanisms.
“To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user,” writes Rascagneres.
This type of malicious behavior is not new though, as a sample was also analyzed on KernelMode.info in mid-July, this year. In that case, the same vulnerability was exploited through a malicious RTF attached to an email claiming to be from Canada Post and/or USPS mail service.Kepler Reviewed by Kepler on . Registry-Residing Malware Creates No File for Antivirus to Scan http://i1-news.softpedia-static.com/images/news-700/Registry-Residing-Malware-Creates-No-File-for-Antivirus-To-Scan.jpg A new form of persistent malware has been discovered, one which does not create any file on the disk and stores all activities in the registry. In a blog posted at the end of July, security researcher Paul Rascagneres of GData details the particularities of the new type of malware, dubbed Poweliks, whose methods he labels as “rather rare and new,” since Rating: 5
Sponsored Links
Thread Information
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)
Similar Threads
-
[Hiring] Uploaders needed. Will pay $10 for 1000 downloads. No file size limit! All countries
By fanturo in forum Completed TransactionsReplies: 10Last Post: 14th Mar 2011, 09:46 AM -
Create a banner for dedicatedhackers.com and get three legit 30day RS accounts
By iKnow in forum Community CooperativeReplies: 20Last Post: 6th Sep 2009, 01:55 AM -
Creating a file hosting site
By chromer19 in forum Technical Help Desk SupportReplies: 2Last Post: 15th Aug 2009, 01:11 AM -
[25/5]$4 Million In Fines For Linking To Infringing Files
By SomeUpper in forum News & Current EventsReplies: 9Last Post: 27th May 2008, 10:23 AM -
Nforce.NL - Search NFO files for basically any release out there...
By Cuzabis in forum Useful SitesReplies: 2Last Post: 23rd Jan 2008, 09:27 AM
themaPoster - post to forums and...
Version 5.23 released. Open older version (or...