
Registry-infecting reboot-resisting malware has NO FILES


Jasper_The_Rasper
Moderator
This one could prove to be awkward and hopefully not a sign of things to come.
 

Anti-virus doesn't stand a chance because there's nothing for it to scan

By Darren Pauli, 4 Aug 2014
 
Researchers have detailed a rare form of malware that maintains infection on machines and steals data without installing files.
The malware resides in the computer registry only and is therefore not easy to detect.
Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.
 


 
Full Article

12 replies

Good article, this appears to be a really nasty malware. No doubt we need a quick fix on this one.

  • Community Leader
  • 841 replies
  • August 4, 2014
Thank you Jasper,
 
If I understand correctly, the same code designed to prevent documents from being copied, a security measure, is used as an attacker. Never ending battle.
 
 
 
 
 
 

nic
  • Retired Webrooter
  • 6752 replies
  • August 4, 2014
I've alerted our Threat team to this one, and they're looking into it.  They're confident we'll be able to block this once they can get a sample to investigate.

Jasper_The_Rasper
Moderator
Thank you Nic, that is good to know.

  • Community Leader
  • 841 replies
  • August 4, 2014
@ wrote:
I've alerted our Threat team to this one, and they're looking into it.  They're confident we'll be able to block this once they can get a sample to investigate.
Thank you Nic!
 
I was waiting to hear from you on this, you are the best!

Jasper_The_Rasper
Moderator
In the lead article this malware did not have a name.
 
By Lucian Constantin  Aug 4, 2014
 
A new malware program called Poweliks attempts to evade detection and analysis by running entirely from the system registry without creating files on disk, security researchers warn.
 
The concept of “fileless” malware that only exists in the system’s memory is not new, but such threats are rare because they typically don’t survive across system reboots, when the memory is cleared. That’s not the case for Poweliks, which takes a rather new approach to achieve persistence while remaining fileless, according to malware researchers from G Data Software.
When it infects a system, Poweliks creates a startup registry entry that executes the legitimate rundll32.exe Windows file followed by some encoded JavaScript code. This triggers a process similar in concept to a Matryoshka Russian nesting doll, said Paul Rascagnères, senior threat researcher at G Data, in a blog post.
 
Full Article
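A check a responder could run against the persistence mechanism the two quoted articles describe (an autostart registry value that launches rundll32.exe with encoded JavaScript). This is an added example, not code from either article, G Data, or Webroot. The list of keys, the regular expressions and the 200-character threshold are assumptions chosen for illustration, and the non-printable-name check is a general heuristic for values regedit displays badly rather than a detail taken from the articles.

```powershell
# Added example (not from the articles or this thread). Scans the common
# Run/RunOnce autostart keys on the local host and flags values that match the
# pattern described above: rundll32.exe handed a javascript: URL, script hosts
# given inline or encoded script, long encoded blobs stored in the value, or a
# value name that is empty or contains non-printable characters (one way an
# entry can be "hidden" from casual inspection in regedit). Run from an
# elevated PowerShell on the Windows host being checked.

$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Test-SuspiciousAutorun {
    # Returns the reasons an autostart value looks suspicious (empty = nothing found).
    param([string]$Name, [string]$Data)
    $reasons = @()
    # rundll32.exe itself is legitimate; rundll32.exe launching a javascript: URL is not.
    if ($Data -match '(?i)rundll32.*javascript:') { $reasons += 'rundll32 launching javascript:' }
    # Other script hosts given inline or base64-encoded script (assumed heuristic).
    if ($Data -match '(?i)\b(mshta|wscript|cscript|powershell)\b.*(javascript:|vbscript:|-enc|FromBase64String)') {
        $reasons += 'script host with inline or encoded script'
    }
    # A long base64-looking run in an autostart value is a stored payload, not a path.
    if ($Data -match '[A-Za-z0-9+/=]{200,}') { $reasons += 'long base64-like blob' }
    # Empty names or names with characters outside printable ASCII (e.g. a leading NUL)
    # cannot be shown or edited normally in regedit.
    if ($Name.Length -eq 0 -or $Name -match '[^\x20-\x7E]') { $reasons += 'non-printable or empty value name' }
    return ,$reasons
}

function Get-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Do not expand %VARS%: inspect the stored string exactly as it was written.
            $data = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $why = Test-SuspiciousAutorun -Name $name -Data $data
            if ($why.Count -gt 0) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = ($name -replace '[^\x20-\x7E]', '?')
                    Data      = $data
                    Reasons   = ($why -join '; ')
                }
            }
        }
    }
}

# Constructed sample (not a real infection artifact) showing the check fire on
# the rundll32 + javascript: pattern combined with an unprintable value name:
Test-SuspiciousAutorun -Name "`0svc" -Data 'rundll32.exe javascript:"...";eval("...")'

# Live scan of this host:
Get-SuspiciousAutorun | Format-List
```

A hit is a lead, not proof: review the Data field by hand, and remember the check only covers the keys listed, so extend $autorunKeys (services, Winlogon, scheduled tasks) if the host uses them for startup.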

  • Bronze VIP
  • 347 replies
  • August 4, 2014
Really an interesting kind of malware; I wonder why this kind of behaviour wasn't used earlier.

WSA would probably not prevent an infection through the DOC file (or similar) but I'm sure that later during the payload the heuristics will detect the suspicious behaviour.

nic
  • Retired Webrooter
  • 6752 replies
  • August 5, 2014
Just got confirmation from Threat that we do catch this.  It does eventually try to run a payload dll, which we'll catch and stop.

Jasper_The_Rasper
Moderator
Thank you for the update Nic, that is great news and just what I expected.

Baldrick
  • Gold VIP
  • 16060 replies
  • August 5, 2014
Very cool that WSA does the business...but a very interesting attack vector...whatever will they come up with next. :@

  • Community Leader
  • 841 replies
  • August 7, 2014
@ wrote:
Very cool that WSA does the business...but a very interesting attack vector...whatever will they come up with next. :@
Your guess is as good as anyone's, but they are bound to come up with something!

  • Community Leader
  • 841 replies
  • August 7, 2014
@ wrote:
Just got confirmation from Threat that we do catch this.  It does eventually try to run a payload dll, which we'll catch and stop.
That's a relief! Thank you Nic!
