
Registry-infecting reboot-resisting malware has NO FILES

Sr. Community Expert Advisor

Registry-infecting reboot-resisting malware has NO FILES

This one could prove to be awkward and hopefully not a sign of things to come.

 

Anti-virus doesn't stand a chance because there's nothing for it to scan

By Darren Pauli,

 

Researchers have detailed a rare form of malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not easy to detect.

 

Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

 

AV in registry

 

Full Article


Sr. Community Expert Advisor
Microsoft® Windows Insider MVP - Windows Security

12 REPLIES
Community Leader

Re: Registry-infecting reboot-resisting malware has NO FILES

Good article; this appears to be really nasty malware. No doubt we need a quick fix on this one.

Community Leader

Community Expert Advisor

Re: Registry-infecting reboot-resisting malware has NO FILES

Thank you Jasper,

 

If I understand correctly, the same code designed to prevent documents from being copied, a security measure, is used by an attacker. A never-ending battle.

Experience Shared is Knowledge Shared, Share Yours! I'm a volunteer – my reward is your SMILE! :)

Helpful Webroot Links:
Submit Trouble Ticket • User Guides • BrightCloud URL lookup • Account Console
Download (PC) • Download (Best Buy/Geek Squad Subscription) • Download (Walmart and Target) • Download (MSN Subscription)
Register and Introduce yourself to The Community!

Retired Webrooter

Re: Registry-infecting reboot-resisting malware has NO FILES

I've alerted our Threat team to this one, and they're looking into it.  They're confident we'll be able to block this once they can get a sample to investigate.

Sr. Community Expert Advisor

Re: Registry-infecting reboot-resisting malware has NO FILES

Thank you Nic, that is good to know.


Sr. Community Expert Advisor
Microsoft® Windows Insider MVP - Windows Security

Community Expert Advisor

Re: Registry-infecting reboot-resisting malware has NO FILES


nic wrote:

I've alerted our Threat team to this one, and they're looking into it.  They're confident we'll be able to block this once they can get a sample to investigate.


Thank you Nic!

 

I was waiting to hear from you on this, you are the best!


Sr. Community Expert Advisor

Stealthy malware 'Poweliks' resides only in system registry

In the lead article this malware did not have a name.

 

By Lucian Constantin, Aug 4, 2014

 

A new malware program called Poweliks attempts to evade detection and analysis by running entirely from the system registry without creating files on disk, security researchers warn.

 

The concept of “fileless” malware that only exists in the system’s memory is not new, but such threats are rare because they typically don’t survive across system reboots, when the memory is cleared. That’s not the case for Poweliks, which takes a rather new approach to achieve persistence while remaining fileless, according to malware researchers from G Data Software.

When it infects a system, Poweliks creates a startup registry entry that executes the legitimate rundll32.exe Windows file followed by some encoded JavaScript code. This triggers a process similar in concept to a Matryoshka Russian nesting doll, said Paul Rascagnères, senior threat researcher at G Data, in a blog post.

 

Full Article


Sr. Community Expert Advisor
Microsoft® Windows Insider MVP - Windows Security
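Both articles quoted in this thread describe the same persistence trick: an autostart (Run) registry value that launches the legitimate rundll32.exe with encoded JavaScript, so nothing has to land on disk. The script below is an added example and is not code from either article, from G Data or from Webroot; it shows the defender's side, checking Run-key entries for that pattern. The sample entries are constructed. The check on empty or non-printable value names generalises the "hidden" key the first article mentions and is an assumption here, not something the articles state; read_live_run_keys reads the real Run keys through Python's winreg module when run on Windows and returns nothing elsewhere.

```python
"""Flag autostart (Run-key) entries that match the fileless persistence pattern
the thread describes: rundll32.exe launched with encoded JavaScript.
Added example; the sample data below is constructed, not from a real infection."""
import re
from dataclasses import dataclass

HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"


@dataclass(frozen=True)
class RunEntry:
    key: str   # registry key the value lives under
    name: str  # value name (what the Startup list shows)
    data: str  # command line executed at logon


# rundll32 started with a javascript: URL instead of a DLL path
RUNDLL32_JS = re.compile(r'rundll32(\.exe)?"?\s+"?javascript:', re.IGNORECASE)
# a long run of base64-style characters: the "encoded" part of the command
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/=]{60,}")


def assess(entry: RunEntry) -> list[str]:
    """Return the reasons an entry looks like the article's pattern (empty if none)."""
    reasons = []
    if RUNDLL32_JS.search(entry.data):
        reasons.append("rundll32 launched with a javascript: URL")
    if ENCODED_BLOB.search(entry.data):
        reasons.append("long encoded blob inside the autostart command")
    # Assumption (generalises the 'hidden' key the article mentions): an empty or
    # non-printable value name is not something a legitimate installer writes.
    if entry.name == "" or not entry.name.isprintable():
        reasons.append("value name is empty or contains non-printable characters")
    return reasons


def scan(entries) -> dict[tuple[str, str], list[str]]:
    """Map (key, value name) -> reasons, for every entry that trips at least one check."""
    findings = {}
    for e in entries:
        reasons = assess(e)
        if reasons:
            findings[(e.key, e.name)] = reasons
    return findings


def read_live_run_keys() -> list[RunEntry]:
    """Read the real HKCU/HKLM Run keys via winreg; returns [] on non-Windows hosts."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    roots = ((winreg.HKEY_CURRENT_USER, HKCU_RUN), (winreg.HKEY_LOCAL_MACHINE, HKLM_RUN))
    for root, label in roots:
        try:
            key = winreg.OpenKey(root, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values under this key
                entries.append(RunEntry(label, name, str(data)))
                i += 1
    return entries


# Constructed sample: two ordinary startup items and two shaped like the article's description
SAMPLE_ENTRIES = [
    RunEntry(HKCU_RUN, "OneDrive",
             r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RunEntry(HKLM_RUN, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    # value name is a lone NUL character; the blob is a constructed placeholder
    RunEntry(HKCU_RUN, "\x00",
             'rundll32.exe javascript:"\\..\\placeholder";eval("' + "SGVsbG8g" * 10 + '")'),
    RunEntry(HKCU_RUN, "Updater",
             'rundll32.exe javascript:"\\..\\placeholder";' + "QUJDREVG" * 10),
]

if __name__ == "__main__":
    for entry_set in (SAMPLE_ENTRIES, read_live_run_keys()):
        for (key, name), reasons in scan(entry_set).items():
            print(f"{key}\\{name!r}: " + "; ".join(reasons))
```

Running it on the sample data reports only the two constructed entries; the two ordinary startup items produce no reasons. The regexes are deliberately narrow (rundll32 plus a javascript: URL, or a long encoded run), so the script is a triage aid for an autostart review rather than a substitute for the behavioural detection the Webroot staff describe later in the thread.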

Community Guide

Re: Stealthy malware 'Poweliks' resides only in system registry

Really an interesting kind of malware; I wonder why this kind of behaviour wasn't used earlier.

WSA would probably not prevent an infection through the DOC file (or similar) but I'm sure that later during the payload the heuristics will detect the suspicious behaviour.

Community Guide
-Webroot Endpoint Protection user-
Retired Webrooter

Re: Stealthy malware 'Poweliks' resides only in system registry

Just got confirmation from Threat that we do catch this.  It does eventually try to run a payload dll, which we'll catch and stop.

Sr. Community Expert Advisor

Re: Stealthy malware 'Poweliks' resides only in system registry

Thank you for the update Nic, that is great news and just what I expected.


Sr. Community Expert Advisor
Microsoft® Windows Insider MVP - Windows Security