Posts: 6,736
Topics: 4,523
Kudos: 8,622
Registered: ‎06-12-2013

Registry-infecting reboot-resisting malware has NO FILES

This one could prove to be awkward and hopefully not a sign of things to come.

 

Anti-virus doesn't stand a chance because there's nothing for it to scan

By Darren Pauli,

 

Researchers have detailed a rare form of malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not easy to detect.

 

Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

 


 

Full Article

Sr. Community Leader

Posts: 4,227
Topics: 2,449
Kudos: 3,429
Blog Posts: 0
Registered: ‎06-02-2014

Re: Registry-infecting reboot-resisting malware has NO FILES

Good article, this appears to be a really nasty malware. No doubt we need a quick fix on this one.

Community Leader

Posts: 902
Registered: ‎06-20-2014

Re: Registry-infecting reboot-resisting malware has NO FILES

Thank you Jasper,

 

If I understand correctly, the same code designed to prevent documents from being copied, a security measure, is used as an attacker. Never ending battle.

Experience Shared is Knowledge Shared, Share Yours! I'm a volunteer – my reward is your SMILE!

Community Manager
Posts: 5,324
Registered: ‎12-16-2013

Re: Registry-infecting reboot-resisting malware has NO FILES

I've alerted our Threat team to this one, and they're looking into it.  They're confident we'll be able to block this once they can get a sample to investigate.

Posts: 6,736
Topics: 4,523
Kudos: 8,622
Registered: ‎06-12-2013

Re: Registry-infecting reboot-resisting malware has NO FILES

Thank you Nic, that is good to know.

Sr. Community Leader

Posts: 902
Registered: ‎06-20-2014

Re: Registry-infecting reboot-resisting malware has NO FILES


nic wrote:

I've alerted our Threat team to this one, and they're looking into it.  They're confident we'll be able to block this once they can get a sample to investigate.


Thank you Nic!

 

I was waiting to hear from you on this, you are the best!


Posts: 6,736
Topics: 4,523
Kudos: 8,622
Registered: ‎06-12-2013

Stealthy malware 'Poweliks' resides only in system registry

In the lead article this malware did not have a name.

 

By Lucian Constantin, Aug 4, 2014

 

A new malware program called Poweliks attempts to evade detection and analysis by running entirely from the system registry without creating files on disk, security researchers warn.

 

The concept of “fileless” malware that only exists in the system’s memory is not new, but such threats are rare because they typically don’t survive across system reboots, when the memory is cleared. That’s not the case for Poweliks, which takes a rather new approach to achieve persistence while remaining fileless, according to malware researchers from G Data Software.

When it infects a system, Poweliks creates a startup registry entry that executes the legitimate rundll32.exe Windows file followed by some encoded JavaScript code. This triggers a process similar in concept to a Matryoshka Russian nesting doll, said Paul Rascagnères, senior threat researcher at G Data, in a blog post.

 

Full Article

Sr. Community Leader
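A defender's check for the persistence pattern the article describes (rundll32.exe launched from an autostart registry value followed by encoded inline script), written as an added Python example that is not part of either article or of this thread. The sample Run entries are constructed, the `javascript:` command-line form and the NUL-prefixed value name are assumptions about what such an entry looks like, and the live-read helper uses only the standard `winreg` module and does nothing off Windows.

```python
import re
import sys

# Constructed sample autostart entries (value name, command) in the shape of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values. Not data from a real host.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    # Assumed shape of registry-resident persistence: rundll32.exe followed by inline
    # JavaScript carrying an encoded blob, under a value name starting with a NUL byte.
    # The blob is a placeholder (base64 of the alphabet), not a real sample.
    ("\u0000", 'rundll32.exe javascript:"placeholder";eval("QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVphYmNkZWZnaGlqa2xtbm9w")'),
]

RUNDLL = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)
INLINE_SCRIPT = re.compile(r"javascript:|vbscript:|\beval\(", re.IGNORECASE)
ENCODED_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def classify_entry(name, command):
    """Return the reasons an autostart entry looks like fileless, registry-resident persistence."""
    reasons = []
    if any(ord(c) < 32 or ord(c) > 126 for c in name):
        reasons.append("value name contains non-printable or non-ASCII characters (hidden from regedit)")
    if RUNDLL.search(command) and INLINE_SCRIPT.search(command):
        reasons.append("rundll32 launched with inline script instead of a DLL path")
    if ENCODED_BLOB.search(command):
        reasons.append("long encoded blob embedded in the command line")
    return reasons


def find_suspicious(entries):
    """Keep only (name, command, reasons) triples that have at least one reason."""
    return [(n, c, classify_entry(n, c)) for n, c in entries if classify_entry(n, c)]


def read_live_run_entries():
    """On Windows, enumerate the current user's Run key with the standard winreg module."""
    if sys.platform != "win32":
        return []
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        count = winreg.QueryInfoKey(key)[1]   # number of values under the key
        for i in range(count):
            name, data, _type = winreg.EnumValue(key, i)
            entries.append((name, str(data)))
    return entries


if __name__ == "__main__":
    for name, command, reasons in find_suspicious(SAMPLE_RUN_ENTRIES + read_live_run_entries()):
        print(repr(name), "->", "; ".join(reasons))
```

Non-ASCII value names will also trip the first check for legitimately localised software, so treat that reason as a prompt to look, not as a verdict on its own.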

Community Guide
Posts: 228
Registered: ‎06-04-2014

Re: Stealthy malware 'Poweliks' resides only in system registry


Really an interesting kind of malware; I wonder why this kind of behaviour wasn't used earlier.

WSA would probably not prevent an infection through the DOC file (or similar) but I'm sure that later during the payload the heuristics will detect the suspicious behaviour.

Community Guide



-Webroot Endpoint Protection user-
Community Manager
Posts: 5,324
Registered: ‎12-16-2013

Re: Stealthy malware 'Poweliks' resides only in system registry

Just got confirmation from Threat that we do catch this.  It does eventually try to run a payload dll, which we'll catch and stop.

Posts: 6,736
Topics: 4,523
Kudos: 8,622
Registered: ‎06-12-2013

Re: Stealthy malware 'Poweliks' resides only in system registry

Thank you for the update Nic, that is great news and just what I expected.

Sr. Community Leader