Poweliks malware creates no files, lays low in the registry
Posted on 04.08.2014
For most malware, performing its malicious task is the primary goal, and a close second is staying unnoticed on the system for as long as possible. As security software vendors keep improving their detection methods, malware authors keep looking for ways to stay one step ahead of them.

Take, for example, the Poweliks malware recently discovered and analyzed by G Data researchers. Poweliks is a trojan whose main objective is to download additional malware onto the system. So far, that is nothing new.

"When security researchers talk about malware, they usually refer to files stored on a computer system that are intended to damage a device or steal sensitive data from it. Those files can be scanned by AV engines and can be handled in a classic way," says researcher Paul Rascagneres.

But this malware is capable of surviving on the infected system without writing a file to disk: its code is stored in the registry and all of its tasks are performed in memory.

"To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reaches the customer's email inbox. Or, as a next line of defense, they need to detect the software exploit after the file's execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user."

As we've said, Poweliks doesn't create a file, but it does create an encoded autostart registry key that ensures the malicious activity survives system reboots. And here, again, the malware authors have found a way for this key to keep a low profile and resist analysis: the key name contains a non-ASCII character, which hides the entry from standard system tools and prevents it from being opened.

"This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful," commented Rascagneres.
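Because a non-ASCII name in an autostart key is exactly what the stock tools choke on, a responder wants an enumeration path that does not depend on them. The script below is an added example, not code from the article or from the G Data analysis: it walks the standard Run and RunOnce keys through the .NET registry API, renders every name as its UTF-16 code points so a hidden name is still visible in the output, and flags names containing characters outside printable ASCII as well as values carrying an unusually long blob of data. The printable-ASCII range and the 512-character length threshold are this script's own heuristics, not indicators published by the researchers.

```powershell
# Added example (not from the article or G Data). Enumerate Run/RunOnce keys
# via the .NET registry API and flag entries with non-ASCII names or long data.
# Assumptions: printable ASCII = 0x20-0x7E; data over 512 chars is "unusual".

$hives = [ordered]@{
    'HKCU' = [Microsoft.Win32.Registry]::CurrentUser
    'HKLM' = [Microsoft.Win32.Registry]::LocalMachine
}
$autostartPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$longDataThreshold = 512   # assumption: autostart data longer than this is unusual

function Test-NonAsciiName {
    param([string]$Name)
    # True if any character lies outside printable ASCII (0x20-0x7E).
    foreach ($ch in $Name.ToCharArray()) {
        $code = [int]$ch
        if ($code -lt 0x20 -or $code -gt 0x7E) { return $true }
    }
    return $false
}

function Format-RegName {
    param([string]$Name)
    # Show the name as UTF-16 code points so a hidden name still appears in output.
    if ([string]::IsNullOrEmpty($Name)) { return '(Default)' }
    $hex = ($Name.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
    return "'$Name' [$hex]"
}

function Get-DataPreview {
    param($Data)
    # Render value data as text; REG_BINARY arrives as byte[] and is shown as hex.
    if ($null -eq $Data) { return '' }
    if ($Data -is [byte[]]) { return ($Data | ForEach-Object { '{0:X2}' -f $_ }) -join '' }
    if ($Data -is [string[]]) { return $Data -join ' | ' }
    return [string]$Data
}

$findings = @()
foreach ($hiveName in $hives.Keys) {
    foreach ($path in $autostartPaths) {
        $key = $hives[$hiveName].OpenSubKey($path, $false)
        if ($null -eq $key) { continue }
        $location = "$hiveName\$path"

        # Subkeys whose names fall outside printable ASCII.
        foreach ($sub in $key.GetSubKeyNames()) {
            if (Test-NonAsciiName $sub) {
                $findings += [pscustomobject]@{
                    Location = $location; Kind = 'subkey'
                    Name = Format-RegName $sub; Reason = 'non-ASCII name'; Data = ''
                }
            }
        }

        # Values: check the name first, then the size of the data it carries.
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName, $null,
                [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $preview = Get-DataPreview $data
            $reasons = @()
            if (Test-NonAsciiName $valueName) { $reasons += 'non-ASCII name' }
            if ($preview.Length -gt $longDataThreshold) {
                $reasons += "data longer than $longDataThreshold chars"
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Location = $location; Kind = 'value'
                    Name = Format-RegName $valueName; Reason = ($reasons -join '; ')
                    Data = $preview.Substring(0, [Math]::Min(80, $preview.Length))
                }
            }
        }
        $key.Close()
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it in an elevated PowerShell session so the HKLM keys open; without elevation the HKLM branches are still readable, but a hardened system may restrict them. The code-point rendering is the important part: a name that a GUI tool displays as blank or refuses to open still shows up here as a concrete sequence of U+ values, which can be copied into a ticket or compared across hosts. Note that GetValueNames() returns an empty string for a populated default value, which the script reports as (Default) rather than skipping.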
Copyright 1998-2014 by Help Net Security.