Poweliks malware creates no files, lays low in the registry
Posted on 04.08.2014
For most malware, performing their malicious task(s) is the primary goal, and a close second is to stay unnoticed on the system for as long as possible. As developers of security software constantly improve detection methods, malware creators are always trying to keep one step ahead of their efforts.

Take, for example, the Poweliks malware recently discovered and analyzed by G Data researchers. Poweliks is a trojan whose main objective is to download additional malware on the system. So far, that is nothing new.

"When security researchers talk about malware, they usually refer to files stored on a computer system, which intends to damage a device or steal sensitive data from it. Those files can be scanned by AV engines and can be handled in a classic way," says researcher Paul Rascagneres.

But this malware is capable of surviving on the infected system without creating a file - all its tasks are performed within the memory.

"To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer's email inbox. Or, as a next line of defense, they need to detect the software exploit after the file's execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user."

As we've said, Poweliks doesn't create a file, but it does create an encoded autostart registry key that ensures the malicious activity survives system reboots. And here, again, the malware authors have found a way for this key to keep a low profile and resist analysis attempts: the key's name is not an ASCII character, which hides it from system tools and prevents it from being opened.

"This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful," commented Rascagneres.
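The hiding trick described above (an autostart entry whose name contains characters that ordinary tools do not display or cannot open) suggests a simple defender-side check: enumerate the Run keys through the registry API rather than through a GUI tool, and flag any value name that contains a character outside printable ASCII. The script below is an added example written for this article, not G Data's or Help Net Security's code. It assumes the two standard per-user and per-machine Run keys are the locations worth inspecting (the article does not name the exact key Poweliks used), and the entry names in the non-Windows fallback are constructed sample data so the check can be exercised offline.

```python
"""Flag autostart (Run key) entries whose names contain characters outside
printable ASCII, the kind of entry the Poweliks write-up describes.

Added example for this article; not G Data's or Help Net Security's code.
The sample entry names in collect_run_entries() are constructed.
"""
import sys

# Assumption: these two Run keys are where a defender would look first.
RUN_KEYS = (
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
)


def unusual_chars(name):
    """Return the characters in `name` that fall outside printable ASCII
    (0x20..0x7E): control characters such as NUL, and any non-ASCII letter."""
    return [ch for ch in name if not (0x20 <= ord(ch) <= 0x7E)]


def flag_entries(entries):
    """entries: iterable of (hive, value_name, data).

    Returns one finding per entry whose name contains unusual characters.
    The name is reported in escaped form and as U+XXXX code points so that
    an analyst can see exactly what is there even if a console cannot
    render it."""
    findings = []
    for hive, name, data in entries:
        bad = unusual_chars(name)
        if bad:
            findings.append({
                "hive": hive,
                "name_repr": name.encode("unicode_escape").decode("ascii"),
                "code_points": ["U+%04X" % ord(c) for c in bad],
                "data": data,
            })
    return findings


def collect_run_entries():
    """On Windows, read the Run keys through winreg, which enumerates value
    names regardless of whether regedit can display them. On other platforms
    return constructed sample entries so the script still runs offline."""
    if sys.platform != "win32":
        return [
            ("HKCU", "SomeUpdater", "<constructed command line>"),
            # constructed: name starts with a NUL control character
            ("HKCU", "\u0000svc", "<constructed command line>"),
            # constructed: name contains a non-ASCII letter
            ("HKLM", "\u00e9dit", "<constructed command line>"),
        ]
    import winreg  # Windows only
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    entries = []
    for hive_name, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(hives[hive_name], path)
        except OSError:
            continue  # key absent or not readable; skip it
        with key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries.append((hive_name, name, str(data)))
                index += 1
    return entries


if __name__ == "__main__":
    for finding in flag_entries(collect_run_entries()):
        print(finding)
```

Run it as a normal user on the host under investigation; a finding is not proof of compromise on its own (the data field still needs to be examined), but a Run value whose name cannot be typed on a keyboard is worth a closer look, and the escaped name gives the incident response team something they can copy into a report or a removal script.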

Copyright 1998-2014 by Help Net Security.