A new form of persistent malware has been discovered that does not create any files on disk and stores all the commands for its activities in the registry.
In a blog post, security researcher Paul Rascagneres of GData described in detail the peculiarities of the new type of malware, named Poweliks. The researcher describes its methods as "rather rare and new", since everything is done in the computer's memory and not on the hard disk, thus avoiding detection and analysis by security software.
The malware arrives in an e-mail message that contains a Word document. The vulnerability used by the attackers is CVE-2012-0158, which affects Office and many other Microsoft products. It is not new, but many users still run old versions of the software.
As soon as someone opens the file, the malware establishes its persistence by creating an encrypted autostart key in the registry. The encoding technique used by the malware appears to have been originally created by Microsoft to protect source code from modification.
To avoid detection by system tools, the registry key is hidden behind a name containing non-ASCII characters, which makes it impossible to view in the Windows Registry Editor (regedit.exe).
By creating the autostart key, the attackers ensure that a system restart does not remove the malware from the computer.
By decoding the key, Rascagneres found two different sets of code: one that verifies that the infected computer has Windows PowerShell installed, and another, a Base64-encoded PowerShell script, that invokes and executes the shellcode.
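A defender's triage check for the two indicators described above (an autostart value whose name contains non-ASCII characters, and a value that launches PowerShell with a Base64-encoded command), written as an added example that is not from the article or from GData's research. The registry entries are constructed samples, not real Poweliks artifacts, and the entries are assumed to have already been exported from the Run key into (name, value) pairs.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# PowerShell's -EncodedCommand switch (or an accepted short form) followed by
# its Base64 argument. The argument is Base64 of the script text in UTF-16LE.
ENCODED_CMD_RE = re.compile(
    r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def has_non_ascii(name: str) -> bool:
    """True if the value name contains characters regedit cannot show properly."""
    return any(ord(ch) > 0x7F for ch in name)


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand argument; None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_entry(name: str, value: str) -> List[str]:
    """Return the suspicious traits of one autostart (name, value) pair."""
    findings = []
    if has_non_ascii(name):
        findings.append("non-ASCII value name (hidden from regedit)")
    if re.search(r"powershell(?:\.exe)?", value, re.IGNORECASE):
        findings.append("invokes PowerShell")
        match = ENCODED_CMD_RE.search(value)
        if match:
            decoded = decode_encoded_command(match.group(1))
            findings.append(f"encoded command: {decoded!r}" if decoded
                            else "encoded command (undecodable)")
    return findings


def triage_all(entries: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each suspicious entry name to its findings; clean entries are omitted."""
    return {n: f for n, v in entries if (f := triage_entry(n, v))}


# Constructed sample Run-key export (hypothetical, harmless commands).
_b64 = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\u200bUpdater", f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {_b64}"),
]

if __name__ == "__main__":
    for name, findings in triage_all(SAMPLE_RUN_ENTRIES).items():
        print(repr(name), findings)
```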
According to the researcher, the shellcode runs the payload, which attempts to connect to a remote command and control (C&C) server to receive instructions. There are multiple IP addresses for the C&C servers, all hard-coded.
The peculiarity of this malicious software is that it does not create any files on disk, which makes it very difficult to detect through classic protection mechanisms.