SECURITY RESEARCHERS have discovered a malware program that infects a system without the need to install any files, by living in the registry.
The rare form of malware was discovered by a security company called Gdata, which found that it does not create any file on the infected system because it lives in the infected computer's registry, thus making it nearly impossible for traditional anti-virus engines to detect it.
"All activities are stored in the registry. No file is ever created," said Gdata senior threat researcher Paul Rascagnères, in a blog post. "So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of the [machine] even after a system re-boot."
Rascagnères explained that the threat uses a technique that is rarely examined. The initial file that triggers all malicious activity on the computer system holds all the code necessary for the attack, encrypted and hidden, waiting to be called and executed.
The analyzed sample was dropped by a Microsoft Word document that exploits the vulnerability described in CVE-2012-0158. The document reportedly was found as an attachment to a fake Canada Post and USPS email that claims to hold information about ordered items for the recipient of the spam.
"To unfold the harmful actions, the attackers work step-by-step deeper into the code, executing steps one after the other [- it] reminds [us] of the stacking principles of Matryoshka dolls," Rascagnères said.
The autostart key entry uses non-ASCII characters, so Windows Regedit cannot read or open it.
"At the entry point, they exploit a vulnerability in Microsoft Word with the help of a crafted Word document they spread via email. After that, they make sure that the malicious activities survive system re-boot by creating an encoded autostart registry key. To remain undetected, this key is disguised/hidden," explained Rascagnères.
"Decoding this key shows two new aspects. Code which makes sure the affected system has Microsoft Powershell installed and additional code. The additional code is a Base64-encoded Powershell script, which calls and executes the shellcode (assembly)."
Rascagnères said that as a final step, this shellcode executes a Windows binary, the payload.
"In the case analysed, the binary tried to connect to hard coded IP addresses to receive further commands, but the attackers could have triggered any other action at this point," he added.
To prevent attacks like this, Gdata warned that anti-virus software has to either catch the file before it is executed or preferably before it reaches the customer's email inbox.
As a next line of defence, Gdata said users need to detect the software exploit after the file's execution, or, as a last step, in-registry surveillance has to detect unusual behaviour, block the corresponding processes and alert the user.
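One form the in-registry surveillance described above can take is a scan of exported Run/RunOnce keys for the traits the article names: a value name containing non-ASCII characters, and value data that carries a Base64 blob decoding to a PowerShell command. The code and the sample registry export below are an added illustration, not Gdata's tooling; the export text is constructed and the "encoded" value is a harmless command, not real malware data.

```python
import base64
import re

# Constructed sample: a "reg export" of the per-user Run key. The second value has a
# non-ASCII name and data carrying a Base64 blob (UTF-16LE, as PowerShell's
# -EncodedCommand expects) that decodes to a benign PowerShell command line.
SAMPLE_B64 = base64.b64encode(
    "powershell.exe -NoProfile -Command Write-Output constructed-sample".encode("utf-16le")
).decode()
SAMPLE_REG_EXPORT = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"OneDrive"="\\"C:\\\\Users\\\\alice\\\\OneDrive.exe\\" /background"\n'
    f'"\u00e9Updater"="cmd.exe /c {SAMPLE_B64}"\n'
)

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data (REG_SZ only)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")         # long Base64-looking run

def unescape(s):
    """Undo the .reg export escaping of quotes and backslashes in a value name."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def decode_b64_text(blob):
    """Return readable text if the blob is Base64 of UTF-16LE or UTF-8 text, else ''."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return ""
    for enc in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            return text
    return ""

def scan_run_values(reg_text):
    """Return [(value_name, [reasons])] for suspicious Run/RunOnce entries."""
    findings, in_run_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            key = line.rstrip("]").lower()
            in_run_key = key.endswith("\\run") or key.endswith("\\runonce")
            continue
        m = VALUE_LINE.match(line) if in_run_key else None
        if not m:
            continue
        name, data = unescape(m.group(1)), m.group(2).strip('"')
        reasons = []
        if any(ord(ch) > 127 for ch in name):
            reasons.append("non-ASCII character in value name")
        if "powershell" in data.lower():
            reasons.append("value data invokes PowerShell")
        if any("powershell" in decode_b64_text(b).lower() for b in B64_RUN.findall(data)):
            reasons.append("Base64 blob decodes to a PowerShell command")
        if reasons:
            findings.append((name, reasons))
    return findings
```

Run against a real export (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`) the same function surfaces entries that Regedit itself may not display properly.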