Feeds

Windows Registry-infecting malware has no files, survives reboots

Antivirus doesn't stand a chance because there's nothing for it to scan

Internet Security Threat Report 2014

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.

The malware resides in the computer registry only and is therefore not easy to detect.

It code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.

"All activities are stored in the registry. No file is ever created," Rascagneres said in a post.

"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

"To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."

Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres said the feature set was akin to a Matryoshka Doll due to its subsequent and continual 'stacked' execution of code.

The non-ASCII trick is a tool Microsoft uses to hide its source code from being copied, but the feature was later cracked.

Security kit can alternatively detect the software exploit, or as a final step monitor the registry for unusual behaviour, he said.

Malware geeks on the KernelMode.info forum last month analysed one sample which exploited the flaws explained in CVE-2012-0158 that affected Microsoft products including Office.

Deviants distributed the malware under the guise of Canada Post and UPS emails purportedly carrying tracking information.

"This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful," Rascagneres said.

Rascagneres has made a name ripping malware and bots to uncover and undermine black hat operations. He won last years' Pwnie Award at Black Hat Las Vegas for tearing through the infrastructure of Chinese hacker group APT1. ®

Internet Security Threat Report 2014

More from The Register

next story
George Clooney, WikiLeaks' lawyer wife hand out burner phones to wedding guests
Day 4: 'News'-papers STILL rammed with Clooney nuptials
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.