Tuesday, August 5, 2014

Windows Registry-infecting malware has no files, survives reboots

Antivirus doesn't stand a chance because there's nothing for it to scan

Researchers have detailed a rare form of Windows malware that maintains infection on machines and steals data without installing files.

The malware resides only in the Windows registry and is therefore not easy to detect with file-based scanning.
Its code reaches machines through a malicious Microsoft Word document before creating a hidden, encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary, all from data held in the registry.

"All activities are stored in the registry. No file is ever created," Rascagneres said in a post.
"So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.

"To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer's email inbox."
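The persistence mechanism described above, an autostart value with a hidden name whose data is encoded rather than a plain executable path, is what a responder can hunt for even when no file exists on disk. The triage script below is an added example, not code from the article or from Rascagneres' research: it parses a `.reg` export of the Run keys and flags values with non-printable names, script hosts launched with inline or encoded commands, and raw PE images stored as binary data. The registry export, the hidden value names and the encoded command are constructed sample data, and the heuristics are generic ones that go beyond the single Word-document case the article describes.

```python
import base64
import re

# Constructed sample of a `reg export` of the per-user Run key (hypothetical
# data, not taken from the page). "OneDrive" is a benign entry; the two values
# with control-character names are the kind of registry-only persistence the
# article describes: one launches an encoded command, the other holds a raw
# Windows binary (MZ header) as REG_BINARY data.
_ENCODED_CMD = base64.b64encode(
    "Start-Process -WindowStyle Hidden stage2.exe".encode("utf-16le")
).decode()

SAMPLE_REG_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    '"\u0001"="powershell.exe -w hidden -enc ' + _ENCODED_CMD + '"',
    '"\u0002"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,\\',
    "  00,00,00,00,40,00,00,00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Themes]",
    r'"CurrentTheme"="C:\\Windows\\resources\\Themes\\aero.theme"',
    "",
])

# Keys whose values are executed at logon (subset; extend for your environment).
AUTOSTART_KEY = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|Policies\\Explorer\\Run)$", re.I)
_VALUE_LINE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
_SCRIPT_HOST = re.compile(
    r"\b(rundll32|mshta|wscript|cscript|powershell|regsvr32|cmd)(\.exe)?\b", re.I)
_ENC_ARG = re.compile(r"[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def _unescape(s):
    # .reg files escape only backslash and double quote.
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(text):
    # hex: data is wrapped with a trailing backslash; glue those lines back.
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def _parse_data(rest):
    rest = rest.strip()
    if rest.startswith('"') and rest.endswith('"'):
        return "REG_SZ", _unescape(rest[1:-1])
    if rest.lower().startswith("dword:"):
        return "REG_DWORD", int(rest[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", rest, re.I)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        kind = {None: "REG_BINARY", "2": "REG_EXPAND_SZ",
                "7": "REG_MULTI_SZ"}.get(m.group(1), "REG_HEX%s" % m.group(1))
        if kind in ("REG_EXPAND_SZ", "REG_MULTI_SZ"):
            return kind, raw.decode("utf-16le", "replace").rstrip("\x00")
        return kind, raw
    return "UNKNOWN", rest


def parse_reg_export(text):
    """Parse .reg text into (key, value_name, kind, data) tuples."""
    entries, key = [], None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            kind, data = _parse_data(m.group(2))
            entries.append((key, name, kind, data))
    return entries


def analyze_autostart(entries):
    """Return findings for autostart values that look like registry-only persistence."""
    findings = []
    for key, name, kind, data in entries:
        if not AUTOSTART_KEY.search(key):
            continue
        reasons, decoded = [], None
        if not all(32 <= ord(c) < 127 for c in name):
            reasons.append("value name contains non-printable characters (not shown properly by regedit)")
        if isinstance(data, bytes):
            if data[:2] == b"MZ":
                reasons.append("binary data starts with an MZ header: PE image stored in the registry")
            else:
                reasons.append("non-string data under an autostart key")
        else:
            text = str(data)
            host, enc = _SCRIPT_HOST.search(text), _ENC_ARG.search(text)
            if host and (enc or re.search(r"(java|vb)script:", text, re.I)):
                reasons.append("script host %s launched with inline or encoded code" % host.group(1).lower())
            elif _B64_BLOB.search(text):
                reasons.append("long base64-like blob in autostart data")
            if enc:
                try:  # PowerShell -enc payloads are base64 of UTF-16LE text
                    decoded = base64.b64decode(enc.group(1)).decode("utf-16le", "replace")
                except ValueError:
                    decoded = None
        if reasons:
            findings.append({"key": key, "name": name, "kind": kind,
                             "reasons": reasons, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in analyze_autostart(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("%s \\ %r [%s]" % (f["key"], f["name"], f["kind"]))
        for r in f["reasons"]:
            print("  -", r)
        if f["decoded"]:
            print("  decoded:", f["decoded"])
```

On a live host the input would come from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent); `reg export` writes UTF-16, so read the file with `encoding="utf-16"` before passing it to `parse_reg_export`. The value-name check matters most here: an entry that a file scanner never sees still has to be listed by the registry, and a name that normal tools cannot render is itself the indicator.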
Read more: http://www.theregister.co.uk/2014/08/04/registryinfecting_rebootresisting_malware_has_no_files/
