Microsoft researchers find new type of stealth malware


Tom172

Level 1
Thread author
Feb 11, 2011
1,009
Security researchers have uncovered a new type of malware that appears to be benign as it is downloaded, potentially fooling security software, but which morphs into malicious software once it is on a user's computer.

Researchers at Microsoft's Malware Protection Centre wrote about their findings this week, explaining that the code is surprising in that unlike most other similar types of malware, it doesn't attempt to download or inject an executable file into a host machine. Instead, it downloads apparently harmless code. However, the researchers found that the code was not harmless at all when they allowed it to execute.


Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
Instead, it downloads apparently harmless code. However, the researchers found that the code was not harmless at all when they allowed it to execute.
"Once the application was run on a machine with a simulated internet connection, it downloaded files from another website, then copied itself to the Windows system folder as 'misys.exe', and started keylogging."
The sophistication of this new malware is that this malicious behaviour was not apparent from a straightforward analysis of the code itself, which is what security researchers and most security products attempt to do when encountering suspicious software.

It's not as bad as it sounds; in fact the only component that could in theory miss this threat is the actual antivirus engine, and more specifically the definitions. As you've read, once downloaded it starts to show strong malware-related behaviour which any security suite or layered protection would be able to detect:
It connects to an unknown site - Firewall
It downloads additional files - HIPS, Firewall, Behavior Blocker
It copies itself to the Windows system folder - HIPS, Heuristic engine, Behavior Blocker
And the keylogging thing would be detected by any decent product.

@pcjunklist An even simpler way to prevent this would be to leave UAC enabled and actually not run an unknown file :p
 

Prorootect

Level 69
Verified
Nov 5, 2011
5,855
Another quote, if you wish:

Researchers explained that it changes its functionality by downloading new instructions directly to its own process, rather than attempting to change the registry, or other system processes, which is more commonly seen in malware.

"The application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The 'downloader' becomes malware by executing this downloaded blob of x86 instructions.

"And the downloaded instructions will not be injected to a different process and not dropped to disc, they will be executed in the process context of the 'downloader', thus the 'downloader' inherits the malware functionality."

This malware is fairly simple to create with a basic malware builder tool, meaning that it could quickly become more prevalent.


Horrible. So quickly click on the Stop Internet button. :D
 
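The pattern the quoted researchers describe, "downloading and executing x86 instructions in the context of its own process", as an added example that is not the malware's code nor anything from Microsoft's write-up. The network fetch is replaced by a constructed six-byte blob (mov eax, 42 ; ret), the mapping uses POSIX mmap/mprotect (VirtualAlloc/VirtualProtect are the Windows equivalents), and on a non-x86 CPU the function refuses to run the blob and returns -1.

```c
/* Added example, not from the thread or MMPC: a stub that receives a blob
 * of x86 instructions and runs it inside its own process, the way the
 * quoted write-up describes.  The blob here is constructed and harmless:
 * mov eax, 42 ; ret.  POSIX mmap/mprotect are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#ifndef MAP_ANONYMOUS
# ifdef MAP_ANON
#  define MAP_ANONYMOUS MAP_ANON   /* BSD / macOS spelling */
# else
#  define MAP_ANONYMOUS 0x20       /* Linux value, if the header hides it */
# endif
#endif

/* Stand-in for the "downloaded" instructions: B8 2A 00 00 00 = mov eax,42 ; C3 = ret */
static const uint8_t fetched_blob[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };

typedef int (*blob_fn)(void);

/* Copy the blob into anonymous memory, make it executable, call it.
 * Returns the blob's return value, or -1 if it cannot be run here. */
int run_blob(const uint8_t *blob, size_t len) {
    if (len == 0) return -1;
#if defined(__x86_64__) || defined(__i386__)
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, blob, len);
    /* Flipping W to X on an anonymous mapping is the one observable step:
     * this mprotect (VirtualProtect on Windows) is what a behaviour
     * blocker or EDR hooks to catch in-process loaders like this one. */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return -1;
    }
    blob_fn fn;
    memcpy(&fn, &mem, sizeof fn);   /* data pointer becomes code pointer */
    int r = fn();
    munmap(mem, len);
    return r;
#else
    (void)blob;
    return -1;   /* the blob is x86 code; refuse on other CPUs */
#endif
}

int demo_result(void) {
    return run_blob(fetched_blob, sizeof fetched_blob);
}

int main(void) {
    printf("blob returned %d\n", demo_result());
    return 0;
}
```

Nothing in this stub looks malicious on disk: no dropped file, no injection into another process, no registry write, and the bytes that decide what it does are not in the binary at all. That is why the MMPC team only saw the behaviour once they let it execute, and why the detection has to sit at the mprotect/VirtualProtect call or on the behaviour that follows, not in a signature on the downloader.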