Java-based Web Attack Installs Hard-to-detect Malware in RAM

jamescv7

Level 85
Thread author
Verified
Honorary Member
Mar 15, 2011
13,070
A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.

Drive-by download attacks are one of the primary methods of distributing malware over the Web. They usually exploit vulnerabilities in outdated software products to infect computers without requiring user interaction.

Kaspersky Lab researchers recently investigated such an attack on visitors to www.ria.ru, a website that belongs to the Russian RIA Novosti news agency, and www.gazeta.ru, a popular Russian-language online newspaper.

The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn't hosted on the affected websites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service called AdFox.


Hungry Man

New Member
Jul 21, 2011
669
You can't install malware to RAM. I understand the concept of having malware stay in RAM but if it doesn't EVER touch the disk you can just restart and that'll remove it.

edit: I see it acted as a bot, eventually downloading trojans.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
'Fileless' malware installs into RAM

The Register said:
Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims' PCs.

The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process.

Once under your machine's guard, the malware tries to attack Windows User Account Control so it can install the Lurk Trojan and connect to an associated botnet. That installation attempt is the malware's key task, as living in RAM means fileless malware won't survive a system reboot.

That the malware is able to do so is down to a known Java vulnerability, CVE-2011-3544 to be precise. Snoracle has long-since patched that hole. Another mitigating factor that will hopefully make this a short-lived attack is the fact Kaspersky picked it up in ads served only on Russian web sites. The security company has informed the ad-serving company and the offending code has been withdrawn.

Read more : http://www.theregister.co.uk/2012/03/18/fileless_malware_found/
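The Register piece above describes the behaviour that gives a defender a handle on this malware even though it never touches disk: the payload runs inside the trusted javaw.exe process and then has to spawn or drop something (the UAC bypass attempt, the Lurk installer) to persist. A cheap detection is therefore to watch what javaw.exe spawns. The following is an added example, not code from Kaspersky, The Register, or this forum; the event records are constructed to imitate Sysmon "process create" fields (ParentImage, Image, CommandLine) and the allow-list of expected Java child processes is an assumption you would tune to your own environment.

```python
"""Toy detection rule: flag javaw.exe spawning unexpected child processes.

Added example for illustration only. The event records below are
constructed to look like Sysmon process-creation fields; they are not
real telemetry from the incident discussed on this page.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str   # command line of the new process


# Child images a Java runtime is expected to launch (assumption; tune it).
ALLOWED_JAVA_CHILDREN = {"java.exe", "javaw.exe", "javac.exe", "jps.exe"}

# Directory names that an ordinary user can write to; a child launched
# from one of these is a stronger signal than one from Program Files.
USER_WRITABLE_DIRS = {"temp", "tmp", "appdata", "downloads"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (parsing works on any OS)."""
    return PureWindowsPath(path).name.lower()


def in_user_writable_dir(path: str) -> bool:
    """True if any directory component of the path is user-writable."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & USER_WRITABLE_DIRS)


def assess(ev: ProcessEvent) -> List[str]:
    """Return the list of reasons this event is suspicious (empty if not).

    Only events whose parent is javaw.exe are considered, because the
    described payload lives inside that process and anything it launches
    is the observable side effect of its attempt to install itself.
    """
    reasons: List[str] = []
    if basename(ev.parent_image) != "javaw.exe":
        return reasons
    child = basename(ev.image)
    if child not in ALLOWED_JAVA_CHILDREN:
        reasons.append(f"javaw.exe spawned non-Java process {child}")
        if in_user_writable_dir(ev.image):
            reasons.append("child image lives in a user-writable directory")
    return reasons


def find_suspicious(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    """Run assess() over a batch of events and keep the ones with findings."""
    flagged = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample batch: two benign events, two that the rule should catch.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Java\jre7\bin\javaw.exe",
                 "javaw.exe -jar app.jar"),
    ProcessEvent(r"C:\Program Files\Java\jre7\bin\javaw.exe",
                 r"C:\Program Files\Java\jre7\bin\java.exe",
                 "java.exe -version"),
    ProcessEvent(r"C:\Program Files\Java\jre7\bin\javaw.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c PLACEHOLDER"),
    ProcessEvent(r"C:\Program Files\Java\jre7\bin\javaw.exe",
                 r"C:\Users\alice\AppData\Local\Temp\update.exe",
                 "update.exe"),
]


if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(ev.image)
        for r in reasons:
            print("   -", r)
```

Running the block prints the two flagged events: the cmd.exe launch gets one reason, the Temp-directory executable gets two. The rule is deliberately narrow; a real deployment would add the same parent check for the browser-plugin host and for other process names an exploit kit targets, and would pair it with the Java update check that Jack recommends below, since an up-to-date runtime removes the entry point entirely.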
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
RE: 'Fileless' malware installs into RAM

Yet another reason why you should uninstall Java if you don't need it, or at least check to see if it's up to date........... ;D
 

jamescv7

Level 85
Thread author
Verified
Honorary Member
Mar 15, 2011
13,070
Most of the viruses/malware that have a vector through Java or Flash Player, however, don't get installed in the system; chances are they would not successfully compromise it, and would be terminated or not work. Likely 80-85% of users around the world use Java, and mostly out of date, so infection could happen.
 
