- Feb 1, 2013
- 969
When you think about malware, you probably imagine a nasty little file that’s been installed on your computer. When you think about anti-malware, you probably imagine some sort of program that can remove that nasty file, and help you go about your day, malware-free. Malware doesn’t always need files though. And anti-malware can’t always do its job through file detection alone.
New research has uncovered a malware called Poweliks that can infect your computer without creating any files on your hard drive.
Instead, Poweliks creates a blank registry entry that automatically runs when you boot up your computer. This registry entry will check if your computer has Windows PowerShell installed, and initiate a download of the scripting program if it doesn’t. Once the presence of PowerShell is confirmed, Poweliks will then run a script that injects a malicious DLL into system memory. This DLL then connects your computer to a command and control server, which can be used to collect personal information or to load more malware onto an infected PC.
Poweliks is particularly evasive for two reasons: it does not create files on the hard drive and, according to reports, it creates a blank registry entry using a non-ASCII character. Both of these measures ensure that manual detection by user or even malware researcher are difficult. Poweliks’ file-less nature also means that antivirus products that rely on file-based detection alone will not find it.
For the full story on Poweliks, see PC Magazine. For technical analysis, see Malware Don’t Need Coffee.
Have a great (malware-free) day!
- See more at: http://blog.emsisoft.com/2014/08/06...ttle-malware-that-could/#sthash.IvKCJajx.dpuf
New research has uncovered a malware called Poweliks that can infect your computer without creating any files on your hard drive.
Instead, Poweliks creates a blank registry entry that automatically runs when you boot up your computer. This registry entry will check if your computer has Windows PowerShell installed, and initiate a download of the scripting program if it doesn’t. Once the presence of PowerShell is confirmed, Poweliks will then run a script that injects a malicious DLL into system memory. This DLL then connects your computer to a command and control server, which can be used to collect personal information or to load more malware onto an infected PC.
Poweliks is particularly evasive for two reasons: it does not create files on the hard drive and, according to reports, it creates a blank registry entry using a non-ASCII character. Both of these measures ensure that manual detection by user or even malware researcher are difficult. Poweliks’ file-less nature also means that antivirus products that rely on file-based detection alone will not find it.
For the full story on Poweliks, see PC Magazine. For technical analysis, see Malware Don’t Need Coffee.
Have a great (malware-free) day!
- See more at: http://blog.emsisoft.com/2014/08/06...ttle-malware-that-could/#sthash.IvKCJajx.dpuf
