Poweliks malware creates no files, lays low in the registry


For most malware, performing their malicious task(s) is the primary goal, and a close second is to stay unnoticed on the system for as long as possible. As developers of security software constantly improve detection methods, malware creators are always trying to keep one step ahead of their efforts.

Take, for example, the Poweliks malware recently discovered and analyzed by G Data researchers. Poweliks is a trojan whose main objective is to download additional malware on the system. So far, that is nothing new.

“When security researchers talk about malware, they usually refer to files stored on a computer system, which intend to damage a device or steal sensitive data from it. Those files can be scanned by AV engines and can be handled in a classic way,” says researcher Paul Rascagneres.

But this malware is capable of surviving on the infected system without creating a file – all its tasks are performed within the memory.

“To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user.”

As we’ve said, Poweliks doesn’t create a file, but it does create an encoded autostart registry key that ensures the malicious activity survives system reboots. And here, again, the malware authors have found a way for this key to keep a low profile and resist analysis attempts: the key’s name is not an ASCII character, which hides it from system tools and prevents it from being opened.

“This trick prevents a lot of tools from processing this malicious entry at all and it could generate a lot of trouble for incident response teams during the analysis. The mechanism can be used to start any program on the infected system and this makes it very powerful,” commented Rascagneres.
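As an added example (not from G Data's analysis or this article), the following PowerShell hunt enumerates the common Run/RunOnce autostart locations through the .NET registry API and reports any value or subkey whose name contains characters outside printable ASCII, writing the name out as hex so it can be recorded even when it will not display. The autostart paths checked and the printable-ASCII threshold are my assumptions, not details from the report.

```powershell
# Added example, not code from the article: flag autostart entries whose
# names contain characters that ordinary tools may fail to display or open.
# Assumed autostart locations to inspect (extend as needed).
$autostartPaths = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-SuspiciousName {
    param([string]$Name)
    # Any character outside printable ASCII (0x20-0x7E) is treated as suspicious.
    foreach ($c in $Name.ToCharArray()) {
        $code = [int]$c
        if ($code -lt 0x20 -or $code -gt 0x7E) { return $true }
    }
    return $false
}

function ConvertTo-HexName {
    param([string]$Name)
    # Render each UTF-16 code unit as 4 hex digits so the name is loggable.
    ($Name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
}

function Find-HiddenAutostart {
    $hives = @([Microsoft.Win32.Registry]::LocalMachine,
               [Microsoft.Win32.Registry]::CurrentUser)
    foreach ($hive in $hives) {
        foreach ($path in $autostartPaths) {
            $key = $hive.OpenSubKey($path)
            if ($null -eq $key) { continue }   # hive or path not present
            # Value names: the entries that actually launch programs at logon.
            foreach ($valueName in $key.GetValueNames()) {
                if (Test-SuspiciousName $valueName) {
                    [pscustomobject]@{
                        Location = "$($hive.Name)\$path"
                        Kind     = 'Value'
                        NameHex  = ConvertTo-HexName $valueName
                        Data     = [string]$key.GetValue($valueName)
                    }
                }
            }
            # Subkey names: covers the "key's name" variant of the trick.
            foreach ($subKey in $key.GetSubKeyNames()) {
                if (Test-SuspiciousName $subKey) {
                    [pscustomobject]@{
                        Location = "$($hive.Name)\$path"
                        Kind     = 'SubKey'
                        NameHex  = ConvertTo-HexName $subKey
                        Data     = ''
                    }
                }
            }
            $key.Close()
        }
    }
}

Find-HiddenAutostart | Format-List
```

Run it from an elevated prompt so the HKLM paths are readable; an empty result means no names outside printable ASCII were found in the checked locations, not that the host is clean.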