Reboot to restore: New ‘fileless​’ malware making the rounds

Reboot to restore: New ‘fileless​’ malware making the rounds

Traditional malware samples all operate in relatively the same manner, using one or more downloaded files to infect the system and avoid detection by any protection software. However, a newly discovered malware sample is taking a new approach to evading exposure through a "fileless" structure. Users can protect themselves by utilizing a layered security approach that includes a reboot to restore solution like Faronics' Deep Freeze.

Poweliks: Hiding in computer registry
Instead of living within files like conventional malware, this recently uncovered sample – dubbed Poweliks – consists of encrypted text that hides on the infected computer's registry. This way, it can attack the system to gain control over the machine's primary functions to download additional malware and provide capabilities for other malicious pursuits.

Malware researcher Paul Rascagneres noted that the fact that the sample is nearly invisible to antivirus and other protection programs makes for "a potentially very dangerous situation."

"As the malware is very powerful and can download any payload, the amount of possible damage is not really measurable," Rascagneres stated. 

Spread through email, drive-by attacks
Besides exhibiting rare detection avoidance capabilities, Poweliks also uses a number of different strategies to spread its infection. One of the most prevalent techniques seen is an email attack via an attached, corrupted Microsoft Word file. Oftentimes, the emails appear to come from legitimate organizations such as the Canada Post and USPS. The malicious attachment exploits a vulnerability in Microsoft Office 2003, 2007 and 2010. Microsoft patched the issue in April 2012, but those that have not downloaded the update leave themselves at risk for infection.

When this attack avenue fails, the malware uses a drive-by download attack strategy to distribute itself onto unsuspecting systems through Web exploits. Experts that have analyzed Poweliks believe that the attack approaches utilized by the sample will be leveraged by other malware creators in the near future to create similar strains.

Protecting against Poweliks
Due to its complex architecture, Poweliks is difficult to prevent, though not impossible.

"[A]ntivirus solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer's email inbox," Rascagneres noted. "Or, as a next line of defense, they need to detect the software exploit after the file's execution, or as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user."

In addition, the use of reboot to restore software, like Faronics' Deep Freeze, as part of a layered security approach can also prevent damage from malware like Poweliks.

"The concept of 'fileless' malware that only exists in the system's memory is not new, but such threats are rare because they typically don't survive across system reboots," PCWorld contributor Lucian Constantin pointed out.

Such protections are especially important in corporate environments, where increasingly sensitive information is at risk. As the Poweliks infection allows the attacker to download additional malware that could threaten the safety of mission-critical content, company decision-makers should include a reboot to restore solution as part of their overall security protocol.