Researchers have discovered an extremely rare and possibly unique form of “fileless” malware that executes entirely in memory without the need to save any files to the hard drive of a victim’s PC.
The latest discovery was made by Kaspersky Lab, which received reports of a malware attack hitting a common Java vulnerability (CVE-2011-3544) on Russian Web sites, but without appearing to drop any files in order to instigate a conventional Trojan attack.
In fact the attack turned out to run Javascript from an iFrame embedded on an infected Web site, injecting its encrypted .dll payload directly into the Javaw.exe process.
The purpose of the unusual malware appears to be twofold; first to disable Windows User Account Control (UAC) and second to act as a ‘pathfinder’, setting up a bot to communicate with a command and control server from which it can receive instructions, including one to install the Lurk data-stealing Trojan on the infected PC.
A new malware attack is injected directly to Javaw.exe.
The disadvantage of this attack is that the user can clear it from memory by restarting the machine in which case a new infection would be required. In return for this inconvenience, it is extremely hard to detect. No files are written and at first at least no files are changed on the target PC. If the exploit being targeted is unpatched then security programs will not pick it up easily.
The use of Java also makes it multi-platform, able to target PCs, Macs and Linux computers, although the Trojan that followed in the recorded attack was Windows-only.
Kaspersky reminds us that the new malware is reminiscent of the infamous Code Red and Slammer worms of a decade ago, but both of these were built simply to spread as far and fast as possible; since both attacked specific Microsoft programs using buffer overflows no files were needed.
The new attack is really more of an advance ‘stub’ that sets up an attack for a later point after exploiting its low profile to circumvent security systems. This counts as distinct and new.
“Based on our analysis of the protocol used by Lurk to communicate to the command servers, we determined that over a period of several months, these servers processed requests from up to 300,000 infected machines,” said Kaspersky researcher, Sergey Golovanov.
