New Russian malware doesn’t need a file to infect you

Security

John E. Dunn
Published: March 21st, 2012

Researchers have discovered an extremely rare and possibly unique form of “fileless” malware that executes entirely in memory, never writing a file to the victim PC’s hard drive.

The discovery was made by Kaspersky Lab, which received reports of attacks on Russian Web sites that exploited a widely abused Java vulnerability (CVE-2011-3544) but, unusually, dropped no files on disk to install a conventional Trojan.

In fact the attack turned out to run JavaScript from an iframe embedded on a compromised Web site; the Java exploit then loaded an encrypted DLL payload straight into the memory of the javaw.exe process, the Java runtime the browser launches to run applets.

The unusual malware appears to have two jobs: first to disable Windows User Account Control (UAC), and second to act as a ‘pathfinder’, setting up a bot that contacts a command-and-control server for instructions, one of which is to install the Lurk data-stealing Trojan on the infected PC.

[Image caption: a new malware attack is injected directly into javaw.exe.]

The weakness of this approach is that the payload lives only in memory: restarting the machine clears it, and the victim has to be exploited again to re-infect the PC. In return for this inconvenience, it is extremely hard to detect. No files are written and, at first at least, no files on the target PC are changed, so file-based scanning has nothing to inspect. If the Java vulnerability being exploited is unpatched, security programs will not pick the attack up easily.
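The two traces the article describes, a UAC policy that has been switched off and a DLL living in memory that no file on disk backs, are exactly what a responder can look for on a suspect host before rebooting it. The PowerShell script below is an added example, not code from the article or from Kaspersky’s analysis. It assumes 64-bit Windows PowerShell 5.1 or later and an elevated prompt (OpenProcess needs PROCESS_VM_READ on a process that belongs to another user); the function names Get-UacStatus and Get-InjectedImages, and the constants and registry values they use, are this example’s own.

```powershell
# Added example, not part of the article or of Kaspersky's analysis.
# Two checks for the traces described above: (1) UAC policy values tampered with,
# (2) a PE image sitting in private (non-file-backed) executable memory inside a
# Java process. Assumes 64-bit Windows PowerShell 5.1+, run elevated.

$signature = @'
using System;
using System.Runtime.InteropServices;
public static class Mem {
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress;
        public IntPtr AllocationBase;
        public uint   AllocationProtect;
        public IntPtr RegionSize;
        public uint   State;
        public uint   Protect;
        public uint   Type;
    }
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern int VirtualQueryEx(IntPtr h, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, int len);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int len, out IntPtr read);
    [DllImport("kernel32.dll")]
    public static extern bool CloseHandle(IntPtr h);
}
'@
Add-Type -TypeDefinition $signature

function Get-UacStatus {
    # The in-memory DLL's first job is to disable UAC. These are the policy values
    # UAC reads: EnableLUA=0 turns it off, ConsentPromptBehaviorAdmin=0 elevates silently.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key
    [pscustomobject]@{
        EnableLUA                  = $v.EnableLUA
        ConsentPromptBehaviorAdmin = $v.ConsentPromptBehaviorAdmin
        Suspicious = ($v.EnableLUA -eq 0) -or ($v.ConsentPromptBehaviorAdmin -eq 0)
    }
}

function Get-InjectedImages {
    # Walk one process's address space and report committed, MEM_PRIVATE (not backed by
    # any file), executable regions that start with an "MZ" header: a DLL that was
    # loaded from memory rather than mapped from a file on disk.
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400
    $PROCESS_VM_READ           = 0x0010
    $MEM_COMMIT  = 0x1000
    $MEM_PRIVATE = 0x20000
    $EXEC_MASK   = 0xF0     # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

    $h = [Mem]::OpenProcess($PROCESS_QUERY_INFORMATION -bor $PROCESS_VM_READ, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $ProcessId (not elevated?)" }

    $mbi  = New-Object -TypeName 'Mem+MEMORY_BASIC_INFORMATION'
    $size = [System.Runtime.InteropServices.Marshal]::SizeOf([type]'Mem+MEMORY_BASIC_INFORMATION')
    $addr = [IntPtr]::Zero
    $hits = @()
    try {
        while ([Mem]::VirtualQueryEx($h, $addr, [ref]$mbi, $size) -ne 0) {
            $candidate = ($mbi.State -eq $MEM_COMMIT) -and
                         ($mbi.Type  -eq $MEM_PRIVATE) -and
                         (($mbi.Protect -band $EXEC_MASK) -ne 0)
            if ($candidate) {
                $buf  = New-Object byte[] 2
                $read = [IntPtr]::Zero
                if ([Mem]::ReadProcessMemory($h, $mbi.BaseAddress, $buf, 2, [ref]$read) -and
                    $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A) {
                    $hits += [pscustomobject]@{
                        ProcessId = $ProcessId
                        Base      = ('0x{0:X}' -f $mbi.BaseAddress.ToInt64())
                        Size      = $mbi.RegionSize.ToInt64()
                        Protect   = ('0x{0:X}' -f $mbi.Protect)
                    }
                }
            }
            $next = $mbi.BaseAddress.ToInt64() + $mbi.RegionSize.ToInt64()
            if ($next -le $addr.ToInt64()) { break }   # guard against wraparound at the top of the range
            $addr = [IntPtr]$next
        }
    } finally {
        [void][Mem]::CloseHandle($h)
    }
    $hits
}

# Usage: check UAC, then scan every Java process (javaw.exe hosts applets launched by the browser).
Get-UacStatus | Format-List
Get-Process -Name javaw, java -ErrorAction SilentlyContinue |
    ForEach-Object { Get-InjectedImages -ProcessId $_.Id } |
    Format-Table -AutoSize
```

Two caveats apply. A healthy JVM already holds private executable memory (its JIT code cache), which is why the scan insists on an MZ header instead of flagging every executable private region; an injector that erases the header after loading will slip past this check, so treat an empty result as a triage aid rather than proof of absence. And because the payload does not survive a restart, run the scan (or capture a full memory image) before the machine is rebooted, or the evidence is gone.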

Because the exploit is delivered through Java, the attack is multi-platform in principle, able to target Windows PCs, Macs and Linux computers, although the Trojan that followed in the recorded attack was Windows-only.

Kaspersky notes that the new malware is reminiscent of the infamous Code Red and Slammer worms of a decade ago, which also ran purely in memory: both exploited buffer overflows in specific Microsoft server products (IIS and SQL Server respectively), so neither needed to write a file. Both, however, were built simply to spread as far and as fast as possible.

The new attack is better understood as an advance ‘stub’: it uses its low profile to slip past security systems and then sets up a fuller attack for a later stage. That combination is what makes it distinct and new.

“Based on our analysis of the protocol used by Lurk to communicate to the command servers, we determined that over a period of several months, these servers processed requests from up to 300,000 infected machines,” said Kaspersky researcher Sergey Golovanov.
