Poweliks: The file-less little malware that could

When you think about malware, you probably imagine a nasty little file that’s been installed on your computer. When you think about anti-malware, you probably imagine some sort of program that can remove that nasty file and help you go about your day, malware-free. Malware doesn’t always need files, though. And anti-malware can’t always do its job through file detection alone.

New research has uncovered a malware called Poweliks that can infect your computer without creating any files on your hard drive.

Instead, Poweliks creates two registry entries: a subkey with a null embedded in its name and a registry value that contains an encoded script. The null-embedded entry helps to hide Poweliks and to protect the value containing the script. The script checks whether your computer has Windows PowerShell installed and downloads the scripting program if it doesn’t. Once the presence of PowerShell is confirmed, Poweliks injects a malicious DLL into system memory. This DLL then connects your computer to a command and control server, which can be used to collect personal information or to load more malware onto the infected PC.

Poweliks is particularly evasive for two reasons: it does not create files on the hard drive, and it hides itself behind a null-embedded registry entry that uses a non-ASCII character. Both of these measures make manual detection by a user, or even by a malware researcher, difficult. Poweliks’ file-less nature also means that antivirus products that rely on file-based detection alone will not find it.
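The two traits described above (a registry name that normal tools cannot display because of an embedded null or non-ASCII character, and a value holding an encoded script) can be checked for directly. The script below is an added example for this post, not code from the original article or from any product it mentions; the autorun key paths it scans and the script-like patterns it looks for are assumptions, since the article does not name the exact key Poweliks uses.

```powershell
# Added example (not from the original post): scan common autorun registry keys
# for names that are empty or contain non-printable/non-ASCII characters, and
# for values that hold long encoded or script-like data.
# The key paths below are an assumption; the article does not name Poweliks' key.
$autorunPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry names are normally printable ASCII. A name that comes back empty or
# truncated is itself a warning sign: the Win32 API stops at an embedded null,
# so a null-embedded key is often reported with a blank or cut-off name.
function Test-SuspiciousName([string]$Name, [switch]$AllowEmpty) {
    if ($Name.Length -eq 0) { return -not $AllowEmpty }
    return ($Name -match '[^\x20-\x7E]')
}

# Heuristic for "a registry value containing an encoded script": a script host
# referenced inside the value, or a long base64-looking run. Threshold assumed.
function Test-SuspiciousData([string]$Data) {
    if ($Data -match 'rundll32|mshta|javascript:|vbscript:|powershell') { return $true }
    return ($Data -match '[A-Za-z0-9+/=]{200,}')
}

# Show the code points of a name so non-printable characters become visible.
function ConvertTo-HexName([string]$Name) {
    ($Name.ToCharArray() | ForEach-Object { '{0:X4}' -f [int]$_ }) -join ' '
}

foreach ($path in $autorunPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path
    foreach ($sub in $key.GetSubKeyNames()) {
        if (Test-SuspiciousName $sub) {
            Write-Output "[!] $path : subkey with empty/non-printable name (hex: $(ConvertTo-HexName $sub))"
        }
    }
    foreach ($name in $key.GetValueNames()) {
        # The default value legitimately has an empty name, so allow empty here.
        $data = [string]$key.GetValue($name, '', 'DoNotExpandEnvironmentNames')
        if (Test-SuspiciousName $name -AllowEmpty) {
            Write-Output "[!] $path : value with non-printable name (hex: $(ConvertTo-HexName $name))"
        }
        if (Test-SuspiciousData $data) {
            Write-Output "[!] $path\$name : script-like or encoded data ($($data.Length) chars)"
        }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; a hit is a lead to investigate, not proof of infection, since legitimate installers occasionally place long command lines in these keys.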

For the full story on Poweliks, see PC World Magazine. For technical analysis, see Malware Don’t Need Coffee.

Have a great (malware-free) day!

  • Legend

    Once again, this shows how important it is to have your security built over different layers, like: malware signatures to catch what is known, a behavior blocker to increase the chance of catching the unknown, image backup software to completely recreate your system if a severe infection should strike your system (against all odds, for us using Emsisoft). And lastly, one could use virtualization software. It could be anything from VMware to Oracle VirtualBox (free) or a more semi user-friendly solution such as Shadow Defender. But the best weapon is still our common sense. It can’t prevent infections, but I would say that, with a little bit of awareness + good basic protection of your system, you should be pretty safe, generally (as long as you don’t open small, not digitally signed files with strange names like snow/bot.exe – andr7.exe).