When you think about malware, you probably imagine a nasty little file that’s been installed on your computer. When you think about anti-malware, you probably imagine some sort of program that can remove that nasty file, and help you go about your day, malware-free. Malware doesn’t always need files though. And anti-malware can’t always do its job through file detection alone.
New research has uncovered a malware called Poweliks that can infect your computer without creating any files on your hard drive.
Instead, Poweliks creates two registry entries: a null-embedded subkey and a registry value that contains an encoded script. The null-embedded entry helps to hide Poweliks and to protect the value containing the script. The script checks whether your computer has Windows PowerShell installed, and initiates a download of the scripting program if it doesn’t. Once the presence of PowerShell is confirmed, Poweliks injects a malicious DLL into system memory. This DLL then connects your computer to a command and control server, which can be used to collect personal information or to load more malware onto the infected PC.
Poweliks is particularly evasive for two reasons: it does not create files on the hard drive, and it hides itself with a null-embedded registry entry that uses a non-ASCII character. Both of these measures make manual detection difficult, for an ordinary user and even for a malware researcher. Poweliks’ file-less nature also means that antivirus products that rely on file-based detection alone will not find it.
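The two registry indicators described above (a subkey name with an embedded null or non-ASCII character, and a value holding an encoded script) are exactly what a defender can hunt for. The Python below is an added example, not code from the post or from any named tool: it runs over a constructed snapshot of registry data, and the key path, value names and script content are all made up for illustration.

```python
import base64
import binascii

# Added example, not the post's own code: triage the two registry indicators the
# post names, run over a constructed snapshot ({key_path: {value_name: data}}).

def has_hidden_name(name: str) -> bool:
    """NUL or non-printable/non-ASCII characters keep a name from being shown by standard tools."""
    return any(ord(ch) < 32 or ord(ch) > 126 for ch in name)

def looks_encoded(data: str, min_len: int = 40) -> bool:
    """A long, valid base64 blob that decodes to text: a script hidden in a value."""
    text = data.strip()
    if len(text) < min_len:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False  # quotes, spaces, backslashes: a normal command line, not base64
    if not raw:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in raw)
    return printable / len(raw) > 0.9

def scan_snapshot(snapshot: dict) -> list:
    """Return (key_path, reason, detail) findings."""
    findings = []
    for key_path, values in snapshot.items():
        # A null-embedded subkey shows up as a path component with a hidden character.
        for part in key_path.split("\\"):
            if has_hidden_name(part):
                findings.append((key_path, "hidden subkey name", repr(part)))
                break
        for name, data in values.items():
            if has_hidden_name(name):
                findings.append((key_path, "hidden value name", repr(name)))
            if isinstance(data, str) and looks_encoded(data):
                findings.append((key_path, "encoded script in value", name))
    return findings

# Constructed sample: one ordinary autorun entry plus a Poweliks-style pair
# (NUL-prefixed subkey holding a base64-encoded script; both values are made up).
_FAKE_SCRIPT = b"function run() { return 'constructed placeholder script'; } run();"
SAMPLE_SNAPSHOT = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "OneDrive": '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    },
    "HKCU\\Software\\Example\\\x00hidden": {"script": base64.b64encode(_FAKE_SCRIPT).decode("ascii")},
}
```

On a live host the names must come from a tool that reads key names as counted strings, because the Win32 registry functions stop at the first NUL and so never show the embedded character, which is precisely why the trick hides the key from ordinary tools.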
For the full story on Poweliks, see PC World Magazine. For technical analysis, see Malware Don’t Need Coffee.
Have a great (malware-free) day!