Secret Windows Attack Exists Only in the Registry

Forget about catching this one with a conventional virus scanner.

Security experts have uncovered a new form of Windows malware that doesn’t require any files to be copied to or stored on the target system and exists purely within the Windows Registry. Malware hunter Paul Rascagnères describes the attack in a recent blog post. Most anti-malware engines operate by scanning files, so an attack that doesn’t leave a signature anywhere on the filesystem has the potential to avoid detection using standard techniques.
The attack enters the system through a link to a malicious Microsoft Word document sent via email. The vulnerability exploited at this entry point is described in CVE-2012-0158, and the document is known to circulate with a bogus message from the Canadian or US post office claiming to provide package delivery information. (Of course, the attacker could employ other scenarios as well.) Clicking on the document causes the creation of an autostart registry key, which enables PowerShell and starts a PowerShell script that launches a Windows binary containing the payload. In Rascagnères’ tests, the payload attempted to connect to a remote IP address for further commands, but the attacker could easily write a payload binary to take other kinds of actions.
According to the blog post, you can’t use the Regedit registry editor to look for the presence of the malicious autostart registry key, because the key does not begin with an ASCII character and is thus hidden from the registry editor. The best shot at prevention is to catch the Windows document before it is executed. Otherwise, the only options are to monitor the system for suspicious behavior (after it is already infected) or to implement some form of Registry surveillance system.
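
A minimal form of the Registry surveillance mentioned above, as an added example that is not from the article or from Rascagnères' post: it compares two snapshots of the autostart (Run) keys and flags entries whose value name contains characters outside printable ASCII, whose command invokes a script host, or that are absent from the baseline. It assumes the snapshots were produced by a tool that reads the hive file offline; the `RegValue` record, the `SCRIPT_HOSTS` list and all sample data are constructed for illustration.

```python
from dataclasses import dataclass

# Standard per-user / per-machine autostart keys (lower case, matched as a suffix).
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)
# Assumed heuristic: interpreters that rarely belong directly in a Run value.
SCRIPT_HOSTS = ("powershell", "rundll32", "mshta", "wscript", "cscript")

@dataclass(frozen=True)
class RegValue:
    key: str   # key path
    name: str  # value name exactly as decoded from the hive
    data: str  # command line stored in the value

def name_is_hidden(name):
    """True when any character of the name is outside printable ASCII."""
    return any(not 0x20 <= ord(c) <= 0x7E for c in name)

def review_autostart(baseline, current):
    """Return [(value, reasons)] for Run-key entries that need an analyst's look."""
    known = {(v.key.lower(), v.name, v.data) for v in baseline}
    flagged = []
    for v in current:
        if not v.key.lower().endswith(RUN_KEYS):
            continue  # not an autostart location
        reasons = []
        if name_is_hidden(v.name):
            reasons.append("non-printable value name")
        if any(host in v.data.lower() for host in SCRIPT_HOSTS):
            reasons.append("script host in command")
        if (v.key.lower(), v.name, v.data) not in known:
            reasons.append("not in baseline")
        if reasons:
            flagged.append((v, reasons))
    return flagged

# Constructed sample snapshots (not taken from the original article).
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = [RegValue(RUN, "OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe")]
CURRENT = BASELINE + [
    RegValue(RUN, "\u00ffupd", "powershell.exe <constructed placeholder>"),
    RegValue(RUN, "Chat", r"C:\Apps\Chat\chat.exe"),
    RegValue(r"HKCU\Software\Example", "\u00ffx", "powershell.exe"),  # not a Run key
]

if __name__ == "__main__":
    for value, reasons in review_autostart(BASELINE, CURRENT):
        print(repr(value.name), value.key, "->", ", ".join(reasons))
```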

08/05/2014
