New Malware Hides in Windows Registry

    Slide Show

    Cybersecurity Grades Released for Key Industries

    Malware itself isn’t big news. The issue of malicious software has been a problem that security and IT professionals have been battling for years.

    But now hackers have added a new twist to malware. Where traditional malware is found in files embedded in your computer, Trend Micro’s Trend Labs has found new malware, called TROJ_POWELIKS.A, which hides code within the Windows Registry. According to Trend Micro’s Security Intelligence Blog, this allows the malware to avoid detection, adding:

    When executed, TROJ_POWELIKS.A downloads files, which can cause further system infection. Systems affected by this malware risk being infected by other malware, thus causing further system infection. In addition, it has the capability to steal system information, which may be used by cybercriminals to launch other attacks.

    TROJ_POWELIKS spreads via email, latching on to Microsoft Word documents. Right now, it is almost impossible to detect or catch, as the malware can bypass traditional security methods. As Paul Rascagnères wrote in the GData Security Blog:

    To prevent attacks like this, AV solutions have to either catch the file (the initial Word document) before it is executed (if there is one), preferably before it reached the customer’s email inbox. Or, as a next line of defense, they need to detect the software exploit after the file’s execution, or, as a last step, in-registry surveillance has to detect unusual behavior, block the corresponding processes and alert the user.

    Rascagnères uses the imagery of matryoshka dolls (i.e., Russian nesting dolls that get smaller and smaller with each layer) to describe how the malware’s developers are able to dig into the registry. If you’ve ever seen how intricate these nesting dolls can get and how tiny the smallest doll can be, you’ll have a better understanding at how this malware can burrow into the registry and almost disappear. To illustrate the point: I have a nice collection of matryoshka dolls, and the smallest of the small is about the size of my pinky fingernail. If that doll got misplaced, I’d almost never find it because it could fall into almost any crack or crevice. But depending on where it landed, it could do a lot of damage—even though I’d have no idea where it was or how it was creating the damage.

    And right now, we have no idea how much damage POWELIKS is capable of. The Hacker News reported that POWELIKS can install spyware and Trojans, among other things, just as any malicious file would. The difference is that most networks aren’t prepared yet to detect POWELIKS once it is embedded in the registry.

    Trend Micro said that it has the ability to detect the POWELIKS malware using a network protection tool. It may be that other similar tools will be able to detect POWELIKS, as well, before it is able to do any damage. In any case, what this new configuration of malware shows is that we can’t just depend on AV software to find and block malware on our computers and networks. More than ever, the approach to network security must be layered.

    Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba

    Sue Poremba
    Sue Poremba
    Sue Poremba is freelance writer based on Central PA. She's been writing about cybersecurity and technology trends since 2008.

    Latest Articles