UPDATED 10:45 EDT / AUGUST 05 2014

Sneaky virus ‘Poweliks’ lives in the registry. Good luck finding it.

Matryoshka Doll

New malware has been dubbed “Poweliks”, and it’s quite ingenious. Instead of masquerading as a file like 99.9 percent of computer virus nasties do, this malware latches onto the computer’s registry, where it’s almost impossible to detect. It installs itself via malicious Word documents before creating a hidden encoded autostart registry key, which allows it to create and execute shellcode and a payload Windows binary.

“All activities are stored in the registry. No file is ever created,” writes security researcher Paul Rascagneres (@r00tbsd), who discovered the malware. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system reboot.”

Rascagneres adds that to prevent such attacks, antivirus software must catch the initial Word document before it’s opened, assuming that’s the way the malware is delivered.

Even more worrying is that once created, the malicious non-ASCII key entry cannot be read or opened by Windows Regedit. Rascagneres likened the malware to a Matryoshka Doll because of way it executes its code in a “stacked” fashion. Non-ASCII was devised as a trick by Microsoft to hide its source code and prevent it from being copied, although hackers have long since found ways around it.

Poweliks can also cause significant damage. “It might install spyware on the infected computer to harvest personal information or business documents,” writes Rascagneres. “It might also install banking Trojans to steal money or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud.”

Thankfully there are some methods of detection available, though it’ll take some dedication. Rascagneres says that “specialist security kit” might be able to detect the exploit, or that alternatively, one could monitor the registry for unusual behavior.

photo credit:  James Jordan via Flickr

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU