Sneaky virus ‘Poweliks’ lives in the registry. Good luck finding it.

Matryoshka Doll

New malware dubbed “Poweliks” is quite ingenious. Instead of dropping itself onto disk as a file, as almost all malware does, it lives entirely in the Windows registry, where file-based scanners never look. It arrives via malicious Word documents and then creates a hidden, encoded autostart registry key; when that key runs, it decodes and executes shellcode, which in turn loads the payload Windows binary.

“All activities are stored in the registry. No file is ever created,” writes security researcher Paul Rascagneres (@r00tbsd), who discovered the malware. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system reboot.”

Rascagneres adds that to prevent such attacks, antivirus software must catch the initial Word document before it’s opened, assuming that’s the way the malware is delivered.

Even more worrying is that the malicious registry entry is created with a non-ASCII name, and Windows Regedit cannot read or open it once it exists. Rascagneres likened the malware to a Matryoshka doll because it executes its code in “stacked” layers, each one unwrapping the next. The non-ASCII-name trick was devised by Microsoft to stop parts of its own code from being copied, although hackers have long since found ways around it.

Poweliks can also cause significant damage. “It might install spyware on the infected computer to harvest personal information or business documents,” writes Rascagneres. “It might also install banking Trojans to steal money or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud.”

Thankfully there are some methods of detection available, though they take some dedication. Rascagneres says that “specialist security kit” might be able to detect the infection, or alternatively one could monitor the registry for unusual behavior, such as autostart entries that Regedit cannot open.
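The registry-monitoring idea above, together with the hidden non-ASCII autostart entry described earlier, as an added example that is not from the article, from Rascagneres or from any vendor tool: a PowerShell sweep of the usual autostart locations that flags value or subkey names containing non-ASCII or control characters, and value data that is unusually long or high-entropy (the signature of an encoded payload). The key list, the thresholds and the launcher regex are my own assumptions for illustration, not published Poweliks indicators.

```powershell
# Added example, not code from the article. Enumerates common autostart keys and
# reports entries that Regedit might not display or that look like encoded payloads.
# Key paths, thresholds and the launcher pattern below are assumptions, not IOCs.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-OddName {
    param([string]$Text)
    # Any code point above 0x7F, or a control character below 0x20, is out of
    # place in an autostart name and is exactly what Regedit struggles to show.
    foreach ($ch in $Text.ToCharArray()) {
        $cp = [int]$ch
        if ($cp -gt 0x7F -or $cp -lt 0x20) { return $true }
    }
    return $false
}

function Get-ShannonEntropy {
    param([string]$Text)
    # Bits per character; plain paths score ~3-4, base64/encoded blobs score higher.
    if ([string]::IsNullOrEmpty($Text)) { return 0.0 }
    $counts = @{}
    foreach ($ch in $Text.ToCharArray()) { $counts[$ch] = 1 + [int]$counts[$ch] }
    $entropy = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $entropy -= $p * [Math]::Log($p, 2)
    }
    return $entropy
}

function Get-SuspiciousAutostarts {
    param(
        [string[]]$Keys = $AutostartKeys,
        [double]$EntropyThreshold = 4.5,   # assumption: tune against your own baseline
        [int]$LengthThreshold = 512        # assumption: legitimate Run values are short paths
    )
    $findings = @()
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key

        # Subkey names are checked too, since the article describes a hidden "key entry".
        foreach ($sub in $item.GetSubKeyNames()) {
            if (Test-OddName $sub) {
                $findings += [pscustomobject]@{
                    Key = $key; Name = $sub; Reasons = 'non-ASCII/control chars in subkey name'; Preview = ''
                }
            }
        }

        # GetValueNames() returns the raw names from the hive, including ones Regedit cannot display.
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name, '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            $reasons = @()
            if (Test-OddName $name)                                { $reasons += 'non-ASCII/control chars in value name' }
            if ($data.Length -gt $LengthThreshold)                 { $reasons += "data length $($data.Length)" }
            if ((Get-ShannonEntropy $data) -gt $EntropyThreshold)  { $reasons += 'high-entropy data (possible encoding)' }
            # Assumed heuristic: script hosts and encoded-command switches in an autostart value.
            if ($data -match '(?i)mshta|javascript:|wscript|cscript|powershell|-enc') { $reasons += 'script-host launcher' }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Reasons = ($reasons -join ', ')
                    Preview = $data.Substring(0, [Math]::Min(80, $data.Length))
                }
            }
        }
    }
    return $findings
}

# Usage: run from an elevated prompt so HKLM keys are readable.
Get-SuspiciousAutostarts | Format-Table -AutoSize -Wrap
```

The sweep reads names through the .NET registry API rather than Regedit, so a name Regedit refuses to open still shows up in the output; run it on a schedule and diff the findings against a known-good baseline, because a single pass only tells you what is there now, not when it appeared.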

photo credit:  James Jordan via Flickr