This new malware goes straight to your RAM, no installation required

Subject: General Tech | March 19, 2012 - 11:58 AM |
Tagged: Virus, Trojan-Spy.Win32.Lurk, ram virus, Kaspersky Labs, javaw.exe, fud

A lovely little electronic beastie was spotted by Kaspersky Labs on Russian ad servers recently. It uses a Java exploit (long since patched) to corrupt javaw.exe while it is running in system memory, infecting machines without any installation required whatsoever.  While this sounds quite bad, the fact is that in memory it can infect running programs but cannot move out of memory without triggering an installation process, and it will not survive a system reboot.  That is why, as soon as this malware finds itself in a system's RAM, it immediately tries to install the Lurk Trojan, which is when your problems would start and when your anti-virus/anti-malware protection should notice something amiss.

By itself the new virus poses little direct risk, but it represents a new attack vector for drive-by infections, one which could get into protected space and launch an attack from within the system's memory, a much faster and more intimate way of attacking than coming over the network.  With home systems sporting more than 4GB of RAM, there is a lot more space for this type of virus to work with than there was just a few years ago.  Read on at The Register, if you dare.


"The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.” That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process."
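Added here as an illustration, not code from the article or from Kaspersky's report: the defender's check that follows from the description above. Code injected straight into a trusted process leaves executable memory regions that no file on disk accounts for. The example parses Linux /proc/PID/maps text over a constructed sample; the equivalent walk over javaw.exe on Windows would use VirtualQueryEx, which is assumed rather than shown.

```python
"""Flag executable memory regions in a process that have no backing file on disk.

A memory-only payload injected into a trusted process (the article's javaw.exe
case) shows up as executable pages with no image behind them. Linux exposes the
region list in /proc/<pid>/maps; this parser reads that format.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass
class Region:
    start: int
    end: int
    perms: str   # e.g. "r-xp", "rwxp"
    path: str    # empty for anonymous mappings


# address range, perms, offset, device, inode, optional path
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text: str) -> list[Region]:
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append(Region(int(m.group(1), 16), int(m.group(2), 16),
                                  m.group(3), m.group(4).strip()))
    return regions


def suspicious_regions(regions: list[Region], min_size: int = 0x1000) -> list[Region]:
    """Executable regions with no backing file (or a deleted one) are leads for
    injected code. A JIT such as Java's own also produces them, so treat hits as
    something to inspect, not as a verdict."""
    hits = []
    for r in regions:
        if "x" not in r.perms:
            continue
        unbacked = r.path == "" or r.path.endswith("(deleted)")
        if unbacked and (r.end - r.start) >= min_size:
            hits.append(r)
    return hits


# Constructed sample: a java process with its normal image mappings plus one
# writable+executable anonymous region of 2 MiB that nothing on disk explains.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/lib/jvm/bin/java
7f1a00000000-7f1a00200000 rwxp 00000000 00:00 0
7f1a10000000-7f1a10021000 rw-p 00000000 00:00 0
7f1a20000000-7f1a20010000 r-xp 00000000 08:01 5678 /usr/lib/libjli.so
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for r in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"unbacked executable region {r.start:#x}-{r.end:#x} perms={r.perms}")
```

On a live system read `/proc/<pid>/maps` of the process you want to inspect and pass it to `parse_maps`; the sample's injected region is the one reported.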


Source: The Register
March 19, 2012 | 05:10 PM - Posted by elel (not verified)

What's new about this? As I understand it, all malware has to spend some time in RAM before it writes to the hard drive. Is it that this is now broken into a two stage process so that different pieces of resident malware can be installed using the same exploit?

March 19, 2012 | 06:18 PM - Posted by Jeremy Hellstrom

It is the two-stage process, where it infects a service running in RAM to attack the local machine, which is new. The idea that it can fully live in your RAM is new, as opposed to a piece of malware which has already installed itself on the machine and then utilizes RAM like any other program.
