Sneaky New Malware Hides in Windows Registry

Credit: Carlos Amarillo (Shutterstock)

A new piece of malware called Poweliks can seize control of a Windows computer — and it can't be detected by antivirus programs. That's because it doesn't download any files to the infected computer; instead, it resides as encrypted text in the computer's registry. From there it can seize control of the computer's processes to do things such as download more malware onto the computer.

Poweliks is all but invisible to traditional antivirus programs, which work by searching for recognized malware files — a potentially very dangerous situation, said malware researcher Paul Rascagnères.

"As the malware is very powerful and can download any payload, the amount of possible damage is not really measurable," Rascagnères, a threat researcher with Bochum, Germany-based antivirus company G Data, wrote in a company blog post.


Poweliks, which has also been documented by Tokyo-based antivirus firm Trend Micro, has been spotted infecting computers via a corrupted Microsoft Word file attached to an email, but the file could spread in other ways as well. That attachment is the best chance an antivirus program has to catch Poweliks, provided the program scans for malicious email attachments, Rascagnères said.

If the malicious file is opened, it creates an encoded autostart registry key and hides it within the Windows registry, where the computer's configuration settings are stored. Every time the computer boots, that key runs code that eventually reaches out to an external IP address controlled by the malware's creators, who can then issue further commands through this connection.
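One defensive check that follows from this description is to look at the Run/RunOnce autostart keys for values that hold a long opaque blob instead of a program path. The script below is an added example, not code from the article or from G Data or Trend Micro: it parses a constructed `reg export` text (the blob and key names are made up), and flags autostart values that contain a long high-entropy base64-style token with no path characters in it.

```python
import math
import re
from typing import Iterator, List, Tuple

# Constructed sample of a `reg export` of the per-user Run key. The OneDrive entry is an
# ordinary autostart; the (Default) entry holds an opaque encoded blob instead of a program
# path, the shape of autostart the article describes. The blob itself is made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
@="k7Qz3LmX9pR2vT5wB8nC1jF6hY4sD0aEgUiOuVrWxHqJyGtAKMNPSZbcdefo+/lI"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
'''

AUTOSTART_KEYS = re.compile(r"\\(run|runonce)$", re.IGNORECASE)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')
OPAQUE_TOKEN = re.compile(r"^[A-Za-z0-9+/=]{40,}$")  # long, base64-like, no path separators

def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def parse_reg(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, value) from .reg text; only quoted string values are unescaped."""
    key = ""
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name = "(Default)" if m.group(2) else m.group(1)
        raw = m.group(3)
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        yield key, name, raw

def suspicious_autostarts(text: str, min_entropy: float = 4.0) -> List[Tuple[str, str, float]]:
    """Flag Run/RunOnce values containing a long, high-entropy token that is not a file path."""
    hits = []
    for key, name, value in parse_reg(text):
        if not AUTOSTART_KEYS.search(key):
            continue
        for token in value.split():
            if OPAQUE_TOKEN.match(token) and shannon_entropy(token) >= min_entropy:
                hits.append((key, name, round(shannon_entropy(token), 2)))
                break
    return hits

if __name__ == "__main__":
    for hit in suspicious_autostarts(SAMPLE_REG):
        print("suspicious autostart:", hit)
```

On a live system the same function can be fed the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (saved as UTF-16, so decode it before parsing); a hit is a lead for an analyst, not proof of infection.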

Rascagnères compared the attack's structure to Russian matryoshka nesting dolls: Poweliks targets the innermost "doll" of the computer, and uses that vantage point to compromise the entire device.

Poweliks appears to be a fairly recent creation, and it's not yet clear what the malware was created to do.

"It might install spyware on the infected computer to harvest personal information or business documents," Rascagnères wrote. "It might also install banking Trojans to steal money, or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud."

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.

1 comment
  • Odd. Seems if the anti-virus/anti-malware makers know where to look in the registry for this "infection" that identification and removal should be easy enough.