
Sneaky New Malware Hides in Windows Registry

Source: Tom's Guide US

Credit: Carlos Amarillo (Shutterstock)

A new piece of malware called Poweliks can seize control of a Windows computer — and it can't be detected by antivirus programs. That's because it doesn't download any files to the infected computer; instead, it resides as encrypted text in the computer's registry. From there it can seize control of the computer's processes to do things such as download more malware onto the computer.

Poweliks is all but invisible to traditional antivirus programs, which work by searching for recognized malware files — a potentially very dangerous situation, said malware researcher Paul Rascagnères.

"As the malware is very powerful and can download any payload, the amount of possible damage is not really measurable," Rascagnères, a threat researcher with Bochum, Germany-based antivirus company G Data, wrote in a company blog post.


Poweliks, which has also been documented by Tokyo-based antivirus firm Trend Micro, has been spotted infecting computers via a corrupted Microsoft Word file attached to an email, but the file could spread in other ways as well. The attachment stage is the best point at which an antivirus program might catch Poweliks, provided the program scans for malicious email attachments, Rascagnères said.

If the malicious file is opened, it creates an encoded autostart registry key and hides it within the Windows registry, where the computer's configuration settings are stored. Every time the computer boots, the contents of that key are executed, and the resulting code eventually reaches out to an external IP address controlled by the malware's creators. Through this connection, the creators can then issue further commands.
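Because the persistence described here is an encoded autostart value rather than a file on disk, a defender can triage the Run key itself for entries that carry long encoded blobs or launch nothing by an on-disk path. The script below is an added example, not code from the article, G Data or Trend Micro; it works on a constructed .reg-style export (the three entries and the base64 token are made up for this example) and the heuristics are illustrative, not a signature for Poweliks.

```python
import re
from typing import Dict, List

# Constructed .reg-style export of an HKCU Run (autostart) key. All three
# entries are made up; the encoded token is just base64 of "ABC...Z1234567890".
SAMPLE_RUN_KEY_EXPORT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw"
"Helper"="powershell.exe -w hidden -EncodedCommand QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVoxMjM0NTY3ODkw"
'''

VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')
# A conventional autostart entry names a binary on disk with a drive or %VAR% prefix.
ON_DISK_BINARY = re.compile(r'(?i)(?:[a-z]:\\|%[a-z0-9_()]+%\\)[^"]*?\.(?:exe|dll|cmd|bat)')
# Runs of 32+ base64-alphabet characters are where encoded commands/payloads tend to sit.
ENCODED_BLOB = re.compile(r'[A-Za-z0-9+/]{32,}={0,2}')


def _unescape_reg_string(raw: str) -> str:
    """Undo .reg escaping: a backslash protects the following quote or backslash."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] == '\\' and i + 1 < len(raw):
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return ''.join(out)


def parse_run_values(reg_text: str) -> Dict[str, str]:
    """Return {value name: unescaped command line} for every "name"="data" line."""
    values = {}
    for line in reg_text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            values[m.group(1)] = _unescape_reg_string(m.group(2))
    return values


def suspicious_reasons(command: str) -> List[str]:
    """Heuristic flags for a fileless-style autostart value; empty means it looks ordinary."""
    reasons = []
    if ENCODED_BLOB.search(command):
        reasons.append('contains a long encoded blob')
    if not ON_DISK_BINARY.search(command):
        reasons.append('references no on-disk binary by path')
    return reasons


def triage_run_key(reg_text: str) -> Dict[str, List[str]]:
    """Map each flagged autostart value name to the reasons it was flagged."""
    return {name: r for name, cmd in parse_run_values(reg_text).items()
            if (r := suspicious_reasons(cmd))}


if __name__ == '__main__':
    for name, reasons in triage_run_key(SAMPLE_RUN_KEY_EXPORT).items():
        print(f'{name}: {"; ".join(reasons)}')
```

On a live system the same export comes from `reg export` of the Run keys under HKCU and HKLM; the OneDrive-style entry passes both checks while the two encoded entries are reported.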

Rascagnères compared the attack's structure to Russian matryoshka nesting dolls: Poweliks targets the innermost "doll" of the computer, and uses that vantage point to compromise the entire device. 

Poweliks appears to be a fairly recent creation, and it's not yet clear what the malware was created to do.

"It might install spyware on the infected computer to harvest personal information or business documents," Rascagnères wrote. "It might also install banking Trojans to steal money, or it might install any other form of harmful software that can suit the needs of the attackers. Fellow researchers have suggested that Poweliks is used in botnet structures and to generate immense revenue through ad-fraud." 

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Comments

COLGeek, August 5, 2014 9:28 AM
Odd. Seems if the anti-virus/anti-malware makers know where to look in the registry for this "infection" that identification and removal should be easy enough.
