Java-based Web attack installs hard-to-detect malware in RAM

Kaspersky Lab researchers investigated a drive-by download attack that installs malware which only lives in the computer's memory

A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to security researchers from antivirus firm Kaspersky Lab.

Drive-by download attacks are one of the primary methods of distributing malware over the Web. They usually exploit vulnerabilities in outdated software products to infect computers without requiring user interaction.

Kaspersky Lab researchers recently investigated such an attack on visitors to www.ria.ru, a website that belongs to the Russian RIA Novosti news agency, and www.gazeta.ru, a popular Russian-language online newspaper.

The attack code loaded an exploit for a known Java vulnerability (CVE-2011-3544), but it wasn't hosted on the affected websites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service called AdFox.

What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory.

"The operation of such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive," said Kaspersky Lab expert Sergey Golovanov, in a blog post on Friday. "However, in this case we were in for a surprise: No new files appeared on the hard drive."

The Java exploit's payload consisted of a rogue DLL (dynamic-link library) that was loaded and attached on the fly to the legitimate Java process. This type of malware is rare, because it dies when the system is rebooted and the memory is cleared.

However, this wasn't a problem for the cybercriminals behind this particular attack, because of the very high probability that most victims would revisit the infected news websites, Golovanov said.

The malicious DLL loaded into memory acted as a bot, sending data to and receiving instructions from a command and control server over HTTP. In some cases, the instructions given out by attackers were to install an online banking Trojan horse on the compromised computers.

"This attack targeted Russian users. However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: They can be distributed via similar banner or teaser networks in other countries," Golovanov said.

The best protection against this type of attack is to keep the installed software on computers up to date, especially browsers and their plug-ins. In case exploits that target previously unknown vulnerabilities are used, it's best to have an antivirus product running that is capable of scanning Web traffic and detecting attack code generically.

It's ideal to stop the infection in its early stages, because once this type of "fileless" malware gets loaded into memory and attaches itself to a trusted process, it's much harder to detect by antivirus programs, Golovanov said.

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?