Cybercriminals turn to ‘fileless’ malware for attacks

by CXOtoday Staff    Mar 20, 2012

Kaspersky Lab said that a simple teaser of Internet news headlines was the launch-pad for this unique malware attack.

Security experts from Kaspersky Lab uncovered a hidden attack by cybercriminals who created malicious code that operated without creating files on the infected system.

Kaspersky said that a simple teaser of Internet news headlines was the launch-pad for this unique malware attack on popular Russian news sources, and warned that similar attacks could be used to target users outside of Russia.

“We are dealing with a unique attack. A teaser network used by cybercriminals is one of the most effective ways to install malicious code, as many popular resources contain links to it,” said Aleksander Gostev, Kaspersky Lab’s Chief Security Expert. “Moreover, for the first time in recent years, we faced a rare type of malware, the so-called ‘bodiless’ malware which does not exist as a file on the drive but appears in the operating memory of the infected machine, making its detection much more complicated. This incident was targeting Russian users.”

He warned that the same exploit and bodiless bot may well be used against users in other countries, as they can be distributed via similar foreign banner and teaser networks. At the same time, it is highly probable that not only the Lurk Trojan but also other malware is used for these purposes.

The investigation by Kaspersky Lab showed that Russian media websites using the AdFox teaser system on their pages unwittingly infected their visitors. While downloading the news teaser, the user’s browser was secretly redirected to a malicious website containing a Java exploit.

However, unlike standard drive-by attacks, the malicious program was not loaded onto the hard drive but appeared only in the operating memory of the computer, making it much more complicated to track down using anti-virus solutions.