Kaspersky Lab Discovers Invisible Memory-Only Bot

Kaspersky Lab has found a unique malware strain on Russian sites that operates without creating files on the infected system. Instead, the “fileless” bot hides itself in the operating memory.

It has spread the infection quickly by exploiting a vulnerability in the headline teasers used by a number of popular Russian news sources. Once on the system, the malware can send information about the user’s browsing history to a control server, and install banking Trojans such as Lurk.

Kaspersky suggests that tens of thousands of potential victims may have been attacked, and warns that similar attacks could be used to target users outside of Russia.

Bad News

Kaspersky Lab has discovered that several Russian media websites using the AdFox teaser system on their pages unwittingly infected visitors to their site.

Many Russian websites serve a dangerous cocktail of links, banners and pop-ups that are not subject to any regulation. Furthermore, the use of “teasers” (misleading adverts with pictures, often featuring Russian celebrities) is widespread.

While downloading the teaser, users’ browsers were secretly redirected to a malicious website containing a Java exploit. However, unlike standard drive-by attacks, the malicious program was not written to the hard drive, but hid in the RAM of the computer, making it almost invisible to anti-virus software.

The best known examples of such threats are the CodeRed and Slammer worms, which caused mass outbreaks at the beginning of the last decade.

Despite such programs only being able to function until the operating system is restarted, the malware remains effective as it is quite likely that the user will return to the infected news site again.
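Because a memory-only payload never touches disk, the place to look for it is the process memory map rather than the file system. The following script is an added example for this article, not code from Kaspersky Lab or the original report: it parses Linux `/proc/<pid>/maps` output (the attack described here targeted Windows browsers, but the principle, executable memory that is backed by no file, is the same one memory-forensics tools apply) and flags anonymous executable regions. The sample map text is constructed for the example. Note the caveat in the comments: a Java JIT compiler legitimately creates anonymous executable regions, so this is a triage heuristic that narrows what to dump and inspect, not a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample of /proc/<pid>/maps lines for a hypothetical browser-hosted JVM.
# Linux format: start-end perms offset dev inode [pathname]
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234567 /usr/lib/jvm/java/bin/java
7f3a10000000-7f3a10021000 rw-p 00000000 00:00 0
7f3a14000000-7f3a14200000 rwxp 00000000 00:00 0
7f3a20000000-7f3a20011000 r-xp 00000000 00:00 0
7f3a30000000-7f3a30004000 r-xp 00000000 08:01 2345678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd5c000000-7ffd5c021000 rw-p 00000000 00:00 0 [stack]
"""

MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+\s*(.*)$")


@dataclass
class Mapping:
    start: int
    end: int
    perms: str   # e.g. "r-xp": read/write/execute flags and private/shared
    path: str    # empty string for anonymous memory; "[stack]" etc. for kernel pseudo-paths

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def anonymous(self) -> bool:
        # Pseudo-paths such as [stack] or [vdso] still identify the region;
        # only a completely empty pathname means file-less anonymous memory.
        return self.path == ""


def parse_maps(text: str) -> list[Mapping]:
    """Parse the text of a /proc/<pid>/maps file into Mapping records."""
    mappings = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines rather than fail the whole scan
        start, end, perms, path = m.groups()
        mappings.append(Mapping(int(start, 16), int(end, 16), perms, path.strip()))
    return mappings


def suspicious_regions(mappings: list[Mapping], min_size: int = 0x1000) -> list[Mapping]:
    """Return executable regions that are not backed by any file.

    Memory-only malware has to live in memory like this, but so does JIT-compiled
    code (the Java VM itself, browser JavaScript engines). Treat a hit as a region
    worth dumping and inspecting, with writable+executable ("rwx") regions being
    the stronger signal, not as proof of infection.
    """
    return [m for m in mappings if m.executable and m.anonymous and m.size >= min_size]


def triage(maps_text: str) -> list[dict]:
    """Summarise the suspicious regions of one process as plain records."""
    return [
        {"start": hex(m.start), "size": m.size, "perms": m.perms,
         "severity": "high" if "w" in m.perms else "medium"}
        for m in suspicious_regions(parse_maps(maps_text))
    ]


def scan_live_process(pid: int) -> list[dict]:
    """Apply the same heuristic to a running process (Linux only, needs permission)."""
    with open(f"/proc/{pid}/maps") as f:
        return triage(f.read())


if __name__ == "__main__":
    for hit in triage(SAMPLE_MAPS):
        print(hit)
```

Run against the constructed sample, the script reports two regions: the writable and executable anonymous block (rated high) and a read-only executable anonymous block (rated medium); the anonymous heap and the stack are ignored because they are not executable, and the JVM and libc images are ignored because they are file-backed. In practice the next step is to dump the flagged region and look at it, since the JVM's own JIT output will appear in exactly this list.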

Acting as a bot, the program was sending requests and information about the user’s browsing history to a control server. If that data included any sign of e-banking services, the cybercriminals installed banking Trojan Lurk to steal confidential user information required to access the online banking systems.

“Based on our analysis of the protocol used by Lurk to communicate to the command servers, we determined that over a period of several months, these servers processed requests from up to 300,000 infected machines,” wrote malware expert Sergey Golovanov on the Kaspersky blog.

“We are dealing with a unique attack. A teaser network used by cybercriminals is one of the most effective ways to install a malicious code, as many popular resources contain links to it,” said Aleksander Gostev, Kaspersky Lab’s Chief Security Expert. “Moreover, for the first time in recent years, we faced a rare type of malware – the so-called ‘bodiless’ malware.”

Although this incident was mainly aimed at Russian users, the same exploit and bodiless bot may be used against users in other countries as they can be distributed via similar foreign banner and teaser networks.

Kaspersky Lab’s experts warn that the only reliable protection is the timely installation of updates. In this case, to close the Java vulnerability CVE-2011-3544, Kaspersky recommends installing the Oracle patch.


Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
