A new breed of malware found by Kaspersky Lab may seem like a nightmare for system administrators and IT managers. This is malware that uses legitimate—frequently open-source—software to infect a system, then uses commonly used Windows services for implementation and operation.
Once the malware is running inside of Windows it erases all traces of its existence, and resides in the memory of the server it’s infected only long enough to exfiltrate the information it's been sent to steal and then it erases itself.
Because the new malware examples, which Kaspersky has named MEM:Trojan.win32.cometer and MEM:Trojan.win32.metasploit, reside in memory, they can’t be found by standard antivirus packages that scan a computer’s hard disk. Furthermore the malware hides inside of other applications making it practically invisible to antivirus packages and whitelisting services used by many firewalls.
According to an entry by Kaspersky on the Securelist blog, the process works by temporarily placing an installation utility on the computer’s hard drive, which installs the malware directly into memory using a standard Windows MSI file before erasing the utility. The actual malware stays in memory where it uses Windows PowerShell scripts to gain administrator passwords set up tunnels and then start gathering information.
Once the malware starts collecting the targeted data, it uses the unusual :4444 port address to access the tunnel. That tunnel is the route for exfiltration.
The malware is hard to find because it exists only in a computer’s memory, which means that the victim’s anti-malware software needs to scan memory while the computer is still running with the infection still resident. Rebooting the computer will erase the malware, which in turn means that forensic analysis has nothing to look for.
Kaspersky Lab principal security researcher Kurt Baumgartner said that its research teams first found the malware in a bank in Russia. The team was able to get to the server, in this case a domain controller, before the computer was rebooted, which allowed them to find the malware. There the Kaspersky team found that the attackers were using a shell script to install a malicious service in the computer’s registry.
Baumgartner said that while AV programs that look for signatures on a computer’s hard disk won’t find this malware, it can still be found. An updated anti-malware package should find it by its activities, such as creating tunnels, starting services or launching PowerShell activity. Network monitoring packages can spot the creation of the tunnel, and the use of the :4444 port.
“We watch what’s being performed on the system and when a variant that’s never been seen before starts, we see it and stop it,” Baumgartner said. He added that a typical characteristic is data broadcasts from a number of different places on the network using the tunnel.
He said that in addition to dealing with phishing attacks, it’s important to keep Windows computers updated. Baumgartner said that under-resourced Windows XP machines are an easy target for this malware.
Baumgartner also noted that watching your system logs and monitoring your network’s outbound traffic are important ways to detect if the invisible malware is on your network. But he also said that it’s important to store that data off-line so that the malware can’t find it and erase any evidence.
He also said that an important means of fighting the malware is to disable PowerShell, but he noted that some administrators won’t do that because they use that utility themselves.
Fortunately, getting rid of the malware can be accomplished simply by rebooting the computer, but that won’t prevent the malware from coming back and operating again. That can be accomplished with the right countermeasures, and with good practices such making sure your server software is up to date.
It’s worth noting that when Kaspersky found the first instance of this malware, it started looking for other instances. It found hundreds of other computers that were infected. In addition to the Russian banks, the team found infections in 40 countries. The United States had the largest number of invisible malware infections, but Ecuador, France, Kenya, Russia and the UK each had a number of infections.
Unlike some recent malware packages, the people who sent out the invisible malware aren’t intent on doing anything to damage the computers that the infection is installed on. Instead, it’s designed to hide quietly in the memory of a server, find and collect critical information and then just as quietly transfer it out of the enterprise that it’s penetrated.
The Kaspersky team hasn’t been able to determine who’s behind these attacks. Part of the reason is that the software uses obscure TLDs (Top Level Domains) as a target. The chosen domains don’t have "whois" entries and they are frequently abandoned by whoever original set them up. This makes the exfiltrated information almost impossible to trace.
Following best security practices can make a successful attack harder to pull off, but you still need to take all of the other available precautions, including monitoring your network and your servers and even rebooting servers every so often. This malware may be invisible, but that doesn’t mean it’s not real.