Java Security IT

Java Web Attack Installs Malware In RAM

snydeq writes "A hard-to-detect piece of malware that doesn't create any files on the affected systems was dropped onto the computers of visitors to popular news sites in Russia in a drive-by download attack, according to Kaspersky Lab. 'What's interesting about this particular attack is the type of malware that was installed in cases of successful exploitation: one that only lives in the computer's memory. ... It's ideal to stop the infection in its early stages, because once this type of "fileless" malware gets loaded into memory and attaches itself to a trusted process, it's much harder to detect by antivirus programs.'"
  • All in memory? (Score:5, Interesting)

    by medv4380 ( 1604309 ) on Monday March 19, 2012 @04:09PM (#39406837)
    After reading a bit on the referenced exploit (CVE-2011-3544) I find it hard to believe that the app was all in memory. The exploit involves an unsigned applet gaining higher privileges. Things may have changed since the last time I checked, but shouldn't the jar file for the applet that copied the DLL into memory be the new file sitting in the browser cache that you're looking for? The DLL could retroactively delete the trace but at some point the jar is what the anti-virus should be looking for since it has to be loaded before the DLL can be.
  • Re:Persistence? (Score:4, Interesting)

    by Barbara, not Barbie ( 721478 ) <barbara@hudson.gmail@com> on Monday March 19, 2012 @04:28PM (#39406999) Journal
    You can install programs in your keyboard that will survive a reboot. An old trick was to stuff the loader in the keyboard, then read out a page of video ram that had the actual code (notice how your video ram survives a warm reboot?). Cold booting is a bit harder, but not impossible.

    In Soviet Russia, Java runs YOU!

  • by Baloroth ( 2370816 ) on Monday March 19, 2012 @04:39PM (#39407105)

    AV software can scan memory in order to find active malware, yes, but it cannot do so constantly. For example, in order to make sure that your browser isn't getting owned, or that malware isn't otherwise being attached to an active process, it would have to scan every change to memory, which would be prohibitive in terms of processing overhead. Instead, they generally scan whenever files are written to the hard drive. Since any permanent virus needs to do that at some point (and most malware works by downloading a file then executing that), that will usually catch and stop most malware at the very beginning. And since writing is comparatively slow (next to RAM), the overhead is minimal.

    What this seems to do is run exclusively in RAM, which can be caught by AV doing a RAM sweep, but not by most resident AV systems which don't do regular RAM sweeps (again, because of the performance impact that would cause). It will either have to download a permanent program to the hard drive later (ideally, after getting "trusted" status to bypass AV software) or simply steal info while resident. Either way, most AV software will have trouble detecting it. I think if the malware gets written to swap, the AV will detect it then, but I could be wrong.
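A check a defender can run for the in-memory footprint the comment above describes, as an added example that is not from the thread: it parses Linux /proc/<pid>/maps and flags executable regions that no file backs, or that are writable and executable at once, the Linux analogue of looking for code that never touched disk. The sample maps text and the paths in it are constructed.

```python
from typing import List, NamedTuple, Tuple

# Constructed sample of /proc/<pid>/maps for a browser process (Linux): file-backed
# code, then an rwxp anonymous region, the footprint of a payload that lives only in RAM.
SAMPLE_MAPS = """\
55d6c4a00000-55d6c4a1c000 r--p 00000000 08:01 1311048 /usr/bin/firefox
55d6c4a1c000-55d6c4ac8000 r-xp 0001c000 08:01 1311048 /usr/bin/firefox
7f1a2c000000-7f1a2c021000 rw-p 00000000 00:00 0
7f1a2c400000-7f1a2c41a000 rwxp 00000000 00:00 0
7f1a2d000000-7f1a2d002000 r-xp 00000000 00:00 0 [vdso]
"""

# Kernel pseudo-mappings that are executable and path-less by design.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}

class Region(NamedTuple):
    start: int
    end: int
    perms: str
    path: str  # empty for anonymous memory

def parse_maps(text: str) -> List[Region]:
    """Parse maps lines of the form: address perms offset dev inode [path]."""
    regions = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue
        start, end = (int(x, 16) for x in fields[0].split("-"))
        path = fields[5].strip() if len(fields) > 5 else ""
        regions.append(Region(start, end, fields[1], path))
    return regions

def suspicious_regions(regions: List[Region]) -> List[Tuple[Region, str]]:
    """Flag executable memory with no file behind it, and writable+executable
    memory: a scanner that only fires on writes to disk sees neither."""
    findings = []
    for r in regions:
        if "x" not in r.perms or r.path in BENIGN_PSEUDO:
            continue
        if "w" in r.perms:
            findings.append((r, "writable and executable (W^X violated)"))
        elif not r.path.startswith("/"):
            findings.append((r, "executable but not backed by a file"))
    return findings

def scan_pid(pid: int) -> List[Tuple[Region, str]]:
    """Run the same check on a live Linux process (needs rights to read its maps)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_regions(parse_maps(fh.read()))
```

JIT compilers (including the JVM itself) legitimately create anonymous executable memory, so treat a hit as a lead to inspect, not a verdict.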
