The main difference is that the earlier one was not persistent: it lived in RAM, so it would not survive a reboot. This time, it is based in the Registry (which, technically, is stored on the file system), so it does survive a reboot and is pretty well hidden.<\/p>\n
The malware itself is stored in the registry under a non-ASCII key (to hide it from autostart listings) and as an encoded entry that Regedit can't read properly.<\/p>\n
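To show what a defender can actually check for, here is an added example (mine, not code from the original post or from the researchers it quotes) that scans Run-key autostart entries for the two traits described above: value names containing characters Regedit cannot display cleanly, and value data that looks encoded rather than like a plain command line. It works on a constructed in-memory snapshot of the registry so it runs offline on any OS; the key paths are the standard Run locations, while the length and entropy thresholds and the sample entries are assumptions chosen for this example.

```python
import math
from typing import Dict, List, Tuple

# Standard per-user and machine-wide autostart locations that autorun
# enumeration tools read. The snapshot maps key path -> [(value name, data)].
AUTOSTART_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Heuristic thresholds: assumptions for this example, not published values.
ENCODED_MIN_LENGTH = 200
ENCODED_MIN_ENTROPY = 4.5


def has_non_displayable_chars(name: str) -> bool:
    """True if the value name contains anything outside printable ASCII:
    control characters (including NUL) or non-ASCII code points such as a
    zero-width space, which registry editors render badly or not at all."""
    return any(ord(c) < 0x20 or ord(c) > 0x7E for c in name)


def shannon_entropy(data: str) -> float:
    """Bits of entropy per character of the string."""
    if not data:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in data:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_encoded(data: str) -> bool:
    """Long, high-entropy value data is a crude indicator of an encoded or
    obfuscated payload; a normal Run entry is a short path plus arguments."""
    return len(data) >= ENCODED_MIN_LENGTH and shannon_entropy(data) >= ENCODED_MIN_ENTROPY


def scan_autostart(registry: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """Return one finding per suspicious autostart value, with the reasons."""
    findings: List[dict] = []
    for key in AUTOSTART_KEYS:
        for name, data in registry.get(key, []):
            reasons = []
            if has_non_displayable_chars(name):
                reasons.append("non-ASCII or control characters in value name")
            if looks_encoded(data):
                reasons.append("long high-entropy value data")
            if reasons:
                findings.append({"key": key, "name": name, "reasons": reasons})
    return findings


def constructed_sample() -> Dict[str, List[Tuple[str, str]]]:
    """Constructed registry snapshot for this example, not captured from a real host.
    The pseudo-encoded blob is a deterministic cycle over printable ASCII."""
    pseudo_encoded = "".join(chr(33 + (i * 7) % 90) for i in range(300))
    return {
        AUTOSTART_KEYS[0]: [
            ("VendorUpdater", r"C:\Program Files\Vendor\updater.exe /background"),
            ("\x00", "placeholder-launcher-command"),  # NUL-only name (hypothetical)
        ],
        AUTOSTART_KEYS[1]: [
            ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
            ("Upd\u200bate", pseudo_encoded),  # zero-width space in name (hypothetical)
        ],
    }


if __name__ == "__main__":
    for finding in scan_autostart(constructed_sample()):
        print(f"{finding['key']} -> {finding['name']!r}: {', '.join(finding['reasons'])}")
```

On a live Windows host the snapshot would come from `winreg` or a registry export rather than `constructed_sample()`; the point of the two checks is that a name-based hiding trick and an encoded payload are both visible to a scanner that looks at the raw bytes instead of trusting what the editor renders.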
Researchers have detailed a rare form of malware that maintains infection on machines and steals data without installing files.<\/p>\n
The malware resides in the computer registry only and is therefore not easy to detect.<\/p>\n
Its code reaches machines through a malicious Microsoft Word document before creating a hidden encoded autostart registry key, malware researcher and black hat exterminator Paul Rascagneres (@r00tbsd) says. It then creates and executes shellcode and a payload Windows binary.<\/p>\n
“All activities are stored in the registry. No file is ever created,” Rascagneres said in a post. “So, attackers are able to circumvent classic anti-malware file scan techniques with such an approach and are able to carry out any desired action when they reach the innermost layer of [a machine] even after a system re-boot.<\/p>\n
“To prevent attacks like this, anti-virus solutions have to either catch the initial Word document before it is executed (if there is one), preferably before it reached the customer’s email inbox.”<\/p>\n
Windows Regedit cannot read or open the non-ASCII key entry. Rascagneres said the feature set was akin to a Matryoshka Doll due to its subsequent and continual ‘stacked’ execution of code.<\/p><\/blockquote>\n