Unique Fileless Trojan Attacks Visitors To News Sites

This week security vendor Kaspersky uncovered a new kind of malware used to attack visitors to a number of popular Russian news websites: “While downloading the news teaser, users’ browsers were secretly redirected to a malicious website containing a Java-exploit”.

The type of attack is certainly not new – it’s often called a ‘drive-by’ infection because users are infected just by visiting the website – they don’t have to knowingly download or click on anything.

However, the infection method is unusual because the malicious program is never written to the hard drive as a file – it exists only in the computer’s memory (RAM). Because there are no malicious files on disk (where they could be viewed or scanned), the infection is much harder for antivirus software to detect.

Acting as a bot, the malware checks whether the user logs into any online banking service and, if so, installs a banking trojan (Lurk) to steal the login credentials – these can then be transmitted to a remote server so the criminals behind the malware can log in as the user and drain their bank accounts.

To date, the malware has targeted Russian users and Russian banks but there is no reason why the same attack vector could not be used to target other countries in future.

Isn’t RAM Storage Temporary?

Yes, anything stored in RAM is lost when you shut down your computer. As long as the user does not access any online banking service during the current session (so the banking Trojan is never installed), the malware will disappear when the computer shuts down.

However, if the user revisits the infected website (quite likely for a popular news site), the malware can re-infect their RAM, with the same risks as before.

How To Avoid This Type Of Malware?

Kaspersky warn that the only reliable protection is to regularly update the main programs used on the internet – these may include Adobe Reader, Adobe Flash player, Adobe Shockwave player, Java, Quicktime, Silverlight and the web browser itself.

In this case, the malware exploits the CVE-2011-3544 vulnerability in Oracle’s Java runtime. This vulnerability was patched in Java 6 Update 29 last October, but there have been several further Java security updates since.

The current version of Java is available from Oracle here.
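The advice above boils down to one question: is the Java installed on this machine at least as new as the release that fixed the vulnerability? The script below, an added example that is not part of the original article or of Kaspersky’s report, parses the banner printed by `java -version` and compares it with a floor version. The floor is set to Java 6 Update 29 because that is the fix the article names; since later security updates exist, treat it as the minimum acceptable version, not the current one. The sample banners are constructed for illustration.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix version named in the article for CVE-2011-3544: Java 6 Update 29,
# i.e. the legacy version string "1.6.0_29". Later updates exist, so this
# is a floor ("at least this"), not a target version.
PATCHED_FOR_CVE_2011_3544: Tuple[int, int, int, int] = (1, 6, 0, 29)

# Matches the first line of `java -version` output, e.g.
#   java version "1.6.0_26"
#   openjdk version "17.0.2" 2022-01-18
BANNER_RE = re.compile(r'(?:java|openjdk) version "([^"]+)"')

# Constructed sample banners (not captured from a real machine).
SAMPLE_OLD = 'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'
SAMPLE_PATCHED = 'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)\n'
SAMPLE_MODERN = 'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment (build 17.0.2+8)\n'


def parse_java_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn a `java -version` banner into a comparable tuple.

    Legacy strings "1.<major>.<micro>_<update>" become (1, major, micro, update);
    newer strings "<major>.<minor>.<security>" become (major, minor, security, 0).
    Because the modern scheme dropped the leading "1.", plain tuple ordering
    already ranks any modern release above any Java 6/7/8 release.
    Returns None when no version line is present.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return None
    raw = m.group(1)

    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?", raw)
    if legacy:
        major, micro, update = legacy.groups()
        return (1, int(major), int(micro), int(update or 0))

    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw)
    if not modern:
        return None
    major, minor, security = modern.groups()
    return (int(major), int(minor or 0), int(security or 0), 0)


def is_patched(banner: str, floor: Tuple[int, int, int, int] = PATCHED_FOR_CVE_2011_3544) -> bool:
    """True if the banner describes a Java at or above the given floor version."""
    version = parse_java_version(banner)
    return version is not None and version >= floor


def installed_java_banner() -> str:
    """Run `java -version` on this machine. Java prints the banner to stderr.

    Returns an empty string when no `java` binary is on the PATH, which the
    caller should treat as "Java not installed" rather than as "patched".
    """
    try:
        result = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return ""
    return result.stderr + result.stdout


if __name__ == "__main__":
    banner = installed_java_banner()
    if not banner:
        print("No Java runtime found on PATH (nothing to patch).")
    else:
        version = parse_java_version(banner)
        state = "at or above" if is_patched(banner) else "BELOW"
        print(f"Installed Java {version} is {state} the CVE-2011-3544 fix floor {PATCHED_FOR_CVE_2011_3544}.")
```

Run it directly to check the local machine; the `is_patched` function can also be pointed at banners collected from other hosts (for example via an inventory tool) to find installations still older than the fix.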

However, I have previously recommended uninstalling Java for better security. One of the reasons Java is attacked so often is because it is installed on so many computers – why make yours a target if you don’t need it? Very few people do…