Java Attack Installs Malware in Memory

Tuesday, March 20, 2012 @ 05:03 PM gHale

Hard-to-detect malware that doesn’t create any files on the affected systems dropped onto computers of visitors to sites in Russia in a drive-by download attack, researchers said.

Drive-by download attacks are one of the primary methods of distributing malware over the Web. They usually exploit vulnerabilities in outdated software products to infect computers without requiring user interaction.

Stress Testing Web 2.0 Apps
Updated DHS Cyber Security Tool
Body Heat Powers Devices
Grass to Gas: A Biofuel Boost

One of those types of attack occurred to visitors to, a website that belongs to the Russian RIA Novosti news agency, and, a popular Russian-language online newspaper, said researchers antivirus firm Kaspersky Lab.

The attack code loaded an exploit for a known Java vulnerability, but the malware was not on the affected websites. Instead, it served to visitors through banners displayed by a third-party advertising service called AdFox.

The type of malware installed only lives in the computer’s memory.

“The operation of such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive,” said Kaspersky Lab expert Sergey Golovanov. “However, in this case we were in for a surprise: No new files appeared on the hard drive.”

The Java exploit’s payload consisted of a rogue DLL (dynamic-link library) loaded and attached on the fly to the legitimate Java process. This type of malware is rare, because it dies when the system reboots and the memory clears.

However, this wasn’t a problem for the cyber criminals behind this particular attack, because of the very high probability that most victims would revisit the infected news websites, Golovanov said.

The malicious DLL loaded into memory acted as a bot, sending data to and receiving instructions from a command and control server over HTTP. In some cases, the instructions given out by attackers were to install an online banking Trojan horse on the compromised computers.

“This attack targeted Russian users. However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: They can be distributed via similar banner or teaser networks in other countries,” Golovanov said.

The best protection against this type of attack is to keep the installed software on computers up to date, especially browsers and their plug-ins.

Leave a Reply

You must be logged in to post a comment.