What Poweliks tells us about our current state of security

“No foreign nation, no hacker, should be able to shut down our networks, steal our trade secrets, or invade the privacy of American families, especially our kids.” – President Obama, State of the Union address, Jan. 20, 2015.

Amid all the partisan wrangling following the president’s State of the Union address, his comments about cyber security got virtually no attention, and there’s a real question whether legislation addressing this issue will even get a full hearing in Congress. Some say the proposed regulations go too far, others say they don’t go far enough, and many just shrug it off. It’s as if we’ve resigned ourselves to having sensitive information stolen and abused.

The U.S. Central Command, fashion house Bebe, financial services conglomerate Morgan Stanley, retailer Home Depot, entertainment giant Sony — these institutions are so different from each other, yet each has recently been involved in large-scale cyber vandalism. But as the president’s speech mentioned, it’s not just major corporations being victimized. Each of us is increasingly at risk from sophisticated threats.

One such threat is Poweliks. The worst thing about it is that it’s not a file — it resides in memory, where all malicious codes can be effectively concealed. Since it never actually drops a physical file on the system and instead injects itself into legitimate processes currently running (such as your browser), it basically piggybacks on trusted applications. As a result, Poweliks avoids detection from most existing security tools.

Even in the always-advancing field of information security threats, this is a big deal. Sure, exploits and their payloads will always evolve. However, until now, most have taken the form of a physical file on the system, which means they can be spotted and deleted with the right tools. Poweliks offers a few clues — entries in the registry, threads running within the process space of the browser, etc. — but it can generally cause havoc without sending out any real signals of its existence.

But if that’s the bad news, here’s how it gets worse.

In the future, Poweliks might be seen as a milestone in the ongoing journey that is information security. Yes, it’s just one more way for people to get infected, but it does require a level of sophistication that is hard to fight with most of the technologies currently available. And true to form, a few copycats have already emerged, such as Xswkit/Gootkit, identified by security researchers in early January. (These offshoots also leverage the registry to ensure persistence and load the malware, but they vary the method slightly by using HTML Application scripting.)

The fact that these threats are file-less (let’s hope that word doesn’t fully enter the lexicon) means cyber-criminals are investing heavily in software development, designing and deploying tools that can skirt even the strongest defenses. As more such strains emerge, many of the traditional anti-virus solutions currently in place will have to be improved or accompanied by tools that can detect these hard-to-spot infections. This means they’re increasingly difficult to get rid of.

On a related note, the fact that these threats can exist undetected is not the real problem. What’s really consequential is that while remaining in the registry and surviving off legitimate applications, they can wreck other programs and, of course, steal data. Now that’s a huge problem.

For the record, those of us on the right side of the law are doing our thing too. There are now removal guides and anti-exploit technologies available to hunt down and destroy the first wave of file-less infections. But prevention is still the best defense. It’s up to IT departments everywhere to step up and recognize we’ve entered a new phase in the information security wars. The attacks are getting better (again). Protection strategies and technologies need to get better too.

Pedro Bustamante is Director of Special Projects at Malwarebytes. He is a global expert on exploits and anti-exploit security technologies and formerly cofounded ZeroVulnerabilityLabs and served as its CEO; prior to that he was Senior Research Advisor and VP Product Management at Panda Security.