Kaspersky finds bot that resides in memory

Security company Kaspersky has found a rare kind of malware in the wild that resides in a computer's RAM rather than on the hard drive.The 'fileless' bot is more difficult for antivirus software to detect, and resides in memory until the machine is rebooted, Kaspersky said in a blog post on Friday.

Security company Kaspersky has found a rare kind of malware in the wild that resides in a computer's RAM rather than on the hard drive.

The 'fileless' bot is more difficult for antivirus software to detect, and resides in memory until the machine is rebooted, Kaspersky said in a blog post on Friday.

"Because no file is written to the hard drive, it becomes much harder to detect the problem using antivirus software," said Kaspersky researcher Sergey Golovanov in the blog post. "If the exploit is not detected, the bot can be successfully loaded into RAM, becoming virtually invisible."

The bot was being spread via infected banner ads on Russian news websites by Russian third party advert company AdFox. Kaspersky named state news agency RIA Novosti and online publication Gazeta.ru as two news organisations serving the infected banner ads.

The bot spread via an iframe in the ads infected with the CVE-2011-3544 Java exploit. Once the malware infected a Microsoft machine, the bot disabled User Account Control, contacted a command and control server and downloaded the 'Lurk' Trojan. The malware also attacked Apple devices.

Famous fileless bots include the CodeRed and Slammer worms, said Golovanov.

In other Kaspersky news, researchers have identified a type of code used by the Duqu Trojan that had foxed them, with the help of developers. A Duqu command and control communications module which appeared to have been written in different code to the rest of the Trojan appears to have been written in a custom object-oriented C dialect (OOC) using the Microsoft Visual Studio compiler.

"This kind of programming is more commonly found in complex 'civil' software projects, rather than contemporary malware," said Kaspersky researcher Igor Soumenkov.