News Column

Online Bad Guys Have Sneaky New Weapon

Feb. 22, 2013

Ron Acohido, USA TODAY


Security researchers are keeping a wary eye on malicious programs circulating on the Internet designed to carry out invasive tasks in a computer's random access memory, then disappear without a trace.

"We are seeing very sophisticated code that resides in the RAM of a computer that traditional (defensive) software has no chance of detecting," says Bob Gourley, chief tech officer of tech consultancy

In the past year, 10% of the malicious code isolated by security firm Triumfant operated exclusively in RAM. That is worrisome, because the current approach to defending networks is built around detecting and disabling malicious programs after an attacker has written them to the hard drive.

Triumfant CEO John Prisco refers to RAM-based attacks as "advanced volatile threats." Such attacks require a high level of expertise to pull off and so far have been comparatively rare. But they could see more use by elite hacking groups as organizations get better at defending against traditional attacks, security researchers say.

"What we're seeing more often these days is attackers compromising a user's laptop without having to install any software," says Carl Livitt, a researcher at security consultancy Stach & Liu. "Once the payload is deployed, it can bury itself in RAM, hide from users, hide from anti-virus, hide from system administrators, and act as a staging point from which other attacks can be launched."

The emergence of AVTs comes as corporations and government agencies are starting to publicly acknowledge network intrusions.

"Cybercriminals are always looking for new ways to attack," says Pravin Kothari, CEO of encryption firm CipherCloud. "Organizations need to be proactive in identifying these new threats and correspondingly adopt new technologies to protect their sensitive information."

But even as companies and governments are starting to collaborate on defenses, the brightest of bad guys have begun honing the next generation of even more insidious attacks.

In one caper, documented by Kaspersky Lab, hackers corrupted advertisements appearing on two popular Russian news sites. Anyone using a Windows PC to visit either site got an infection that ran only in RAM. The malicious program was wiped out when the browser shut down, but for as long as the browser stayed open, the infection remained active.

A subsequent security update now prevents a repeat of that attack.

Even so, security experts are concerned.

"It's worrisome because if there is no way to detect these things as the infection is occurring, the question then becomes, 'What else are they going to do next?'" says A.N. Ananth, CEO of security firm EventTracker.

(c) Copyright 2013 USA TODAY, a division of Gannett Co. Inc.
