No more Poweliks!

Poweliks is an infection that runs without a filesystem object: entirely from the registry and memory, using rundll32.exe, JavaScript and a DLL created on the fly in memory.

Starting now, we can remove it for you.

Traditional malware lives in a physical file on the system, something that can be detected and deleted with relative ease.

If you come across an exploit, it is likely that the exploit will download a malware file onto your system and execute it.

The problem with Poweliks is that it never actually drops a physical file on the system; instead it injects code into legitimate processes that are already running, such as Internet Explorer. In doing so, it runs on the back of the legitimate process and avoids detection.

[Figure: the traditional infection approach (on disk) versus the memory-only approach (i.e. Poweliks)]

In order to gain persistence, that is, to start again once the system reboots, it places code inside hidden registry keys. When the computer restarts, the code in those keys is executed and injects into the legitimate process once again.
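The persistence pattern described above (a Run-key value that launches rundll32.exe with an inline javascript: payload rather than a file on disk) can be checked for with a short script. The following is an added example, not code from the original post or from Malwarebytes; the list of Run keys it inspects, the matching regex, and the sample command line it feeds in are assumptions of this example.

```powershell
# Added example (not from the original post): flag Run-key values that launch
# rundll32.exe with a javascript: payload, the fileless persistence pattern
# described in the text. Key list and regex are assumptions of this example.

function Test-SuspiciousRunValue {
    param([string]$Command)
    # Ordinary Run entries point at an .exe on disk. rundll32.exe followed by
    # the javascript: protocol handler means the "program" is an inline script
    # stored in the registry value itself, with nothing to find on disk.
    return ($Command -match 'rundll32(\.exe)?\s+javascript:')
}

function Get-SuspiciousRunEntries {
    # Assumed set of autostart locations to inspect.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if (Test-SuspiciousRunValue $value) {
                [pscustomobject]@{ Key = $path; Name = $name; Command = $value }
            }
        }
    }
}

# Constructed sample value (not a real capture) to show what the check matches:
$sample = 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("<script>/* payload */</script>")'
Test-SuspiciousRunValue $sample                                              # True
Test-SuspiciousRunValue 'C:\Program Files\Vendor\Updater.exe /background'   # False

# Scan the live autostart keys on this host and list any hits.
Get-SuspiciousRunEntries | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. Because the post notes that Poweliks hides its registry keys from normal tools, a clean result from a simple enumeration like this is not proof of absence; treat it as a quick triage check, not a replacement for a dedicated scanner.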

We have seen a lot of cries for help from our forum members as well as from users across the net, and have made it one of our top priorities to detect and crush this particular malware. With the just-released Malwarebytes Anti-Rootkit (1.08), we can.

There are other tools out there that can remove perhaps one variant of Poweliks, but Malwarebytes Anti-Rootkit goes beyond that: we have also made it easy for us to push updated detection methods to your copy of Malwarebytes Anti-Rootkit when the malware authors change the way they do things.

To double your protection, we recommend running Malwarebytes Anti-Malware alongside Malwarebytes Anti-Rootkit and Malwarebytes Anti-Exploit.

If you think you might have been infected with Poweliks, please download and run Malwarebytes Anti-Rootkit. In addition, we have created a removal guide on our forums that will help you remove more stubborn infections.

Malware will always evolve, not just in how it runs but in how it is distributed. To that end, Malwarebytes has made it our mission to hunt down the newest malware trends and beef up or modify our existing protections to make sure the internet is a safer place for our users.

Thanks for reading and safe surfing!

If you want to know more about Poweliks and the way it spreads, please check out an awesome blog by our own Jerome Segura that goes into additional detail.

ABOUT THE AUTHOR

Adam Kujawa

Director of Malwarebytes Labs

Over 14 years of experience fighting malware on the front lines and behind the scenes. Frequently anachronistic.