Kaspersky Lab researchers have discovered a drive-by download attack that evades hard-drive checkers by installing malware that lives in the computer's memory.
When the insecurity experts were looking at a drive-by attack on www.ria.ru, a website that belongs to the Russian RIA Novosti news agency, and www.gazeta.ru, a popular Russian-language online newspaper, they found an interesting exploit of a known Java vulnerability. It wasn't hosted on the affected websites but was served to visitors through AdFox banners.
Kaspersky Lab expert Sergey Golovanov wrote in his blog that such an exploit involves saving a malicious file, usually a dropper or downloader, on the hard drive. But insecurity experts were surprised by the fact that no new files appeared on the hard drive.
The Java exploit's payload consisted of a rogue DLL that was loaded and attached on the fly to the legitimate Java process.
This kind of malware is normally rare, because it dies when the system is rebooted and the memory is cleared. But the hackers do not really care, because there is a good chance that most victims will revisit the infected news websites.
Once the malicious DLL is loaded into memory, it sends data to and receives instructions from a command and control server over HTTP.
Sometimes the instructions given out by attackers were to install an online banking Trojan horse on the compromised computers. So far the exploit has only been seen in Russia.
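Because the rogue DLL never touches the disk, finding it means inspecting the Java process's memory rather than its files. The sketch below is an added example, not Kaspersky's tooling or anything from the original article: it flags executable memory regions that contain a PE image but are not mapped from a file. The `Region` record format, addresses and paths are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Region:
    base: int
    protect: str   # page protection, e.g. "RX", "RW", "RWX"
    kind: str      # "image" = mapped from a file on disk, "private" = allocated at run time
    backing: str   # file path for image regions, "" otherwise
    head: bytes    # first bytes of the region

def looks_like_pe(head: bytes) -> bool:
    """True if the bytes start with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(head[0x3C:0x40], "little")
    return head[pe_off:pe_off + 4] == b"PE\0\0"

def find_unbacked_modules(regions):
    """Executable regions that hold a PE image but are not mapped from any file."""
    return [r for r in regions
            if "X" in r.protect and r.kind != "image" and looks_like_pe(r.head)]

def pe_stub() -> bytes:
    # Constructed minimal header: 'MZ', e_lfanew = 0x80, 'PE\0\0' at offset 0x80.
    h = bytearray(0x88)
    h[:2] = b"MZ"
    h[0x3C:0x40] = (0x80).to_bytes(4, "little")
    h[0x80:0x84] = b"PE\0\0"
    return bytes(h)

# Constructed sample: regions of one Java process (addresses and paths are made up).
SAMPLE = [
    Region(0x00400000, "RX",  "image",   r"C:\Java\bin\java.exe", pe_stub()),
    Region(0x6D800000, "RX",  "image",   r"C:\Java\bin\jvm.dll",  pe_stub()),
    Region(0x02A00000, "RWX", "private", "", b"\x55\x8b\xec" + bytes(0x40)),  # JIT-compiled code
    Region(0x03100000, "RW",  "private", "", bytes(0x88)),                      # heap data
    Region(0x10000000, "RWX", "private", "", pe_stub()),                        # DLL with no file
]

if __name__ == "__main__":
    for r in find_unbacked_modules(SAMPLE):
        print(f"suspicious: PE image at {r.base:#010x} ({r.protect}, no backing file)")
```

The PE-header check is what separates the injected module from the JVM's own JIT-compiled code, which also lives in private executable memory; a module that erases its header after loading would need a different signal.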