Technology Blog »

Emerging Threat - What is Poweliks?

Poweliks Registry

In recent weeks, security researches have reported an increase in the number of computers compromised by a "sneaky" piece of Malware known as "Poweliks". This threat has found new ways to hide itself while remaining nearly undetectable. In this post we offer you some insight on Poweliks and recommend ways to keep yourself protected.

What is Poweliks and how do I get it?

Poweliks is categorized as a trojan horse which can enter your computer though several methods

  • While Trojan.Poweliks is unique in how it resides on a computer, it can arrive on a computer through more common methods, such as malicious spam emails and exploit kits. Once on the compromised computer, Trojan.Poweliks can then receive commands from the remote attacker.
  • Poweliks has reportedly been delivered through malicious spam emails that claim to be a missed package delivery from the Canadian Post or the US Postal Service (USPS)
  • The Trojan may be dropped by Trojan.MDRopper which deceives the user in order to install itself and then performs malicious activities on the compromised computer. Unlike an ordinary trojan which infects your computer with malicious files, Poweliks is a silent and invisible threat that hides away in the registry of your system. Although this evasion technique has been used by others, Poweliks is the first one to remain persistent even after a computer reboot. Worse still, Poweliks hijacks the legitimate processes and applications running on your network, inserting its code into them where it can largely evade detection.

Once in your computer Poweliks creates a connection back to one of two malware servers located in Kazakhstan. The servers in Kazakhstan then send commands to the bug to tell it what to do next. In theory, this then makes way for the tool to be used to download other undesirable programs that could infect your system without your knowledge. It could equally be used to steal and disseminate data from your network.

Poweliks has created something of a headache for firms behind conventional security solutions like anti-virus software. Symantec and others have admittedly managed a number of updates to their protection in response to the threat posed by Poweliks. Although very minor records of the presence of the trojan are left behind, the signs of its destructive presence are much lower key than the computer world is used to.  In turn, Poweliks is unlikely to show up on most anti-virus software scans.

Think your security is taken care of with a frequent anti-virus scan?

Think again. While we’ve all become used to the idea that viruses, worms and other malware - however much disruption and damage they cause to our systems - can be detected and removed thanks to the tracks they leave, that’s no longer something to count on. Proving the point is Poweliks, an invisible trojan horse that evades being picked up by anti-virus software. Read on to find out all you need to know about Poweliks and how to fight it.

How can I best protect myself?

As well as the anti-virus updates that have gradually been released a number of Poweliks removal guides are now available online. Nevertheless, prevention as ever, remains better than cure. One method reported to have been employed in the distribution of the Poweliks infection is embedding it in a Microsoft Word document, which is then sent as an attachment to spam emails, and which the attackers hope your curiosity will lead you to open. Among the senders that these spam messages have masqueraded as being from are the United States Postal Service and Canada Post. Of course the best advice remains to be suspicious of any and every email attachment you open, particularly if you weren’t expecting mail or it's from someone you don’t know.

Should I be concerned?

In fact, revisiting your everyday security precautions is probably pretty good advice all round, since experts predict that this type of threat is likely to become ever more common as attackers seek to exploit the techniques of Poweliks in order for their infiltration to remain unnoticed for as long as possible. Sure enough, a number of copycat threats have already been detected by security specialists as of the start of 2015.

General awareness around web sites you choose to visit is also recommendable in particular, since others have also reported the bug making its way onto their systems thanks to so-called ‘drive-by download attacks’ - whereby simply visiting a malicious web site is enough to trigger the infection, and actively downloading a file isn’t even necessary. As a result, organizations may wish to consider more comprehensive filtering of internet access, or at the very least reactive blocking of known malicious sites, in order to prevent employees from inadvertently infecting a company network.

To find out more about IT security solutions and protecting your technology from attack, contact us today.