Viruses that live only in RAM

Hi GT! The zoo of every possible viruses grows every year, the blessing of imagination to their founders not to occupy. Of course, antiviruses successfully cope with a number of the most common malicious programs, moreover, even their free versions or built into the OS itself. They have also learned to fight with popular encryption companies (there is a section on decryption or code generation services on websites of well-known anti-virus companies, if you know the wallet or email to which the authors of the malware ask to transfer funds).

Normal viruses leave traces on the infected machine - any suspicious executable files, library files or just stubs of malicious code that the antivirus is able to detect or the correct admin. Finding and identifying such traces helps identify the virus, which means removing it and minimizing the consequences.

But the confrontation between the sword and the shield is an eternal thing, and computer malware is not limited to those that leave some marks on the drives. After all, if the virus is located and acts only inside the RAM, without contacting the hard disk or SSD, it means that he, too, will not leave marks on them.

In 2014, there was a series of news about the so-called RAM malware, but then it related to a rather narrow group of devices that were hit — payment terminals.

Transaction data is considered secure as it is stored in encrypted form on payment system servers. But there is a very short period of time during which information for authorizing a payment is stored in plain text. And it is stored in the RAM of the payment terminal.

Of course, this piece of hackers seemed too tasty for hackers to simply pass by it, and the malware appeared collecting information from RAM POS terminals - card numbers, addresses, security codes and user names.

And then someone decided to go further, remembering that computers also have RAM.


February 2017, Kaspersky Lab releases material that a similar malware hit computers in telecommunications companies, banks and government offices in 40 countries.

How does the machine infect in this case:

Cybercriminals had time to collect data on usernames and passwords of system administrators, which allowed in the future to administer an infected host. And it is clear that with this ability to control an infected computer, you can make a lot of not the most legitimate actions, but the main direction of such attacks is the “milking” of ATMs.

It is difficult to find such viruses, because in their usual form they do not actually leave any traces. There are no installed applications. There are no separate files scattered in different folders, including system or hidden.

But somewhere they leave traces?

Of course, if the virus does not leave traces on the drives, there is no need to look for them. And then what? That's right - the registry, memory dumps and network activity. It is necessary for him to somehow register himself in the memory (and in such a way as to keep working even after rebooting the machine), and then somehow transmit the data to the attacker's server.

Kaspersky Lab specialists carefully analyzed memory dumps and registry entries from infected machines, and were able to reconstruct the attack using Mimikatz and Meterpreter.

Fragment of code downloaded using Meterpreter from adobeupdates.sytes [.] Net

Script generated by the Metasploit framework.
It allocates the required amount of memory, uses WinAPI and loads the Meterpreter utility directly into RAM.

Should I be afraid of this

On the one hand - certainly yes. Whatever the virus is, it is not aimed at making your work at the computer more comfortable.

On the other hand, it is not as strong (as yet not as strong) as the usual viruses and the same cryptographers. If only because at the moment the main goal of such attacks is financial institutions, not ordinary users.

But who knows how often such malware will be created and used in the near future.

We remind you that spring is an excellent reason to update not only the leaves on the trees, but also the system blocks under your table. Kingston has special offers for this in partner stores. For example, in the DNS network until April 15, you can buy Kingston SO-DIMM RAM at a discount, for more details, click here . Until July 18, a special offer is held in Yulmart and there are special prices for Kingston and HyperX memory modules for computers and laptops using the KINGMEM promo code. And in Citylink stores until April 7, discounts apply to several types of RAM at once, and there it’s also important not to forget to enter the promotional code - DDR3HX . So it makes sense to hurry for a new memory and profitable upgrade.

For more information about Kingston and HyperX products, visit the company's official website .


All Articles