Microsoft researchers find new type of stealth malware

Malware appears benign when downloaded, but morphs into malicious software once on a user's machine

Security researchers have uncovered a new type of malware that appears to be benign as it is downloaded, potentially fooling security software, but which morphs into malicious software once it is on a user's computer.

Researchers at Microsoft's Malware Protection Centre wrote about their findings this week, explaining that the code is surprising in that unlike most other similar types of malware, it doesn't attempt to download or inject an executable file into a host machine.

Instead, it downloads apparently harmless code. However, the researchers found that the code was not harmless at all when they allowed it to execute.

"Once the application was run on a machine with a simulated internet connection, it [downloaded files from another website, then] copied itself to the Windows system folder as 'misys.exe', and started keylogging."

The sophistication of this new malware is that this malicious behaviour was not apparent from a straightforward analysis of the code itself, which is what security researchers and most security products attempt to do when encountering suspicious software.

"The static analysis did not indicate this kind of functionality," said the researchers.

They explained that it changes its functionality by downloading new instructions directly to its own process, rather than attempting to change the registry, or other system processes, which is more commonly seen in malware.

"The application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The 'downloader' becomes malware by executing this downloaded blob of x86 instructions.

"And the downloaded instructions will not be injected to a different process and not dropped to disc, they will be executed in the process context of the 'downloader', thus the 'downloader' inherits the malware functionality."

This malware is fairly simple to create with a basic malware builder tool, meaning that it could quickly become more prevalent. Malware authors can configure it to steal and transmit whatever data they believe may reside on a target's machine.

However, tools to combat the software have now been added to Microsoft's anti-virus products, with other security vendors sure to swiftly follow.