A piece of malware that resides only in the memory of a compromised system has now been found on thousands of systems, mainly in the U.S., researchers said.
The Poweliks malware does not leave any trace on the storage drive of the infected machine; instead it plants a script in the Windows Registry that points to the malware and executes it in memory.
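The persistence pattern described above, an autorun value that carries script rather than pointing at a program on disk, can be hunted for with a simple heuristic. The following PowerShell is an added example, not code from the article or from Symantec; it checks only the standard Run/RunOnce keys and treats any hit as a lead for analyst review, not a verdict.

```powershell
# Added example (not from the article): flag autorun entries that look like
# in-registry script persistence. Two heuristics drawn from the article's
# description: the value contains script content or a script host, or the
# launched target does not exist on disk. Standard Run/RunOnce paths only.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SuspiciousAutorun {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($data)) { continue }

            # First token (quoted or bare) is the program the entry launches.
            $exe = if ($data -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($data -match '^\s*(\S+)') { $Matches[1] }
                   else { $data }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reasons = @()
            # Heuristic 1: the value itself contains script or names a script host.
            if ($data -match '(?i)(javascript:|vbscript:|mshta|wscript|cscript|powershell)') {
                $reasons += 'script content or script host in command line'
            }
            # Heuristic 2: nothing on disk corresponds to the launched target
            # (bare names are resolved through PATH via Get-Command).
            $onDisk = (Test-Path -LiteralPath $exe) -or
                      [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            if (-not $onDisk) { $reasons += 'launch target not found on disk' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key = $key; Name = $name; Command = $data
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousAutorun | Format-Table -AutoSize -Wrap
```

Run it in an elevated session so the HKLM keys are readable; legitimate software occasionally triggers the script-host heuristic, so compare hits against a known-good baseline.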
An early version came out last year, but it was not fully developed, so a restart of the computer was enough to remove it, said researchers at Symantec.
Watching the malware's growth curve closely, researchers found that, in its effort to take control of the infected system, Poweliks also relied on a then zero-day vulnerability (CVE-2015-0016) in Windows, which Microsoft patched in January.
Unlike earlier reports that described Poweliks as an infostealer, Symantec said the threat is really built for ad fraud: it launches web pages in the background and clicks on the advertisements, indicating the crooks signed up for a cost-per-click advertising model to generate money.
In one case, the malware made about 3,000 ad requests from a single computer, each with a bid amount of $0.000503. The total revenue generated this way per day was $1.51, according to a Symantec report.
For a single computer this is not a big deal, but considering that hundreds of thousands of computers are compromised, the return becomes evident (100,000 bots would bring in $10,000 on a daily basis).
In December 2014 the malware also exploited a zero-day vulnerability in Windows that permitted execution of an arbitrary file with elevated privileges. Microsoft patched it in the first month of the year, after receiving a report from Symantec.
According to Symantec, in half a year Poweliks compromised 198,500 computers, and more than 99.5 percent of them were in the U.S.