Should you worry about memory-only malware?

Some malware disappears when you reboot, but returns if you haven't plugged the hole where it came in. Is this scourge worse than others?

The recent Target data heist of more than 40 million credit card records has many worrying about the impact of memory-only malware. The Target malware, a variant of BlackPOS, is part of a Trojan horse family known as Trojan.POSRAM. After the initial exploitation, these programs simply load themselves into RAM -- they don't install themselves on the hard drive.

The lack of "software footprint" makes RAM-only malware programs elusive. Some people say they're to be truly feared. Should we worry about them more than other malware programs?

[ Also on InfoWorld: 13 tough questions about computer security. | Keep up with key security issues with InfoWorld's Security Central newsletter. ]

In a word: No.

The panic over memory-only Trojans reminds me of all the doomsday prophecies about rootkit malware, which could "easily hide from antivirus programs." It brings to mind past hysteria about roving bot worms, email attachment viruses, boot viruses, and DNS hijackers. Those newly discovered types of malware sounded scary at first, but antimalware programs now readily detect them all. The only challenge to antimalware software is keeping up with the sheer number of new malware programs that appear every day. Detecting an entire type of malware has rarely been a problem.

In fact, memory-only malware is sort of a blessing, for a few reasons.

First, most memory-only malware can't live through a reboot. True, if you haven't fixed what allowed it to gain initial access in the first place, the malware will get back in. But how nice it is that if you close the initial entry hole, a simple reboot will clean up the malware mess? There's no hunting around the hard drive trying to find all the places it has modified or in which it may be hiding, no pulling viruses out of host executables and trying to decide how to put Humpty-Dumpty back together again, no wondering if you got everything. Just reboot your computer and relax. I'm picturing myself on a beach in Mexico, kicking back with a golden beer.

Second, antimalware programs love to scan memory for bad actors. It's the non-memory items that slow them down. Scanning memory can be literally thousands of times faster than scanning a hard drive -- it's even much, much faster than scanning an SSD. Plus, of course, there's a lot less RAM than disk to scan. Antimalware scanners would love to stick to memory if they could; the performance hit would evaporate.

Third, I've seen no studies that say memory-only malware is harder to detect or has incurred increased false negatives. This is what most people are worried about; I haven't seen any real evidence yet.

Lastly, although BlackPOS has been around for only a few years, we've had memory-only malware for a long time. The SQL Slammer worm of 2003, for example, was memory-only. To this day, SQL Slammer still holds the title of the fastest-spreading worm. It exploited nearly every unpatched SQL server on the Internet in about 10 minutes. But as bad as it was, I loved the cleanup: You patched the server and rebooted. Voila! Bad thing gone forever. Oh yeah, it's readily detected by every antivirus program in the world.

So, no, I'm not afraid of memory-only malware. On the contrary, I'm crossing my fingers and hoping all malware becomes memory-only.

This story, "Should you worry about memory-only malware?," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.

Join the discussion
Be the first to comment on this article. Our Commenting Policies