Fileless Malware: A New Threat?

Category: Anti-Virus

A 15-year-old technique is finding favor among today's malware authors, vastly complicating the work of anti-malware developers and forensic analysts. Tracking down so-called “fileless malware” is to detecting regular malware what ghost-hunting is to catching a garden-variety burglar. Read on to learn about this resurgent threat and what you can do to stop it…

What is Fileless Malware?

Traditional malware consists of one or more files written to disk. At least one of these files must be executable, and the malware cannot do any harm until that file is executed. Fileless malware, in contrast, resides only in RAM and is never written to disk as a file. Then there is semi-fileless malware, with some seemingly harmless parts written to disk while the main executable portions remain in RAM or even on a remote server.

Files leave traces as they are read from or written to disk. A file has a pattern that can be reduced to a static signature and compared against the known signatures in antivirus databases. These and other traits of files make it easier to figure out where a file-based malware package came from and what it is.

Instead of tricking the user into downloading and running an executable file, fileless malware uses legitimate, trusted tools that are part of the operating system to do its dirty work. That means there is no “suspicious” program on the hard drive, and what is active in memory looks like a trusted system tool.

Fileless Malware - The Threat

Fileless malware is fluid. Like water poured into a jar full of pebbles, it fits itself into the unused gaps in RAM, all linked together by beginning and ending memory addresses. Traditional antivirus software looks in vain for the wrong thing – a signature – in the wrong place – disk I/O – ignoring what is in main memory.

Effective anti-malware also detects the shapeshifting ghost of fileless malware. It identifies suspicious areas of RAM by analyzing the traffic that flows between them. Having identified the outline of a ghost, the anti-malware zeroes in on that outline and monitors what crosses it. What the ghost does becomes the important thing, not what it is.

Does the ghost call PowerShell? If so, that call may be blocked until the reason for the call has been discovered and authorized. Does the ghost send data out to the Internet? To whom and why must be known before that is allowed. All of this learning and blocking must be done instantly, lest some suspicious activity slip past. So effective anti-malware, like fileless malware, must reside in RAM. This requirement constrains how much the ghost-hunting function can do, and how much the ghost-hunter degrades overall system performance.
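The two questions above ("does it call PowerShell, and does it talk to the Internet?") are behavioural rules, and the "legitimate, trusted tools" point from earlier is what makes them necessary. The following Python is an added example, not code from the article or from any anti-malware product, showing how a defender can express such rules over endpoint telemetry. It assumes a sensor that reports process-creation and network-connection events in a Sysmon-like shape; the Event and Alert types, the rule names, weights, threshold and every sample event are constructed for this illustration. The PowerShell switches it looks for (-EncodedCommand, -WindowStyle Hidden, -ExecutionPolicy Bypass, -NoProfile) are documented switches that are routinely abused to hide what a script does, which is why a sensible rule scores them rather than blocking the interpreter outright.

```python
"""Toy behavioural detector for fileless, living-off-the-land activity.

Assumption (not from the article): the endpoint sensor reports process-creation
and network-connection events in a Sysmon-like shape. The events below are
constructed for this example; the rule names, weights and threshold are
illustrative choices, not any vendor's product logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process" (creation) or "network" (outbound connection)
    ts: int            # seconds since boot (constructed)
    pid: int
    image: str         # full path of the process image
    parent: str = ""   # parent image path (process events only)
    cmdline: str = ""  # command line (process events only)
    dest: str = ""     # "ip:port" (network events only)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


# Document-handling applications: a script interpreter spawned by one of these
# is the "infected document" route the article describes.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}

# Built-in interpreters that fileless malware borrows because they are trusted.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# PowerShell switches that hide or obfuscate what is being run (the documented
# switch plus its accepted abbreviations), each with an illustrative weight.
SUSPICIOUS_PS_OPTIONS = {
    "encoded-command": (re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand|c)?\b"), 2),
    "hidden-window":   (re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"), 2),
    "bypass-policy":   (re.compile(r"(?i)(?:^|\s)-e(?:xecutionpolicy|p)\s+bypass\b"), 2),
    "no-profile":      (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), 1),
}
ALERT_THRESHOLD = 2  # -NoProfile alone is common in admin scripts and is not enough


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def powershell_option_hits(cmdline: str) -> list[str]:
    """Sorted names of the suspicious switches present in a PowerShell command line."""
    return sorted(name for name, (rx, _w) in SUSPICIOUS_PS_OPTIONS.items() if rx.search(cmdline))


def analyze(events: list[Event]) -> list[Alert]:
    """Apply three behavioural rules in time order and return the alerts raised.

    1. A script host started by a document handler.
    2. PowerShell started with enough hiding/obfuscation switches.
    3. Any outbound connection by a process that rule 1 or 2 already flagged
       (the article's "to whom and why" question).
    """
    alerts: list[Alert] = []
    flagged: dict[int, str] = {}  # pid -> image name, consumed by rule 3
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process":
            img, parent = basename(ev.image), basename(ev.parent)
            if img in SCRIPT_HOSTS and parent in DOCUMENT_HANDLERS:
                alerts.append(Alert("script-host-from-document", ev.pid, f"{parent} -> {img}"))
                flagged[ev.pid] = img
            if img in {"powershell.exe", "pwsh.exe"}:
                hits = powershell_option_hits(ev.cmdline)
                score = sum(SUSPICIOUS_PS_OPTIONS[h][1] for h in hits)
                if score >= ALERT_THRESHOLD:
                    alerts.append(Alert("suspicious-powershell-options", ev.pid, ",".join(hits)))
                    flagged[ev.pid] = img
        elif ev.kind == "network" and ev.pid in flagged:
            alerts.append(Alert("flagged-process-outbound", ev.pid, f"{flagged[ev.pid]} -> {ev.dest}"))
    return alerts


# Constructed sample telemetry: pid 4100 is a legitimate admin script, pid 4101 is the
# document-borne pattern, pid 4102 is an HTML application launched from a mail client.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    Event("process", 0, 4100, PS, r"C:\Windows\explorer.exe",
          r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    Event("process", 5, 4101, PS, OFFICE + r"\WINWORD.EXE",
          "powershell.exe -NoP -W Hidden -Enc UExBQ0VIT0xERVI="),  # base64 of "PLACEHOLDER"
    Event("network", 6, 4101, PS, dest="203.0.113.10:443"),
    Event("network", 7, 4100, PS, dest="10.0.0.5:445"),
    Event("process", 9, 4102, r"C:\Windows\System32\mshta.exe", OFFICE + r"\OUTLOOK.EXE",
          "mshta.exe <placeholder argument>"),
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

Run as a script it prints four alerts, all for the two document-spawned processes, and nothing for the administrator's inventory script or its file-share connection. The point of the weighted score and of rule 3 keying off earlier alerts is exactly the trade-off the article raises: the more context a rule demands before it fires, the fewer false alarms it raises, but that context has to be gathered in memory, in real time, on the same machine the ghost is running on.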

Digging Deeper

Fileless malware poses many other challenges for the good guys. I hope these examples give you some appreciation for the prowess of the anti-malware developers who keep us safe from much of this nasty stuff, if not all of it. Malwarebytes’ Vasilios Hioureas covers fileless malware in excruciating geekly detail in an ongoing series of articles that begins here.

To be honest, even after reading these highly technical articles, I was still a bit confused about exactly how fileless malware sneaks into a computer. Suffice it to say that under the right conditions, some combination of unpatched vulnerabilities, a compromised website, an infected document or a USB drive can result in a fileless malware attack. Malicious instructions are then sent to a legitimate program, which executes the attack.

Traditional anti-virus programs that rely on file-based scanning will not stop these attacks. So I did some quick research to see whether some of the popular anti-malware products mention protection against fileless malware. Surprisingly, I found no mention on the websites of AVG and Avira. Avast and Bitdefender do claim to protect against this threat, but I had to dig deep to find it.

Malwarebytes has done a lot of research on this type of malware and seems to understand mitigation strategies well. PC Matic also differentiates itself by focusing on emerging polymorphic threats and fileless ransomware detection. If you missed it, see my review of PC Matic.

It's important to keep yourself aware of emerging threats and take action where you can to protect yourself, your computer, and your important data. Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted on 16 Oct 2018
Most recent comments on "Fileless Malware: A New Threat?"

Posted by:

Charley
16 Oct 2018

Here is a summary of fileless attacks from Symantec.
https://www.symantec.com/blogs/feature-stories/your-next-big-security-worry-fileless-attacks


Posted by:

Dave
16 Oct 2018

Bob, How about this as a browser replacement?
DuckDuckGo is an Internet privacy company that empowers you to seamlessly take control of your personal information online, without any tradeoffs. With our roots as the search engine that doesn’t track you, we’ve expanded what we do to protect you no matter where the Internet takes you.
Learn more about our story


Posted by:

LadyLiberTEA
16 Oct 2018

Since Anti-Virus programs instruct not to run additional protection potentially conflicting, must a Fileless Malware fighter like MalwareBytes or PC-Matic run simultaneously, or do you temporarily disable your Anti-Virus and run the other to check manually on demand, Bob?


Posted by:

Mac 'n' Cheese
16 Oct 2018

Bob,

In the last month or so, I've seen a great amount of editorial endorsements on your site for PC Matic. I've also seen more display ads for PC Matic than I would expect from random Google Ads placement.

Would you take a few minutes to address the question of whether or not you have any kind of paid relationship with PC Matic or PC Pitstop?

If you do, I believe the FTC's disclosure requirements (https://www.ftc.gov/tips-advice/business-center/guidance/ftcs-endorsement-guides-what-people-are-asking) come into play, meaning I believe you are required to disclose your relationship prominently on each page where you promote the sale of the product.

Of course, if there is NO affiliate relationship, no disclosure is required. In that case, you could remove all doubt by stating that you are not being compensated by PC Pitstop.

I enjoy your column. I just don't like the thought of you having to write it from the Graybar Hotel!

Mac 'n' Cheese


Posted by:

Ron
16 Oct 2018

Mac 'n' Cheese makes a good point


Posted by:

Doc
16 Oct 2018

Mac 'n' Cheese, Ron:

Bob PAYS for his copy of PC matic - If you read that article he SAYS he has no reciprocal relationship to PC-MATIC -- NONE -- (unless I've missed it completely). I am waiting for his 6 month stamp of approval before I switch.

I've fallen in love before, and had my heart broken - and once was with Norton (yeah, Love makes you do strange things - but that was LONG before the release of the first Power-Mac when ever that was) - And I've been in 'Love' since. So I'm waiting for the romance to wear out and see if it's True Love with PC MATIC -- or if it was just a passing infatuation.

I, like MANY others, wish Bob would answer questions NOT covered, but suggested or implied by his posts - and he does so with such seemingly randomness and almost non sequitur rareness that it's safe to assume that he does NOT answer questions asked on his 'newsletter' and his 'Bus' makes VERY few personal stops - once on, you are on the ride, not a sight seeing tour where there is two-way communication (though I have received a VERY few replies to my e-mail - and even then they are FEW words which form only the outside definition of the outline of a Germanic Sentence and NEVER approach the realm of a Latinate sentence, let alone its plural).

So - please re-read his original post - and see that he states in his plain, simple, Germanic staccato style that he is nowhere near a covert shill, let alone PAID undercover spokesman for PC-Matic - he spells it out - without going back to read -- in what I remember is VERY clear English that HE paid for his copy, HE receives NOTHING back from the company - nor does he expect to in HIS foreseeable financial future - hidden stocks transferred to secret off-shore accounts in some exotic off-shore Island Kingdom whose GDP is based on income from those with lucre to spend on untraceable private jets and pseudonym credit cards issued by the quasi-bank which forms the other part of the Kingdom's GDP. AND with virtually no costs (the Island IS a totalitarian kingdom) There are no trade balances or Net anythings - it's ALL GDP.

So - find the article, and read it, pay attention to the words used - how he uses them -- notice how they can't really be changed without the extensive use of ellipses (. . .) -- and I think you will be satisfied that he receives NOTHING from PC-Matic except their program, their protection (from PC threats - flora, fauna, or electronic) and read his own words about why he chose the more expensive ($150 I think) version over the cheaper ($50? version).

It LOOKS TO ME LIKE HE IS TELLING THE TRUTH.

I once took some Art History final in college - 3 hours long - call it 1000 questions. When he got up to correct the exam with the part of the class that turned up for that one last class - he said, 'The answer to 1 is True. The answer to number 2 is True. The answer to number 3 is True. Hell the answer to ALL the questions is True. They Don't pay me to lie to you, they pay me to tell you the Truth.!!" (my cap, but I'm just not sure).

I suspect Bob is the same way: We (DON'T) pay him to tell us the Truth (my cap again) because if he didn't, The Tour Bus would have crashed in flames with all aboard dead, and this extension would have also gone down in flames. - for a more recent example - see how he slams two search engines for using the same data engine AND the same annoying pop-ups as used by another, perhaps pioneered by that very same, company.

I STAND BY BOB FOR OVER 23 YEARS!!

One of the few readers since 1995.


Posted by:

Buth
17 Oct 2018

Anyone out there go as far back as when Dr. Bob and Patrick Crispin (sp?) "drove" together? I'd swear it was before 1995. But, heck, my memory may be slipping a tad with all the years "under my belt."


Posted by:

Stella Hogue
17 Oct 2018

Doc
I second that emotion!


Posted by:

Patty
17 Oct 2018

It was nice to see the reference to when Bob and Patrick Crispin "drove" together....I too go back that far and have been enjoying and trusting Bob's articles ever since. I tell everyone I know about what my "computer guy" Bob Rankin says about this and that. Has it really been since 1995? Wow time flies!


Posted by:

Mike Herlihy
17 Oct 2018

I don't have the oldest email handy, but this is from late 1997:

=====================[ Tourbus Rider Information ]===================
The Internet Tourbus - U.S. Library of Congress ISSN #1094-2238
Copyright 1995-97, Rankin & Crispen - All rights reserved
Archives on the Web at http://www.TOURBUS.com


Posted by:

Mac 'n' Cheese
17 Oct 2018

Doc, thanks for the reminder that Bob DID, indeed, state that he's an uncompensated endorser of PC Matic. I'd forgotten that.

My opinion with PC Matic was soured by the fact that at the time I bought and installed PC Matic, my computer experienced serious corruption of its Win 7 (64-bit) operating system, and after attempting to resolve the issue with less drastic measures, the Dell support team recommended that I reinstall Windows and all my programs. I have more than 80 programs I use regularly or occasionally.

That process took several days, including time to do over 200 Windows Updates (my Win 7 distribution disc dates back to almost the time that operating system was first released), then customize and tweak those 80+ programs.

On the chance that PC Matic was the culprit, I did not reinstall it. To their credit, Pit Stop immediately refunded my purchase price on my request.

I didn't talk about my difficulties on this forum before now, because I do NOT know for a fact that PC Matic caused my problems. I DO know I won't risk installing it again. :-(

Mac 'n' Cheese


Posted by:

LadyLiberTEA
17 Oct 2018

Yes Doc, ditto Mac thanking history of Bob Rankin's service to the community (I wouldn't mind if the valuable Rankin File newsletter with enlightening commenters received commission it doesn't for educating us on products).

Mac, thanks for nudge to check which programs were recently installed before corruption, and to prepare for possible corruption when installing including PC-Matic I'm ready for since my Acer can format DVD-RWs to create System Image disks better for reload than Recovery Disks requiring download/re-install of non-OEM programs and drivers; re-running updates of all programs and drivers; re-customizing computer settings and programs; and reinstalling personal files from hard drive I manually copy onto thumb drives where I maintain sensitive data too, since computer-generated backup could be corrupted too, and I don't trust cloud.


Posted by:

Butch
20 Oct 2018

In my previous entry, I typed *Buth* instead of Butch--lack of proofing. However, I think "Roadmap" was the original name for the cooperative efforts of Dr. Bob & Patrick--late 1980's perhaps??? C'mon, Dr. Bob. You can settle this for us 'old-time' fans and readers. (Is Patrick still wary of squirrels? Alabama variety, that is)

EDITOR'S NOTE: The ROADMAP series was created by Patrick Crispen in 1994, and I made minor contributions. I partnered with Patrick to create the INTERNET TOURBUS newsletter in 1995, which continued through 2011. Patrick now works for the University of Southern California, in the field of educational technology.


Posted by:

Jim
23 Oct 2018

I just want to say thanks to Bob for all he has helped me through with this newsletter over the years. I am considering PC-Matic but plan to wait a little longer to make sure he doesn't run into any problems. I have been a loyal reader since 1995.


Posted by:

Egbok
31 Oct 2018

I received a copy of PC Matic promo. free with an order from Tiger Direct when it first came out. I installed it on my XP laptop. Been using it ever since, Vista desktop and now 7 on a 6 year old HP laptop. Hasn't missed a lick, just keeps the Black Hats at bay.


Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Fileless Malware: A New Threat? (Posted: 16 Oct 2018)
Source: https://askbobrankin.com/fileless_malware_a_new_threat.html