Fileless Malware: A New Threat?
A 15-year-old technique is finding favor among today's malware authors, vastly complicating the work of anti-malware developers and forensic analysts. Tracking down so-called “fileless malware” is to detecting ordinary malware what ghost-hunting is to catching a garden-variety burglar. Read on to learn about this resurgent threat and what you can do to stop it…
What is Fileless Malware?
Traditional malware consists of one or more files written to disk. At least one of these files must be executable, and the malware cannot do any harm until that key file is executed. Fileless malware, in contrast, resides in RAM and is never written to disk as a file. Then there is semi-fileless malware, where some seemingly harmless parts are written to disk while the main executable portions remain in RAM or even on a remote server.
Files leave traces as they are read from or written to disk. A file also has a fixed pattern of bytes that can be reduced to a static signature and compared against the known signatures in an antivirus database. These and other traits of files make it easier to figure out where a file-based malware package came from and what it does.
Instead of tricking the user into downloading and running an executable file, fileless malware uses legitimate, trusted tools that are part of the operating system to do its dirty work. That means there is no “suspicious” program on the hard drive or active in memory, only trusted ones.
Fileless malware is fluid. Like water poured into different jars full of pebbles, it fits itself perfectly into unused gaps in RAM, with the pieces linked together by their beginning and ending memory addresses. Traditional antivirus software looks in vain for the wrong thing (a signature) in the wrong place (the disk I/O path), ignoring what is in main memory.
Effective anti-malware also detects the shapeshifting ghost of fileless malware. It identifies suspicious areas of RAM by analyzing the traffic that flows between them. Having identified the outline of a ghost, the anti-malware zeroes in on that outline and monitors what crosses it. What the ghost does becomes the important thing, not what it is.
Does the ghost call PowerShell? If so, that call may be blocked until the reason for calling PowerShell has been discovered and authorized. Does the ghost send data out to the Internet? To whom, and why, must be known before that is allowed. All of this learning and blocking must be done instantly, lest some suspicious activity slip past. So effective anti-malware, like fileless malware itself, must reside in RAM. This requirement constrains how much the ghost-hunting function can do, and limits how adversely the ghost-hunter may affect overall system performance.
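Here is what that behavioral approach looks like in miniature, as an added example that is not part of this article or of any vendor's product. It correlates constructed process-creation and network events (the JSON field names and the sample log lines are assumptions made up for this example, not any real product's schema) and flags a trusted tool such as PowerShell when a document handler launches it with command-line markers a defender would want explained, then adds a second finding when that same process reaches out to the Internet. The same logic illustrates the "legitimate tools" point above and the document-to-legitimate-program chain described below.

```python
"""Toy behavioral detector for living-off-the-land activity.

Added illustration, not code from the article or any anti-malware product.
Event format is an assumption: one JSON object per line, "type" is either
"process" (a new process) or "network" (an outbound connection by a pid).
"""
import json
from collections import defaultdict

# Trusted OS tools that fileless malware commonly borrows.
TRUSTED_BUT_ABUSABLE = {"powershell.exe", "wscript.exe", "mshta.exe", "rundll32.exe"}

# Programs that have no normal reason to spawn a scripting host.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Command-line markers (lower-cased) that make a scripting-host launch worth review.
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "bypass", "downloadstring")

# Constructed sample telemetry. The base64 blob is a dummy (UTF-16LE "ABC").
SAMPLE_LOG = """
{"type": "process", "pid": 4101, "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -File backup.ps1"}
{"type": "process", "pid": 5120, "parent": "WINWORD.EXE", "image": "powershell.exe", "cmd": "powershell.exe -WindowStyle Hidden -EncodedCommand QQBCAEMA"}
{"type": "network", "pid": 4101, "dest": "10.0.0.5", "port": 445}
{"type": "network", "pid": 5120, "dest": "203.0.113.9", "port": 443}
{"type": "process", "pid": 6001, "parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe notes.txt"}
"""


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def score_process(ev):
    """Return the list of reasons a process-creation event looks suspicious (empty if none)."""
    reasons = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"].lower()
    if image in TRUSTED_BUT_ABUSABLE and parent in DOCUMENT_HANDLERS:
        reasons.append(f"{parent} spawned {image}")
    if image in TRUSTED_BUT_ABUSABLE:
        for marker in SUSPICIOUS_ARGS:
            if marker in cmd:
                reasons.append(f"suspicious argument {marker.strip()!r}")
    return reasons


def analyze(text):
    """Map pid -> reasons, keeping only processes that drew at least one finding.

    A network event is attached as an extra reason only when the process was
    already suspicious, mirroring the 'watch what crosses the outline' idea:
    egress by an ordinary process is not a finding on its own.
    """
    events = parse_events(text)
    findings = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            findings[ev["pid"]].extend(score_process(ev))
    for ev in events:
        if ev["type"] == "network" and findings.get(ev["pid"]):
            findings[ev["pid"]].append(f"outbound connection to {ev['dest']}:{ev['port']}")
    return {pid: reasons for pid, reasons in findings.items() if reasons}


def verdict(reasons):
    """Hold the process for review once it both looks suspicious and tries to talk out."""
    if any(r.startswith("outbound connection") for r in reasons):
        return "block pending review"
    return "monitor"


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_LOG).items():
        print(pid, verdict(reasons))
        for r in reasons:
            print("   ", r)
```

On the constructed sample, the backup script launched from Explorer and its SMB connection pass silently, while the PowerShell process spawned by Word is reported with both its command-line markers and its later HTTPS connection, which is the moment the article says the call should be held until someone explains it. In a real deployment the reason list would feed an analyst queue or an allow-list, not a console.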
Fileless malware poses many other challenges for the good guys. I hope these examples give you some appreciation for the prowess of anti-malware developers who keep us safe from much of this nasty stuff, if not all of it. MalwareBytes’ Vasilios Hioureas covers fileless malware in excruciating geekly detail in an ongoing series of articles that begins here.
To be honest, even after reading these highly technical articles, I was still a bit confused about exactly how fileless malware actually sneaks into a computer. Suffice it to say that, under the right conditions, some combination of an unpatched vulnerability, a compromised website, or an infected document or USB drive can result in a fileless malware attack. Malicious instructions are then fed to a legitimate program, which carries out the attack.
Traditional anti-virus programs that rely on file-based scanning will not stop these attacks. So I did some quick research to see if some of the popular anti-malware products mention protection against fileless malware. Surprisingly, I found no mention on the websites for AVG and Avira. Avast and Bitdefender do claim to protect against this threat, but I had to dig deep to find it.
MalwareBytes has done a lot of research on this type of malware and seems to understand mitigation strategies well. PC-Matic also differentiates itself by focusing on emerging polymorphic threats and fileless ransomware detection. If you missed it, see my review of PC Matic.
It's important to keep yourself aware of emerging threats and take action where you can to protect yourself, your computer, and your important data. Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 16 Oct 2018
Copyright © 2005 - Bob Rankin - All Rights Reserved