Fileless Malware: Who You Gonna Call?

Category: Viruses

A clever but pernicious software technique that's been known for more than a decade is finding favor among today's malware authors, complicating the work of anti-virus developers and digital forensic analysts. Tracking down so-called “fileless malware” is to detection of regular malware what ghost-hunting is to catching a garden-variety burglar. Read on to learn about this resurgent threat and what you can do to stop it...

What is Fileless Malware?

The “Good Times” virus hoax, which made its way around the fledgling Internet of 1997, warned users of a ghostly digital menace that would make today's AI bots jealous. It was said to have the power to recalibrate your refrigerator's coolness setting, demagnetize the strips on all your credit cards, move your car randomly around parking lots, make meth in your bathtub, and leave bacon cooking on the stove while it goes out to chase gradeschoolers with your new snowblower. If all that wasn't bad enough, it was "also a rather interesting shade of mauve."

Traditional malware consists of one or more files stored on a hard disk. At least one of these files must be executable, and the malware cannot do any harm until that file is executed. Fileless malware, in contrast, is like a ghost in your computer. It resides in RAM and is never written to your hard drive as a file. Then there is semi-fileless malware, with some seemingly harmless parts written to disk while the main executable portions remain in RAM or even on a remote server.

Fileless Malware - The Threat

Files leave traces as they are read from or written to disk. A file's contents can be reduced to a static signature and compared against the known signatures in antivirus databases. These and other traits of files make it easier to detect a file-based malware package (a traditional virus) and where it came from.

Instead of tricking the user into downloading and running an executable file, fileless malware uses legitimate, trusted tools that are part of the operating system to do its dirty work. That means there are no “suspicious” programs on the hard drive, or active in memory. Just the “ghost” lurking in system memory space.

Fileless malware is fluid. Like water poured into different jars full of pebbles, it perfectly fits itself into unused gaps in RAM, all linked together by beginning and ending memory addresses. Traditional antivirus software looks in vain for the wrong thing – a signature – and in the wrong place – the hard disk – ignoring what is in main memory.

Fileless attacks are said to be ten times more likely to succeed than file-based attacks. Fileless malware played a role in the devastating Equifax breach that exposed the personal information of over 100 million consumers. Last fall, a phishing campaign used malicious Excel macros to launch fileless malware attacks on Windows systems.

But effective anti-malware also detects the shapeshifting ghost of fileless malware. It identifies suspicious areas of RAM by analyzing traffic that flows between them. Having identified the outline of a ghost, the anti-malware zeroes in on that outline to monitor what crosses it. What the ghost does becomes the important thing, not what it is.

Does the ghost call PowerShell? If so, that call may be blocked until the reason PowerShell is called has been discovered and authorized. Does the ghost send data out to the Internet? To whom and why must be known before that is allowed. All of this learning and blocking must be done instantly, lest some suspicious activity slip past. So effective anti-malware, like fileless malware, must reside in RAM. This requirement constrains how much the ghost-hunting function can do, and how adversely the ghost-hunter affects overall system performance.
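The two questions in this paragraph, turned into a behavioural rule over constructed endpoint telemetry (an added example, not code from the original article or from any anti-malware product): flag PowerShell when an Office application launches it or its command line is encoded or hidden, then note whether that process goes on to reach the Internet. The event field names, process IDs and addresses are all constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Parents that should rarely be launching a shell: the Excel-macro case above.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "outlook.exe"}
# Real PowerShell switches (and their accepted abbreviations) often seen when
# a script is delivered in memory rather than as a file on disk.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
# Treat only RFC 1918 and loopback ranges as "inside"; anything else is Internet.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry; the field names are this example's own, not a
# vendor schema. 203.0.113.7 is a documentation address standing in for a
# remote server, and the -ec argument is filler, not a real payload.
EVENTS = [
    {"type": "process", "pid": 4012, "image": "excel.exe", "parent": "explorer.exe",
     "cmd": "EXCEL.EXE C:\\Users\\bob\\Downloads\\invoice.xlsm"},
    {"type": "process", "pid": 4100, "image": "powershell.exe", "parent": "excel.exe",
     "cmd": "powershell.exe -w hidden -ec AAAAAAAAAAAAAAAAAAAA"},
    {"type": "network", "pid": 4100, "dst": "203.0.113.7", "port": 443},
    {"type": "process", "pid": 4200, "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"type": "network", "pid": 4200, "dst": "192.168.1.20", "port": 445},
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return {pid: [reasons]} for PowerShell launches that answer the two
    questions above: who called it, and did it then reach the Internet."""
    findings = {}
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower() in ("powershell.exe", "pwsh.exe"):
            reasons = []
            if ev["parent"].lower() in OFFICE_PARENTS:
                reasons.append(f"spawned by Office app {ev['parent']}")
            if ENCODED_RE.search(ev["cmd"]):
                reasons.append("encoded command line")
            if HIDDEN_RE.search(ev["cmd"]):
                reasons.append("hidden window")
            if reasons:
                findings[ev["pid"]] = reasons
        elif ev["type"] == "network" and ev["pid"] in findings:
            if not is_internal(ev["dst"]):
                findings[ev["pid"]].append(f"outbound to {ev['dst']}:{ev['port']}")
    return findings


if __name__ == "__main__":
    for pid, why in triage(EVENTS).items():
        print(pid, "; ".join(why))
```

The scheduled backup run (pid 4200) passes because it is a plain script file launched by the desktop shell talking to an internal host; only the macro-spawned, hidden, encoded launch that then reaches out is reported.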

Digging Deeper

Fileless malware poses many other challenges for the good guys. I hope these examples give you some appreciation for the prowess of anti-malware developers who keep us safe from much of this nasty stuff, if not all of it. MalwareBytes’ Vasilios Hioureas covers fileless malware in excruciating geekly detail in an ongoing series of articles that begins here.

To be honest, even after reading these highly technical articles, I was still a bit confused about exactly how fileless malware actually sneaks into a computer. Suffice it to say that under the right conditions, some combination of unpatched vulnerabilities, a zero-day exploit, a compromised website, a careless click on an email link, an infected document (or perhaps a fragment of an underdone potato) can trigger a fileless malware attack. Malicious instructions are then sent to a legitimate program, which dutifully executes the attack.

Traditional anti-virus programs that rely on file-based scanning will not stop these attacks. Avast, Avira and Bitdefender do claim to protect against this threat, but I had to dig deep to find it on their websites. MalwareBytes has done a lot of research on this type of malware and seems to understand mitigation strategies well.

PC-Matic, my preferred anti-malware tool, differentiates itself by focusing on emerging polymorphic threats and fileless ransomware detection. If you missed it, see my review: PC Matic 4.0 – My Review.

It's important to keep yourself aware of emerging threats and take action where you can to protect yourself, your computer, and your important data. Keeping your operating system, application software and anti-malware defenses updated is an important first step. (See Here's Why You Must Keep Your Software Updated and how to do it for free.)

And since some of these fileless malware attacks rely on Windows PowerShell, I recommend disabling the legacy Windows PowerShell 2.0 engine as well. To do so, follow these steps:

  • Type windows features in the Windows 10/11 search box, and press ENTER.
  • Scroll down to the Windows PowerShell 2.0 line item.
  • Uncheck the box next to it, and click OK.
  • Wait for the prompt to restart your computer.

Have you been affected by fileless malware, or has your security tool detected an instance of it? Your thoughts on this topic are welcome. Post your comment or question below.


This article was posted by on 24 Feb 2025



Most recent comments on "Fileless Malware: Who You Gonna Call?"

Posted by:

Cory D.
24 Feb 2025

I have used PC Matic off and on for a couple of years. So far, MS Defender appears to run well so I have balked at paying for Antivirus. HOWEVER, I do take Bob Rankin's advice seriously so I will most likely go back to PC Matic.

I do have a question on PC Matic. In this article on fileless malware PC Matic is mentioned, but I didn't see how it handled fileless malware. Does anybody know this answer?


Posted by:

Ernie (Oldster)
24 Feb 2025

At the end of this item, Bob asks "Have you been affected by fileless malware, or has your security tool detected an instance of it?" My answer to date is "No!" to both questions.

I check for system updates using Windows Update every Patch Tuesday, and on the last Tuesday/Wednesday of each month.

I use a free software update utility named 'Patch my PC', to install the non-Microsoft apps I use, and to check for updates weekly (on weekends). I found it on the OlderGeeks website (https://oldergeeks.com/). If interested, you can navigate directly to the app's download page (https://oldergeeks.com/?ss360Query=Patch%20my%20PC). Note: The download link for any app found on the site is always at the bottom of the page.

I use the Microsoft Security Suite to protect my computers, and I have the free version of MalwareBytes anti-malware (installed using "Patch my PC") on all my computers to scan my systems weekly (on weekends) as an adjunct to Windows Security. It scans system memory, so if anything finds a way to sneak on to my computers, MalwareBytes should find it for me.

I back up my computers using Macrium Reflect free (downloaded from the OlderGeeks website), creating weekly backup sets consisting of a full system image, and six differential images. I keep four backup sets so I can access versions of my files going back twenty-eight days. These backups allow me to quickly recover my stuff when all else I do fails, or in the event of a disk failure, or following any other malady/disaster. Additionally, I sync selected folders on my computers to the cloud, making it easy to access the same files on all my computers, as well as being a part of my backup regimen, because unless a file's stored in at least two places, it's not backed up, and having an off-site location protects me from disasters such as floods, home fires, etc.

Finally, I employ what I call Cognitive Security, a paradigm I've described several times here and on the Ask Leo website. Essentially, I blindly trust nothing coming from the Internet so I'm very skeptical about anything from there. I never click any hyperlink before comparing its URL with its label, regardless whether I encounter it on a website or in an email message - particularly if the message was unexpected. If I cannot decipher where the URL will take me, or if it doesn't correspond to/with the label, I don't click - period. Additionally, I never believe anything I read on social media without confirming its accuracy/validity using several fact-check websites. IIRC, Bob has written about such sites so you can find ones you can trust on the AskBob website (here).

This covers most of what I do to remain safe, and keep malware off my computers. I hope what I wrote here helps others,

Ernie (Oldster)


Posted by:

gene
25 Feb 2025

I've used Malwarebytes Premium since its earliest days. They offered a lifetime license (transferable to each new computer, though it can only run on one at a time) for $25 more than 10 years ago, and I snapped that up. They no longer offer that, but they still treat me as if I were paying them full price as of now. Amazing product and I highly recommend it; I do a full scan every day. I use their browser extension (free) on all my browsers too, on a Win10 Pro system. They recommended Patch My PC to me a few years ago, and I use that too. I NEVER click a link without checking to see that it actually points to a legitimate site. I never enter login information except ON the original site; no legitimate site asks you to do that in an email. I use uBlock Origin on my browsers as well; it will intercept me if I head to a page it thinks unsafe. One simply can't be too well protected these days.


Posted by:

Marvin A.
01 Mar 2025

If the fileless malware resides on RAM, why doesn't it get zapped when you turn off the computer? When you turn off or restart a computer everything on the RAM gets deleted. True?


Copyright © 2005 - Bob Rankin - All Rights Reserved


Article information: AskBobRankin -- Fileless Malware: Who You Gonna Call? (Posted: 24 Feb 2025)
Source: https://askbobrankin.com/fileless_malware_who_you_gonna_call.html