Fileless Malware: The Ghost in Your Computer
A clever but pernicious software technique that's been known for more than a decade is being adopted by today's malware authors, complicating the work of anti-virus developers and digital forensic analysts. Tracking down so-called “fileless malware” is to detection of regular malware what ghost-hunting is to catching a garden-variety burglar. Read on to learn about this resurgent threat and what you can do to stop it...
What is Fileless Malware?
Traditional malware consists of one or more files stored on a hard disk. At least one of these files must be executable, and the malware cannot do any harm until that file is executed. Fileless malware, in contrast, resides in RAM and is never written to your hard drive as a file. Then there is semi-fileless malware, with some seemingly harmless parts written to disk while the main executable portions remain in RAM or even on a remote server.
Files leave traces as they are read from or written to disk. A file also has a pattern that can be reduced to a static signature and compared against the known signatures in antivirus databases. These and other traits of files make it easier to figure out where a file-based malware package came from and what it is.
Instead of tricking the user into downloading and running an executable file, fileless malware uses legitimate, trusted tools that are part of the operating system to do its dirty work. That means there are no “suspicious” programs on the hard drive, or active in memory. Just the “ghost” lurking in system memory space.
Fileless malware is fluid. Like water poured into different jars full of pebbles, it perfectly fits itself into unused gaps in RAM, all linked together by beginning and ending memory addresses. Traditional antivirus software looks in vain for the wrong thing – a signature – and in the wrong place – the hard disk – ignoring what is in main memory.
Fileless attacks are said to be ten times more likely to succeed than file-based attacks. Fileless malware played a role in the devastating Equifax breach that exposed the personal information of over 100 million consumers. But effective anti-malware also detects the shapeshifting ghost of fileless malware. It identifies suspicious areas of RAM by analyzing traffic that flows between them. Having identified the outline of a ghost, the anti-malware zeroes in on that outline to monitor what crosses it. What the ghost does becomes the important thing, not what it is.
Does the ghost call PowerShell? If so, that call may be blocked until the reason PowerShell is called has been discovered and authorized. Does the ghost send data out to the Internet? To whom and why must be known before that is allowed. All of this learning and blocking must be done instantly, lest some suspicious activity slip past. So effective anti-malware, like fileless malware, must reside in RAM. This requirement constrains how much the ghost-hunting function can do, and how adversely the ghost-hunter affects overall system performance.
Fileless malware poses many other challenges for the good guys. I hope these examples give you some appreciation for the prowess of anti-malware developers who keep us safe from much of this nasty stuff, if not all of it. MalwareBytes’ Vasilios Hioureas covers fileless malware in excruciating geekly detail in an ongoing series of articles that begins here.
To be honest, even after reading these highly technical articles, I was still a bit confused about exactly how fileless malware actually sneaks into a computer. Suffice it to say that under the right conditions, some combination of unpatched vulnerabilities, a zero-day exploit, a compromised website, a careless click on an email link, an infected document (or perhaps a fragment of an underdone potato) can trigger a fileless malware attack. Malicious instructions are then sent to a legitimate program, which dutifully executes the attack.
Traditional anti-virus programs that rely on file-based scanning will not stop these attacks. Avast, Avira and Bitdefender do claim to protect against this threat, but I had to dig deep to find it on their websites. MalwareBytes has done a lot of research on this type of malware and seems to understand mitigation strategies well.
PC-Matic, my preferred anti-malware tool, differentiates itself by focusing on emerging polymorphic threats and fileless ransomware detection. If you missed it, see my review: PC Matic 4.0 – My Review.
It's important to keep yourself aware of emerging threats and take action where you can to protect yourself, your computer, and your important data. Keeping your operating system, application software and anti-malware defenses updated is an important first step. (See Here's Why You Must Keep Your Software Updated and how to do it for free.)
And since some of these fileless malware attacks rely on Windows PowerShell, I recommend disabling that as well. To do so, follow these steps:
- Type windows features in the Windows 10/11 search box, and press ENTER.
- Scroll down to the Windows PowerShell 2.0 line item.
- Uncheck the box next to it, and click OK.
- Wait for the prompt to restart your computer.
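The same change can be made from an elevated PowerShell prompt, which is handy when you have several machines to check. This is an added example, not part of Bob's article; it uses the standard Windows optional-feature names for the PowerShell 2.0 engine and the built-in Get-/Disable-WindowsOptionalFeature cmdlets.

```powershell
# Added example: audit and remove the Windows PowerShell 2.0 optional feature.
# Run from an elevated (Administrator) PowerShell window.
#Requires -RunAsAdministrator

# Standard optional-feature names for the legacy PowerShell 2.0 engine.
$features = 'MicrosoftWindowsPowerShellV2Root', 'MicrosoftWindowsPowerShellV2'

foreach ($name in $features) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
    if ($null -eq $feature) {
        Write-Host "$name : not present on this edition of Windows"
        continue
    }
    Write-Host "$name : currently $($feature.State)"

    if ($feature.State -eq 'Enabled') {
        # -NoRestart suppresses the immediate reboot prompt; the change still
        # takes effect only after a restart, just like the manual steps above.
        $result = Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart
        Write-Host "$name : disable requested (restart needed: $($result.RestartNeeded))"
    }
}

# Re-read the state. Until the restart it typically shows 'DisablePending';
# afterwards it should read 'Disabled'.
$after = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -ErrorAction SilentlyContinue
if ($after) { Write-Host "Post-change state: $($after.State)" }
```

Note that this removes only the legacy 2.0 engine; the current Windows PowerShell 5.1 engine stays installed because Windows itself and many administrative tools depend on it.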
Have you been affected by fileless malware, or has your security tool detected an instance of it? Your thoughts on this topic are welcome. Post your comment or question below.
This article was posted by Bob Rankin on 30 Mar 2023
Copyright © 2005 - Bob Rankin - All Rights Reserved