Whenever you buy a new laptop or desktop, you always make sure to drag one antivirus product off the shelf and drop it in your cart. It is a well-known prescription to avoid malware and viruses. No one has to be a cyber-security expert to crack that!
Every traditional antivirus program depends on the presence of a file on the hard drive. It examines that file to find the payload (the part of the malware that performs the malicious action). Once the payload is identified, the antivirus quarantines and/or eradicates the malicious files. This is how our antivirus protects our computer from malware, and it is only possible because malware stores its payload on the hard disk.
But what if malware never stores its payload on the hard drive? (Wouldn’t that be a great scary story for the IT team during Halloween?)
Fileless Malware: Nightmare
In August 2014, the Poweliks Trojan, created to carry out click-fraud, gave malware makers a new opportunity to shock the cyber-security world.
They created a new kind of malware that can infect a system without letting the antivirus know of its existence. They called it “Fileless Malware.”
Fileless malware is a variant of malicious software that exists exclusively as a memory-based artifact, i.e. in RAM. It belongs to the family that has been defined as Advanced Volatile Threats (AVTs). AVTs are an advanced kind of cyber-attack in which the malicious code does not need to reach the victim’s hard drive in order to deliver its payload.
Predicted by Kaspersky Labs after the fileless worm “Code Red” exploited a vulnerability in Microsoft IIS web servers in 2001, fileless malware has evolved to leave very few traces of evidence that cyber-forensic investigators could use to identify illegitimate activity.
Fileless malware can penetrate your systems in the following ways:
- Phishing emails,
- Compromised websites.
Phishing emails and compromised websites carry exploit kits. Exploit kits are software programs designed to find flaws, weaknesses or mistakes in applications and use them to gain access to your computer or any other system. They play a very important role in a successful fileless malware attack.
By writing the payload directly to RAM, cyber criminals have programmed fileless malware, such as memory-resident malware and rootkits, to hide in locations that make it difficult to detect.
How does it work?
So here is the situation in which you access a compromised website:
1. You didn’t update the installed plugins on your browser.
2. You access one of the compromised websites.
3. The website contains an exploit kit that scans for the vulnerability in your plugin.
4. It starts running the payload directly in the memory of your browser’s process.
5. If it is a ransomware-based payload, it connects to servers controlled by the attackers and fetches the encryption key.
6. Your data is encrypted and you are locked out of your system.
The Dawn of the Fileless Malware Infection
The use of fileless techniques means that a broad variety of malware, from banking Trojans to ransomware, can be delivered without being detected by traditional antivirus solutions. This has turned into a business model in which malware makers offer exploit kits as a service, a major boost for new cyber-criminals trying to make some quick money. Fileless malware is being created at a rate of around 230,000 new samples per day. Given this wide variety of fileless malware, detection becomes nearly impossible.
This new type of fileless malware helps the cybercriminals to:
- infect systems without getting detected;
- make a profit from fileless malware infections;
- gather information using info-stealing malware about a target PC before infecting it with additional malware;
- achieve persistence by moving the payload to the Windows registry after the exploitation;
- find and manipulate vulnerabilities faster by using sophisticated, flexible and even modular exploit kits;
- infect machines with ransomware.
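The registry persistence listed above is one of the few places where a fileless infection leaves something on disk that a defender can inspect. As an added example that is not part of the original post, this Python snippet parses a constructed Run-key export (placeholder values, not a real payload) and flags autorun entries that launch script hosts, carry long encoded arguments or embed inline script:

```python
import re

# Added example, not code from the original post. The sample export and the
# heuristics are constructed for illustration and would need tuning on real data.
# Script hosts often used to launch code that lives only in the registry or in
# memory; suspicious in an autorun value that is not a plain executable path.
SCRIPT_HOSTS = ("powershell", "mshta", "wscript", "cscript", "rundll32", "regsvr32")
# A run of 60+ base64-alphabet characters is rarely a legitimate argument.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
# One value line of a .reg export:  "Name"="value"
ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Constructed sample export; the encoded blob and the script are placeholders.
SAMPLE_EXPORT = "\n".join([
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    r'"Updater"="powershell.exe -nop -w hidden -enc ' + "QUJD" * 30 + '"',
    r'"Helper"="mshta.exe javascript:PLACEHOLDER_SCRIPT"',
])

def parse_run_key(export_text):
    """Return {name: value} for every value line in a .reg style export."""
    entries = {}
    for line in export_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group("name")] = m.group("value")
    return entries

def indicators(value):
    """List the fileless-persistence indicators present in one autorun value."""
    found = []
    lower = value.lower()
    if any(host in lower for host in SCRIPT_HOSTS):
        found.append("script host")
    if BASE64_RUN.search(value):
        found.append("long encoded argument")
    if re.search(r"(javascript|vbscript):", lower):
        found.append("inline script")
    if "-enc" in lower or "-w hidden" in lower:
        found.append("hidden/encoded command flags")
    return found

def triage(export_text):
    """Return only the autorun entries that carry at least one indicator."""
    return {name: hits for name, value in parse_run_key(export_text).items()
            if (hits := indicators(value))}

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_EXPORT).items():
        print(f"{name}: {', '.join(hits)}")
```

A legitimate entry such as OneDrive, which simply launches an executable by path, produces no indicators and is left out of the result.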
Because fileless malware runs in your computer’s RAM, it can only work while the PC is on. This means attackers have a smaller window in which to execute the attack and penetrate your operating system.
Nowadays, however, our computers stay on for much longer than ever before, so cybercriminals have more time to carry out a successful infection.
How to be a Fileless Malware-Buster?
Fileless malware can penetrate our systems because of our negligence. Once it has entered the host PC it is not detectable, so you can only stop it from infecting your system if you prevent it at the first moment.
- Apply security updates for your applications and operating system: Keeping your apps and OS up to date at all times can rule out as many as 85% of targeted attacks.
- Block the pages hosting the exploit kit: You can invest in a premium internet security product that blocks access to compromised websites, helping you avoid fileless malware.
- Block the communication between your PC and the attackers’ servers: If the payload is already in the host system, it becomes very necessary to block any communication with the servers controlled by the cyber-criminals. A premium security product can help you achieve that.
Got comments? Did I miss something? Comment below…
Kumar Jishu is a Cybersecurity Analyst working for VISTA InfoSec, a PCI QSA company providing vendor neutral consulting services in the areas of Information Risk Compliance and Infrastructure Advisory Services. For more information, email me at firstname.lastname@example.org. My LinkedIn profile can be viewed at www.linkedin.com/in/kumarjishu/