What is fileless malware?

Fileless malware attacks have increased over 300% in 2019. What is fileless malware and how does it work?

According to their mid-year Cybersecurity report, Trend Micro asserts that fileless malware attacks have increased 365% over the same period the previous year.  In order to understand why this is increasing and how fileless malware works, we first need to understand how traditional anti-virus software works, because fileless malware evolved in order to try to circumvent the protections offered by traditional anti-virus software.

How does anti-virus software work?

Traditional anti-virus software attempts to identify malware code while it is at rest on the computer disk or in use in an executing program.  Using Microsoft Windows as our example, it works like this:

Since Windows XP, Windows has included the ability to insert drivers into the filesystem at run-time.  These drivers are arranged in a stack and all disk I/O has to flow through all the drivers for each read and write operation.  The drivers are arranged into groups in the stack and perform functions such as file replication, undelete services, quota management, and anti-virus scanners. It is easy to understand how a problem with an anti-virus product can affect system performance, as all disk I/O has to interact with the anti-virus software.

Computer software is code and, whether compiled or interpreted, it is generally static.  This means that if you can obtain a copy of a piece of malware, you can look at the code and locate a sequence of bytes that is unique to that item of malware.  This is its signature.  Anti-virus software watches the stream of bytes flowing to and from the disk and, if it spots a sequence of bytes that it recognises, it blocks the I/O operation and flags the file as malware.

As anti-virus software became more sophisticated, the developers realised that certain patterns of code often turn up in some form or another in malware.  For example, attempts to modify certain system files in order to create a persistent process that survives a system reboot.  Recognising this behaviour as ‘probably’ malware, even if that exact piece of malware is not within the anti-virus list of signatures, gave rise to the next generation of heuristic anti-virus.

In order to combat signature-based anti-virus detection, malware authors developed polymorphic viruses – that is, malware which changes itself over time. It does this by downloading new modules from command and control servers, re-arranging how it stores itself on the computer system, and rapidly updating itself to new versions so that the anti-virus signatures are always out of date.  Heuristic anti-virus, which looks for patterns of behaviour rather than patterns in the code, is a primary defence against polymorphic malware.

The ability to insert drivers into the I/O stack for disk operations is repeated for access to the Windows Registry, firewall traffic, loading code images (EXE, DLL or SYS files), starting processes and spawning threads.  The anti-virus can insert itself into all of these operations, inspect the data and terminate the operation if it identifies a risk.

This presents a challenge to the malware authors, as however they try to get their software onto your computer, be it hidden in another file, downloaded over the network or saved to disk via a browser exploit – the anti-virus software has the potential ability to spot the file and block it.

The answer is the shift to fileless malware.

What is fileless malware?

Fileless malware does not exist as executable code on the disk of the computer system – hence the term fileless.  Instead, the malware resides only in memory.  It may have components that are invoked using details injected into the Windows Registry, or it leverages existing system components such as PowerShell to work on its behalf.  This is known as ‘living off the land.’

PowerShell-based malware has risen significantly in the last year – up 1000% according to Symantec.  PowerShell is used legitimately all the time in enterprise networks – for tasks such as login scripts, monitoring performance or rolling out new software updates.  If the script that PowerShell is executing is never stored on the disk, traditional anti-virus can never spot it, and a computer forensic investigation has nothing to work with.

In addition to malicious scripts, fileless malware can also inject malicious code into otherwise legitimate running software by leveraging exploits in that application.  Typically, these attacks target web browsers or frameworks like Java or Flash.

How to mitigate fileless malware attacks

With the latest versions of PowerShell (v5 onwards), Microsoft has introduced support for the Antimalware Scan Interface.  This Windows 10 / Server 2016 service allows any software that processes scripts (not just PowerShell) to submit the plain text script to Windows Defender or installed anti-virus for validation before it is executed.  This means that any software that is scriptable can now provide some measure of protection against malicious scripts being used in ‘living off the land’ fileless attacks.  Developers need to update their software to work with the AMSI, as it does not happen automatically.
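As an added example of the AMSI submission described above (this is not code from the article or from SecureTeam), the PowerShell function below P/Invokes amsi.dll to hand arbitrary script text to the registered anti-virus, exactly as a scriptable application would do before executing it. It assumes Windows 10 / Server 2016 or later with an AMSI-capable anti-virus registered; the function name, the application name string and the benign sample input are assumptions.

```powershell
# Added example (not from the original article): submit script text to AMSI
# from PowerShell via P/Invoke, the way any AMSI-aware scripting host does.
# Assumes Windows 10 / Server 2016 or later with an AMSI provider registered.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class AmsiNative {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr amsiContext);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanString(IntPtr amsiContext, string content,
        string contentName, IntPtr session, out int result);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr amsiContext);
}
"@

function Test-ScriptWithAmsi {
    # Hypothetical helper name; returns the AMSI verdict for the supplied text.
    param(
        [Parameter(Mandatory)][string]$ScriptText,
        [string]$ContentName = 'in-memory-script'
    )
    $ctx = [IntPtr]::Zero
    # 'FilelessDemoHost' is an assumed application name shown to the AV provider.
    $hr = [AmsiNative]::AmsiInitialize('FilelessDemoHost', [ref]$ctx)
    if ($hr -ne 0) { throw ('AmsiInitialize failed with HRESULT 0x{0:X8}' -f $hr) }
    try {
        $result = 0
        $hr = [AmsiNative]::AmsiScanString($ctx, $ScriptText, $ContentName,
                                           [IntPtr]::Zero, [ref]$result)
        if ($hr -ne 0) { throw ('AmsiScanString failed with HRESULT 0x{0:X8}' -f $hr) }
        # AMSI_RESULT values: 0 = clean, 1 = not detected,
        # 0x4000-0x4FFF = blocked by admin policy, >= 0x8000 = detected (malware).
        [pscustomobject]@{
            ContentName = $ContentName
            AmsiResult  = $result
            IsMalware   = ($result -ge 0x8000)   # same test as the AmsiResultIsMalware macro
        }
    } finally {
        [AmsiNative]::AmsiUninitialize($ctx)
    }
}

# Constructed benign sample: a host would call this for every script before running it.
Test-ScriptWithAmsi -ScriptText 'Get-Date' -ContentName 'benign.ps1'
```

To check a script that was never written to disk, pass its text in directly, e.g. `Test-ScriptWithAmsi -ScriptText (Get-Content -Raw .\suspect.ps1)`. Note that PowerShell v5+ already submits this script block itself to AMSI before running it, which is the protection the article describes.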

In addition to subverting scripting engines, fileless malware exploits vulnerabilities in other installed software (such as Microsoft Office applications, Java or Flash).  Removing unused software and ensuring all other software is promptly patched each month reduces the attack surface that fileless malware can exploit.

Next Generation Firewalls that provide application level inspection, intrusion protection and use cloud services to bring intelligence from outside the firewall will also help.  With the firewall automatically updating itself to block traffic to and from malware command and control servers as they are discovered, the fileless malware can be disrupted from operating.

Fileless malware is the next phase in the arms race between malware authors and cybersecurity professionals.  Good security hygiene is still the best defence.