Fileless Malware
Traditional malware installs by dropping a payload (an .exe or .dll) onto an
infected device's hard disk and uses persistence features such as "autostart"
to ensure it continues to run. Most anti-malware scanners should detect these
threats. Fileless malware [1], on the other hand, does not install any files on
its victim's PC. Instead, it writes itself directly to RAM and so exists in
memory only. For example, fileless malware often hides in the Windows registry
by creating a new thread. Much like rootkits, hiding in memory or in the
registry makes detection and removal more difficult, especially for file-based
anti-malware. Phasebot works by creating a new registry value in
HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{Bot GUID}.
Fileless malware that leverages the registry has been around for a year or two.
Morto was probably the first, coming out in July 2012, followed by Emotet in
May 2014. By never dropping anything onto the hard drive you reduce your
payload's footprint and its chances of being detected; samples are also harder
to collect. The drawback of fileless malware is that simply restarting the
device can get rid of it, unless of course the malware hooks into an API that
guarantees its survival once the application closes.
A nice comparison of traditional and fileless malware can be found here:
PowerShell Malware
Another recent malware trend is the use of Windows PowerShell, as in POWELIKS
[2] back in August 2014 and Phasebot [3] (a child of Solarbot) in April 2015.
PowerShell is a configuration management framework, introduced in Windows 7
(it can be opened by pressing the Windows key and typing powershell). It is to
Windows what the shell is to Unix: a CLI similar to the Windows CMD prompt,
only more powerful. This power comes from a newer, richer command set and the
ability to script (via the PowerShell ISE) rather than rely on CMD's batch
files. Again, as with fileless malware, using a PowerShell script rather than
installing an .exe file makes it much harder to detect, as the malicious script
can be compiled and embedded (e.g. in rundll32.exe) on the fly.
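The Active Setup location named above is one place a defender can check directly. The script below is an added example, not code from the original post or from any of the referenced write-ups: it enumerates the "Installed Components" keys under HKCU and HKLM and flags entries whose StubPath launches a script host, rundll32 or an encoded command, or whose values are unusually large (the 1024-character threshold and the keyword list are assumptions, not figures from the post).

```powershell
# Added example (not from the original post): heuristic review of Active Setup
# "Installed Components" for registry-resident or script-based stubs.
function Find-SuspiciousActiveSetup {
    [CmdletBinding()]
    param(
        # Assumption: legitimate StubPath values are short command lines.
        [int]$MaxValueLength = 1024
    )
    $roots = @(
        'HKCU:\Software\Microsoft\Active Setup\Installed Components',
        'HKLM:\Software\Microsoft\Active Setup\Installed Components',
        'HKLM:\Software\Wow6432Node\Microsoft\Active Setup\Installed Components'
    )
    # Script hosts, rundll32 and encoded-command switches rarely belong in a stub
    $pattern = 'powershell|pwsh|wscript|cscript|mshta|rundll32|-enc|EncodedCommand|FromBase64String|javascript:|vbscript:'

    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $reasons = @()
            $stub = $key.GetValue('StubPath')
            if ($stub -and ($stub -match $pattern)) {
                $reasons += "StubPath matches '$($Matches[0])'"
            }
            # A script stored in a value shows up as an oversized string/blob
            foreach ($name in $key.GetValueNames()) {
                $val = [string]$key.GetValue($name)
                if ($val.Length -gt $MaxValueLength) {
                    $reasons += "value '$name' is $($val.Length) chars"
                }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key      = $key.Name
                    StubPath = $stub
                    Reasons  = ($reasons -join '; ')
                }
            }
        }
    }
}

# Print hits; no output means nothing matched the heuristics on this host
Find-SuspiciousActiveSetup | Format-Table -AutoSize -Wrap
```

Legitimate installers (browser and media components) also use Active Setup, so treat a hit as a lead to inspect the referenced command line rather than as a verdict.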
[1] SecurityNet, "New Fileless malware found in the wild," April 2015. [Online]. Available: https://www.net-security.org/malware_news.php?id=3021
[2] TrendLabs, "POWELIKS: Malware Hides in Windows Registry," August 2014. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
[3] TrendLabs, "Without a Trace: Fileless Malware spotted in the Wild," April 2015. [Online]. Available: https://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/