Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    ‘Fileless’ Malware Attacks Growing in Number and Sophistication

    By
    WAYNE RASH
    -
    September 5, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Fileless malware attacks

      You may not have heard of a fileless malware attack, but despite its obscurity, it’s a real and serious threat. 

      Furthermore, fileless malware makes up about 70 percent of executables that are unknown to reputation services, according to SentinelOne’s Enterprise Risk Index Report for the 2018 first half. This means that antivirus software that depends on matching a signature won’t find this malware. 

      In many cases this is because the malware isn’t an executable file at all. Instead, it’s a process that’s delivered to a computer that takes over an existing service, such as Microsoft Windows PowerShell or another Windows service, which then loads software or follows commands that carry out the activities normally associated with malware. 

      I first encountered such malware in 2015 in a spoofed email from a fax service that included a scan of the supposed fax. But what was actually included was a Microsoft Word file that included Javascript code that loaded malware from Russia. My AV software never noticed, even when I explicitly scanned the document. 

      That’s the problem with fileless malware. It enters your system as executable instructions that run in PowerShell, for example, and the computer follows those instructions. It may, for example, load encryption software from a remote site, encrypt your hard disk and then terminate the process. Or it can tell PowerShell to locate your backups first, and then erase them. 

      Security software that relies on a library of known malware threats to protect computers from cyber-attacks are ineffective because there’s no virus or malware file for your antivirus or anti-malware program to recognize. According to the SentinelOne report, this threat is growing rapidly. The problem then becomes, what to do about it? 

      “When there’s no file, many of the AV systems are blind to it,” says Migo Kedem, director of product management at SentinelOne. Kedem said that some companies are trying to prevent such attacks by disabling PowerShell or by disabling macros in Microsoft Office. 

      But he said that such actions can have serious impacts on productivity. He also noted that PowerShell has become increasingly important to IT departments for automating critical processes. 

      According to Kedem, the problem is also that you can’t hash a command line the way antivirus software uses a computed hash to identify malware. So the fileless malware can run the same command 25 or 30 different ways until something works. 

      Kedem said that he’s been working on artificial intelligence and machine learning software that can observe what is happening on a system under attack. When certain types of activities take place, the intelligent system can stop them, and if necessary roll back the attack. 

      “Eventually it will try to encrypt your files,” Kedem explained. “But first it will try to delete your backups. In the case of ransomware, those are two behaviors that mark it as malicious.” 

      The only way to detect such fileless malware is to catch it in the act. This means that you need monitoring software that will observe activity on your computers, and when it sees something suspicious, it immediately takes action. SentinelOne has an agent that monitors such activity, and takes action when it finds it. 

      Other solutions include Cybereason RansomFree which looks for the encryption process to begin, and then immediately terminates it. Cybereason also makes a full enterprise system that uses AI to seek out and destroy malware of all types. 

      Malwarebytes, long known for effective malware protection, is also fighting fileless malware. 

      “Malwarebytes’ exploit mitigation technology allows us to stop file-less malware attacks before they even begin, whether they rely on drive-by downloads or social engineering—i.e. Office macros,” said Jerome Segura, head of investigations at Malwarebytes Intelligence in an email. 

      “Our other layers of protection allow us to detect file-less malware already on the system in particular if it relies on registry entries for persistence and connects to its Command and Control server,” Segura wrote. 

      As you might expect, the fact that it’s fileless means that finding it installed on a system is problematic. 

      “There are types of file-less malware that we detect after infection,” explained Adam Kujawa, head of Malwarebytes Intelligence in an email. “However, with the constant evolution of this type of attack, we are likely going to encounter speedbumps on protecting users from this threat after infection.” 

      “A combination of our real time protection and web protection functionalities help with after infection cases, while our exploit mitigation tech identifies the attack before it can cause any damage,” Kujawa added. 

      Besides using JavaScript, and instructions for PowerShell, there are a number of ways that fileless malware can attack a system. These include VBScript Mshta (which runs Microsoft’s HTML application host) and rundll32 among other Windows processes that can run executable code. 

      However, you can’t just disable these processes in Windows (or similar processes in other operating systems) without potentially disabling the computer. While Windows is the most commonly attacked with fileless malware, there’s nothing that prevents this from happening with other operating systems. 

      The reasons why most of the files attacks are directed against Windows systems is mostly because of the huge installed base and because of the higher potential for significant return on malware writers’ efforts. 

      Protecting your computers requires more than just an antivirus package. It also requires discipline, education and good computer hygiene to keep from being a victim in the first place. You also have to have a strong sense of suspicion, which is how I discovered my first piece of fileless malware. 

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×