Defending Against Fileless Malware
By BUFFERZONE Team, 14/08/2018
Fileless malware has attracted a lot of attention recently because security solutions have had difficulty defending against it. Attackers are aware of that difficulty and are concentrating much of their effort on this type of attack: fileless attacks increased significantly throughout 2016 and are still on the rise.
Here we’ll try to explain what exactly fileless malware is, and we’ll discuss some of the approaches to protecting against it.
Understanding Fileless Malware
First off, ‘fileless malware’ is a bit of a misnomer, since it’s not always completely fileless, as we’ll see. This is why various other names have been suggested, including ‘bodiless malware’, ‘non-malware attacks’, Advanced Volatile Threats (AVTs) and ‘living off the land’ attacks. However, fileless malware seems to have become the accepted term, so we’ll stick with that.
Fileless malware is not unique in how it gains its foothold on endpoints. As with conventional malware, the entry vectors include email attachments such as Office documents with macros, malicious websites serving exploits (historically through Flash and other browser plugins), and other data, file-based or not, arriving at the computer from an untrusted source. What makes an attack ‘fileless’ is what happens next: instead of dropping an executable to disk, the malicious code runs in memory, typically by abusing interpreters and tools that are already on the machine (PowerShell, the Windows Script Host, mshta.exe, rundll32.exe, WMI). Nor is the payload unique. As with conventional malware it can be destruction of valuable resources, spyware that steals sensitive information, or ransomware that encrypts important data and blocks access to it.
Fileless malware has existed for almost 20 years (Lenny Zeltser’s history, listed at the end of this post, traces it back to the Code Red worm of 2001), but until recently it had one significant built-in weakness: since nothing was saved to disk, it was removed by a simple reboot. Beginning around 2014, however, attackers have developed sophisticated methods for achieving persistence without writing an executable file. These include:
- Windows registry: The malware stores its payload in one or more registry values, and an autostart entry such as a Run key invokes a legitimate signed binary (rundll32.exe, mshta.exe, powershell.exe) at boot or logon, which reads the stored code and executes it in memory. The registry hive is of course itself saved to disk, but no executable file is written: the code sits in legitimate-seeming locations, may hide under randomized or unprintable key and value names that registry tools display poorly, and may be encoded or encrypted.
- WMI (Windows Management Instrumentation): The malware registers a permanent WMI event subscription in the CIM repository: an __EventFilter that describes a trigger (system startup, a recurring timer, a process start), an __EventConsumer such as a CommandLineEventConsumer or ActiveScriptEventConsumer that holds the command line or script to run, and an __FilterToConsumerBinding that ties the two together. Whenever the trigger fires, WMI itself launches the malicious command or script. The CIM repository (under %SystemRoot%\System32\wbem\Repository) is itself saved to disk, but few tools inspect it and the code is well hidden.
- Reinfection: The malware spreads laterally to machines with very high uptime, such as domain controllers and other servers, so that after any single host is rebooted it is quickly reinfected from a neighbour that was never cleaned.
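As an added example (not BUFFERZONE code, and not taken from either source listed at the end), the following PowerShell enumerates the two on-disk persistence mechanisms just described: the Run/RunOnce autostart values and the permanent WMI event subscriptions in the root\subscription namespace. The registry paths, namespace and class names are the real ones; the indicator patterns are an assumption chosen for illustration and should be tuned to your environment. The script is read-only and is meant to be run from an elevated prompt so that the HKLM keys and the subscription namespace are readable.

```powershell
# Added example, not BUFFERZONE code: read-only hunt for registry and WMI
# persistence. Run from an elevated PowerShell prompt on the endpoint.

# Constructed indicator patterns (an assumption for illustration; tune per environment).
$SuspiciousPatterns = @(
    'powershell(\.exe)?\s.*-(e|ec|enc|encodedcommand)\s',  # encoded PowerShell stager
    'mshta(\.exe)?\s+(javascript|vbscript):',              # script: URI run through mshta
    'rundll32(\.exe)?\s+javascript:',                      # Poweliks-style rundll32 launcher
    'regsvr32(\.exe)?\s.*/i:\S*http',                      # scriptlet fetched from a URL
    'FromBase64String|Get-ItemProperty|GetValue\('         # loader reading a payload from the registry
)

function Test-SuspiciousCommand {
    param([string]$CommandLine)
    foreach ($pattern in $SuspiciousPatterns) {
        if ($CommandLine -match $pattern) { return $pattern }   # -match is case-insensitive
    }
    return $null
}

# 1. Autostart values in the Run/RunOnce keys (add Wow6432Node and Winlogon keys for wider coverage).
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

function Find-RegistryPersistence {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            # Skip the provider metadata that Get-ItemProperty adds to every object.
            if ($name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            $data = [string]$props.$name
            $hit  = Test-SuspiciousCommand $data
            # A value name containing non-printable characters is a classic trick to hide from regedit.
            $hiddenName = $name -match '[^\x20-\x7E]'
            if ($hit -or $hiddenName) {
                [pscustomobject]@{
                    Source   = 'Registry'
                    Location = "$key\$name"
                    Reason   = $(if ($hit) { $hit } else { 'non-printable characters in value name' })
                    Data     = $data
                }
            }
        }
    }
}

# 2. Permanent WMI event subscriptions: filter (trigger) -> consumer (action), joined by a binding.
function Find-WmiPersistence {
    $ns = 'root\subscription'
    foreach ($consumer in (Get-CimInstance -Namespace $ns -ClassName __EventConsumer)) {
        $class = $consumer.CimClass.CimClassName
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs VBScript/JScript.
        $payload = switch ($class) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '' }
        }
        $hit = Test-SuspiciousCommand ([string]$payload)
        if ($hit -or $payload) {
            [pscustomobject]@{
                Source   = 'WMI'
                Location = "$ns\$class\$($consumer.Name)"
                Reason   = $(if ($hit) { $hit } else { "$class present; review manually" })
                Data     = $payload
            }
        }
    }
    # The filter's WQL query is the trigger; startup and timer queries are the usual persistence hooks.
    foreach ($filter in (Get-CimInstance -Namespace $ns -ClassName __EventFilter)) {
        [pscustomobject]@{ Source = 'WMI'; Location = "$ns\__EventFilter\$($filter.Name)"; Reason = 'trigger query'; Data = $filter.Query }
    }
    # The bindings show which trigger fires which action.
    foreach ($binding in (Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)) {
        [pscustomobject]@{ Source = 'WMI'; Location = "$ns\__FilterToConsumerBinding"; Reason = 'binding'; Data = "Filter=$($binding.Filter) Consumer=$($binding.Consumer)" }
    }
}

Find-RegistryPersistence | Format-List
Find-WmiPersistence     | Format-List
```

On a clean workstation the WMI section normally returns nothing, or only the few subscriptions installed by management software, which is why every consumer, filter and binding is listed rather than only pattern matches: a persistent fileless implant is far easier to spot as an unexpected binding than as a string signature.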
In many cases, sophisticated attackers take existing conventional malware and create new, fileless variants.
Thanks to these methods, organizations are now faced with persistent fileless malware, capable of a variety of attacks, that conventional file-scanning security solutions struggle to intercept and remove. Some notable recent examples include Poweliks, Kovter, Duqu 2.0, POSHSPY and WMIGhost.
Once a fileless attack is known to exist, forensic analysts can use specialized tools (memory forensics, registry and CIM repository analysis) to track down and remove the malicious code. It is far harder for conventional automated solutions, which look for malicious files, to find and identify it.
Some security vendors are applying behavioural and statistical analysis to identify malicious behaviour rather than malicious code: for example, a word processor spawning a script interpreter, or the WMI provider host launching PowerShell with an encoded command. It is not yet clear how reliably attack behaviour can be distinguished from legitimate administrative activity, and in any case this approach is limited in its ability to anticipate new attack vectors.
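To make the behavioural approach concrete, here is an added example (not BUFFERZONE code and not from either source listed below) that applies a few parent/child and command-line rules to process-creation records in the shape of Sysmon Event ID 1 fields. The five records are constructed for this example; the parent images, the rule thresholds and the field layout (ParentImage|Image|CommandLine) are assumptions, and the base64 blob decodes to a harmless one-liner. The last two records are deliberately legitimate-looking administrative uses of PowerShell that the rules must not flag, which is exactly where behavioural detection gets hard.

```powershell
# Added example, not BUFFERZONE code: behavioural rules over constructed
# process-creation records (ParentImage|Image|CommandLine), one per line.
$SampleEvents = @'
ParentImage|Image|CommandLine
C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoP -W Hidden -Enc RwBlAHQALQBEAGEAdABlAA==
C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe javascript:\..\mshtml,RunHTMLApplication ;document.write();
C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NonInteractive -Command "Get-ItemProperty HKCU:\Software\Updater"
C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1
C:\Windows\System32\svchost.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -NoProfile -Command "Get-Date"
'@

function Get-EncodedPayload {
    param([string]$CommandLine)
    # -e / -ec / -enc / -EncodedCommand carries a base64-encoded UTF-16LE script; decode it so the
    # analyst sees the real command rather than the blob. Returns $null when there is none.
    if ($CommandLine -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return $null }
    }
    return $null
}

function Find-SuspiciousProcessEvents {
    param([string[]]$Lines)
    # Assumed lists of document/browser parents and script-capable children.
    $docParents  = '(WINWORD|EXCEL|POWERPNT|OUTLOOK|AcroRd32|iexplore|chrome|firefox)\.exe$'
    $scriptHosts = '(powershell|pwsh|wscript|cscript|mshta|cmd|rundll32|regsvr32)\.exe$'
    foreach ($line in $Lines) {
        if ($line -match '^ParentImage\|' -or -not $line.Trim()) { continue }   # header / blank
        $parent, $image, $cmd = $line -split '\|', 3                            # split manually: command lines contain quotes
        $reasons = @()
        if ($parent -match $docParents -and $image -match $scriptHosts) {
            $reasons += 'document or browser spawned a script host'
        }
        if ($parent -match 'WmiPrvSE\.exe$' -and $image -match $scriptHosts) {
            $reasons += 'WMI provider host spawned a script host (event consumer firing)'
        }
        if ($cmd -match '(rundll32|mshta)(\.exe)?\s+.*(javascript|vbscript):') {
            $reasons += 'script: URI passed to rundll32/mshta'
        }
        $decoded = Get-EncodedPayload $cmd
        if ($decoded) { $reasons += "encoded PowerShell, decodes to: $decoded" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Parent      = $parent
                Image       = $image
                Reasons     = ($reasons -join '; ')
                CommandLine = $cmd
            }
        }
    }
}

Find-SuspiciousProcessEvents ($SampleEvents -split "`r?`n") | Format-List
```

Note what the rules key on: who launched the interpreter and how, never the bytes of a file. That is what lets them catch the Word-to-PowerShell and WmiPrvSE-to-PowerShell chains, and it is also why the explorer.exe and svchost.exe records pass, since a scheduled backup script and an interactive shell look identical at this level of detail. Closing that gap needs more context (script block logging, command-line allow-lists per host role), which is the limitation the paragraph above points at.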
At this point in time it seems as though there is only one really effective solution: preemptive containment such as that provided by BUFFERZONE.
BUFFERZONE creates a virtual container on organizational endpoints. Every process that can reach external, untrusted sources such as the internet runs inside the container, together with any data it downloads or saves, including registry settings; only uncontained processes can access trusted organizational resources. So, for example, a browser session to a malicious site stays inside the container, and a malicious email attachment is opened inside it. Even if malicious code manages to run there, it can affect only contained, virtualized resources (memory, disk space, networking and registry), and the container is periodically wiped clean, including contained processes, data and any settings written to the container’s virtual copy of the registry. Contained processes can also be kept on separate networks, enforced by an organizational proxy, which removes the possibility of propagation through the organization.
So, with the BUFFERZONE solution, it doesn’t matter what kind of malware your endpoints may become infected with – file-based, fileless, or some new kind that we haven’t seen yet. Anything that comes into contact with untrusted sources is isolated from anything important, and periodically wiped clean.
Sources
Lenny Zeltser, “The History of Fileless Malware – Looking Beyond the Buzzword”, zeltser.com, 20/04/2017
Dan Goodin, “A rash of invisible, fileless malware is infecting banks around the globe”, Ars Technica, 08/02/2017