A new capability enables malware to infect a system without leaving any files on disk. How does this work? What can be done to stop malware like this?
A tried and true method for determining whether a computer has been compromised is to examine its file system for files that were recently created or modified. In many incident response engagements, the computer under investigation is powered off and its hard drive is imaged and examined forensically for newly written files. Once such files are found, indicators of compromise (file names, paths, hashes) can be derived from them and used to sweep other systems for the same infection.
However, by never writing a file to disk, an attacker sidesteps this workflow: there is no new file to find, and powering the machine off destroys the only copy of the malware. The incident responder instead has to recover the malware from a memory capture or from recorded network traffic, both of which must be collected while the system is still running and are considerably harder to obtain and analyze.
Malware researcher Kafeine wrote a blog post about new malware that does not write a file to the local file system. It works by exploiting a vulnerable program, which is made to download the malicious code directly into memory, execute it there and inject it into an already running process; at no point does a payload touch the disk. Because the injected code still has to live in process memory, it can be recovered by capturing RAM and carving the injected regions with a memory forensics tool such as Volatility, after which the dumped code can be analyzed like any other sample.
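The following is an added example, not code from the page, from Kafeine's post or from the Volatility project. It shows the heuristic a memory forensics tool applies when hunting for code that was injected into a running process: executable memory that is not backed by a file on disk, especially when it holds a PE header or starts with a function prologue. The Region records are a constructed stand-in for the per-region data such a tool exposes (base address, page protection, backing file, leading bytes); the addresses and bytes are illustrative, not taken from a real capture.

```python
"""Malfind-style triage of a process-memory snapshot for injected code.

Added example (not the page's or Volatility's code). SNAPSHOT is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

PE_MAGIC = b"MZ"
# Common x86/x64 function prologues and a well-known position-independent
# shellcode stub (cld; and rsp,-16) seen at the start of injected code
PROLOGUES = (b"\x55\x8b\xec", b"\x55\x48\x89\xe5", b"\x48\x83\xec", b"\xfc\x48\x83\xe4")


@dataclass
class Region:
    pid: int
    process: str
    base: int
    size: int
    protection: str             # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: Optional[str]  # None for private (anonymous) memory
    data: bytes                 # leading bytes of the region


def classify(r: Region) -> Optional[str]:
    """Return a reason if the region looks like injected code, else None.

    Image-backed executable memory (a loaded EXE or DLL) is normal. Executable
    memory with no backing file is what fileless injection leaves behind; it is
    most convincing when it carries a PE header or a code prologue.
    """
    if "EXECUTE" not in r.protection or r.mapped_file:
        return None
    if r.data.startswith(PE_MAGIC):
        return "PE image in private executable memory"
    if any(r.data.startswith(p) for p in PROLOGUES):
        return "code prologue in private executable memory"
    if "READWRITE" in r.protection:
        return "private RWX region (no PE/prologue; review manually)"
    return None


def triage(regions: List[Region]) -> List[dict]:
    """Flag every region that classify() considers suspicious, in snapshot order."""
    hits = []
    for r in regions:
        reason = classify(r)
        if reason:
            hits.append({"pid": r.pid, "process": r.process, "base": r.base,
                         "size": r.size, "reason": reason})
    return hits


def carve(r: Region) -> bytes:
    """Bytes an analyst would write out for static analysis. Note that a carved
    PE has no on-disk path or file-system timestamps to pivot on."""
    return r.data


# Constructed snapshot: two processes, one with an injected PE, one with shellcode.
SNAPSHOT = [
    Region(1234, "explorer.exe", 0x7FF6A0000000, 0x3A0000, "PAGE_EXECUTE_READ",
           r"C:\Windows\explorer.exe", b"MZ\x90\x00\x03\x00\x00\x00"),   # legit image
    Region(1234, "explorer.exe", 0x002A0000, 0x21000, "PAGE_EXECUTE_READWRITE",
           None, b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"),  # injected PE
    Region(1234, "explorer.exe", 0x00500000, 0x100000, "PAGE_READWRITE",
           None, b"\x00" * 16),                                        # ordinary heap
    Region(4321, "iexplore.exe", 0x001E0000, 0x1000, "PAGE_EXECUTE_READWRITE",
           None, b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00"),          # shellcode stub
    Region(4321, "iexplore.exe", 0x00300000, 0x10000, "PAGE_EXECUTE_READWRITE",
           None, b"\x00" * 16),                                        # e.g. JIT scratch
]

if __name__ == "__main__":
    for hit in triage(SNAPSHOT):
        print(f"pid {hit['pid']} {hit['process']} base {hit['base']:#x}: {hit['reason']}")
```

The third hit (a zero-filled private RWX region) is the usual source of false positives from this heuristic, since JIT compilers and some packers legitimately allocate such memory; it is reported with a weaker reason so the analyst can prioritize the PE and prologue hits first.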
One of the best ways enterprises can stop fileless malware is to patch endpoint software promptly and regularly, so the vulnerable program cannot be exploited in the first place; with no initial exploit there is nothing to load into memory. In addition, enterprises should deploy either an antimalware network appliance that blocks the malicious traffic (the initial download and any follow-on command-and-control connections) or endpoint antimalware that inspects memory and can detect this type of injection. If fileless malware is discovered, incident responders should collect memory before powering the system off and then work from the network traffic logs: identify which processes opened the connections that carried the malicious traffic, since the process that talked to the attacker's server is the one holding the injected code.
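The last step above, going from network traffic to the responsible process, is harder than it sounds because a network appliance sees only addresses and ports, while the PID that owns a connection is known only on the endpoint. The following is an added example, not code from the page, that joins the two: constructed appliance alerts are matched against constructed endpoint connection events (Sysmon-style fields are assumed) on the source ip:port, destination ip:port and a short time window, because ephemeral source ports are reused and the 4-tuple alone is not unique over time. Hosts, addresses and paths are all invented for the example.

```python
"""Attribute a network appliance's blocked connections to endpoint processes.

Added example, not the page's code. Both log formats are constructed.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed appliance alerts: time, src ip:port -> dst ip:port, verdict [tag]
APPLIANCE_ALERTS = """\
2017-04-12T10:15:03Z 10.0.0.25:49812 -> 203.0.113.7:443 blocked malware-c2
2017-04-12T10:15:41Z 10.0.0.25:49820 -> 198.51.100.9:80 allowed
2017-04-12T10:17:09Z 10.0.0.31:51002 -> 203.0.113.7:443 blocked malware-c2
2017-04-12T10:18:00Z 10.0.0.40:50001 -> 203.0.113.7:443 blocked malware-c2
""".splitlines()

# Constructed endpoint connection events (Sysmon-style: which pid/image opened it)
ENDPOINT_EVENTS = """\
2017-04-12T10:15:02Z host=WS-25 pid=4321 image=C:\\Program Files\\Internet Explorer\\iexplore.exe src=10.0.0.25:49812 dst=203.0.113.7:443
2017-04-12T10:15:40Z host=WS-25 pid=880 image=C:\\Windows\\System32\\svchost.exe src=10.0.0.25:49820 dst=198.51.100.9:80
2017-04-12T10:17:08Z host=WS-31 pid=2208 image=C:\\Windows\\System32\\rundll32.exe src=10.0.0.31:51002 dst=203.0.113.7:443
""".splitlines()

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<verdict>\S+)(?: (?P<tag>\S+))?$")
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse(lines: List[str], pattern) -> List[Dict]:
    """Parse lines matching `pattern`; lines in another format are skipped."""
    out = []
    for line in lines:
        m = pattern.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = parse_ts(rec["ts"])
        out.append(rec)
    return out


def attribute(alert_lines: List[str], event_lines: List[str],
              window: timedelta = timedelta(seconds=10)) -> List[Dict]:
    """For each blocked alert, find the endpoint event with the same
    src:port -> dst:port within `window` and report the owning process.
    An alert with no matching event (host without an endpoint agent, or the
    window missed) is still reported, with host/pid/image set to None."""
    events = parse(event_lines, EVENT_RE)
    results = []
    for a in parse(alert_lines, ALERT_RE):
        if a["verdict"] != "blocked":
            continue
        match = next((e for e in events
                      if e["src"] == a["src"] and e["dst"] == a["dst"]
                      and abs(e["ts"] - a["ts"]) <= window), None)
        results.append({
            "when": a["ts"].isoformat(),
            "dst": a["dst"],
            "host": match["host"] if match else None,
            "pid": int(match["pid"]) if match else None,
            "image": match["image"] if match else None,
        })
    return results


if __name__ == "__main__":
    for r in attribute(APPLIANCE_ALERTS, ENDPOINT_EVENTS):
        who = f"{r['host']} pid {r['pid']} {r['image']}" if r["pid"] else "unattributed"
        print(f"{r['when']} -> {r['dst']}: {who}")
```

The attributed processes are the ones to dump from memory and triage; the unattributed alert is the gap the page warns about, since without an endpoint record of the connection there is neither a file nor a process name to start from.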
Related Q&A from Nick Lewis