alphaspirit - Fotolia
A new capability enables malware to infect a system without leaving any files on disk. How does this work? What can be done to stop malware like this?
A tried and true method for identifying if a computer has been compromised is to look at its file system to find any new files that were recently saved on the computer. Many times in incident response, a computer under investigation would be powered off and the hard drive would be forensically investigated to find new saved files. Once files are found, indicators of compromise could be created and further investigation on other systems can be done.
However, by not writing files to the file system, attackers can evade these incident response steps. In this case, the incident responder would need to recover the malware from memory or from network traffic, which can be much more challenging.
Malware researcher Kafeine wrote a blog post about new malware that doesn't write a file to the local file system. This malware works by forcing a vulnerable program to download malicious code that will execute in memory and inject malicious code into a running process. This type of malware can be dumped from memory using a forensics tool such as Volatility and then investigated.
One of the best ways enterprises can stop fileless malware is by promptly and regularly patching software on the endpoint so it can't be exploited in the first place. In addition, enterprises should use either an antimalware network appliance to block the malicious network traffic or antimalware software that can detect this type of malware. If fileless malware is discovered, incident responders should look at network traffic logs and identify the processes used to send the malicious network traffic to pinpoint the malicious processes.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn the latest about the changing face of malware detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Enterprises new to the cloud can write new security policies from scratch, but others with broad cloud usage may need an update. Consider these ... Continue Reading
Cloud security providers need to play catch-up with the evolving advancements in cloud technology. Find out what the top CSPs offer today and which ... Continue Reading
Cloud security certifications serve to bolster security professionals' resumes and boost value to employers. Learn about the top certifications ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.