alphaspirit - Fotolia

Manage Learn to apply best practices and optimize your operations.

How to detect malware that leaves no file on disk

Malware that leaves no file on disk can throw enterprises' malware-detection capabilities for a loop. Learn how to detect and defend against fileless malware.

A new capability enables malware to infect a system without leaving any files on disk. How does this work? What can be done to stop malware like this?

A tried and true method for identifying if a computer has been compromised is to look at its file system to find any new files that were recently saved on the computer. Many times in incident response, a computer under investigation would be powered off and the hard drive would be forensically investigated to find new saved files. Once files are found, indicators of compromise could be created and further investigation on other systems can be done.

However, by not writing files to the file system, attackers can evade these incident response steps. In this case, the incident responder would need to recover the malware from memory or from network traffic, which can be much more challenging.

Malware researcher Kafeine wrote a blog post about new malware that doesn't write a file to the local file system. This malware works by forcing a vulnerable program to download malicious code that will execute in memory and inject malicious code into a running process. This type of malware can be dumped from memory using a forensics tool such as Volatility and then investigated.

One of the best ways enterprises can stop fileless malware is by promptly and regularly patching software on the endpoint so it can't be exploited in the first place. In addition, enterprises should use either an antimalware network appliance to block the malicious network traffic or antimalware software that can detect this type of malware. If fileless malware is discovered, incident responders should look at network traffic logs and identify the processes used to send the malicious network traffic to pinpoint the malicious processes.

Other host-based hardening techniques such as implementing least-privileged accounts, whitelisting and so forth should also to be in place to stop fileless malware attacks.

Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Next Steps

Learn the latest about the changing face of malware detection

This was last published in April 2015

Dig Deeper on Malware, virus, Trojan and spyware protection and removal