alphaspirit - Fotolia
A new capability enables malware to infect a system without leaving any files on disk. How does this work? What can be done to stop malware like this?
A tried and true method for identifying if a computer has been compromised is to look at its file system to find any new files that were recently saved on the computer. Many times in incident response, a computer under investigation would be powered off and the hard drive would be forensically investigated to find new saved files. Once files are found, indicators of compromise could be created and further investigation on other systems can be done.
However, by not writing files to the file system, attackers can evade these incident response steps. In this case, the incident responder would need to recover the malware from memory or from network traffic, which can be much more challenging.
Malware researcher Kafeine wrote a blog post about new malware that doesn't write a file to the local file system. This malware works by forcing a vulnerable program to download malicious code that will execute in memory and inject malicious code into a running process. This type of malware can be dumped from memory using a forensics tool such as Volatility and then investigated.
One of the best ways enterprises can stop fileless malware is by promptly and regularly patching software on the endpoint so it can't be exploited in the first place. In addition, enterprises should use either an antimalware network appliance to block the malicious network traffic or antimalware software that can detect this type of malware. If fileless malware is discovered, incident responders should look at network traffic logs and identify the processes used to send the malicious network traffic to pinpoint the malicious processes.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn the latest about the changing face of malware detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cisco Talos' Thanatos ransomware decryptor can recover files affected by new ransomware that won't decrypt ransomed files even when a ransom has been... Continue Reading
A phishing campaign targeting Trezor wallets may have poisoned DNS or hijacked BGP to gain access. Learn how the attack worked and how to mitigate it... Continue Reading
Okta researchers found a bypass that allows macOS malware to pose as signed Apple files. Discover how this is possible and how to mitigate this ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.