alphaspirit - Fotolia
A new capability enables malware to infect a system without leaving any files on disk. How does this work? What can be done to stop malware like this?
A tried and true method for identifying if a computer has been compromised is to look at its file system to find any new files that were recently saved on the computer. Many times in incident response, a computer under investigation would be powered off and the hard drive would be forensically investigated to find new saved files. Once files are found, indicators of compromise could be created and further investigation on other systems can be done.
However, by not writing files to the file system, attackers can evade these incident response steps. In this case, the incident responder would need to recover the malware from memory or from network traffic, which can be much more challenging.
Malware researcher Kafeine wrote a blog post about new malware that doesn't write a file to the local file system. This malware works by forcing a vulnerable program to download malicious code that will execute in memory and inject malicious code into a running process. This type of malware can be dumped from memory using a forensics tool such as Volatility and then investigated.
One of the best ways enterprises can stop fileless malware is by promptly and regularly patching software on the endpoint so it can't be exploited in the first place. In addition, enterprises should use either an antimalware network appliance to block the malicious network traffic or antimalware software that can detect this type of malware. If fileless malware is discovered, incident responders should look at network traffic logs and identify the processes used to send the malicious network traffic to pinpoint the malicious processes.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Learn the latest about the changing face of malware detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
IBM banned removable storage devices to encourage employees to use the company's internal file-sharing system. Learn how a ban like this can improve ... Continue Reading
After a comeback of the Russian-built VPNFilter botnet, home network devices are at risk. Learn how this malware targets victims with expert Nick ... Continue Reading
The TrickBot banking Trojan joined forces with IcedID to form a dual threat that targets victims for money. Discover how this union occurred and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.