This content is part of the Essential Guide: Antimalware tools and techniques security pros need right now
Problem solve Get help with specific problems with your technologies, process and projects.

The rise of fileless malware attacks

New malware threats can infect systems without leaving any files behind. Expert Nick Lewis explains how fileless malware operates and the best ways for security programs to stop it.

Attackers want to be as stealthy as possible to reduce the chance they will be detected. This means making the...

least number of changes to an infected system and leaving the least amount of evidence on that system. The longer the attackers can stay undetected, the greater the chances they can achieve their goal. Attackers have long been known to delete their tools during an attack, and malware authors have started deleting files used in attacks, which is known as fileless malware. This leaves the system relatively clean of malicious files that could be detected to alert security managers of the attack.

This tip will take a look at how fileless malware works, how it's becoming more sophisticated, and what enterprises can do to protect themselves from such threats.

How fileless malware works

Intel Security presented a detailed overview of fileless malware in its McAfee Labs Threats Report November 2015. The report describes how fileless malware deletes any files it saves on the disk of an infected system, saves encrypted data in the registry, injects code into running processes, and uses PowerShell, Windows Management Instrumentation and other techniques to make it difficult to detect and analyze the malware. The data saved into the registry also is saved in a way that allows the malware to run on startup, but not allow a normal user to view or access the specific registry data. This allows the attackers additional time from the initial detection to use their malware and continue their attacks; malware might be detected by an automated tool or submitted to a malware repository, but until it's been sufficiently analyzed, the malware can be difficult to identify and remove with most antimalware products. There are legitimate reasons to store encrypted or hashed data in the registry or to use some of the other techniques malware authors use to obfuscate their malware. For example, some applications might store an encrypted password in the registry that needs to be protected.

There are legitimate reasons to store encrypted or hashed data in the registry or to use some of the other techniques malware authors use to obfuscate their malware.

To execute instructions on a Windows computer, the operating system needs to first know what instructions to execute; this can happen by opening an attachment, clicking on a link in an email, opening a file on a computer or using a remote file share. Injecting code into a running process first requires one of these previous actions. Once the code is in memory, it can execute and take whatever action is allowed for the user executing the code. If that user has administrative-level access, the system can be completely compromised, but if the account is a limited user account, additional steps are necessary to completely compromise the system.

In the McAfee Labs report, researchers described how the Kovter malware uses more advanced fileless malware techniques. Kovter is distributed via email or malicious websites, and once the initial dropper malware executes on the local computer, it writes JavaScript to the registry that calls an encrypted PowerShell script also stored in the registry. Since it doesn't save a file and uses PowerShell to hide, it is more difficult to identify. Older malware types do not take these advanced steps after the initial distribution.

Protecting enterprises from fileless malware

The first step in defending against a fileless malware attack is to ensure endpoints are secure with updated patches; also make sure users have only standard user accounts and not privileged ones, and use endpoint antimalware tools to protect the devices. These steps need to be completed using a defense-in-depth approach by scanning network connections and email for malware. This will help reduce the chance that the malware will be able to get on the endpoint and execute.

Endpoint security tools that monitor the behavior of an executable as well as operating system calls could also potentially detect the unauthorized external connections or unexpected access to the registry that fileless malware attacks require. To prevent malicious PowerShell scripts, technology expert and Microsoft MVP Don Jones outlines the security protections necessary for PowerShell in a TechNet article, but the most important setting to verify is that only digitally-signed scripts can execute.

Malware authors continue to improve their fileless malware tactics, but enterprises can use the same techniques and tools to protect endpoints they used against older malware. The improvements have made it more difficult to analyze fileless malware, but the same steps for enterprise protections can be used to reduce the chances of initial infections and executions of that malware.

Next Steps

Discover how understanding malware lifecycles can help enterprise security

Read more on new malware obfuscation techniques that use HTML5

Learn how to change enterprise security programs based on new threats

This was last published in February 2016

Dig Deeper on Emerging cyberattacks and threats