Fileless malware: Invisible threat or scaremongering hype?


Ransomware may have claimed the lion’s share of media headlines in 2017, but there’s another type of attack that has become increasingly common in recent months – fileless malware.

Deceptive, sneaky and undeniably effective, fileless malware is growing in popularity as cybercriminals trade in brute force for stealth. While some organizations claim traditional antivirus software is all but blind to fileless malware, the truth is that many IT security products are more than up to the challenge.

In addition, there are a few things you can do yourself to minimize the risk of infection and limit the fallout should something happen to slip past your defenses. Read on to find out how you can protect yourself from the ‘invisible’ threat that is fileless malware.

What is fileless malware?

Fileless malware goes by many names, including ‘non-malware’, ‘memory-based malware’ and, because it abuses tools that are already present on the victim’s system, ‘living off the land’ attacks. Whatever you choose to call it, fileless malware refers to a type of cyberattack that infects a system without leaving a malicious executable on disk. It’s not fileless in the sense that no files are involved whatsoever; rather, the term refers to the fact that – unlike conventional malware – fileless malware delivers its payload without dropping anything suspicious onto the machine’s hard drive, so there is nothing for a file scanner to find.

So, if fileless malware isn’t stored on your hard drive, where does it live?

1. In your RAM

Random access memory (RAM) is the computer’s volatile working storage: it holds data only while the machine is running. Some strains of fileless malware are injected straight into the memory of an already-running process (a browser, an Office application, a system service) and execute there without ever being written to the hard drive. Purely memory-resident malware is comparatively rare because it cannot survive a reboot, which clears the RAM; attackers who want to stick around have to pair it with a persistence mechanism such as the registry tricks described next.

While this might seem like a futuristic concept, memory-resident malware has been around in one form or another for decades. Back in 2001, for example, the Code Red worm spread like wildfire, infecting almost 360,000 hosts in a matter of hours by exploiting a buffer overflow in Microsoft IIS web servers. The worm lived entirely in the memory of the infected server and wrote nothing to its disk, so a reboot cleaned the machine and an unpatched IIS simply got infected again.

2. In the Windows Registry

With the shortcomings of RAM-based malware in mind, cybercriminals developed fileless malware that persists in the Windows Registry instead. The Windows Registry is an enormous hierarchical database that stores low-level settings for the Windows operating system and for every application that chooses to use it. It is read at boot and at logon, which makes it a convenient place to stash both a launch instruction and the payload itself. Kovter and Poweliks are two well-known examples: each stores an encoded script in a registry value and uses an autostart entry to have a built-in Windows interpreter read and run that script at every start-up, so no incriminating file ever has to exist on disk.

In most cases the malware relies on native Windows tools such as PowerShell and Windows Management Instrumentation (WMI) to pull the stored payload out of the registry and execute it in memory. Because these tools are signed Microsoft binaries, their presence alone raises no alarm.
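A quick audit of the two hiding places just described, added here as an example and not taken from the original article or from any vendor tool: it walks the autostart Run/RunOnce keys looking for values that launch a script interpreter, carry an encoded PowerShell command or use the non-printable value name that Poweliks used to hide from Regedit, and then lists permanent WMI event subscriptions, the other classic living-off-the-land persistence spot. The host-name list and regular expressions are heuristics chosen for this example; every hit still needs a human look.

```powershell
# Added example, not code from the original article. Audits autostart registry
# values and permanent WMI subscriptions for the patterns registry-resident
# families such as Poweliks and Kovter relied on. Heuristic only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Built-in interpreters/launchers that let a Run value execute code without a dropped EXE (example list).
$scriptHosts = 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'rundll32', 'regsvr32', 'cmd'
$metaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # added by Get-ItemProperty, not real values

function Test-SuspiciousAutostart {
    param([string]$Name, [string]$Value)
    $reasons = @()
    # Poweliks hid its value under a name containing a non-printable character so Regedit could not display it.
    if ($Name -match '[^\x20-\x7E]') { $reasons += 'non-printable characters in value name' }
    foreach ($h in $scriptHosts) {
        if ($Value -match "(?i)\b$h(\.exe)?\b") { $reasons += "launches $h"; break }
    }
    # Base64 blob handed to powershell -EncodedCommand (or one of its short forms).
    if ($Value -match '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}') { $reasons += 'encoded PowerShell command' }
    # rundll32 javascript:..., mshta vbscript:..., regsvr32 /i:http://... scriptlet tricks.
    if ($Value -match '(?i)javascript:|vbscript:|\.hta\b|/i:https?:') { $reasons += 'inline script or remote scriptlet' }
    if ($Value -match '(?i)-(w(indowstyle)?\s+hidden|nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass)') { $reasons += 'PowerShell stealth switches' }
    return ,$reasons
}

"== Autostart registry values =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $metaProps) { continue }
        $why = Test-SuspiciousAutostart -Name $p.Name -Value ([string]$p.Value)
        if ($why.Count -gt 0) {
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value; Reasons = ($why -join '; ') }
        }
    }
}

"== Permanent WMI event subscriptions =="
# A clean home system normally shows only Microsoft's "SCM Event Log Consumer" binding here.
# A CommandLineEventConsumer or ActiveScriptEventConsumer bound to a filter runs a command or
# script whenever the filter's event fires, with nothing on disk but the WMI repository.
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
    Select-Object Filter, Consumer
Get-CimInstance -Namespace root/subscription -ClassName CommandLineEventConsumer |
    Select-Object Name, CommandLineTemplate
Get-CimInstance -Namespace root/subscription -ClassName ActiveScriptEventConsumer |
    Select-Object Name, ScriptingEngine, ScriptText
```

Run it from an elevated PowerShell so the HKLM keys and the root/subscription namespace are readable. Legitimate software occasionally uses cmd.exe or wscript.exe in a Run value, so treat the output as a short list to inspect, not a verdict.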

How does fileless malware end up on your machine? While the infection process can vary between malware families, it often looks something like this:


  1. You’re browsing the web
  2. You visit a site that happens to be hosting an exploit kit
  3. The exploit kit probes your browser for outdated plugins such as Adobe Flash, Adobe Reader, Java or Microsoft Silverlight
  4. The exploit kit attempts to exploit a known vulnerability in the outdated plugin
  5. If successful, the exploit kit runs its payload directly in the memory of your browser process, without writing a file to disk
  6. The infection is successful!

Why are fileless malware attacks becoming more common?

Fileless malware is on the rise. In fact, some reports estimate that as many as 4 in 10 businesses in the US were compromised by fileless malware in 2017.

What’s responsible for this trend?

It’s the path of least resistance. As noted, fileless malware does not reside on a computer’s hard disk. Some antivirus products decide whether something is safe purely by inspecting files on disk (signatures, hashes, attributes) and never look at what running code actually does. With nothing to scan, fileless malware has less chance of being detected than conventional malware, which means the criminals have a higher chance of success, whether that’s encrypting your files, stealing your passwords or something similarly destructive.

Our users can rest assured that Emsisoft Anti-Malware uses behavior-based detection to recognize and stop both regular and fileless malware. Not all antivirus products are so thorough, however, and given that there is no suspicious file to check, a great deal of fileless malware simply flies under the radar.

Another factor behind the increase in fileless malware attacks is the growing popularity of exploit kits offered as a service, a relatively new business model in which the kit’s operators handle the technical side of the attack on behalf of the buyer. This illegal service means that even the least tech-savvy criminals have the means to unleash a devastating fileless malware attack on the target of their choosing.

Fileless malware protection 101


There’s no denying that fileless malware is a sneaky critter, but the good news is that there are a number of things you can do as a user to minimize the risk of infection. Protect yourself against fileless malware by:

1. Keeping your apps and operating system up to date

One of the most effective ways to keep your system safe from malware is to simply keep all your software up to date with the latest security patches. The exploit kits that deliver most fileless infections target known, already-patched holes in browsers and plugins, so a fully patched machine gives them nothing to work with. According to figures cited by the U.S. government, as many as 85 percent of targeted attacks can be prevented by a handful of basic mitigations, with promptly patching applications and the operating system at the top of the list. For the ultimate peace of mind, ensure auto updates are enabled in the settings of your applications.

2. Disable PowerShell (or at least its legacy 2.0 engine)

Windows PowerShell is a native Microsoft tool used for task automation and configuration management. Fileless malware rarely needs a vulnerability in PowerShell; it simply uses PowerShell for what it was built to do, namely download, decode and run code directly in memory, which is exactly what makes it hard to spot. If you don’t need PowerShell (and most home users don’t), you can shrink that attack surface as follows:

Windows 10:

  1. Press the Windows key
  2. Type “Control Panel”
  3. Open Control Panel
  4. Click Programs (or Programs and Features, depending on your view)
  5. Click Turn Windows features on or off
  6. Scroll down to Windows PowerShell 2.0 and untick it
  7. Click OK

A caveat: this checkbox removes only the legacy PowerShell 2.0 engine. PowerShell 5.x stays installed because Windows itself depends on it, and you will still find “Windows PowerShell” on the Start menu afterwards. Removing the 2.0 engine is still worth doing: it is the version malware asks for (powershell.exe -Version 2) because it predates the script block logging and Antimalware Scan Interface (AMSI) hooks that let modern antivirus products inspect a script as it runs. On Windows 7, PowerShell 2.0 is an integral part of the operating system and is not listed under Turn Windows features on or off at all.
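The same change from the command line, as an added example that is not part of the original article, together with a check that the downgrade path is really closed and the one logging switch that makes any remaining PowerShell use visible. It assumes Windows 10 with PowerShell 5.1 and an elevated prompt; the feature name, registry policy path and event ID are Microsoft’s own.

```powershell
# Added example, not code from the original article. Run from an elevated PowerShell on Windows 10.

# --- 1. Remove the legacy PowerShell 2.0 engine ---------------------------------
# Same effect as unticking "Windows PowerShell 2.0" under "Turn Windows features on or off".
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
"PowerShell 2.0 engine state before: $($v2.State)"
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
}
"PowerShell 2.0 engine state after:  $((Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root).State)"

# The engine Windows itself uses stays in place (expect 5.x here).
"Current engine: $($PSVersionTable.PSVersion)"

# Verify the downgrade trick malware uses no longer works: with the v2 engine gone this
# prints an error about the missing .NET 2.0 runtime instead of a "2" from a v2 session.
powershell.exe -Version 2 -NoProfile -Command '$PSVersionTable.PSVersion.Major'

# --- 2. Record every script block the remaining engine executes --------------------
# Policy key honoured by PowerShell 5.x; events land in Microsoft-Windows-PowerShell/Operational as ID 4104.
$logKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $logKey -Force | Out-Null
Set-ItemProperty -Path $logKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

# --- 3. Spot check: what has PowerShell run recently? -------------------------------
# A registry-resident loader shows up here as a decoded, usually obfuscated, script block.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } } |
    Format-List
```

The logging step is the part most home guides skip: even with the 2.0 engine gone, PowerShell 5.x will still run whatever a Run key hands it, but with script block logging on, the decoded command is written to the event log where you (or your security product) can see it.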

3. Monitor traffic logs for suspicious traffic

Both fileless and conventional malware leave clues as to their existence, most commonly in your network traffic: a machine that suddenly starts talking to an unfamiliar server, or a built-in tool such as PowerShell opening outbound connections on its own. If you notice network activity that is substantially different from the status quo, it’s possible that you have been infected.

There are many tools you can use to do this, including the native Windows Firewall, which can log every allowed and blocked connection to a plain text file. Check out this How-To Geek article for step-by-step instructions on using Windows Firewall logs to track network traffic and identify suspicious behavior.
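A concrete version of that advice, added here as an example and not taken from the original article or the How-To Geek piece it links to. Part A asks which processes hold live connections right now and flags script interpreters, which on a home PC rarely have a reason to be online; part B switches on Windows Firewall logging and parses the resulting pfirewall.log so that rarely-contacted destinations float to the top. It assumes Windows 10 with the NetSecurity and NetTCPIP modules (present by default), an elevated prompt, and the default log path; the interpreter list is this example’s own.

```powershell
# Added example, not code from the original article. Run from an elevated PowerShell on Windows 10.

# --- A. Live view: which processes own established TCP connections right now? ------
# Script interpreters and other built-in launchers rarely need the internet on a home PC;
# a powershell.exe or mshta.exe with an established connection deserves a closer look.
$scriptHosts = 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'rundll32', 'regsvr32', 'msbuild', 'certutil'
Get-NetTCPConnection -State Established |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process    = $proc.ProcessName
            PID        = $_.OwningProcess
            Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            Suspicious = ($proc.ProcessName -in $scriptHosts)
        }
    } |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize

# --- B. Historical view: Windows Firewall log -----------------------------------------
# Log allowed as well as blocked connections for every profile (domain, private, public).
$logFile = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -All -LogFileName $logFile -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes 32767

function Get-FirewallLogSummary {
    param([string]$Path, [int]$Top = 15)
    # pfirewall.log is W3C-style text: a "#Fields:" header line names the space-separated columns
    # (date time action protocol src-ip dst-ip src-port dst-port ... path), the rest are records.
    $fields = $null
    $rows = foreach ($line in Get-Content -Path $Path -ErrorAction SilentlyContinue) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split '\s+'; continue }
        if ($line -like '#*' -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
    # Outbound TCP records (path = SEND) grouped by destination, rarest first: a host you have
    # contacted once or twice is more interesting than the update server you hit every hour.
    $rows | Where-Object { $_.path -eq 'SEND' -and $_.protocol -eq 'TCP' } |
        Group-Object 'dst-ip' | Sort-Object Count |
        Select-Object -First $Top @{ n = 'Destination'; e = { $_.Name } }, Count
}

# Give the log some time to fill before reading it; then compare against what you expect.
Get-FirewallLogSummary -Path $logFile
```

The firewall log does not record which process made a connection, which is why the two views complement each other: the log tells you where the machine has been talking, and the live connection table tells you who inside the machine is doing the talking.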

4. Use an antivirus with behavioral detection

As we mentioned earlier, detecting fileless malware can be a challenging task for some antivirus products that focus exclusively on file properties. With this in mind, it’s important to choose antivirus software that can analyze your system’s behavior and pinpoint suspicious activity. By recognizing changes to the system’s usual patterns of behavior, these security solutions can identify malicious activity and promptly block and remove the threat.

5. Adopt the principle of least privilege

A cornerstone of IT security: give every account on the system only the rights it needs to do its job, and in particular use a standard (non-administrator) account for everyday browsing and email. Malware inherits the privileges of the user who ran it, so a payload that lands in a standard user’s session cannot change system-wide settings, install drivers or disable your security software. This helps keep the damage to a minimum should a piece of fileless malware happen to slip past your computer’s defenses.
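How to check and enforce that on a Windows 10 machine, added here as an example and not part of the original article. It assumes the built-in LocalAccounts module (Windows 10 and later) and an elevated prompt; the account name alice is a placeholder for your own everyday account.

```powershell
# Added example, not code from the original article. Audits and enforces local least privilege.

# Is the current session elevated? Everyday work should answer False here.
$id      = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"Running as $($id.Name); elevated: $isAdmin"

# Every member of the local Administrators group. Expect one dedicated admin account (plus the
# built-in, normally disabled, Administrator); the account used for browsing and mail should not be here.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# Demote the everyday account (placeholder name 'alice'). Do this from a separate admin account
# that you have confirmed works, otherwise you lock yourself out of administration entirely.
$everyday = 'alice'
if (Get-LocalGroupMember -Group 'Administrators' -Member $everyday -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $everyday
    # Standard accounts are normally already in Users; ignore the "already a member" error if so.
    Add-LocalGroupMember -Group 'Users' -Member $everyday -ErrorAction SilentlyContinue
}

# Keep User Account Control on (EnableLUA = 1) so admin rights still require an explicit consent
# prompt when they are genuinely needed; ConsentPromptBehaviorAdmin 0 would grant them silently.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' |
    Select-Object EnableLUA, ConsentPromptBehaviorAdmin
```

With the everyday account demoted, a registry-resident loader that slips past the antivirus can still write to the user’s own HKCU Run key, but it cannot touch HKLM, install a driver or switch off protection, and a full clean-up is as simple as removing that one account’s persistence.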

Is my current antivirus enough to protect against fileless malware?

The notion that fileless malware is completely invisible to conventional antivirus products is little more than marketing hype. Although fileless malware doesn’t reside on the hard drive, many modern IT security solutions have evolved past simple file scanning: they watch what processes do (a script interpreter spawned by a browser, an encoded command line, code injected into another process) and are more than capable of revealing and removing zero-day threats, regardless of where they choose to hide.

Fileless malware attacks could very well become even more common in the months and years ahead. But despite the sinister name and scaremongering from some organizations, the fact remains that reputable antivirus products such as Emsisoft Anti-Malware will be up to the challenge of keeping your computer safe from harm.

What’s your strategy for dealing with fileless malware? Let us know in the comments!

Have a terrific (malware-free) day!

  • howiem

    In Windows 7 there is no Windows Power Shell to disable – at least not in the location described above.

    • Arthur

      I have the same thing…And what can we do at least?

      • howiem

        If I recall correctly, no Power Shell means that the fileless files cannot hide there, so there is nothing to do.

        • @howiem
          The fileless malware doesn’t hide in powershell, it uses powershell (an interpreter like cmd) to deliver its exploit.
          Using an analogy, a disease (fileless malware) uses saliva (powershell) to deliver its bacteria (exploit) to infect the victim (the system).

          So if you don’t exchange saliva with anyone (disable powershell), you don’t infect anyone.

          • Arthur

            Hi there! And how can I uncheck Power Shell in Windows 7 64-bit if I can’t see it in Windows features on or off?

  • atonda

    Regarding your instructions for removing Power Shell in Windows 10: I attempted to do it but could not find the access to the Power Shell App. So I don’t know if I even have Power Shell. I even tried “Power Shell” in the Search and found myself at the DOS Prompt with Windows Power Shell for the title. Now I don’t know what to do with it. Can you help?

    Anthony Tonda

    • Pete Casey

      Yes the instructions above are hopeless for Windows 10. Go to Start and scroll down to Windows System. Click on that and you will see Control Panel so click that. Once Control Panel is open go to Programs and select Uninstall a Program. Then you will see in the left hand column Turn Windows Features on or off. Scroll down to Power Shell and untick it. Job done.

      • TRADINGLOUNGE

        When you say Programs, you mean Programs and Features, right? If so, Powershell is not in there. But I do have Powershell, as I can see it when I right-click on the Start logo.

        • Just Myself

          Tradinglounge, either, depending on your view: Icon or Category. For Icon (Large or Small) click “Programs and Features”; for Category view click “Programs”. In both cases, “Programs” is the key word. All other steps are the same.

      • Doug Gray

        Tried that and got error message “Windows couldn’t complete the requested changes. The referenced assembly could not be found. Error code 0x80073701.” Standard Micro$oft support procedure (i.e. Google search) unhelpful. Any other ideas? thanks

      • atonda

        Pete, I do not find “Turn Windows Features on or off”. Anything else?

        • Alino

          Hi,
          in Windows 10 you may find it using these steps:

          1. Start button –> type “Apps and features”
          2. Open it – this is the “new” manager of software in Windows.
          3. Now it depends on the layout of Windows – the wanted part is either at the bottom or on the right side – it should be named “Programs and Features”.
          4. Open it. This should be the “old-school” software manager.
          5. On the left side (not among the applications) you should spot a shield and the text “Turn Windows features on or off”.
          6. Open it and find Powershell. Uncheck it.

          Done!

          • atonda

            Nope, still not there. Nothing even remotely related to Power Shell or Defender.

            Anthony

          • atonda

            I have done all things and my system has no access to Power Shell or Defender.
            Nothing Nada anything remotely related. I know there is something wrong with my system. I just don’t know what or how to fix it. My access to outside help is either unaffordable or not available to me.

      • Just Myself

        Pete, the instructions worked perfectly for me. (I am on win 10 1709)

    • Nevi Løvfelt

      Go to Programs and Functions or just Programs in Control Panel. Then you come to move or edit a program. On the left there are some options. Click on Turn Windows features on or off. At the bottom there, you will find the Power Shell option. Untick it.

    • Just Myself

      atonda, Be sure to scroll to “Windows PowerShell” instead of “Power Shell App”.

  • DrHubert Hechabarria

    Windows 10 free download destroyed my HP laptop and my two custom built desktops by performing a scan on all three computers saying that there was an error and Microsoft needed to scan my computers with this very strange blue screen. No errors were found, but it was impossible to reboot out of the blue screen. And I am an expert in computers going back to IBM. My software/hardware Cindy from Hong Kong also was unable to reboot out of this strange blue screen from Microsoft. End result she installed Windows 7 Ultimate 64bit with an OEM key. There is no Windows Power Shell on all three computers running Windows 7 Ultimate 64bit. I have Emsisoft Anti Malware installed on all three of my computers.

  • TRADINGLOUNGE

    Windows 10: I can see the Powershell app, but it’s not in Programs and Features, so I don’t know where to turn it off.

    • Pete Casey

      See my reply to atonda above.

    • Pete Casey

      When you open Control Panel as I mentioned above you will see Programs (not programs and features) Click on Programs. Then follow my earlier advice.

  • Arthur

    There’s no Windows Power Shell in “Programs & Components” or in “Windows features on or off” in Windows 7 64-bit… but…

    I see a folder with this native Microsoft tool in “System 32”… What am I to do? Thanks a lot!

  • Carol

    Windows Power Shell is exactly where the article says in Windows 10. When the “Programs & Features” window is up, it is NOT in the long list. Instead look to the top left side of the window & click on the “Turn Windows features on or off”. When that list comes up, just uncheck the box that says Windows Power Shell. It can also be turned back on if it is needed.

  • Everybody, please note that the step mentioned in the article will remove the old powershell v2 framework (the one most often used by malware/exploits) for Windows 8/10.
    Both use updated versions which are not so easily exploitable.
    In Windows 7 it is in a different location; you can find some articles describing how to do it on the net.

    Powershell files you will find in system32/wow64 are those required by the system (v3 for Win8, v4 for win8.1, v5 for Windows10).
    Don’t delete those files without knowing the consequences.

    Finally, you don’t have to remove every part of powershell from your system to be safe, it helps but you still have Emsisoft to protect you anyway :)

  • Cool N boy Xbox 360 Gamer

    Well, Malwarebytes can catch fileless malware in the registry

    • Richarddd

      Cool! Zemana saved my life once, catching a fileless malware in the registry too (but lately its detection rate has decreased… sadly).

  • Brian M. Leahy

    I’m an 81 year old man seriously lacking in computing skills so I would like to know a simply answer to the following question.
    Does my current level of protection actually protect me?

    • Classic users (like most of us) won’t normally come across those types of malware very often (unless you visit suspicious sites or open unknown mails). So don’t worry: by using Emsisoft and exercising safe habits you are protected.

  • Richarddd

    Hi. I don’t know if disabling Powershell had to do with all of these BSODs and that after putting my laptop to ‘sleep’, Windows 10 never ‘woke up’. Instead it rebooted.
    I decided to install a good copy made in Macrium reflect and everything was OK again.
    I won’t disable Powershell again. Just in case.

    • @disqus_Emi1wOLuaa:disqus
      I don’t think it is related; powershell isn’t needed for a system to run properly.
      Anyway, if you have safe habits and are using Emsisoft, I don’t believe you may be hit by such malware.