To date, there are a number of so-called fileless infections. By fileless infections or fileless malware, we are referring to an infection or malware that does not write any files to the infected system’s hard drive.
By leaving as little traces behind as possible, malware authors try to postpone detection by security vendors for as long as possible. Which is another big step in the arms war between malware and security products and the process of making file-based detections by security vendors something of the past.
In some modern exploit kits (Angler in particular), fileless infection is rapidly becoming the run-of-the-mill method. If we want to classify fileless infections, the first split will be depending on whether the infection wants to be resident or if it will be gone after doing its job or sometimes after a reboot.
Hit and Run
Based on that property USB Thief, PowerSniff and exploit kits can be categorized as “hit and run” malware. They run on the infected system, do their job and disappear. This makes it hard for researchers to get samples and study their behavior.
- Fileless exploit kits run directly in memory and often seen in malvertising. They can fingerprint the system that they are active on and then infect them further by downloading and running other malware.
- PowerSniff is spread by mail as a macro in an attached Word document. It gathers information on the infected system and sends that to a Command & Control server.
- USB Thief resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.
Here to stay
And then there are the likes of Poweliks, PhaseBot and Kovter that use rootkit techniques to hide in the Windows registry.
- Poweliks uses a “NULL” Runkey (which makes the content invisible) in the registry to run a JavaScript and uses PowerShell to run an encoded script hidden elsewhere in the registry. It steals system information and has the ability to download and install other malware.
- PhaseBot uses PowerShell to run components that are encoded scripts it has hidden in the registry. PhaseBot can execute commands issued by the botnet operator.
- Kovter uses non-ASCII characters to create unreadable registry keys that hold obfuscated JavaScript. The JavaScript in turn executes PowerShell loading a script that was created as well. Kovter is a Trojan famous for its screen-locks (FBI Ransomware) and click-fraud activities.
Summary
We discussed the most well-known fileless infections to date and gave brief descriptions of how they operate. For more elaborate descriptions of the above mentioned fileless infections, we encourage you to check out the following links:
Pieter Arntz
Nothing about how we can protect our systems from these specific threats? Probably the same “keep your OS, browsers and AV software up to date” which is of absolutely no help whatsoever to those of us who already do that religiously. How about some real answers and real solutions that you don’t charge an arm and a leg for?
Malwarebytes Anti-Exploit should prevent you to get infected with most of these: https://www.malwarebytes.org/antiexploit/ Try the free version and see if you like it. Some exploit kits will not even try to infect you if you have it installed. The USB Thief is a rare one and easy to prevent: don’t accept and use any pre-configured portable programs on a USB.
The link does not work. Is there another one?
Hi howiem,
Malwarebytes Anti-Exploit is now part of the Malwarebytes 3.0 program. You can download the free (or paid) version here: https://www.malwarebytes.com/mwb-download/