Fileless malware

Fileless malware is a variant of computer-related malicious software that exists exclusively as a memory-based artifact, i.e. in RAM. It does not write any part of its activity to the computer's hard drive, which increases its ability to evade antivirus software that relies on file-based whitelisting, signature detection, hardware verification, pattern analysis, time-stamping and similar checks, and leaves very little evidence that digital forensic investigators could use to identify illegitimate activity. Malware of this type is designed to work in memory, so its existence on the system lasts only until the system is rebooted.

Definition

Fileless malware is sometimes considered synonymous with in-memory malware, as both perform their core functionality without writing data to disk during the lifetime of their operation. This has led some commentators to claim that this variant strain is nothing new and simply a "redefinition of the well-known term, memory resident virus", [1] whose pedigree can be traced back to the 1980s with the birth of the Lehigh Virus, which was developed by the originator of the term, Fred Cohen, and became influential with his paper on the topic. [2]

This synonymy is, however, incorrect. Although the behavioural execution environment is the same in both cases, i.e. both malware variants execute in system memory, the crucial difference is the method of inception and prolongation. Most malware's infection vector involves some writing to the hard disk [3] in order for it to be executed; the origin could take the form of an infected file attachment, an external media device (e.g. USB, peripheral, mobile phone), a browser drive-by, a side channel, etc.

Each of the aforementioned methods has to make contact with the host system's hard drive in some form, meaning that even when the stealthiest anti-forensic methods are employed, some residue of the infection will be left on the host media.

Fileless malware, on the other hand, aims never to have its contents written to disk from the point of inception until process termination (usually by way of a system reboot). Its purpose is to reside in volatile system areas such as the system registry, in-memory processes and service areas. [4]

Fileless malware commonly employs the Living off the Land (LotL) technique, which refers to the use of pre-existing operating system binaries to perform tasks. [5] The goal of this technique is to avoid unnecessarily dropping extra malware on the system to perform tasks that can be done using already existing resources; this aids stealth, primarily because the pre-existing system binaries are commonly signed and trusted. An example is an attacker using PsExec to connect to a target system.

History

Fileless malware is an evolutionary strain of malicious software that has followed a steady model of self-improvement and enhancement, with a drive towards clearly defined, focused attack scenarios. Its roots can be traced back to the terminate-and-stay-resident viral programs [6] that, once launched, would reside in memory awaiting a system interrupt before gaining access to their control flow; examples were seen in viruses such as Frodo, The Dark Avenger and Number of the Beast. [7]

These techniques evolved by way of temporary memory-resident viruses, [8] seen in famous examples such as Anthrax and Monxla, [9] and took on their truer fileless nature by way of in-memory injected network viruses/worms such as CodeRed and Slammer.

More modern evolutionary incarnations have been seen in viruses such as Stuxnet, Duqu, Poweliks, [10] and Phasebot. [11]

Recent developments

On February 8, 2017, Kaspersky Lab's Global Research & Analysis Team published a report titled: "Fileless attacks against enterprise networks" [12] which implicates variants of this type of malware, and its latest incarnations, affecting 140 enterprise networks across the globe with banks, telecommunication companies and government organizations being the top targets.

The report details how a variant of fileless malware is using PowerShell scripts (located within the Microsoft Windows Registry system) to launch an attack against a target's machine leveraging a common attack framework called Metasploit with supporting attack tools such as Mimikatz, [13] and leveraging standard Windows utilities such as ‘SC’ and ‘NETSH’ to assist with lateral movement.

The malware was only detected after a bank identified the Metasploit Meterpreter code running in physical memory on a central domain controller (DC). [12]
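As an added illustration of how a defender might hunt for the pattern the report describes (PowerShell scripts held in the registry, launched hidden and encoded, with SC and NETSH used afterwards), the following Python is example code written for this page, not code from the report or any vendor. The event fields are modelled loosely on Sysmon process-creation records (an assumption), and every sample event, including the encoded command, is constructed inline.

```python
import base64
import re

# Assumed Sysmon-style process-creation fields: image, parent_image, command_line.
PS_NAMES = {"powershell.exe", "pwsh.exe"}
LOTL_BINARIES = {"sc.exe", "netsh.exe"}          # the utilities named in the report
AUTOSTART_PARENTS = {"services.exe", "taskeng.exe", "svchost.exe"}
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
HIDDEN_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|noni(?:nteractive)?)", re.I)
REGISTRY_READ = re.compile(r"Registry::|HK(?:LM|CU):|Get-ItemProperty", re.I)

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE text), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse(event):
    """Return the list of findings for one process-creation event (empty if benign)."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = []
    if image in PS_NAMES:
        if HIDDEN_FLAGS.search(cmd):
            findings.append("hidden/non-interactive PowerShell flags")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("encoded PowerShell command")
            if REGISTRY_READ.search(decoded):   # script body stored in the registry
                findings.append("decoded script reads the registry")
        if parent in AUTOSTART_PARENTS:         # launched from a service/task, not a user
            findings.append(f"PowerShell started by {parent} (autostart path)")
    elif image in LOTL_BINARIES and parent in PS_NAMES:
        findings.append(f"{image} spawned by PowerShell (lateral-movement LotL pattern)")
    return findings

# Constructed sample events; the encoded payload is built here so it decodes cleanly.
_SCRIPT = "$s = (Get-ItemProperty 'HKCU:\\Software\\ExampleVendor').Payload"
_ENC = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS_PATH, "parent_image": "C:\\Windows\\System32\\services.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -enc {_ENC}"},
    {"image": "C:\\Windows\\System32\\sc.exe", "parent_image": PS_PATH,
     "command_line": "sc.exe query"},
    {"image": PS_PATH, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

def run_demo():
    return {i: analyse(e) for i, e in enumerate(SAMPLE_EVENTS)}
```

Run as a hunt over real process-creation telemetry, the three findings on the first event together are the signature the report's detection depended on; a single hit (e.g. hidden flags on a backup script) is only a lead.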

Kaspersky Labs is not the only company to have identified such emerging trends, with most of the principal IT security anti-malware companies coming forward with similar findings: Symantec, [14] Trend Micro, [15] and Cybereason. [16]

Digital forensics

The emergence of malware that operates in a fileless way presents a major problem to digital forensic investigators, whose reliance on being able to obtain digital artifacts from a crime scene is critical to ensuring chain of custody and producing evidence that is admissible in a court of law.

Many well-known digital forensic process models, such as Casey 2004, DFRWS 2001, NIJ 2004 and Cohen 2009, [17] all embed an examination and/or analysis phase into their respective models, implying that evidence can be obtained, collected and preserved by some mechanism.

The difficulty becomes apparent when considering the standard operating procedures of digital investigators and how they should deal with a computer at a crime scene. Traditional methods direct the investigator to: [18]

Fileless malware subverts the forensics models, as evidence acquisition can only take place against a memory image that has been obtained from a live running system that is to be investigated. This method, however, can itself compromise the acquired host's memory image and render legal admissibility questionable, or at the very least, instill enough reasonable doubt that the weight of the evidence presented may be drastically reduced, increasing the chances that Trojan horse or "some other dude done it" defenses may be used more effectively.

This renders this type of malware extremely attractive to adversaries wishing to secure a foothold in a network and perform difficult-to-trace lateral movement quickly and silently, while standard forensic investigatory practices are ill-prepared for the threat. [19] [20] [21]

References

  1. "Advanced volatile threat: New name for old malware technique?". CSO. CSO. 21 February 2013. Retrieved 20 February 2017.
  2. "Computer Viruses - Theory and Experiments". University of Michigan. Retrieved 20 February 2017.
  3. Sharma, S (2013). "Terminate and Stay Resident Viruses" (PDF). International Journal of Research in Information Technology. 1 (11): 201–210.
  4. "A Disembodied Threat". Kaspersky Lab Business. Kaspersky Lab. Retrieved 20 February 2017.
  5. Living Off The Land Attacks (LOTL)
  6. "The Art of Computer Virus Research and Defense: Memory-Resident Viruses". Archived from the original on 21 February 2017. Retrieved 20 February 2017.
  7. "The Number of the Beast". FireEye. Archived from the original on 2017-02-22. Retrieved 2017-02-20.
  8. "The Art of Computer Virus Research and Defense: Temporary Memory-Resident Viruses". Archived from the original on 21 February 2017. Retrieved 20 February 2017.
  9. "What is Monxla - Monxla Information and Removal". antivirus.downloadatoz.com. Archived from the original on 2011-11-18. Retrieved 2017-02-20.
  10. "Trojan:W32/Poweliks". F-Secure. 2023. Retrieved 27 December 2023.
  11. "Phasebot, the fileless malware sold in the underground". Security Affairs. 23 April 2015.
  12. Global Research & Analysis Team (8 February 2017). "Fileless attacks against enterprise networks". AO Kaspersky Lab. Retrieved 27 December 2023.
  13. "mimikatz". GitHub wiki. 30 September 2022.
  14. "Trojan.Poweliks". Symantec. Archived from the original on October 20, 2014.
  15. Morales, M. (7 April 2015). "TROJ_PHASE.A". Trend Micro. Retrieved 27 December 2023.
  16. Muller, I.; Striem-Amit, Y.; Serper, A. (2015). "Fileless Malware: An Evolving Threat on the Horizon" (PDF). Cybereason. Retrieved 27 December 2023.
  17. Casey, Eoghan (2010). Digital Evidence and Computer Crime: Forensic Science, Computers and the Internet (3rd ed.). London: Academic. p. 189. ISBN 978-0123742681.
  18. "ACPO: Good Practice Guide for Computer-Based Electronic Evidence" (PDF). The Crown Prosecution Service. Association of Chief Police Officers. Archived from the original (PDF) on 2 February 2017. Retrieved 20 February 2017.
  19. "POWELIKS Levels Up With New Autostart Mechanism". Trend Micro. Trend Micro. Retrieved 20 February 2017.
  20. "Anti-Forensic Malware Widens Cyber-Skills Gap". InfoSecurity Magazine. InfoSecurity Magazine. 8 September 2015. Retrieved 20 February 2017.
  21. "Without a Trace: Fileless Malware Spotted in the Wild". Trend Micro. Trend Micro. Retrieved 20 February 2017.