Getting past protections with fileless malware
Malware is constantly evolving, and, unfortunately, that means that it’s getting scarier. As cybersecurity experts develop and deploy new means of catching different types of malware, the hackers invent new ways of getting around these protections. One of the old standbys of anti-malware defense was the antivirus. It worked on very simple principles and worked well, so people keep using it. However, some hackers have begun using fileless malware as a way of sneaking past the protections provided by the common antivirus.
Malware and Signatures
Antivirus software uses signature detection to find potentially dangerous files on your computer. When a piece of malware has been identified by security researchers, they develop a fingerprint or “signature” that uniquely matches it. The details of the signature can vary from malware to malware, but some common features are text contained in the malware, file hashes (a value that uniquely identifies a given file), and IP addresses or domains that the malware tries to contact when run. Just like the police keep a massive collection of fingerprints of known criminals, antivirus programs keep a list of these signatures. Those updates that your antivirus keeps wanting to do are downloads of the latest signatures for recently discovered malware.
When a new file appears on your computer, your antivirus compares it to its collection of known malicious signatures. If it finds a match, it cleans it up for you, protecting your computer against infection. This approach to finding malware already has some problems. Every different variant of a malware sample might have a different signature, and it’s easy for a malware author to change the text, IP addresses/domains, and file hashes of a particular sample. This causes a scalability issue where the malware authors can make many different variants easily and force the antivirus to store and scan against every possible signature in order to find a match. Antivirus programs can discard old signatures; however, there is always the possibility that an old malware sample may be given new life.
While the scalability issue is bad enough, traditional antivirus has another issue: it’s file-based. Some malware authors have taken advantage of this shortcoming by developing and deploying fileless malware. Traditionally, malware comes in a self-contained file. A malware author writes some malicious computer code, turns it into an executable file, and delivers it to your computer. The issue with this is that all of the malicious code in those files triggers the signature detection engine of the antivirus.
Fileless malware takes a different approach. Instead of writing a bunch of code to provide certain capabilities, it takes advantage of the programs already installed on your computer by “living off the land”. Operating systems like Windows, Mac, and Linux have built-in programs designed to help a system administrator manage all of the computers in an enterprise environment without going door-to-door to run code in person.
These programs (like Windows PowerShell) provide most of the capabilities that malware authors want in their malware anyway. So, instead of writing malware that is easily detectable by antivirus signature detection, they just write a PowerShell script that uses this perfectly legitimate program to do their bidding. Since PowerShell is also used by legitimate system administrators, it’s difficult to build a signature that differentiates malicious instructions from benign ones.
Fileless malware is bad enough, but malware authors are always trying to build the next big thing. While fileless malware is good at being stealthy, it lacks the ability to cause massive impacts like other malware types.
You’re probably familiar with the WannaCry outbreak of early 2017. The National Security Agency (NSA) had developed a set of exploits for vulnerabilities in Windows computers and had kept them secret until a group called the ShadowBrokers stole and published them. Once they were released, someone used one of them to create a ransomware program called WannaCry that would encrypt peoples’ computers, demand a ransom to unlock them, and spread by scanning for vulnerable computers and sending itself to them to run.
WannaCry was a ransomware worm, meaning that it was a ransomware program that spread itself independently. Hackers are big fans of types of malware that have multiple things going for them and have created another one called vaporworms. Vaporworms are fileless malware that also has self-spreading capabilities. This gives it the ability to automatically find and spread itself to vulnerable computers (because of the worm part) and sneak past the antivirus and successfully run (because of the fileless part). This two-for-one deal for hackers means that these can pose a significant threat to individuals and organizations alike.
Catching Fileless Malware
Luckily, all is not lost. There are several steps that individuals and organizations can take to reduce their vulnerability to fileless malware and vaporworms. The first option for fighting against these types of malware is prevention. In order to run on your computer, the malware first needs to get there. Keeping your software up-to-date (i.e. installing those pesky updates) and not falling for phishing attacks means that these malware and worms never find a hole to slither in through. The other option is to use a behavior-based antivirus solution. Several antivirus vendors are moving away from a signature-based approach to a behavior-based one. These don’t care if there is a file or not, if a program is doing something sketchy, they kill it.
Fileless malware and vaporworms are the next iteration in malware. Security researchers have developed ways to protect against them…but they only work if you use them.