There’s an old expression: if it looks like a duck, walks like a duck, and quacks like a duck, then it must be a duck.
What happens, though, if the duck in question is malware that doesn’t behave like typical malware? It doesn’t drop a file on your disk in order to infect your computer, hijack system processes, or steal your data; it can do all of these things without ever landing, and can even lock your system (as ransomware does) in mid-air, if you will. It is, therefore, a kind of non-malware malware, better known as a fileless attack. How do you protect yourself from something that doesn’t look, walk, or quack like a malware duck, and yet is a predatory bird you don’t want flying around in the secret spaces of your computer?
Read on if you’re a hunter of such birds. A big ounce of prevention (in the form of precautions) and a virtual pound of cure (in the form of Trend Micro Security) can help protect you from fileless malware.
Stealthy Threats in Plain Sight
Fileless threats have been around for years, but lately they are on the rise precisely because fileless attacks are more stealthy and subtle than malware executables dropped on your disk, which traditional antivirus software can catch more readily. Fileless malware is “very resistant to [antivirus] forensic strategies that incorporate file-based whitelisting, signature detection, hardware verification, pattern-analysis, [and] time-stamping, etc.,” because it does not write itself to disk (Wikipedia). According to a study by the Ponemon Institute (The 2017 State of Endpoint Security Risk), 29% of attacks faced in 2017 were fileless, up from 20% the year before, and the same study projects that 35% of all attacks will be fileless by the end of this year. Trend Micro has noted the same alarming trend in its 2018 Midyear Security Roundup: 24,430 fileless attacks detected in January 2018 rose to 38,189 fileless events by June. Fileless attacks may be stealthy and subtle, but there’s nothing subtle about these rising numbers.
So what, exactly, is a fileless attack? It usually starts in a familiar way: with a web popup instructing you to “update” a piece of software (your Flash Player, say) so that it “runs properly”; with a spam or phishing message that entices you to click a malicious link, which starts the infection; or with an attachment that looks like a normal document but is anything but. Taking the bait injects malicious code into your system, and from there the attack typically proceeds along one or more of the following routes:
- Approved applications, such as Microsoft Office, are exploited for malicious ends, letting the attacker run their code with the same privileges as the application that is updating or running.
- Interpreted code, such as Java or PowerShell scripts, or a built-in Windows utility such as Windows Management Instrumentation (WMI), which exists to automate system administration tasks, is abused to run malicious scripts on the endpoint without writing anything to disk.
- Legitimate processes are hijacked through DLL injection (forcing a process to load a dynamic-link library in order to hook system function calls or read the contents of password text boxes) or through process hollowing (replacing a legitimate process’s code with the malicious function). The injected code then executes directly in memory and keeps running in the background, under the legitimate process’s name, even after the software it rode in on is closed.
- The Windows Registry is abused as storage: exploit code is placed in registry keys that have auto-run capabilities, so the attack starts afresh behind the scenes every time you reboot your computer.
The upshot is that fileless attacks can persist undetected in memory or in the registry, ignored by traditional antivirus programs that apply their checks only to malicious files landing on your disk. Your sensitive data is compromised or stolen by the cybercriminal, or your computer is locked, as with ransomware. Meanwhile, once established, the malware may open a network channel to the attacker’s command-and-control server for further exploitation of your system.
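The registry persistence described above leaves a trace that a defender can look for: an auto-run entry that launches a script host rather than a normal program, hides its payload in an encoded command line, or reads the real payload back out of another registry value. The PowerShell below is an added example and not part of the original post or Trend Micro’s product; the indicator list is an assumption of this example and is deliberately narrow, so treat hits as leads to investigate rather than verdicts. The three sample command lines at the bottom are constructed for illustration, not taken from a real infection.

```powershell
# Added example (not from the post): triage the auto-run registry locations for
# entries that look like fileless launchers. Indicators are assumed, not exhaustive.
$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Each rule pairs a regular expression with the reason a match is suspicious.
$Indicators = [ordered]@{
    'script host used as the launcher'          = '(?i)\b(powershell|pwsh|wscript|cscript|mshta|regsvr32)(\.exe)?\b'
    'encoded command (payload hidden in argv)'  = '(?i)\s-e(nc(odedcommand)?|c)?\s+[A-Za-z0-9+/=]{20,}'
    'hidden window / no-profile switches'       = '(?i)-w(indowstyle)?\s+h(idden)?\b|-nop(rofile)?\b'
    'payload fetched from the registry or decoded in memory' =
        '(?i)Get-ItemProperty|\bgp\b|RegRead|FromBase64String|\biex\b|Invoke-Expression'
}

# Returns the list of reasons a single command line trips the rules (empty if none).
function Test-AutorunCommand {
    param([Parameter(Mandatory)][string]$Command)
    $reasons = foreach ($rule in $Indicators.GetEnumerator()) {
        if ($Command -match $rule.Value) { $rule.Key }
    }
    return $reasons
}

# Walks the auto-run keys of this machine and emits one object per suspicious value.
function Get-SuspiciousAutorun {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $reasons = Test-AutorunCommand -Command ([string]$p.Value)
            if ($reasons) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

# Constructed samples (not real registry data) showing what fires and what does not.
# The base64 blob is a placeholder of the right shape, not a working payload.
$Samples = @(
    '"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'
    'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAEcAZQB0AC0ASQB0AGUAbQBQAHIAbwBwAGUAcgB0AHkA'
    'mshta.exe javascript:eval((new ActiveXObject("WScript.Shell")).RegRead("HKCU\\Software\\Foo\\Bar"))'
)
foreach ($s in $Samples) {
    [pscustomobject]@{ Command = $s; Reasons = ((Test-AutorunCommand -Command $s) -join '; ') }
}

# Now the live audit of this machine.
Get-SuspiciousAutorun | Format-List
```

The OneDrive entry matches nothing, the second sample trips three rules at once, and the third is flagged both for the mshta launcher and for reading its payload back out of the registry, which is the pattern the post describes: nothing on disk but the launcher line itself.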
A Big Ounce of Prevention
So what can you do to guard against fileless attacks?
- Start by educating yourself. There are countless websites, videos, and webinars that you can use to learn more about this ever-expanding threat, the various forms it takes to infect you, and the consequences to your system.
- Secure possible points of entry. Fileless malware’s known attack vectors are spam email, malicious websites/URLs (especially those hosting an exploit kit), and vulnerable third-party components such as browser plug-ins. Use anti-spam and web threat protection (see below).
- Be wary of macros. Some Microsoft Office documents prompt you to enable macros (or “enable content”) when opened. The safest course is to leave macros disabled so that untrusted code cannot run on your system. If enabling macros can’t be avoided, allow only digitally signed ones: with a Microsoft Office document open, go to File > Options > Trust Center > Trust Center Settings > Macro Settings and choose Disable all macros except digitally signed macros. The setting is per application, so repeat it in Word, Excel, and PowerPoint.
- Disable unnecessary components. As mentioned, a fileless attack can also arrive through exploits in vulnerable third-party components such as browser plug-ins, or even through built-in tools like PowerShell. Disabling unused or outdated components limits the ways an attacker can breach a system or network. To remove the legacy PowerShell 2.0 engine, go to Start > Windows System > Control Panel > Programs > Turn Windows features on or off and uncheck Windows PowerShell 2.0. Note that this removes only the old 2.0 engine, which attackers request with “powershell -version 2” because it predates the script logging and anti-malware scanning of later versions; the current PowerShell engine stays installed, since Windows itself relies on it, so keep it updated and monitored rather than assuming it is gone.
- Do not open files (executables, documents, scripts) from untrusted sources such as unknown websites or unexpected email attachments; such files are often the instigators of fileless attacks, through embedded or downloaded payloads.
- Always keep everything installed on your system updated. Schedule Windows Update and the updates for your other installed software weekly.
- Install antivirus software that can detect and mitigate fileless threats in memory, as well as protect against the other layers of malware exposure.
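The macro and PowerShell precautions above are applied through dialogs that a user can later click back. The following script is an added example, not the post’s own instructions or a Trend Micro tool: it sets the same choices as policy values so they persist, and it turns on script block logging so that whatever the remaining PowerShell engine runs is recorded. It assumes an elevated prompt, Office 2016/2019/365 (whose policy keys live under the “16.0” branch), and the documented registry value VBAWarnings = 3, which corresponds to “Disable all macros except digitally signed macros”.

```powershell
# Added example (not from the post): persist the macro and PowerShell hardening
# as policy. Run from an elevated PowerShell prompt. Assumes Office 16.0 policy keys.
#Requires -RunAsAdministrator

$OfficeApps    = 'Word', 'Excel', 'PowerPoint'
$OfficeVersion = '16.0'   # assumption: Office 2016/2019/365; adjust for other versions

# Creates the key if needed and writes a DWORD policy value.
function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 1. Macros. VBAWarnings 3 = "Disable all macros except digitally signed macros",
#    the same choice as File > Options > Trust Center in the post. The second value
#    additionally blocks macros in files carrying the Mark-of-the-Web (downloaded
#    or received as an attachment), which is how most macro lures arrive.
foreach ($app in $OfficeApps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    Set-PolicyValue -Path $key -Name 'VBAWarnings' -Value 3
    Set-PolicyValue -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1
}

# 2. PowerShell. This is what the "Turn Windows features on or off" checkbox does:
#    it removes only the legacy 2.0 engine, the one attackers ask for with
#    "powershell -version 2" to dodge newer logging and anti-malware scanning.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# 3. Log what the remaining engine actually executes, after any in-memory
#    de-obfuscation, to the PowerShell/Operational event log (event ID 4104).
$logKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
Set-PolicyValue -Path $logKey -Name 'EnableScriptBlockLogging' -Value 1

# 4. Report the resulting state so the change can be verified.
Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root |
    Select-Object FeatureName, State
Get-ItemProperty -Path $logKey | Select-Object EnableScriptBlockLogging
foreach ($app in $OfficeApps) {
    Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security" |
        Select-Object @{ n = 'App'; e = { $app } }, VBAWarnings, blockcontentexecutionfrominternet
}
```

Because the Office values are written under the Policies branch rather than the user’s own settings, the Trust Center dialog shows them greyed out, so a phishing document cannot talk the user into flipping them back. The script block log is what turns the “hidden in memory” property of a fileless attack into an event a defender can read.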
A Virtual Pound of Cure
For the last precaution, you should install and use Trend Micro Maximum Security, which has a low impact on your system’s performance while providing a “virtual pound” of cure. Its behavior monitoring, active script analysis, exploit shield, and real-time memory and registry scan enhancements can detect and block the following fileless threats:
- Exploit attacks on approved applications
- Script-based attacks using interpreted code such as Java and PowerShell, or abusing WMI
- Exploit code stored in registry keys or process memory
- Malicious memory operations in legitimate processes, such as reflective DLL injections (loaded from memory) and process hollowing.
Note that legacy systems (such as Windows 2000, XP, and soon Windows 7) are the most vulnerable to fileless assaults, which reinforces the hard fact that old-style, signature-based antivirus engineered to detect malicious files cannot fully protect your system. You need state-of-the-art, multi-layer antivirus that can address these fileless threats. With Trend Micro Maximum Security, fileless threats have nowhere to hide.