Unlike the malware that we’re “used to”, fileless malware is able to infect and cause damage without leaving a trace. Its secret, as its name indicates, is not to record any type of file on the hard disk. All action takes place “in the air”, that is, on memory. The moment the system restarts the virus will disappear, but the damage will already be done. Can you fight an enemy that leaves no trace? Of course the answer is yes.
What is Fileless Malware?
Fileless malware is a type of Advanced Volatile Threat or AVT, malicious code that is designed to not write itself onto the hard drive and work from the RAM. In general, viruses and other types of malware need one or more files to act on the system. They are usually detected immediately by defense systems in operation and subsequently identified and quarantined. However, fileless malware does not need such files on the hard drive, so traditional protection systems are in fact completely unable to detect it. Naturally, it is much more difficult to defend against attacks using this technique, as these infections are not only difficult to detect, but also much more resilient and difficult to control.
They are also ephemeral malicious processes, since they disappear the moment the system is reset. Depending on the variants, we can find malware such as Phasebot, a fileless malware sold on the black market as a kit to make a virus specialized in data theft. Or Anthrax, a hybrid virus. Its modus operandi is to go into “fileless mode” once the infected executable has been opened. Once restarted, the virus passes by way of memory and infects new files. Poweliks forces the system to generate fraudulent visits and opens the door to new possibilities of infection through command and control servers (C&C).
The symptoms and damages caused by this fileless malware are very diverse. In any case, it is a serious problem for forensic system analysis, as well as protection strategies based on white lists, signature detection, hardware verification, or pattern recognition … In short, it gives all the tried-and-true methods of malware detection a run for its money.
Protecting Yourself Against Fileless Malware Is Possible
Fileless malware is a concept with a decades-long history behind it. However, its evolution has skyrocketed in recent times, seeing a record of viruses with incredibly harmful potential and overwhelming effectiveness. How can we defend against the threat of a code that leaves no traces on the hard drive? The secret is in behavior. Monitoring the system for malicious behavior is probably the most effective method. Panda Adaptive Defense 360 is able to classify 100% of the active processes in the corporate network and detect any compromising activity, in real time, alerting users of any and all suspicious behavior as soon as it occurs.
In 220 efficacy tests performed with Adaptive Defense 360, 99.4% of the infection attempts were detected. In none of the cases was there a false positive, nor any lost data, including potential fileless viruses in the tests. According to data obtained in the last PandaLabs security report, among our corporate clients 2.67% of the machines protected by traditional solutions suffered attacks by unknown threats, a higher figure when compared to 1.27% of the machines protected with Adaptive Defense, which blocks attacks instantly and without any collateral damage.
A proactive strategy is, as always, the best strategy. The conventional wisdom certainly applies here: always keep your systems updated, monitor suspicious traffic, restricting the use of macros etc. Other less-known countermeasures include restricting scripting languages and disabling, if possible, Windows PowerShell, one of the main routes exploited by fileless malware. In the end, only dedication and healthy security practices, coupled with the right tools, will keep us safe from the malware that we cannot see.