Threats keep advancing
Fileless Malware, or Advanced Volatile Threat, is malware that can launch without being stored on disk.
Does this matter? If you’re relying on your defences detecting malware before it hits you, then yes. Fileless malware outsmarts those defences, and it is not just being used by sophisticated nation states.
Anti-Virus – Failing to detect
Previous generations of malware stored their payload on disk, either as an executable file or script, and then executed it or arranged for the system to run it later. Anti-virus software is designed to exploit this behaviour. By intercepting accesses to the file store, AV software can detect the creation of a file and check its contents for signatures of known malware. When it detects malware, it deletes or quarantines the offending file before it can run.
If malware doesn’t write any code to disk, AV software never sees it. So even if the malware’s signatures are known, it will never be found.
Fileless malware works by “living off the land”. This means it exploits tools already stored on the victim machine. Nothing new here – it’s why it has always been right to remove unnecessary software – but the tools involved are now much more powerful, and it has become de rigueur among attackers to exploit them. The problem is, and always has been, that you cannot remove the software being used by the malware, as it is an integral part of the system. On Windows the use of PowerShell scripts is essential, and PowerShell can control every aspect of the machine. So attackers can, and will, make good use of it, while you can’t remove it.
AV software could catch up. For example, it could intercept the system calls that start PowerShell and inspect the parameters to check for signatures of known malware. But it will be tough to do effectively because many additional system calls can launch malware, and AV software needs to intercept them all without disrupting normal operations.
Malware detection – The impossible dream
This is why Fileless Malware is hitting the headlines. Malware detection techniques – whether looking at data or behaviour – can’t cope with it. This doesn’t sound like good news. Data is the lifeblood of the digital economy, and thanks to Fileless Malware, you cannot trust any of it.
This tells us that differentiating malware from safe data is not always possible. Detection doesn’t work, but that doesn’t mean it is needed to defeat malware.
Content Threat Removal – Defeating the unknown
The key observation that leads to a solution is that it is not data which is the lifeblood of the digital economy, but information. What we need is the information, not the data that carries it. This means we don’t need to trust the data if we can get the information without it. This is the core concept at the heart of Content Threat Removal (CTR). It does not attempt to decide if it can trust certain data – all data is distrusted and none is allowed to pass. Instead it extracts the information, discards the data and then builds completely new data to carry the information.
Fileless malware lives in data. Therefore extracting information from the data will leave malware behind. Where business information includes active, code-like functionality – such as functions in spreadsheets – it is possible to carry malware into the extracted information. However, CTR only extracts and carries structures that are known to be safe.
An example that has been in the headlines is the “DDEAUTO” fileless malware technique. This can live in field codes in Microsoft Word documents or formulae in Microsoft Excel. Field codes and formulae carry important information, but DDEAUTO is a long-deprecated mechanism that is no longer documented. As a result it isn’t recognised by the Content Threat Removal defence, so it is not included in the extracted information and therefore doesn’t appear in the final delivered data.
When presented with unknown or obscure features, like DDEAUTO, malware detection fails to recognise them and allows them through. In contrast, Content Threat Removal fails to recognise them, so it discards them.
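The extract, discard and rebuild cycle described above, and the way a DDEAUTO field falls out of it, can be shown on a small scale. The following is an added example written for this page, not Deep Secure's implementation, and it works on a constructed toy format (plain text with Word-style field codes written as "{ TYPE arguments }") rather than on real .docx or .xlsx files. The allow-list of field types and the argument grammar for DATE are assumptions chosen for the example; the DDEAUTO argument in the sample input is a placeholder, not a real field.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed toy format: field codes appear in the text as "{ FIELDTYPE arguments }".
FIELD_RE = re.compile(r"\{\s*([A-Za-z]+)([^{}]*)\}")

# Assumed grammar for the one argument DATE may carry: a \@ "format" switch
# built from a small set of format characters.
DATE_FORMAT_RE = re.compile(r'^\\@\s*"([dMyHhms:/ .,-]{1,40})"$')


@dataclass
class Field:
    kind: str
    fmt: Optional[str] = None


@dataclass
class Paragraph:
    parts: list  # each part is a str or a Field


def clean_text(s):
    # Only printable characters are carried; control characters are not information.
    return "".join(ch for ch in s if ch.isprintable())


def validate_field(kind, args):
    """Map a field code to a known-safe structure, or None if it is not one.
    The allow-list (PAGE, DATE) is an assumption made for this example."""
    if kind == "PAGE" and args == "":
        return Field("PAGE")
    if kind == "DATE":
        if args == "":
            return Field("DATE")
        m = DATE_FORMAT_RE.match(args)
        if m:
            return Field("DATE", m.group(1))
    return None  # DDEAUTO and every other unrecognised field ends here


def extract_information(raw_text):
    """Parse distrusted data into a model containing only known-safe structures."""
    paragraphs = []
    for raw_para in raw_text.split("\n"):
        parts = []
        pos = 0
        for m in FIELD_RE.finditer(raw_para):
            parts.append(clean_text(raw_para[pos:m.start()]))
            fld = validate_field(m.group(1).upper(), m.group(2).strip())
            if fld is not None:
                parts.append(fld)
            pos = m.end()
        parts.append(clean_text(raw_para[pos:]))
        paragraphs.append(Paragraph([p for p in parts if p != ""]))
    return paragraphs


def build_document(paragraphs):
    """Generate new data from the model; no bytes of the input are copied through."""
    lines = []
    for para in paragraphs:
        pieces = []
        for p in para.parts:
            if isinstance(p, Field):
                if p.fmt is None:
                    pieces.append("{ %s }" % p.kind)
                else:
                    pieces.append('{ %s \\@ "%s" }' % (p.kind, p.fmt))
            else:
                pieces.append(p)
        lines.append("".join(pieces))
    return "\n".join(lines)


def content_threat_removal(raw_text):
    """Extract the information, discard the data, build new data."""
    return build_document(extract_information(raw_text))


# Constructed input: ordinary text, two legitimate fields, a DDEAUTO field with a
# placeholder argument, a stray control character and an unknown field type.
SAMPLE_INPUT = (
    'Report generated { DATE \\@ "dd MMMM yyyy" } for page { PAGE }.\n'
    'Totals follow.{ DDEAUTO PLACEHOLDER-ARGUMENT }\x07\n'
    'Unknown field { FOO bar } is dropped too.'
)

if __name__ == "__main__":
    print(content_threat_removal(SAMPLE_INPUT))
```

Note that the defence never has to know what DDEAUTO does: the field is absent from the output because validate_field has no rule for it, which is exactly the "fails to recognise it so discards it" behaviour the text describes. The same logic rejects a DATE field whose format switch does not fit the assumed grammar, so even an allowed structure is rebuilt only from arguments that have been positively validated.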
Content Threat Removal is the only way of defeating the unknown content threat. Fileless malware is nothing special. It is defeated in the same way as any other threat lurking in content.
Dr. Simon Wiseman, CTO at Deep Secure