Threats 101
Ryan Berg
Feb 2016

The Rise of Fileless Malware: A Barkly Malware Research Chat

With an average of 230,000 malware samples being created every day, traditional signature-based security solutions like antivirus are facing an impossible task. With that kind of volume of signatures to update, they simply can’t keep up. To make matters worse, this year we’re likely to see an influx of script-based malware that utilizes PowerShell — an automation tool that comes standard with Windows 7 and 10 — to perpetrate fileless attacks.

The result? Infections that traditional antivirus products can’t identify.

In this week’s chat, the Barkly malware research team looks at the evolution of fileless malware — what it enables attackers to do, why it’s difficult to prevent, and how worried companies should be about its development.

The Team:

  • ryan (Chief Scientist)
  • kirk (Director of Research)
  • rick (Principal Malware Researcher)
  • forrest (Malware Researcher)
  • matt (Malware Research Co-Op)


ryan: So it looks like a lot more attention is being paid to non-PE malware. First off, someone want to explain to those who are not familiar with the term what ‘PE malware’ refers to?

forrest: PE malware is essentially a stand-alone executable file (usually with a .exe extension). All of the malicious code is contained within this file, and it simply runs automatically when an infected user starts up their system.

The way traditional security tools like antivirus work is that they scan all of the files on the system, looking for suspicious patterns typically found within malicious .exe files, and then simply delete the files to remove the malware. But in order for that to work, the .exe file must be physically stored on the hard drive somewhere in the Windows file system.

rick: There are other kinds of malware that utilize scripts (Flash, Java, etc.) or macros. They require a file to infect, but instead of it being an executable it's a program file. For example, Office macros will require an Office document like a DOC or XLS file to reside in. More recently, fileless is making a major impact.

ryan: Why is the distinction important, or isn’t it?

forrest: The distinction is important because there are many different ways to execute malicious code on a Windows computer. There are dozens of different programming languages which can be used maliciously, as well as shell scripting languages such as Batch and PowerShell built into Windows. The ability to steal information from someone’s computer, damage files, etc. is not something that only malicious code inside of a .exe file can do.

How Going Fileless Helps Attackers


kirk: In terms of the benefits of going fileless for attackers, this post from Trend Micro provides a good overview:

“Improvements in security file scanners are causing malware authors to deviate from the traditional malware installation routine. It's no longer enough for malware to rely on dropping copies of themselves to a location specified in the malware code and using persistence tactics like setting up an autostart feature to ensure that they continue to run. Security file scanners can easily block and detect these threats.

“A tactic we have spotted would be using fileless malware. Unlike most malware, fileless malware hides itself in locations that are difficult to scan or detect. Fileless malware exists only in memory and is written directly to RAM instead of being installed in target computer’s hard drive.”

In terms of drawbacks, running in RAM means the computer has to be on, but then again, users’ infrequent reboots and shutdowns combined with the use of hibernate and low power sleep states means malware can exist for long periods of time even just in RAM.

rick: Fileless malware doesn’t necessarily care about persistence. It gives up persistence in lieu of stealth and the ability to hide from many security tools. As @kirk mentioned, though, even if it is only resident in memory, it can still gain substantial execution on a target’s network.

ryan: Fileless essentially means not resident on disk, but we should keep that separate from persistence that refers to the ability of the malware to persist across reboots, as there are other ways to gain persistence while still technically fileless.

rick: Another con: Like @forrest pointed out, PE malware is usually self-contained, with the only prerequisite being a standard Windows install. Many of these other kinds of malware, however, require prerequisite software to be running on the machine. For example, the Java VM, or a specific browser like Internet Explorer.

ryan: It would seem like using scripting languages has both its advantages and disadvantages. If it’s a script vs. being compiled doesn’t this make it easier to reverse engineer (RE)?

rick: Even catching it running is difficult, because the analyst would need to carve the malware out of memory live, using tools that could potentially be detected by the malware.

Fileless malware also makes it difficult for security teams to analyze it, since many times they are driven by alerts pointing back to a malicious file doing bad things. If they aren’t able to catch the malware running they have difficulty trying to do forensics on the box.

forrest: In some cases, a scripting language can also be very difficult to RE since it can be obfuscated and made almost unreadable to a human. A good example of a non-PE malware using this kind of obfuscation is in the malicious macro that Bartallex and Dridex use. This macro is so scrambled that manually reading it (or detecting it using a byte pattern, like antivirus may try to do) is very difficult.

matt: In terms of fileless persistence, it’s also possible to add a small script to the autostart registry, and then on reboot the malware would get executed without being a persistent file, similar to what POWELIKS does.

ryan: Not throwing obfuscated PowerShell in IDA are we?

rick: Many of the obfuscation techniques are text substitutions or run-time decoding. Very easy for the author to create variations to defeat signatures. Operation Clandestine Wolf did something similar.

The initial vector was a Flash file written to disk, but then it injected another Flash file in memory that did the exploitation.

ryan: So how do you know you are infected if there is no file to scan?

rick: You have to have extremely good sensors in place to detect and record it. Many sensors are defeated by encryption.

ryan: Wait, isn’t there an anti-encryption movement? Let’s just wait for that right?

rick: I don’t think the bad guys signed up for that.

kirk: I’m not going to hold my breath for that one.

ryan: So if this is so hard to RE and difficult to detect why isn’t it even more popular? Or is it and we just don’t know?

rick: Because malware only needs to be as advanced as the security it’s defeating.

ryan: @rick: Are you throwing shade? :-)

rick: As the computer security community evolves, so will malware. I think we’ll be seeing more fileless malware since it’s difficult to perform forensics unless you have good sensor instrumentations which can, again, be very expensive and require large security teams to manage.

matt: I agree with @rick. Until other malware ceases to be as successful, the need to switch to more advanced malware is less of a priority. I think that the success of macro malware and other ransomware has slowed down the movement just a bit. People always say, “If it ain’t broke don’t fix it,” right?

rick: Yeah! Just look at the resurgence of macro malware. That’s about as basic as you can get. No exploit needed, relies on human interaction, and it has been wildly successful.

ryan: You can be a very successful lockpicker without ever picking a lock (as long as the doors are never locked in the first place).

matt: Or if you knock and the person inside opens (enabling macros when the malicious document asks).

ryan: It’s funny, I was just working on a spreadsheet for my wife and wrote a macro to reverse names and add a comma separation, then thought, if I sent this would they open it? Good social experiment for another day.

rick: Change the A’s to E’s and the 1’s to 0’s. That would drive a spreadsheet person insane.

ryan: The other thing that seems like an advantage of script-based attacks is you don’t have to worry about compilation environment and low-level incompatibilities.

rick: True, but you are also relying on the user having the runtime environment. Probably not much of an issue for common runtimes like .NET, Java, and Flash.

So you probably won’t see any widespread Ruby worms targeting Windows.

kirk: Luckily for the attacker, if the browser has the plugin installed they can detect its presence before deploying.

forrest: I think this is actually an important point — the dependence of scripting-based attacks on runtime environment and interpreters — which relates to the rise of these types of attacks with PowerShell, for example.

Attackers Utilizing PowerShell


ryan: PowerShell is not your grandfather’s shell anymore.

matt: PowerShell does come default with Windows 7 and 10.

forrest: In the past, you could write malware in Perl but couldn’t depend on it being executed properly on a good percentage of target computers, because they may not have the correct environment. Now, with PowerShell on Win7 and up by default, a significant percentage of Windows computers on the Internet can run advanced malicious scripts.

rick: Great point. PowerShell has started gaining widespread adoption for both legitimate and non-legitimate purposes.

ryan: PowerShell plus an internet connection and the world is your oyster (isn’t that the saying?).

So if you are looking to up your RE: Learn Windows PowerShell 3 in a Month of Lunches

rick: Yes, the beauty of PowerShell for malware authors is that it has a very rich integration with the operating system. I once saw a 3-liner PowerShell to dump out all the domain accounts on a network. Try doing that from shellcode. Or dumping your address book in two lines. I think that would take at least ~300 lines to do it robustly without crashing in C as a PE.

Add that to a webshell backend and you could have fileless malware that’s a few bytes in size with few forensic artifacts on the hosts. And to capture the network artifacts for that would require expensive network monitoring equipment (e.g. a SIEM, full packet capture, SSL decryption, Bro…).

Also, network monitoring becomes more difficult as the enterprise perimeter continues to disintegrate (telecommuting, BYOD, remote sites, business travel, mobile, etc.).

So How Big of a Threat is Fileless Malware?

ryan: Ok, so without sounding hyperbolic (there are plenty of go-to security sources for that), on a scale of 1-10 how worried should organizations be about this? Let’s make that a Scrum vote.

rick: lol. I resisted making a Scrum joke.

kirk: 5

ryan: 5

forrest: 7

rick: 6. It’s a concern. It’s part of vulnerability management. Just another thing for people to manage.

matt: At the moment it’s probably more like a 5, but going forward I would expect it to be more like a 7 as it gets used more (and as more people upgrade to newer versions of Windows that have PowerShell by default).

forrest: It presents some new challenges to the standard antivirus approach to detection. Since there is a transition away from PE malware, and away from just scanning for .exe files which may be malicious and deleting them, not all security software may be equipped to deal with the problem effectively. Still, it is nothing fundamentally game-changing. Non-PE and even fileless malware can still be found using the old signature-based detection strategies.

ryan: The big thing is you have to be aware of this style of attack and think about what people, processes, and products you have in place that are able to address this. But if you aren’t even good at PE-based malware you might want to focus on that first. Just look at VirusTotal. You’ll see that’s still the lion’s share.

kirk: Sure. Even fileless malware usually still respects the types of files. For example, a PE image may not be written to disk but they may still use that format for the malware in memory.

rick: I think it is game-changing for the forensics side charged with trying to reconstruct what happened during an attack. Especially for small organizations that don’t have the expensive network infrastructure.

Before this, small organizations could hire a forensics firm, point them to some logs and machines, and they could create a timeline of what happened. Fileless malware ups the game.

It’s like using an icicle as a murder weapon. To catch the killer, you’ll need to have a surveillance camera installed instead of counting on your ability to find the murder weapon.

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.
