Fileless Malware Attacks, Protection and Detection
Fileless Malware may be a new term for most, but the security industry has known it for years. Last year over 140 enterprises worldwide were hit with this Fileless Malware – including banks, telecoms, and government organizations. Fileless Malware, as the name suggests, is a kind of malware that doesn’t touch the disk or use any files in the process. It gets loaded in the context of a legitimate process. However, some security firms claim that the fileless attack leaves a small binary on the compromised host to initiate the malware attack. Such attacks have seen a significant rise in the last few years, and they are riskier than traditional malware attacks.
Fileless Malware attacks
Fileless Malware attacks are also known as Non-Malware attacks. They use a typical set of techniques to get into your systems without using any detectable malware file. In the past few years, attackers have become smarter and have developed many different ways to launch the attack.
Fileless malware infects computers while leaving no file behind on the local hard drive, sidestepping the traditional security and forensics tools.
What’s unique about this attack is the usage of a piece of sophisticated malicious software that managed to reside purely in the memory of a compromised machine, without leaving a trace on the machine’s file system. Fileless malware allows attackers to evade detection from most end-point security solutions which are based on static file analysis (Anti-Viruses). The latest advancement in Fileless malware shows the developers’ focus shifted from disguising the network operations to avoiding detection during the execution of lateral movement inside the victim’s infrastructure, says Microsoft.
The fileless malware resides in the Random Access Memory of your computer system, and no antivirus program inspects the memory directly – so it is the safest mode for attackers to intrude into your PC and steal all your data. Even the best antivirus programs sometimes miss malware running in memory.
Some of the recent Fileless Malware families that have infected computer systems worldwide include Kovter, USB Thief, PowerSniff, Poweliks, PhaseBot, Duqu2, etc.
How does Fileless Malware work?
Once the fileless malware lands in memory, it can use the native, built-in Windows administrative tools like PowerShell, SC.exe, and netsh.exe to run the malicious code and get admin access to your system, so as to carry out its commands and steal your data. Fileless Malware may sometimes also hide in Rootkits or in the Registry of the Windows operating system.
Once in, the attackers use the Windows Thumbnail cache to hide the malware mechanism. However, the malware still needs a static binary to enter the host PC, and email is the most common medium used for this. When the user clicks on the malicious attachment, it writes an encrypted payload file into the Windows Registry.
Fileless Malware is also known to use tools like Mimikatz and Metasploit to inject code into your PC’s memory and read the data stored there. These tools help the attackers to intrude deeper into your PC and steal all your data.
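As an added example (not code from the original article or from any product it mentions), the following Python script runs a few defender-side detection rules over constructed process-creation and registry-write events of the kind described above: PowerShell, SC.exe or netsh.exe launched by a mail or Office client (the email-attachment path), PowerShell started with an encoded command or a hidden window, a Run key whose value invokes PowerShell, and a registry value holding a large opaque blob (a payload parked in the Registry). The event layout, the rule names, the parent-process list and the 512-character blob threshold are assumptions chosen for the illustration.

```python
import re

# Constructed sample events; not real telemetry. Field names are assumed and
# loosely follow what a SIEM normalises from Sysmon process-creation
# (kind "process") and registry value-set (kind "registry") records.
PLACEHOLDER_B64 = "QUJDREVGR0hJSktMTU5PUA=="  # constructed; decodes to "ABCDEFGHIJKLMNOP"
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + PLACEHOLDER_B64},
    {"id": 2, "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"id": 3, "kind": "process",
     "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "sc.exe query state= all"},
    {"id": 4, "kind": "process",
     "image": r"C:\Windows\System32\netsh.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "netsh.exe interface show interface"},
    {"id": 5, "kind": "registry",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "powershell.exe -w hidden -enc " + PLACEHOLDER_B64},
    {"id": 6, "kind": "registry",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"id": 7, "kind": "registry",
     "target": r"HKU\S-1-5-21-1111\Software\Contoso\Blob",
     "details": "A" * 600},  # stands in for a payload stored as opaque registry data
]

# Detection patterns. -e/-ec/-en/-enc are accepted abbreviations of -EncodedCommand.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")
RUN_KEY = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\")
OPAQUE_BLOB = re.compile(r"^[A-Za-z0-9+/=]{512,}$")   # 512-char threshold is an assumption
ADMIN_TOOLS = {"powershell.exe", "sc.exe", "netsh.exe"}  # the tools named in the article
MAIL_OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}  # assumed list


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule the event matches (empty list if none)."""
    findings = []
    if event["kind"] == "process":
        image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
        if image == "powershell.exe" and ENCODED_CMD.search(cmd):
            findings.append("powershell_encoded_command")
        if image == "powershell.exe" and HIDDEN_WINDOW.search(cmd):
            findings.append("powershell_hidden_window")
        if image in ADMIN_TOOLS and parent in MAIL_OFFICE_PARENTS:
            findings.append("admin_tool_spawned_by_mail_or_office")
    elif event["kind"] == "registry":
        details = event["details"]
        if RUN_KEY.search(event["target"]) and (
                "powershell" in details.lower() or ENCODED_CMD.search(details)):
            findings.append("run_key_launches_powershell")
        if OPAQUE_BLOB.match(details):
            findings.append("large_opaque_registry_value")
    return findings


def scan(events):
    """Map event id -> findings for every event that matched at least one rule."""
    report = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            report[event["id"]] = hits
    return report


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(hits)}")
```

Running it flags events 1, 3, 5 and 7 and stays quiet on the benign PowerShell script run from Explorer, the netsh call from services.exe and the OneDrive Run entry; in a real deployment these rules would feed the behavioral-analytics layer discussed below rather than act as a blocklist on their own.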
Behavioral analytics and Fileless malware
Since most regular antivirus programs use signatures to identify a malware file, fileless malware is hard to detect. Thus, security firms use behavioral analytics to detect malware. This newer kind of security solution builds on knowledge of previous attacks and of the normal behavior of users and computers; any abnormal behavior that points to malicious content is then reported through alerts.
When no endpoint solution can detect the fileless malware, behavioral analytics detects anomalous behavior such as suspicious login activity, unusual working hours, or use of an atypical resource. This security solution captures event data during the sessions in which users run applications, browse websites, play games, interact on social media, etc.
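To illustrate the baseline-and-deviation idea the paragraph describes, here is an added Python example (not from the original article or from any product it names) that builds a per-user profile of usual logon hours and hosts from constructed logon events, then scores new logons for a never-before-seen user, a never-before-seen host, or an unusual hour. The one-hour slack, the rule names and the record layout are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed logon records (user, host, ISO timestamp); not real data. The
# first list is the learning window, the second is the traffic to be scored.
BASELINE_LOGONS = [
    ("alice", "WS-ALICE", "2024-03-04T08:55:00"),
    ("alice", "WS-ALICE", "2024-03-05T09:05:00"),
    ("alice", "WS-ALICE", "2024-03-06T17:40:00"),
    ("bob", "WS-BOB", "2024-03-04T09:15:00"),
    ("bob", "FS-01", "2024-03-05T13:30:00"),
    ("bob", "FS-01", "2024-03-06T14:10:00"),
]
NEW_LOGONS = [
    ("alice", "WS-ALICE", "2024-03-11T09:10:00"),  # matches her profile
    ("alice", "DC-01", "2024-03-12T03:20:00"),     # new host, and at 03:20
    ("bob", "FS-01", "2024-03-12T14:00:00"),       # matches his profile
    ("eve", "WS-BOB", "2024-03-12T10:00:00"),      # user never seen in the baseline
]


def build_profiles(events):
    """Per-user set of hosts used and hours (0-23) at which logons occurred."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, host, ts in events:
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(datetime.fromisoformat(ts).hour)
    return profiles


def hour_distance(a, b):
    """Circular distance on the 24-hour clock, so 23:00 and 00:00 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def score_logon(profiles, event, hour_slack=1):
    """List the reasons this logon deviates from the user's profile (empty = normal)."""
    user, host, ts = event
    profile = profiles.get(user)  # .get() does not create a default entry
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append("new_host")
    hour = datetime.fromisoformat(ts).hour
    if all(hour_distance(hour, h) > hour_slack for h in profile["hours"]):
        reasons.append("outside_usual_hours")
    return reasons


def find_anomalies(baseline_events, new_events):
    """Return [(event, reasons)] for every new logon that deviates from its baseline."""
    profiles = build_profiles(baseline_events)
    flagged = []
    for event in new_events:
        reasons = score_logon(profiles, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


if __name__ == "__main__":
    for (user, host, ts), reasons in find_anomalies(BASELINE_LOGONS, NEW_LOGONS):
        print(f"{ts} {user}@{host}: {', '.join(reasons)}")
```

The two flagged records are alice's 03:20 logon to a domain controller she has never used and a logon by a user absent from the baseline; the normal logons produce no alert. A production system would add more dimensions (source address, logon type, volume) and weight them, but the structure, a learned profile compared against each new event, is the same.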
Fileless malware will only become smarter and more common. Regular signature-based techniques and tools will have a harder time discovering this complex, stealth-oriented type of malware, says Microsoft.
How to protect against & detect Fileless Malware
Follow the basic precautions to secure your Windows computer:
- Apply all the latest Windows Updates – especially the security updates to your operating system.
- Make sure that all your installed software is patched and updated to the latest version.
- Use a good security product that can efficiently scan your computer’s memory and also block malicious web pages that may be hosting Exploits. It should offer Behavior monitoring, Memory scanning, and Boot Sector protection.
- Be careful before downloading any email attachments. This is to avoid downloading the payload.
- Use a strong Firewall that lets you effectively control Network traffic.
Read next: What are Living Off The Land attacks?