Why Fileless Malware Will Continue Its Rapid Expansion

Fileless malware has received a lot of attention lately, and with good reason. In the last year, fileless malware, also commonly referred to as a zero-footprint attack, has successfully infiltrated a number of financial and other institutions that are generally thought of as being very secure. These kinds of attacks are evolving—a recent report by McAfee found that fileless malware rose 267 percent in Q4 2017—and are now even being used by cybercriminals to mine cryptocurrency.

Any new malware variant will cause a stir if it’s successfully disrupting our lives, at least until vendors patch vulnerabilities and anti-malware tools can detect it. Once under control, the attention given to most malware quickly subsides. But if you cannot detect it to begin with, how can you stop it? For many organizations, there will be no quick resolution—we are in this one for the long haul.

So why is fileless malware so dangerous, and why will it continue to expand for the foreseeable future? In simple terms: It works. Like everyone else, cybercriminals will usually take the path of least resistance, and since this type of malware successfully defeats most security controls, it is rapidly becoming the attack methodology of choice. Its success is due to a number of factors.

No Signatures to Detect

Fileless malware resides and operates completely within RAM and does not generally place malicious executables on the file system. Most malware detection tools on the market still depend on and look for known malware signatures within objects and files. Since these products are ineffective against fileless malware, companies that deploy these tools need to adopt new technologies that are fundamentally different from their existing products, meaning organizations will need to dedicate a significant amount of time and resources on redesigning their solutions.

Static Analysis Doesn’t Work

Static document analysis has become an essential component of advanced malware detection because of its ability to find structural or other abnormalities in the file itself, not in how it is executed. While there are a number of malware detection tools on the market built to hunt for malware by detecting these abnormalities, they suffer from the same problem as signature-based technologies since, in this case, there is no file to detect and/or analyze.

RAM is an Ideal Location for Malware

Because fileless malware resides entirely in RAM, most security controls can’t even see it, let alone analyze it. So, it’s easy to see why it is attractive for malware authors. Executing malicious code in the memory of a system that doesn’t shut down or reboot for extended periods of time is an ideal situation.

It’s Profitable to Cybercriminals

It takes a great deal of time to develop new malware. To maximize their return on investment, cybercriminals will look for malicious technologies that can’t be easily defeated. Fileless malware is fundamentally different, and a lot of time will pass before most organizations can effectively respond to it. To put it more simply: The longer it takes to detect the malware, the more profitable it will become to cybercriminals.

Overall, fileless malware is stealthy and dangerous. It is not easy to detect, and therefore not easy to identify. Although there are solutions that have figured out how to effectively detect and mitigate it, the majority of organizations aren’t adding this type of protection to their security suite. Because this malware is so attractive to cybercriminals, these kinds of attacks will continue to rapidly expand for the foreseeable future, and all organizations should prepare.

Featured eBook
A Hindsight Look at The Equifax Breach

A Hindsight Look at The Equifax Breach

In this whitepaper you will understand the root cause of this breach and how it could have been easily prevented, learn how to detect open source vulnerabilities in real-time for quick remediation and get a detailed implementation plan to ensure your organization won’t become the next Equifax. This complimentary download is offered by WhiteSource. Download Now ... Read More
Christopher Kruegel

Christopher Kruegel

Christopher Kruegel’s research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security, and intrusion detection. Christopher is a Professor of Computer Science at UC Santa Barbara. He has published more than 100 peer-reviewed papers in top computer security conferences and has been the recipient of the NSF CAREER Award, MIT Technology Review TR35 Award for young innovators, IBM Faculty Award, and several best paper awards. Christopher regularly serves on program committees of leading computer security conferences including: Program Committee Chair of the Usenix Workshop on Large Scale Exploits and Emergent Threats (LEET, 2011); the International Symposium on Recent Advances in Intrusion Detection (RAID, 2007); the ACM Workshop on Recurring Malcode (WORM, 2007), and the ACM Conference on Computer and Communications Security (CCS 2016). He was also the head of a working group that advised the European Commission (EC) on defenses to mitigate future threats against the Internet and Europe’s cyber-infrastructure.

christopher-kruegel has 1 posts and counting.See all posts by christopher-kruegel