Fileless malware protection test (October 2017)

In times of digitalization nearly every aspect of public and private life, there is no shortage of new and interesting techniques to circumvent security. Although for several years the first violin in the midst of the malware still play pests using asymmetric cryptography, we cannot complain about the shortage and such ways of cheating the safeguard products level preparation and complex cycle of escalation of infections outweigh the viruses from the family of ransomware.

Considered a threat in this report is a so-called bezplikowe viruses (malware fileless). Although vector infection most commonly starts traditionally from delivery of the malicious file on the computer of the victim, by a scam or attack drive-by download through the use of an exploit — it's similarity to the common attacks with the executable on this end. Malware type "fileless" works directly in your computer's memory. In this scenario, running a virus will not be moved to quarantine by security software, because there is a file, but a set of instructions to perform, to operate on system processes.

The authors of the malicious code, who are often experts in their field, may use this dependency, so as not to leave any traces on your hard drive and make it difficult to detect malware by antivirus program. Threat of "fileless" have several features in common with Rootkits: can store data in the registry, which is a base for operating system settings, and certain applications, and even capture and modify low-level API functions. In addition, as rootkits can hide the presence of processes, folders, files, and registry keys, in that install their own drivers and services on your system. Bezplikowe malware can access permissions "ring 0". The process started at this level performs the code with the privileges of the kernel, can get unlimited access to all processes, drivers, and services.

Among the presented in this report are unfortunately security programs that have problems with malware detection fileless. Viruses like bezplikowe rootkits have the ability to avoid detection: to give an attacker remote access to the infected machines can cause the escalation of privilege and use security holes. This family of malware is often used in attacks (. Advanced Persident Threat) to be carried out on a large scale or in attacks on high-level employees. According to the report "Fileless attacks against enterprise networks" published by Kasperky Lab, cyber criminals use malware bezplikowe to attack close to 140 companies around the world, mainly in the United States The United States, United Kingdom, Russia, France, Ecuador, Brazil, Tunisia, Turkey, Israel and Spain. Among the captured on target actors and institutions includes banks, telecommunications companies and government organisations.

In a test conducted in October 2017 year AVLab experts have used the techniques and tools used by cyber criminals to break the security and remote access to the infected machine without saving any the data on your hard disk. Described bezplikowe malware is very hard to detect if security products do not have the mechanisms that control the run malicious scripts. Detection of these scripts is the more problematic if the malicious code is executed by the interpreter system. With this method it becomes possible infection of a computer without raising an alarm by the security program.

Technical basics

The test was conducted in a controlled environment, niezagrażającym the security of data or computer systems.

To check the efficiency of the protection of different security modules each test program uses four types of malware files, which contained similar instructions.

  • File download instructions included .bat M1 virus by PowerShell with the appropriate parameters.
  • Compiled file M2. exe included similar instructions.
  • M3 file. exe has been obfuscation technique (obfuskacji).
  • M4 file .docm contained a malicious macro instructions to start PowerShell with the appropriate parameters.

Using the software WireShark to capture packets, we can see the exact way to deliver malware from a test server that contains the web-application (which is used to attack computers) to the operating system with the installed security software.

Delivery of malware from the test server to the operating system.

More technical details, methodology, results and awards, can be found in the report prepared in Polish and English.

Learn more about our offer

If you sell security solutions, are a distributor, authorized partner or developer and would like to share your portfolio with a group of potential customers, advertise an event, software, hardware or other services on AVLab - simply write to us. Or maybe you had to deal with ransomware? We can also help you decrypt your files.
Read more

We use Google Cloud Translation and Gengo API’s to translate articles with exception of our comparative tests.