Blog
09.21.2017

Preventing file-less Malware Attacks: How hackers invade systems

Fileless malware attacks operate in a computer’s RAM memory rather than on hard drives and this gives hackers a stealthier way to invade networks and applications. Because no (or very little) malware or foreign code is placed inside the victim’s system, such attacks are called “zero footprint, macro or non-malware” fileless attacks. This is also why anti-virus signatures are likely to miss a breach or attack (along with the odds that the attack itself may have no existing signature in the first place).

This ease of entry and ability to sneak in under the radar is making fileless malware attacks grow rapidly in popularity. In just the 11 months from January to November of 2016, fileless attacks increased from 3% to 13% of attacks. Now, 1 in 3 attacks has a fileless component to its strategy. So far, these attacks, including ransomware attacks, have invaded over 140 enterprises across 40 countries, affecting banks, telecoms, government agencies and more. One such example was the widely publicized attack on the Democratic National Committee in 2016.

Satya Gupta, founder and CTO at Virsec Systems, Inc, points out that the recent Equifax breach is also an example of a fileless attack, which used a command injection vulnerability in Apache Struts. "In this type of attack, a vulnerable application does not adequately validate users’ input, which may contain operating system commands."

Satya continued, "As a result, these commands can get executed on the victim machine with the same privileges as those of the vulnerable application. This mechanism totally blindsides any anti-malware solution that is not looking at the application’s execution path to determine if the application is not executing its natural code." He also notes, “Patching would have prevented the breach, since a patch was released in March.”

Memory corruption attacks
Buffer overflow attacks, also called buffer overruns, corrupt memory. They occur when a program that writes data to a buffer overruns the buffer’s boundary and overwrites adjacent memory locations.

Heap overflow – what is it?
A heap overflow, aka heap overrun, is a type of buffer overflow exploit. Different from overflows that exploit the stack, heap overflows or heap overruns occur in the heap region where the application dynamically allocates memory at run time. ‘Heap’ is a region of process memory that stores dynamic variables and heap memory contains program data. When the heap overflow exploit is carried out, the data is corrupted in such a way that the application is also corrupted, making it overwrite internal structures.

Return-to-libc Attack
Return-to-libc attack is another computer security attack that typically starts with a buffer overflow. The attacker doesn’t need to inject their own code – it’s executed as a fileless attack. A non-executable stack feature can prevent some types of buffer overflow exploits, but a return-to-libc attack gets past that feature by using executable code. These attacks leverage preexisting functions.

Remote code execution and PowerShell execution
Remote code execution (RCE) is the ability to trigger code execution over a network, including WANs like the Internet. Apache Struts had a vulnerability in its core code (CVE 2017-11778) that allowed attackers to take full control of the application. The problem is user-provided input is insufficiently validated, resulting in a vulnerability that can be carried out by remote code execution.

Powershell is another avenue that is often abused by fileless malware attacks, also launched remotely, known as powershell remote execution. Organizations can use tools to detect malicious PowerShell scripts. Powershell scripts are used to configure execution policies. PowerShell scripts can be run as executables using PSToExe (Powershell to exe).

Return Oriented Programming
Return-oriented programming (ROP) is a computer security exploit technique where an attacker executes code even when security defenses are present, such as executable space protection and code signing. The attacker gains control and can hijack the program control flow, then take advantage of machine instructions already present in the machine’s memory, called gadgets. Chained together, in this memory corruption ROP attack, these ROP gadgets give an attacker the ability to take control and perform arbitrary operations on a machine.