December 19, 2016

Bodiless malware: How it works


In our previous article on this topic, we looked into the history of memory-only attacks, also taking a glance at attack scenarios and appropriate defensive technologies. Now it is time for a deeper look at the kill chains of such attacks — and also at the range of Kaspersky Lab’s technologies and solutions to effectively counter them.

Initial penetration

The most common scenario for bodiless malware to infect a target system usually involves the use of a malicious Web resource hosting exploits. The resource may be one created with malicious intent or a legitimate site that became compromised. Phishing messages are a common means to lure people to such resources. Or, if criminals can compromise popular websites, then they don’t have to trick anyone into visiting. They may also target sites frequented by employees of certain industry types in hopes of getting access to a particular kind of data. Or they can even hunt for staff members of a previously chosen target company, using well-crafted spear-phishing e-mails. In any case, their targets are users with unpatched — or yet unknown (zero-day) — vulnerabilities in their software. The malicious code uses those vulnerabilities to execute alien code on their machines.

Regardless of the attackers’ final goal, the hosted exploit starts by conducting a code injection into a process running on the target machine. Malware components are downloaded and launched directly in the machine’s memory, without ever touching the file system. As with more typical drive-by infections, this process doesn’t require any action from the user, and unless the user’s security solution uses advanced detection mechanisms, there is usually no indication that anything out of the ordinary is happening.

Horizontal movement

What happens at the next stage varies. If the infected system is the end target, the malware performs the actions it was programmed to perform and, with the next reboot, disappears without a trace.

Then again, the plan may require going deeper into the corporate infrastructure, involving access to different machines and data. One common technique uses particular remote code execution (RCE) vulnerabilities  to allow the malware to move horizontally. Or, for example, after successful privilege escalation, it can use PowerShell remoting commands to perform RCE in a way recognized as legitimate.


If the attackers count persistence among their goals, they can attain it with relative ease — if a critical mass of compromised systems exists on the network. Memory-resident malware disappears when the computer is rebooted, but as long as some infected systems — which can include servers and domain controllers — remain powered on and connected, they will reinfect systems on reboot.

Chasing shadows

The effect of “filelessness” on the overall detection capability of a given security system can be rather unsettling. Without any signs — even temporary ones — left at the file system level, many detection techniques are useless. Even the most sophisticated multifactor structural heuristics need an object to evaluate. Some scenarios are especially vulnerable: For example, agentless security solutions for virtualized environments lack access to the protected virtual machines’ RAM because of API limitations.

Also, bear in mind that certain incident response arrangements, such as performing digital forensics on an affected system or obtaining samples for malware analysis, become considerably less effective if conducted by internal ITSec staff unused to the specifics of this type of malware.

Catching the shadow

There’s nothing magical about bodiless malware, and some countermeasures are effective against it. But, as with any other kind of advanced malware, catching it requires a comprehensive approach. Best practices mandate the use of a multilayered security approach — which you will find in Kaspersky Lab’s security solutions and technologies. Let us take a brief look at how such an approach works.

URL reputation and anti-phishing

Malicious links launch bodiless malware into the corporate infrastructure, and attackers will use any means to direct their victims to these insidious URLs.

Therefore, the first countermeasure is preventing users from opening such resources. When they come by e-mail, Kaspersky Anti-Spam catches them, using a variety of factors. For example, URLs in incoming messages are checked against our extensive, cloud-powered database. Any URLs known to be malicious, including those encountered by Kaspersky Security Network participants, are immediately blocked.

In cases of well-crafted spear-phishing or drive-by infection attempts occurring at previously unknown or newly compromised legitimate websites, heuristic anti-phishing analyzes the linked page and, if it encounters anything suspicious (malicious scripting, illegitimate redirects, etc.) blocks the site.

Vulnerability assessment and patch management

Exploiting vulnerabilities in users’ software is a bodiless infection’s bread and butter. In fact, that is also true of the majority of other malware. Scores of new vulnerabilities are discovered every day, many of them critical vulnerabilities that allow the execution of arbitrary code in the attacked system.

Monitoring software vulnerabilities throughout an entire corporate infrastructure is one of IT security’s most complex tasks, and it requires proper monitoring and automation tools. Kaspersky Systems Management toolset includes both vulnerability assessment and automated patch management tools, giving the administrator a constant, clear view of the state of installed software — and the ability to apply updates and patches quickly and conveniently, with the most important ones given the highest priority automatically. Such an automated approach saves much time and effort for busy IT staff and IT security officers.

Automatic exploit prevention

Still, according to the principle of multilayered security, merely having automated patching is not sufficient for maintaining adequate security. Some business processes may require postponing patching, for example, leaving a window open for an attack.

Among many other security layers, Kaspersky Endpoint Security  and Kaspersky Security for Virtualization | Light Agent contain Automatic Exploit Prevention (AEP) technology, which can discern suspicious actions characteristic of exploits, and block them immediately. It is worth noting that AEP can stop even zero-day exploits targeting previously unknown vulnerabilities — the scope of activities surrounding the exploitation of vulnerabilities remains rather limited and, therefore,  predictable when approached armed with a profound knowledge of the threat landscape.

Behavioral analysis by System Watcher

With bodiless malware leaving no trace at the file system level, the only way to catch it at the endpoint level is by watching over the behavior of the processes running in the machine’s RAM. Kaspersky Endpoint Security and Kaspersky Security for Virtualization | Light Agent contain an advanced security layer called System Watcher, which does exactly that, discerning suspicious patterns of activities of the running program. For example, a Web browser trying to perform a process injection into a neighboring process is very odd. Putting together several suspicious actions enables System Watcher to form a reliable judgment of the process’s maliciousness and block it if necessary. New behavior indicators are continuously sought and new patterns assembled on Kaspersky Lab’s premises with the help of constantly running machine-learning processes. In the meantime, a constant link to Kaspersky Security Network helps to verify the verdicts obtained, ensuring the lowest false positive (FP) rate possible.

Beyond endpoints: Advanced detection solutions

Despite taking all of those precautions, a wise security specialist never rules out the possibility of an endpoint becoming infected. And even malware that leaves no trace within infected machines’ file systems can be spotted by its activities within a corporate network.

Kaspersky Anti-Targeted Attack Platform is an advanced detection solution that is more than capable of spotting and analyzing such activity. Comprising multiple security layers of its own, it lists among its features the Targeted Attack Analyzer, which receives network traffic metadata from network and endpoint sensors across the whole IT infrastructure, and compares the resulting picture to a normal baseline. For example, attempts to communicate with some Internet addresses that are considered unusual for this particular infrastructure triggers an immediate alarm: It’s a reason to perform a thorough check of the source machine.


Despite some attempts to spread fear, uncertainty, and doubt, steering people and businesses toward purchasing dubious “silver bullet” solutions, using memory-based malware remains just a single technique among the plethora of tricks employed by cybercriminals. Yes, such malware can be called advanced compared with more ordinary strains, but a true cybersecurity strategy can fight it effectively.

IT security should be as dynamic as the threat landscape — perhaps even more so — never resting, always striving to improve its position. For that, much work is needed: educating staff, having a reliable source of security intelligence, and being able to receive timely help from experts.

For all of this, Kaspersky Lab can become a unified entry point, providing everything required for a truly comprehensive IT security strategy.