October 6, 2016

A Disembodied Threat

Ghost Riders in the Cybersky

One of the most sophisticated mechanisms malware uses to stay below security systems’ radars is having no detectable file body. Malware creators use various techniques to accomplish that, perhaps the most insidious of which is the execution of the malicious code wholly within the machine’s volatile memory, leaving no traces in the file system. Such an approach makes the malware considerably harder to detect, and, after the system is rebooted, very hard to trace.

This technique is definitely not new; cases of memory-only malware infection have been known since the beginning of the 2000s. But, during all these years, such cases remained relatively rare. As well, with persistence a key goal, many of them relied on an infected “mothership” system residing within the attacked infrastructure and carrying the malware in a more traditional form.

But at a certain point, the situation started changing. The issue of cyberespionage emerged on the surface of the ever-changing threat landscape, teeming with a variety of scenarios. Some of them didn’t require persistence at all. Quite the opposite: In surgical hit-and-run operations, speed and stealth matter much more than prolonged rooting within a compromised system. Nevertheless, despite the precautions of malware creators, some samples were eventually caught in security researchers’ nets, providing more insight into the nature of bodiless malware.

V for Volatile

In February 2013, after the publication of an extensive report on the APT1 (or “Comment Crew”) cyberespionage campaign, a surge of follow-up work by security vendors and researchers resulted in a new term. In contrast to the existing Advanced Persistent Threat (APT) buzzword, the new phenomenon was dubbed “AVT,” with the V standing for volatile. The term didn’t attain the popularity of APT and was used mostly to spread fear, uncertainty, and doubt, evoking pictures of a new kind of (mostly) state-sponsored — and quite formidable — foes and necessitating the purchase of new, sophisticated (and quite expensive) products and services.

Yet there was a seed of verity in the AVT-related hype: The expectations of more and more threats using memory-only malware as a key technique to avoid detection were reasonable. And as they emerged, it became clear that the reality was in some ways worse than the predictions; hardly an exclusive technique, AVTs made it right into the holsters of cybercriminal highwaymen. In fact, it had already been there — as some reports by Kaspersky Lab researchers revealed even prior to the emergence of the term AVT — but the growing number of sightings is definitely something to pay attention to.


Volatile vs. Bodiless/Fileless

Quite naturally, many people would consider “bodiless” and “memory-only” malware synonymous. In fact, one is a subset of the other: all memory-only malware is bodiless, but not all bodiless malware lives in volatile memory. Not having a file in which to reside doesn’t mean the malware cannot hide somewhere else.

Known hiding places of nonvolatile bodiless malware include the system registry, service areas of the hard drive, and even flash chips containing a hard drive’s firmware. The latter case is extremely rare — and practically undetectable by any means short of a thorough forensic procedure — but the first two are worrisome enough to justify being ever watchful for something more cunning.

Getting back to the matter of terminology, calling bodiless malware “volatile” or “memory-only” would be more accurate. However, so many people equate bodiless with volatile that you would probably not confuse anyone by using the term.

Scenarios and Countermeasures

Most common cyberattack scenarios can involve the usage of bodiless malware. For example:

  • Classic spear-phishing scenario with malicious attachment. When the user opens the attachment (for example, a specially crafted .docx file), an existing vulnerability allows an injection into the existing Microsoft Word process in the computer’s memory. After that, the compromised process starts doing things it is not supposed to, such as downloading and launching additional pieces of malware right in the machine’s memory.
  • Drive-by scenario (including watering hole attacks from already compromised popular Internet resources). Using the exploit, either the injection is made into the browser process or a new child process is started in memory.

Note that it is also possible for attackers to use legitimate programs to perform quite a wide variety of tasks without ever interacting with the file system. The most far-reaching of these programs is the PowerShell interpreter, which exists in practically any contemporary version of Microsoft Windows, starting with Windows 7.

Regardless of the scenario, those security layers working on the file system level are mostly useless. In case of drive-by/waterholing, there can be no files, even temporary ones, dropped in the file system. Malicious attachments that have highly sophisticated obfuscation (a likely case with attackers skilled enough to base their attack on fileless malware) can bypass static detection layers. And using legitimate software, especially software integral to Microsoft’s operating systems, makes detection even more complicated.

Still, it is quite possible to withstand such an attack. Keeping the principle of multilayered security in mind, we believe an adequate security solution requires the following security layers:

  • Advanced mechanisms employing behavioral methods for dynamic detection of malicious activity on the endpoint. Even if the original (host) process is legitimate, the actions it starts taking after the malicious code injection, especially when studied in combination, are far from normal, and they can be detected. In Kaspersky Endpoint Security for Business, as well as in Kaspersky Security for Virtualization | Light Agent, the System Watcher subsystem performs this detection.
  • Specialized exploit mitigation techniques. Such techniques are invaluable because exploiting software vulnerabilities is one of the key approaches attackers use. Both of the abovementioned Kaspersky solutions possess this security layer.
  • Application Control with Dynamic Whitelisting. Application control can also be of great help, especially when deployed in Default Deny mode; besides ruling out all the untrusted software, it can restrict the use of potentially dangerous legitimate programs — including certain system components, such as PowerShell — with the exception of those rare cases when its use is explicitly required by a working process. This feature is also available in both Kaspersky Endpoint Security (Select tier and up) and Kaspersky Security for Virtualization | Light Agent.
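
To make the behavioral layer concrete, here is an added example (not from the original article and not how System Watcher is implemented) that scores process-creation events by combining several weak signals, as the first bullet describes. The event fields, process names, threshold, and sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed names for the host applications in the scenarios above (Word, browsers).
EXPOSED_HOSTS = {"winword.exe", "iexplore.exe", "chrome.exe", "firefox.exe"}
INTERPRETERS = {"powershell.exe"}

@dataclass
class ProcEvent:          # hypothetical process-creation record
    pid: int
    parent: str
    image: str
    cmdline: str

def inline_code(cmdline):
    """True if code is passed on the command line rather than in a script file."""
    for tok in cmdline.lower().split()[1:]:
        name = tok[1:] if tok.startswith("-") else ""
        # PowerShell accepts parameter-name prefixes (e.g. -enc) and the -ec alias.
        if name and (name == "ec" or "encodedcommand".startswith(name)
                     or "command".startswith(name)):
            return True
    return False

def signals(ev, net_pids):
    """Collect the individually weak indicators that apply to one event."""
    found = []
    if ev.image.lower() in INTERPRETERS:
        if ev.parent.lower() in EXPOSED_HOSTS:
            found.append("interpreter_spawned_by_exposed_host")
        if inline_code(ev.cmdline):
            found.append("code_supplied_inline")
        if ev.pid in net_pids:
            found.append("interpreter_made_outbound_connection")
    return found

def triage(events, net_pids, threshold=2):
    """Alert only when several signals coincide on the same process."""
    alerts = {}
    for ev in events:
        found = signals(ev, net_pids)
        if len(found) >= threshold:
            alerts[ev.pid] = found
    return alerts

# Constructed sample data: one suspicious chain and three benign events.
EVENTS = [
    ProcEvent(4100, "WINWORD.EXE", "powershell.exe",
              "powershell.exe -NoProfile -EncodedCommand <BASE64_PLACEHOLDER>"),
    ProcEvent(4200, "explorer.exe", "powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(4300, "cmd.exe", "powershell.exe", "powershell.exe -Command Get-Service"),
    ProcEvent(4400, "chrome.exe", "chrome.exe", "chrome.exe --type=renderer"),
]
NET_PIDS = {4100, 4400}   # constructed: pids seen making outbound connections
```

Calling `triage(EVENTS, NET_PIDS)` flags only pid 4100; the administrator's one-off `-Command` call (pid 4300) carries a single signal and stays below the threshold.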