When Whac-A-Mole Won’t Work: Fileless Malware

The term "Whac-a-mole" (or "Whack-a-mole") is used colloquially to denote a repetitious and futile task: each time a task is finished, or a problem is dealt with, yet another problem appears elsewhere.

The Rise of Fileless Malware

Finding malware exploits can sometimes feel like a game of Whac-A-Mole. No sooner is a malware signature identified, users notified, and patches applied than a new exploit, or a variation of an existing one, appears. Businesses that hold a lot of personal data, meaning pretty much all businesses, can be left exposed to potentially huge losses.

What complicates things is that malware can also be “fileless”. There is no typical “.exe” binary with a signature to identify. Malware has traditionally relied on files it places on the target machine to carry out an attack, but a fileless attack does not touch the target's disk. Instead, the attacker leverages applications that are already installed on the computer and loads malicious instructions into memory only. Imagine opening a document that runs a macro, or clicking a website link to launch a video. That one action could, in one example, launch a malicious PowerShell script that deletes or damages files.

Though fileless attacks have become more frequent, this sort of malware has been seen for at least 15 years. The Lehigh virus was an example of this technique. The virus was carried in a maliciously altered DOS system file with the malicious code and the payload running in memory. It would run a command line script to overwrite the boot sector of a machine, preventing the target from booting.

Malware attacks can be difficult to prevent: with ever-changing signatures or, in the case of fileless attacks, no detectable signature at all, malware can slip past some antimalware services and application whitelists.
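Because a macro-launched PowerShell script leaves no file to hash, defenders look at process behaviour instead. The following detection logic is an added example, not code from the original post or from Alert Logic: it scans constructed process-creation events (field names modelled on Sysmon Event ID 1, values made up) for an Office application spawning PowerShell with hidden or in-memory switches.

```python
import json
import re

# Parent processes that typically host document macros (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Switches and cmdlets associated with hidden, in-memory PowerShell execution.
SUSPICIOUS_ARGS = re.compile(
    r"-enc\w*\b|-nop\w*\b|-w(?:indowstyle)?\s+hidden|"
    r"-e(?:xecutionpolicy|p)\s+bypass|\biex\b|invoke-expression|downloadstring",
    re.IGNORECASE,
)

def basename(path: str) -> str:
    """Lower-case file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event: dict) -> list:
    """Return the reasons an event matches the macro-to-PowerShell pattern."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if image not in POWERSHELL:
        return reasons  # only PowerShell children are of interest here
    if parent in OFFICE_PARENTS:
        reasons.append(f"{parent} spawned {image}")
    if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        reasons.append("hidden or in-memory PowerShell arguments")
    return reasons

def detect(lines) -> list:
    """Return [(event, reasons)] for every JSON log line that triggers."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = score_event(event)
        if reasons:
            hits.append((event, reasons))
    return hits

# Constructed events; the encoded command is a placeholder, not a payload.
SAMPLE_LOG = [
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand PLACEHOLDER_BASE64"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}',
    r'{"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288"}',
    r'{"ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ep bypass -w hidden -Command placeholder"}',
]

if __name__ == "__main__":
    for event, reasons in detect(SAMPLE_LOG):
        print(basename(event["Image"]), "<-", basename(event["ParentImage"]), ":", "; ".join(reasons))
```

The benign admin script launched from explorer.exe and the Office print helper are not flagged; only the macro-spawned PowerShell and the hidden, policy-bypassing invocation trigger.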

In the 2018 Ponemon Institute State of Endpoint Security Risk study, respondents predicted 62% of attacks targeting respondents' companies in 2019 would be file-based while 38% would be fileless attacks.

In an earlier study, the 2017 State of Endpoint Security Risk study by Ponemon found that the number of fileless attacks increased by 45% in 2017 and that 77% of successful breaches involved fileless techniques.

Extended Endpoint Protection

So, what to do? Do stretched IT teams clench their teeth and continue the game of Whac-A-Mole?

Typical endpoint protection solutions use machine learning to generate models every 4 to 6 months to identify malicious files before they execute. The problem with this approach is that businesses must manage decreasing accuracy over time and deal with false positives.

In simple terms, it would be ideal if, before any application, binary, video or other object executes, a very fast check could look for a known “goodware” or “badware” signature, and if there is none, an automated check backed by responsive machine learning could decide what to do.

Unlike solutions that generate models every 4 to 6 months to identify malicious files, Alert Logic Extended Endpoint Protection automatically gathers thousands of samples a day and uses machine learning to analyze these samples to improve coverage and accuracy.

Customers then transparently receive new models to get the best protection. The end result is fewer false positives because the model has already been trained with the specific software that customers are running.

From the perspective of the end user, this protection adds 1/5 of a second to the time it takes to open an application. The negligible difference in performance is worth the added protection and probably beats Whac-A-Mole any day.

Alert Logic’s endpoint protection intelligently blocks attacks through a combination of machine learning, attribute analysis and real-time behavior analysis, and provides deep CPU-level visibility without impacting performance. Our next-generation endpoint coverage dynamically combines machine-learning and behavior indicators to identify and block malicious techniques and malware in real time.

You can learn more about Alert Logic Extended Endpoint Protection here: https://www.alertlogic.com/solutions/extended-endpoint-protection/


About the Author

Tony Bailey - Director, Product Marketing


Tony has been involved in security, cloud and SaaS product marketing and product management for several years. This work includes security vulnerability response program management, application firewall appliances, security partner programs, security guidance programs, developer adoption of cloud platforms and, enterprise adoption of SaaS and subscription solutions. Tony has also worked in product and program management at marketing cloud analytics and enterprise application businesses. Tony is passionate about being the voice of the customer and, building and executing measurable plans that meet business objectives.
