To date, there are a number of so-called fileless infections. By fileless infections or fileless malware, we are referring to an infection or malware that does not write any files to the infected system’s hard drive.
By leaving as little traces behind as possible, malware authors try to postpone detection by security vendors for as long as possible. Which is another big step in the arms war between malware and security products and the process of making file-based detections by security vendors something of the past.
In some modern exploit kits (Angler in particular), fileless infection is rapidly becoming the run-of-the-mill method. If we want to classify fileless infections, the first split will be depending on whether the infection wants to be resident or if it will be gone after doing its job or sometimes after a reboot.
Hit and RunBased on that property USB Thief, PowerSniff and exploit kits can be categorized as “hit and run” malware. They run on the infected system, do their job and disappear. This makes it hard for researchers to get samples and study their behavior.
- Fileless exploit kits run directly in memory and often seen in malvertising. They can fingerprint the system that they are active on and then infect them further by downloading and running other malware.
- PowerSniff is spread by mail as a macro in an attached Word document. It gathers information on the infected system and sends that to a Command & Control server.
- USB Thief resides on infected USB devices installed as a plugin in popular portable software. It gathers information on the targeted system and writes that to the USB device.
Here to stayAnd then there are the likes of Poweliks, PhaseBot and Kovter that use rootkit techniques to hide in the Windows registry.
- PhaseBot uses PowerShell to run components that are encoded scripts it has hidden in the registry. PhaseBot can execute commands issued by the botnet operator.