App Review Fileless malware demo:Why antivirus alone is not enough

[Prayag]

Hello,this is the practical malware video.
Forward to 2:46 for real testing and malware execution.
A fileless malware uses trusted windows processes to do its dirty deed while also evading detection by AVs as it does not drop any file on the system.
Some drop a few files in some locations but their main process has been already injected into registry and trusted processes so detecting the file dropped will not help as in the case of this video.
All the registry changes and file modifications should be reversed.
This malware will auto delete itself once successfully executed.(Have u noticed in the video?)

 

[Daniel Keller]

Thank you for making this video! Very interesting.

 

[ravi prakash saini]

I liked the last line of disclaimer most

 

[brod56]

I agree that it is very hard to be found once it is installed in the system.
However, if real time protection was enabled the only way I can see this infecting the system is with a new variant, which is not detected yet, and once installed will never get removed.

 

[blackTears]

Sacn with an outdatet EEK...

 

[Prayag]

Sacn with an outdatet EEK...

yeah that's the interesting point.
Updated avast could not detect what outdated eek did detect.
And it doesn't matter as i have told the sample was not a zero day. It was old.

 

[Prayag]

I liked the last line of disclaimer most

thanks.

 

[mekelek]

any top, even mid tier AV would have stopped this malware (in fact they did according to malware hub tests) without an issue.

 

[Prayag]

the title is the total opposite of what the video actually shows. I would name it: "why COMODO isn't enough"
any top, even mid tier AV would have stopped this malware (in fact they did according to malware hub tests) without an issue.

actually,with only comodo HIPS enabled,the malware was stopped completely.I have set it to autoblock any suspicious file.
Don't you see the procedure carefully?
I have said that we will see what changes are made my malware and I have allowed all the changes so that the malware could be run and we will be able to see what happens when fileless malware gets successfully loaded into memory(what a traditional av can do then).
You can skip to 2:46 to see the procedure and the testing.

 

[mekelek]

actually,with only COMODO HIPS enabled,the malware was stopped completely.I have set it to autoblock any suspicious file.
Don't you see the procedure carefully?
I have said that we will see what changes are made my malware and I have allowed all the changes so that the malware could be run and we will be able to see what happens when fileless malware gets successfully loaded into memory(what a traditional av can do then).

did i just totally fast scroll through that part? lol, sorry, had a long day
anyways, in that case, ignore the first part, but the title is still misleading, top/mid tier AVs would have done the same.

 

[Prayag]

did i just totally fast scroll through that part? lol, sorry, had a long day
anyways, in that case, ignore the first part, but the title is still misleading, top/mid tier AVs would have done the same.

I have also encountered an old fileless malware previously which was not a zero day(was quite old),but not detected by updated avast+eek.
Attack on US restaurants made me remember that incident and so i have made this video with an old malware,that could be detected easily in file format but once it injects itself to memory processes,it becomes a completely new type of attack.
I have tried to do my best,to make it a more realistic test because a real fileless malware just uses vulnerability to get into the system,which can easily evade detection.
I have also tried to define the most I can do.

 

[Prayag]

Actually i have made this video for my friends who don't know anything about such type of malware.
So I tried to keep it simpler,(haven't used too technical words, i think).

 

[mekelek]

https://malwaretips.com/threads/filess-malware.72648/
Fileless malware tested there.

 

[Prayag]

did i just totally fast scroll through that part? lol, sorry, had a long day
anyways, in that case, ignore the first part, but the title is still misleading, top/mid tier AVs would have done the same.

According to me, how much powerful an AV is,it doesn't matter.
You always need a much powerful solution to these problems,which an av can't provide even yet.
Read the conclusion that have been placed at the end of video to see which type of solutions i have recommended to counter modern day's malware attacks.

 

[Prayag]

https://malwaretips.com/threads/filess-malware.72648/
Fileless malware tested there.

Actually,this test says a lot but don't you observe there that even the big names like kaspersky have the hard time detecting it through its dynamic mechanisms.
Further, Juan Diaz made a video in which avast blocked some payloads but couldn't detected all the payloads so the system was finally infected by the ransomware,even after blocking it.
This malware was also probably run from a system not from a browser,so it isn't a real world simulation of fileless attack,as far as i know.In this case,the signatures can easily block such attacks before execution as has also been shown in my video.
Also,there is a difference in how the malware executed,which process or software it has exploited,how it comes to the system,which governs whether the known fileless attack would be detected by an AV.
As for unknown fileless attacks,the situation is more critical.
I suggest you to see my video once more when you have time as i have tried to explain the most there.
For countering such attacks,known or unknown,I would say again that antivirus alone is not enough.
Thank you for reading so far.

 

[BugCode]

C'mon dudes. It's nice to have "new" video makers here. I don't care if it already tested in Hub, this is videomaker view and conlusion that type of malware with that type of "defendline". @Prayag you don't have to defend your video what some guys comment and what you have done there, alltrought it is novice/average users very informative. And i agree many of here how stalking in backround doesn't now allkind of abreaviation of allkind Av's & etc...what 85% here use how wrote here in forum.

Thanks for your video

 

[mekelek]

C'mon dudes. It's nice to have "new" video makers here. I don't care if it already tested in Hub, this is videomaker view and conlusion that type of malware with that type of "defendline". @Prayag you don't have to defend your video what some guys comment and what you have done there, alltrought it is novice/average users very informative. And i agree many of here how stalking in backround doesn't now allkind of abreaviation of allkind Av's & etc...what 85% here use how wrote here in forum.

Thanks for your video

I wasn't "attacking" his video ,but the clickbait title he named his thread with.

 

[Prayag]

C'mon dudes. It's nice to have "new" video makers here. I don't care if it already tested in Hub, this is videomaker view and conlusion that type of malware with that type of "defendline". @Prayag you don't have to defend your video what some guys comment and what you have done there, alltrought it is novice/average users very informative. And i agree many of here how stalking in backround doesn't now allkind of abreaviation of allkind Av's & etc...what 85% here use how wrote here in forum.

Thanks for your video

It was a nice appreciation and a source of encouragement to me.
Thanks for your kind (maybe godly) words.

 

[S3cur1ty 3nthu5145t]

I'm with @cruelsister on the statement she made about this term "fileless Malware" being used to loosely.

At OP, thank you for the video and share.

 

[floalma]

@Prayag :
Could you tried with Qihoo 360 and show the results ?