[App Review] Fileless malware demo: Why antivirus alone is not enough


Prayag | Level 4 | Thread author | Verified | Well-known | Mar 27, 2017 | 160


Hello, this is the practical malware video.
Forward to 2:46 for real testing and malware execution.
A fileless malware uses trusted Windows processes to do its dirty deed while also evading detection by AVs, as it does not drop any file on the system.
Some drop a few files in some locations, but their main process has already been injected into the registry and trusted processes, so detecting the dropped file will not help, as in the case of this video.
All the registry changes and file modifications should be reversed.
This malware will auto-delete itself once successfully executed. (Have you noticed in the video?)
 
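As an added example (not from the video, and not code the thread author ran), here is a small Python script that does the "see what changes the malware made" step from the first post for the HKCU Run autorun key: it parses two .reg-style snapshots taken before and after execution, lists every value that was added, removed or changed (all of which the post says should be reverted), and flags the ones that launch a script host with an inline or encoded command, which is the usual shape of registry-resident fileless persistence. The snapshot text, the value names and the base64 string (which only decodes to the UTF-16 word "Placeholder") are all constructed for the demo; on a real machine you would export the Run keys with reg.exe before and after the test instead.

```python
"""Diff two autorun registry snapshots and flag fileless-style entries.

The snapshots are constructed sample data in .reg export style; nothing here
comes from the test system shown in the video.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (registry key path, value name)

# Constructed "before execution" snapshot (hypothetical benign entries).
BEFORE_SNAPSHOT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
'''

# Constructed "after execution" snapshot: two values were added. "Backup" is a
# plain script file run by a script host; "Updater" carries its payload inline
# as an encoded command (the base64 decodes to the harmless word "Placeholder").
AFTER_SNAPSHOT = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\demo\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Backup"="wscript.exe C:\\Scripts\\backup.vbs"
"Updater"="powershell.exe -NoP -W Hidden -EncodedCommand UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Trusted Windows script/LOLBin hosts that a fileless autorun launches instead
# of a dropped binary of its own.
SCRIPT_HOST_RE = re.compile(
    r'\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?\b',
    re.IGNORECASE)
# Signs that the command line carries its payload inline (encoded command,
# inline script, or code pulled back out of another registry value).
INLINE_PAYLOAD_RE = re.compile(
    r'(-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{16,}|javascript:|vbscript:|'
    r'\bIEX\b|Invoke-Expression|FromBase64String|Get-ItemProperty|HKCU|HKLM)',
    re.IGNORECASE)


def parse_snapshot(text: str) -> Dict[Entry, str]:
    """Parse .reg-style text into {(key path, value name): value data}."""
    entries: Dict[Entry, str] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            entries[(current_key, m.group(1))] = m.group(2)
    return entries


def diff_snapshots(before: Dict[Entry, str],
                   after: Dict[Entry, str]) -> Dict[str, List[Entry]]:
    """Return the autorun values added, removed or changed between snapshots."""
    return {
        'added': sorted(e for e in after if e not in before),
        'removed': sorted(e for e in before if e not in after),
        'changed': sorted(e for e in after if e in before and after[e] != before[e]),
    }


def is_suspicious_autorun(data: str) -> bool:
    """Heuristic: a script host started with an inline or encoded payload.

    Both signals are required, so a script host that just runs a file on disk
    is reported for review but not flagged.
    """
    return bool(SCRIPT_HOST_RE.search(data)) and bool(INLINE_PAYLOAD_RE.search(data))


def triage(before_text: str, after_text: str) -> List[dict]:
    """List every autorun change and mark those that look like fileless persistence."""
    before = parse_snapshot(before_text)
    after = parse_snapshot(after_text)
    findings = []
    for change, entries in diff_snapshots(before, after).items():
        for key, name in entries:
            data = after.get((key, name), before.get((key, name), ''))
            findings.append({'change': change, 'key': key, 'name': name,
                             'data': data, 'suspicious': is_suspicious_autorun(data)})
    return findings


if __name__ == '__main__':
    for f in triage(BEFORE_SNAPSHOT, AFTER_SNAPSHOT):
        flag = 'SUSPICIOUS' if f['suspicious'] else 'review'
        print(f"{f['change']:8} {flag:10} {f['name']} = {f['data']}")
```

Every change is printed because the post's advice is to revert all of them; the SUSPICIOUS tag only says which ones match the fileless pattern (script host plus inline payload) and so deserve a look at the decoded command before anything else. Run keys are just one of the autorun locations worth snapshotting; the same parser works on exports of RunOnce, Winlogon and scheduled-task related keys.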

brod56 | Level 15 | Verified | Top Poster | Well-known | Feb 13, 2017 | 737
I agree that it is very hard to be found once it is installed in the system.
However, if real-time protection was enabled, the only way I can see this infecting the system is with a new variant, which is not detected yet, and once installed will never get removed.
 

mekelek | Level 28 | Verified | Well-known | Feb 24, 2017 | 1,661
Any top, even mid-tier, AV would have stopped this malware (in fact they did, according to Malware Hub tests) without an issue.
 

Prayag | Level 4 | Thread author | Verified | Well-known | Mar 27, 2017 | 160
(Quoting mekelek) The title is the total opposite of what the video actually shows. I would name it: "why COMODO isn't enough"
(Quoting mekelek) Any top, even mid-tier, AV would have stopped this malware (in fact they did, according to Malware Hub tests) without an issue.
Actually, with only COMODO HIPS enabled, the malware was stopped completely. I have set it to auto-block any suspicious file.
Don't you see the procedure carefully?
I have said that we will see what changes are made by the malware, and I have allowed all the changes so that the malware could be run and we will be able to see what happens when fileless malware gets successfully loaded into memory (what a traditional AV can do then).
You can skip to 2:46 to see the procedure and the testing.
 

mekelek | Level 28 | Verified | Well-known | Feb 24, 2017 | 1,661
(Quoting Prayag) Actually, with only COMODO HIPS enabled, the malware was stopped completely. I have set it to auto-block any suspicious file.
(Quoting Prayag) Don't you see the procedure carefully?
(Quoting Prayag) I have said that we will see what changes are made by the malware, and I have allowed all the changes so that the malware could be run and we will be able to see what happens when fileless malware gets successfully loaded into memory (what a traditional AV can do then).
Did I just totally fast-scroll through that part? lol, sorry, had a long day.
Anyways, in that case, ignore the first part, but the title is still misleading; top/mid-tier AVs would have done the same.
 

Prayag | Level 4 | Thread author | Verified | Well-known | Mar 27, 2017 | 160
(Quoting mekelek) Did I just totally fast-scroll through that part? lol, sorry, had a long day.
(Quoting mekelek) Anyways, in that case, ignore the first part, but the title is still misleading; top/mid-tier AVs would have done the same.
I have also encountered an old fileless malware previously which was not a zero-day (it was quite old), but it was not detected by updated Avast + EEK.
The attack on US restaurants made me remember that incident, and so I have made this video with an old malware that could be detected easily in file format, but once it injects itself into memory processes, it becomes a completely new type of attack.
I have tried to do my best to make it a more realistic test, because a real fileless malware just uses a vulnerability to get into the system, which can easily evade detection.
I have also tried to define the most I can do.
 

Prayag | Level 4 | Thread author | Verified | Well-known | Mar 27, 2017 | 160
(Quoting mekelek) Did I just totally fast-scroll through that part? lol, sorry, had a long day.
(Quoting mekelek) Anyways, in that case, ignore the first part, but the title is still misleading; top/mid-tier AVs would have done the same.
According to me, it doesn't matter how powerful an AV is.
You always need a much more powerful solution to these problems, which an AV can't provide even yet.
Read the conclusion that has been placed at the end of the video to see which type of solutions I have recommended to counter modern-day malware attacks.
 

Prayag | Level 4 | Thread author | Verified | Well-known | Mar 27, 2017 | 160
Actually, this test says a lot, but don't you observe there that even big names like Kaspersky have a hard time detecting it through their dynamic mechanisms?
Further, Juan Diaz made a video in which Avast blocked some payloads but couldn't detect all the payloads, so the system was finally infected by the ransomware, even after blocking it.
This malware was also probably run from the system, not from a browser, so it isn't a real-world simulation of a fileless attack, as far as I know. In this case, the signatures can easily block such attacks before execution, as has also been shown in my video.
Also, there is a difference in how the malware executed, which process or software it has exploited, and how it comes to the system, which governs whether the known fileless attack would be detected by an AV.
As for unknown fileless attacks, the situation is more critical.
I suggest you see my video once more when you have time, as I have tried to explain the most there.
For countering such attacks, known or unknown, I would say again that antivirus alone is not enough.
Thank you for reading so far.
 

BugCode | Level 10 | Verified | Well-known | Jan 9, 2017 | 468
C'mon dudes. It's nice to have "new" video makers here. I don't care if it was already tested in the Hub; this is the video maker's view and conclusion on that type of malware with that type of "defence line". @Prayag you don't have to defend your video against what some guys comment, and what you have done there, although it is for novice/average users, is very informative. And I agree many here who are stalking in the background don't know all kinds of abbreviations of all kinds of AVs etc., which 85% here use, as written here in the forum.

Thanks for your video :)
 

mekelek | Level 28 | Verified | Well-known | Feb 24, 2017 | 1,661
(Quoting BugCode) C'mon dudes. It's nice to have "new" video makers here. I don't care if it was already tested in the Hub; this is the video maker's view and conclusion on that type of malware with that type of "defence line". @Prayag you don't have to defend your video against what some guys comment, and what you have done there, although it is for novice/average users, is very informative. And I agree many here who are stalking in the background don't know all kinds of abbreviations of all kinds of AVs etc., which 85% here use, as written here in the forum.

(Quoting BugCode) Thanks for your video :)
I wasn't "attacking" his video, but the clickbait title he named his thread with.
 

Prayag | Level 4 | Thread author | Verified | Well-known | Mar 27, 2017 | 160
(Quoting BugCode) C'mon dudes. It's nice to have "new" video makers here. I don't care if it was already tested in the Hub; this is the video maker's view and conclusion on that type of malware with that type of "defence line". @Prayag you don't have to defend your video against what some guys comment, and what you have done there, although it is for novice/average users, is very informative. And I agree many here who are stalking in the background don't know all kinds of abbreviations of all kinds of AVs etc., which 85% here use, as written here in the forum.

(Quoting BugCode) Thanks for your video :)
It was a nice appreciation and a source of encouragement to me.
Thanks for your kind (maybe godly) words.
 
