Fileless malware: Invisible threat or scaremongering hype?

Poll: Are you worried about fileless malware?

  • Yes: 22 votes (32.8%)
  • No: 36 votes (53.7%)
  • No, because I use Emsisoft AM: 9 votes (13.4%)

Total voters: 67 (poll closed)

Deleted member 178

Thread author
Ransomware may have claimed the lion’s share of media headlines in 2017, but there’s another type of attack that has become increasingly common in recent months – fileless malware.

Deceptive, sneaky and undeniably effective, fileless malware is growing in popularity as cybercriminals trade in brute force for stealth. While some organizations claim traditional antivirus software is all but blind to fileless malware, the truth is that many IT security products are more than up to the challenge.

In addition, there are a few things you can do yourself to minimize the risk of infection and limit the fallout should something happen to slip past your defenses. Read on to find out how you can protect yourself from the ‘invisible’ threat that is fileless malware.

What is fileless malware?
Fileless malware goes by many names, including ‘non-malware’, ‘memory-based malware’ and ‘living off the land attacks’. Whatever you choose to call it, fileless malware refers to a special type of cyberattack that can infect a system with malware without leaving an executable file on disk. It’s not fileless in the sense that no files are involved whatsoever; rather, the term refers to the fact that – unlike conventional malware – fileless malware can deliver its payload without dropping anything suspicious onto a machine’s hard drive.

So, if fileless malware isn’t stored on your hard drive, where does it live?

Read more here
 

Danielx64
Mar 24, 2017
No, because I know the IT security news is mostly bullshit.
Pretty much this. I mean, to have malware you need to have a file, unless you ask someone to type something in the cmd box or the browser's address bar, but how many people would even do that anyway?

Also, in a business environment, most people wouldn't even have access to cmd, regedit, PowerShell etc., so yeah, I call it bull too.

Unless, of course, the malware file is sitting on a server and a piece of deployment software is used to push that malware out to the computers without saving the file to the computer's C: drive before running it. At that point, you have bigger issues anyway before you get to that.
 

Deleted member 178

Thread author
Pretty much this. I mean, to have malware you need to have a file, unless you ask someone to type something in the cmd box or the browser's address bar, but how many people would even do that anyway?
- weaponized email attachment > user clicks it > oops = WannaCry
- misconfigured ports with SMB open = WannaCry
etc... etc...

Also, in a business environment, most people wouldn't even have access to cmd, regedit, PowerShell etc., so yeah, I call it bull too.
You don't need PowerShell access for a PowerShell-based fileless attack to execute: by using reflective DLL injection, the malware runs entirely in memory and uses .NET assemblies/libraries to start execution of the PowerShell scripts.

You can even load malware with PowerShell integrated in it if the security measures implemented by the admins are too tight.

So no, it is not BS; these are actual, known methods used by many red teams/hackers, and you will see more and more of them in the coming years...
Now, whether home users will be targeted as much as businesses/corporations/administrations, that is another story.
 
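As an added example for the point made in the post above (this is not code from the thread or from the quoted article), the PowerShell below turns on the engine's own script-block and module logging and then hunts for exactly the case described: a PowerShell engine loaded by something other than powershell.exe, plus script blocks that contain a download cradle or an -EncodedCommand blob, which it decodes. The registry paths and event IDs are the ones Microsoft documents; the "known hosts" list and the cradle regex are my own assumptions and need tuning per environment. It must run from an elevated prompt and only reports events already present on the machine.

```powershell
# Added example, not code from the thread or the quoted article.
# Engine-level logging + a hunt for PowerShell engines started outside powershell.exe.
# Script block logging is implemented in System.Management.Automation, so it records
# script blocks run by ANY host that loads the engine (custom .NET hosts included).
# Registry keys and event IDs are Microsoft's documented ones; the regexes below are
# my own assumptions and need tuning for a given environment. Run elevated.

function Enable-PSEngineLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null
}

function Find-UnusualPSHost {
    # Event 400 ("Engine state is changed from None to Available") in the classic
    # "Windows PowerShell" log carries HostApplication = the process that loaded the engine.
    param([string]$KnownHosts = '(?i)\\(powershell|powershell_ise|pwsh)\.exe')   # assumption: tune per estate
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -MaxEvents 1000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'HostApplication=(?<app>[^\r\n]+)') {
                [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $Matches.app.Trim() }
            }
        } |
        Where-Object { $_.HostApplication -notmatch $KnownHosts }
}

function ConvertFrom-EncodedCommand {
    # -e / -ec / -enc / -encodedcommand all take a Base64 blob of UTF-16LE text.
    param([string]$Text)
    if ($Text -match '(?i)-e(c|nc|ncodedcommand)?\s+(?<b64>[A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches.b64)) } catch { }
    }
    return ''
}

function Find-SuspiciousScriptBlock {
    # Event 4104 in Microsoft-Windows-PowerShell/Operational; Properties[2] is ScriptBlockText.
    param([string]$Cradle = '(?i)(Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|FromBase64String|-e(c|nc|ncodedcommand)?\s)')
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            if ($text -match $Cradle) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Snippet = $text.Substring(0, [Math]::Min(160, $text.Length))
                    Decoded = ConvertFrom-EncodedCommand $text
                }
            }
        }
}

Enable-PSEngineLogging
Find-UnusualPSHost | Format-Table -AutoSize
Find-SuspiciousScriptBlock | Format-List
```

The check is useful precisely because script-block logging is done by System.Management.Automation, so a custom .NET host or a reflectively loaded engine is still logged (Event 4104 carries the text, Event 400 carries HostApplication). From PowerShell 5 onward the engine also logs script blocks containing suspicious keywords at Warning level even before logging is switched on. The weak spot is PowerShell v2: an attacker who can run `powershell -Version 2` sidesteps all of this, so remove the v2 feature wherever nothing depends on it.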

Danielx64
Mar 24, 2017
You don't need PowerShell access for a PowerShell-based fileless attack to execute: by using reflective DLL injection, the malware runs entirely in memory and uses .NET assemblies/libraries to start execution of the PowerShell scripts.

You can even load malware with PowerShell integrated in it if the security measures implemented by the admins are too tight.

So no, it is not BS; these are actual, known methods used by many red teams/hackers, and you will see more and more of them in the coming years...
Now, whether home users will be targeted as much as businesses/corporations/administrations, that is another story.
I guess the next step is using SRP to prevent programs/scripts from running outside Windows/Program Files etc. (and that's something that should (IMO) be done anyway), but that still wouldn't stop everything, or may be too tight for some environments.

Testing would need to be done to make sure that login scripts still work etc. (and something done to make sure that login scripts are not being tampered with).
 
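As an added example of the SRP-style restriction Danielx64 describes (this is not code from the thread), the PowerShell below builds an AppLocker policy in audit mode that allows executables and scripts only from Windows, Program Files and the logon-script share, explicitly denies the user-writable corners of the Windows folder that a plain "Allow %WINDIR%" rule would otherwise let through, dry-runs the policy against the logon scripts with Test-AppLockerPolicy, and keeps a SHA-256 baseline of those scripts so tampering shows up. The share path, the baseline file name and the list of writable folders are assumptions; the cmdlets and the policy XML schema are AppLocker's own.

```powershell
# Added example, not from the thread. Needs an AppLocker-capable Windows edition, the
# Application Identity service (AppIDSvc) running, and an elevated prompt.
# Audit first: with EnforcementMode="AuditOnly" nothing is blocked, and every file that
# WOULD have been blocked shows up as Event 8003 (EXE/DLL) or 8006 (Script) in the
# Microsoft-Windows-AppLocker logs. Switch to "Enabled" only after logon scripts and
# line-of-business apps come up clean.
# $LogonScriptShare, $BaselineFile and the writable-folder list are assumptions.

$LogonScriptShare = '\\dc01\NETLOGON'                           # assumption
$BaselineFile     = 'C:\ProgramData\logon-script-baseline.csv'   # assumption
$PolicyFile       = "$env:TEMP\applocker-fileless.xml"

# Partial list of %WINDIR% subfolders a standard user can write to. A bare
# "Allow %WINDIR%\*" rule would let anything dropped in them execute.
$WritableWinDirs = @(
    '%WINDIR%\Temp\*', '%WINDIR%\Tasks\*', '%WINDIR%\Tracing\*',
    '%WINDIR%\Registration\CRMLog\*', '%WINDIR%\System32\Tasks\*',
    '%WINDIR%\System32\spool\drivers\color\*', '%WINDIR%\System32\FxsTmp\*'
)

function New-PathRule([string]$Name, [string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

function New-FilelessPolicyXml {
    # Exe covers .exe/.com; Script covers .ps1/.bat/.cmd/.vbs/.js.
    $collections = foreach ($type in 'Exe', 'Script') {
        $rules = @(
            New-PathRule "Allow $type in Windows"        '%WINDIR%\*'           'Allow'
            New-PathRule "Allow $type in Program Files"  '%PROGRAMFILES%\*'     'Allow'
            New-PathRule "Allow $type logon scripts"     "$LogonScriptShare\*"  'Allow'
            New-PathRule "Administrators unrestricted"   '*'                    'Allow' 'S-1-5-32-544'
            foreach ($d in $WritableWinDirs) { New-PathRule "Deny $type in $d" $d 'Deny' }   # Deny beats Allow
        ) -join "`n"
        "  <RuleCollection Type=`"$type`" EnforcementMode=`"AuditOnly`">`n$rules`n  </RuleCollection>"
    }
    "<AppLockerPolicy Version=`"1`">`n$($collections -join "`n")`n</AppLockerPolicy>"
}

New-FilelessPolicyXml | Set-Content -Path $PolicyFile -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge      # local policy; push via GPO in a domain

# Dry run: would the logon scripts still be allowed for a standard user?
Get-ChildItem -Path $LogonScriptShare -Include *.bat, *.cmd, *.ps1, *.vbs -Recurse | Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $PolicyFile -User Everyone -Filter Denied, DeniedByDefault

# Tamper check: hash the logon scripts once, then diff against the baseline on each run.
function Get-LogonScriptHashes {
    Get-ChildItem -Path $LogonScriptShare -Include *.bat, *.cmd, *.ps1, *.vbs -Recurse |
        Get-FileHash -Algorithm SHA256 | Select-Object Path, Hash
}
function Compare-LogonScriptBaseline {
    if (-not (Test-Path $BaselineFile)) {
        Get-LogonScriptHashes | Export-Csv -Path $BaselineFile -NoTypeInformation
        return "baseline written to $BaselineFile"
    }
    Compare-Object -ReferenceObject (Import-Csv $BaselineFile) -DifferenceObject (Get-LogonScriptHashes) -Property Path, Hash |
        ForEach-Object { '{0} {1}' -f @{ '<=' = 'MISSING/CHANGED'; '=>' = 'NEW/CHANGED' }[$_.SideIndicator], $_.Path }
}
Compare-LogonScriptBaseline
```

Deny rules win over Allow in AppLocker, so the writable-folder list closes the obvious hole in "Allow %WINDIR%". Two caveats the post hints at: a script the Script collection does not allow is not necessarily blocked outright, because PowerShell 5 runs it in Constrained Language Mode instead, and a policy that sets only the Exe and Script collections leaves DLL and MSI unconfigured (the DLL collection is the expensive one to test, which is why it is often skipped).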

cruelsister
Apr 13, 2013
You outdid yourself with this topic, Umbra! Yes indeed, folks should be both aware and worried about "fileless" attacks. Although this crap has been around for over 15 years (remember the Code Red and Slammer worms?), there was no need to implement such things widely until the AV vendors got a Bee in their Bonnet and started implementing Machine Learning (Oh Lord, KMN). The obvious way a Kind and Gentle Blackhat can avoid such advanced file analysis routines is to use something that isn't dependent on files.

A case in point here would be the inability of Cylance to stop Umbra's favorites, Metasploit and Mimikatz, from infecting the system during the "Unbelievable Tour". Machine Learning may be a cool concept, but does not rise to the level of a corrupt Human Brain.

Yes indeed, one can increase protection from the various fileless malware thingies by stuff like precluding PS from running and doing a constant monitoring of the Registry. However if one needs to do these things isn't it apparent that you are just making up for the deficiencies in your base security solution? And have fun screwing around with protection against Windows Management Instrumentation (WMI) malware.

Just my opinion, but what do I know?
 
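As an added example of the registry and WMI monitoring cruelsister mentions (this is not code from the thread), the PowerShell below lists permanent WMI event subscriptions (filter, consumer, binding, and the command line or script they carry), dumps the Run/RunOnce keys and flags entries that launch a script engine or LOLBin with an inline or encoded payload, and removes a subscription once it has been confirmed malicious. The WMI namespace and class names are the real ones; the "suspicious" regex and the known-good filter name are my assumptions.

```powershell
# Added example, not from the thread: enumerate the persistence points a fileless
# payload typically uses (permanent WMI event subscriptions, Run keys) and flag the
# LOLBin command lines usually found there. Namespaces and class names are WMI's own;
# the "suspicious" regex and the known-good filter name are assumptions to tune.

function Get-RefName($ref) {
    # CIM returns reference properties as CimInstance objects; WMI returns object paths.
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return [string]$ref.Name }
    return ([string]$ref -replace '^.*Name="([^"]+)".*$', '$1')
}

function Get-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # all consumer subclasses
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName
        [pscustomobject]@{
            Filter   = $fName
            Query    = $f.Query                       # the trigger, e.g. a timer or process start
            Consumer = $cName
            Type     = $c.CimClass.CimClassName       # CommandLineEventConsumer / ActiveScriptEventConsumer ...
            Payload  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        }
    }
}

function Get-RunKeyEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # provider metadata, not registry values
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# Things that should make an analyst look twice: script engines and LOLBins launched
# with encoded/inline payloads, or a Run value that points back into the registry.
$Suspicious = '(?i)(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil).*' +
              '(-e(c|nc|ncodedcommand)?\s|iex|invoke-expression|javascript:|vbscript:|http|HKCU|HKLM)'

Get-WmiPersistence |
    Where-Object { $_.Filter -ne 'SCM Event Log Filter' } |   # present by default on Windows
    Format-List

Get-RunKeyEntries | Where-Object Command -match $Suspicious | Format-Table -AutoSize

# Windows 10 / Server 2016 and later also log every new permanent subscription as Event 5861.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message

function Remove-WmiSubscription([string]$FilterName, [string]$ConsumerName) {
    # Remove the binding first, then the filter and consumer it referenced.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $FilterName   | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $ConsumerName | Remove-CimInstance
}
```

Run it from an elevated prompt so HKLM and root\subscription are fully readable. Registry-resident fileless families typically show up here as a Run value that launches rundll32 or mshta with a javascript: URL that reads the real payload back out of another registry value, which is what the $Suspicious pattern is aimed at; a WMI subscription whose consumer is a CommandLineEventConsumer running an encoded PowerShell command is the other common shape.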

Deleted member 178

Thread author
You outdid yourself with this topic, Umbra! Yes indeed, folks should be both aware and worried about "fileless" attacks. Although this crap has been around for over 15 years (remember the Code Red and Slammer worms?), there was no need to implement such things widely until the AV vendors got a Bee in their Bonnet and started implementing Machine Learning (Oh Lord, KMN).
Indeed, it is not new; it wasn't much used, but it has become more popular in the last 2-3 years.

The obvious way a Kind and Gentle Blackhat can avoid such advanced file analysis routines is to use something that isn't dependent on files.
Here we are ;) then come reflective DLL injection, download cradles, and all those sweet PowerShell Metasploit tools that can be obfuscated at will...

A case in point here would be the inability of Cylance to stop Umbra's favorites, Metasploit and Mimikatz, from infecting the system during the "Unbelievable Tour". Machine Learning may be a cool concept, but does not rise to the level of a corrupt Human Brain.
And we know how corrupt red teams' minds can be :p

Yes indeed, one can increase protection from the various fileless malware thingies by stuff like precluding PS from running and doing a constant monitoring of the Registry.
However if one needs to do these things isn't it apparent that you are just making up for the deficiencies in your base security solution? And have fun screwing around with protection against Windows Management Instrumentation (WMI) malware.
That is what people seem to miss: Windows is full of vulnerabilities-by-design, which is heaven for any pentester. Windows is a house full of hidden holes that MS fixes (if they want) when they are discovered.

Just my opinion, but what do I know?
- Pray? That is easy to do but won't save you :p
- Wait for MS to remove PowerShell or Python entirely? Not likely; even praying may be more successful :p
- Do everything in a VM? Not very convenient...
- Use Qubes OS? Ummmm... maybe... but Qubes is to Linux what Linux is to Windows from the point of view of an Average Joe...
 

Azure
Oct 23, 2014
The article didn't specify. So, I'm going to ask here.

Which AV products are inefficient against fileless malware? (Probably best for Umbra not to answer this one, since I don't want him to get in trouble at his job.)
 

Deleted member 65228

Thread author
Good read, thanks @Umbra! :)

Which AV products are inefficient against fileless malware? (Probably best for Umbra not to answer this one, since I don't want him to get in trouble at his job.)
Look at products which focus dominantly on static analysis as opposed to dynamic analysis nowadays; those will be the products which are less likely to intervene and protect someone from a file-less attack.

Generally speaking, no product is "efficient" against file-less attacks. They are designed to evade modern security solutions; security solutions can mitigate attacks after they are known and attempt to block future ones, but nothing stops malware authors from performing extensive testing to ensure that their attack will be undetected by a lot of products.

Security solutions which have good zero-day protection or focus a lot on dynamic analysis nowadays, from vendors such as Avast, AVG, Emsisoft, Kaspersky and a few others, may intervene and protect the user. No product will stop them 100%, though.

As an example... Kaspersky has Application Control in their Internet Security edition. You could restrict the browser in what operations it can perform on the system, and thus if a file-less attack for remote code execution is deployed, the malicious code executing within the browser due to this very rare exploit, developed by someone very experienced, may fail to actually execute the payload simply due to the restrictions. In this example, even though the exploit was deployed successfully, the payload for the file-less attack failed.
 

Daljeet
Jun 14, 2017
I'm worried. Before using my computer I don't want to become the victim of malware, and fileless malware is challenging AV vendors, but in the end the good people win. But creating any malware antidote is a long process, like I saw with WannaCry (because analysis can take time: how the malware works, which sector it's infecting and which vulnerability it is using). I don't want to become the victim of malware, and especially not the first one. I'm not using it, but I hope my AV provides me protection against this malware. @Umbra, very good article; I love to read these types of articles very much. This can use an extension to infect the user with almost hidden malware. I can protect my computer if I do major checks and monitor my computer's processes and connections.
 

Deleted member 178

Thread author
In fact, what should be considered, and what is often ignored, is the concept of the attack chain.
Complex malware, whatever it is, doesn't do all its malicious tasks at once; it often follows steps, or more accurately "stages" (i.e. execution > exploitation (which can be multiple) > persistence).

Now, products, based on how their modules are implemented/designed, may kick in at certain points in the attack chain, but all is based on how the malware proceeds and what it is supposed to do; if the malware is out of the scope of the security solution, there is not much to block. Fortunately, most fileless malware has a purpose (ransomware, data collection, remote connection to the attacker, etc...) and may be caught (or not) by security solutions while perpetrating that purpose.

It is why hackers/red teams try to obfuscate their malware as much as possible.
 

509322

Thread author
However if one needs to do these things isn't it apparent that you are just making up for the deficiencies in your base security solution? And have fun screwing around with protection against Windows Management Instrumentation (WMI) malware.

Just my opinion, but what do I know?

Microsoft itself advises not to allow these things to run if they are not needed as part of best practices. The problem is, Microsoft routinely tells that only to Enterprises, government agencies and their Admins, but does not tell anybody else. Microsoft puts out advisory after advisory to disable processes to reduce attack surface. It is a recommended best practice. I don't see how that practice should not be used by home users - particularly home users.

Microsoft is to blame for shipping a bunch of vulnerable stuff that is not needed by most users in its general OS. The attack surface is there because of what Microsoft put in it. No one else is to blame for Microsoft's own poor security except for Microsoft itself. 3rd-party security soft publishers should not be blamed for not fixing Microsoft's massive pile of garbage. Microsoft does what it wants, unilaterally - without any coordination or input from the industry, and Microsoft routinely disregards the industry - and that is one of the primary reasons for the critical state of Windows security.

If you want to blame someone for the current state of Windows security, then you need look no further than Microsoft itself. Windows security was never handled properly from the very beginning - a lot of things were never handled correctly from the very beginning - and now we find ourselves where we are at.

Don't blame 3rd-party vendors for Microsoft's own mistakes.

That's my opinion.
 

shmu26
Jul 3, 2015
@Opcode: a question, would Sandboxie be helpful
Yes, Sandboxie would be very helpful to prevent fileless attacks, but, of course, only for the apps that you are running in sandbox.
For more general protection, use a good anti-exe or software restriction policy.
Comodo, just as one example, has a decent list of vulnerable processes, but most of them are partially disabled by default. You have to tweak it a bit.
ReHIPS gives you both sandboxing and vulnerable process protection, all in one package.
There are other solutions, this is just a couple ideas.
 

509322

Thread author
Yes, Sandboxie would be very helpful to prevent fileless attacks, but, of course, only for the apps that you are running in sandbox.
For more general protection, use a good anti-exe or software restriction policy.
Comodo, just as one example, has a decent list of vulnerable processes, but most of them are partially disabled by default. You have to tweak it a bit.
ReHIPS gives you both sandboxing and vulnerable process protection, all in one package.
There are other solutions, this is just a couple ideas.

What would be most effective for the user that knows nothing about security is not to use Windows, but instead use Chromebook instead. The typical Windows user doesn't need Windows, but would much better served by Chromebook - and not use Android Apps - but "users want to use stuff" and they will just mess that option up all by themselves too.
 

bribon77
Jul 6, 2017
Yes, of course, you can add certain Windows vulnerabilities to Comodo. But the source of infection would be the Internet, whether Facebook, YouTube or email, or simply browsing. But if it does, the malware will virtually not get to your system (I say). Thanks for the answer, friend.
 

509322

Thread author
The IT security press reports things in a way that creates panic among the average Joe - who doesn't know any better and cannot make sense of most of what is being reported. All Average Joe knows is something bad has happened and he needs to protect himself because the IT security press reported something bad happened (but IT security press did not explain whether Average Joe consumer is at risk or not) - so the IT security press is absolutely guilty of fear mongering.

They have been doing this for years, they have been confronted about it for years, they have been criticized about their methods for years - and haven't changed their practices, and they are not going to change. Blowing things out of proportion is in their financial interests.
 
