Memory-Only Malware: Look Mom, No Files!

Thursday, September 09, 2010

Pascal Longpre


It always strikes me, when I look at current security solutions, how things have stayed the same over the last 12 years, since I started working in the computer security field.

This is especially true when looking at desktop computers in large corporations. Most of them still rely on a good old signature-based antivirus as their only protection. The signature detection method made sense when you had a few thousand malware samples.

But it has become way less reliable since the number of new signatures released yearly exceeds a million.

For the last three years, since we began researching and developing ECAT, our flagship detection product, we’ve come across more and more advanced malware that lives in memory only. No files are ever written to disk.

Since A/V solutions rely on file filtering to detect malware patterns, they’ve become mostly useless at detecting and blocking these kinds of threats, even when the threats are made public.

The Metasploit penetration testing framework is a perfect example of this: an attacker can fool a victim into visiting a website that will exploit a vulnerability in the browser or one of its plug-ins like Acrobat Reader (just Google "Operation Aurora" for real-life examples).

Once this is done, the malware payload, Meterpreter, uses the target application as a host and lives within its memory space. Meterpreter offers the attacker the ability to migrate its code to another active process and to upload plug-ins that can be used to elevate privileges or to move laterally within the network.

The method used to load the code is called "reflective loading" in the Metasploit world. We refer to it as "floating code".

It is similar to the loading of DLLs (Dynamically Loaded Libraries) but doesn’t require a file on disk.

Detecting these attacks is not easy and requires a completely different approach than the one used by signature-based products, since no files are used.

Live memory analysis tools like GMER and Rootkit Unhooker will help you investigate systems identified as potentially affected. Unfortunately, using these manual tools is not practical on hundreds of enterprise systems. The threats we face with this kind of attack are real and present.
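As an added illustration of the memory-only detection approach the last two paragraphs describe (example code written for this page, not ECAT's code or anything from Silicium Security): a Python triage routine that walks a process's memory regions and flags executable ones that no file on disk backs, then checks whether such a region still carries the PE header a reflectively loaded DLL usually keeps. The constants and region fields mimic what VirtualQueryEx reports on Windows; the region list itself is constructed, and the `Region`, `triage` and `fake_pe` names are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows memory constants from winnt.h, as reported per region by VirtualQueryEx.
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
MEM_IMAGE = 0x1000000                          # backed by a mapped executable file on disk
MEM_PRIVATE = 0x20000                          # VirtualAlloc / heap memory, no file behind it


@dataclass
class Region:
    base: int
    protect: int
    mem_type: int
    mapped_file: Optional[str]   # path of the backing image, None for private memory
    head: bytes                  # first bytes at `base`, as a scanner would read them


def is_floating(r: Region) -> bool:
    """Executable memory that no file on disk backs: the 'floating code' pattern."""
    return bool(r.protect & PAGE_EXECUTE_MASK) and r.mem_type != MEM_IMAGE and r.mapped_file is None


def has_pe_header(head: bytes) -> bool:
    """Reflective loaders copy the whole DLL image, so an MZ/PE header at base is a strong hint."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")   # offset of the 'PE\0\0' signature
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage(regions: List[Region]) -> List[Tuple[int, str]]:
    """Return (base, verdict) for every floating region, PE-carrying ones first."""
    findings = []
    for r in regions:
        if is_floating(r):
            verdict = "floating PE image" if has_pe_header(r.head) else "executable private memory"
            findings.append((r.base, verdict))
    return sorted(findings, key=lambda f: f[1] != "floating PE image")


def fake_pe() -> bytes:
    """Constructed minimal image: 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    img = bytearray(0x100)
    img[:2], img[0x3C:0x40], img[0x80:0x84] = b"MZ", (0x80).to_bytes(4, "little"), b"PE\0\0"
    return bytes(img)


# Constructed region list mimicking a VirtualQueryEx walk of one browser process.
SAMPLE = [
    Region(0x7FF6A0000000, 0x20, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll", fake_pe()),  # legit DLL
    Region(0x00C30000, 0x40, MEM_PRIVATE, None, fake_pe()),          # reflectively loaded DLL
    Region(0x00D40000, 0x40, MEM_PRIVATE, None, b"\x90" * 0x100),     # bare shellcode stub
    Region(0x00E50000, 0x04, MEM_PRIVATE, None, b"\x00" * 0x100),     # ordinary PAGE_READWRITE heap
]
```

`triage(SAMPLE)` reports the private PE image at 0x00C30000 first and the bare executable stub at 0x00D40000 second, while ntdll.dll and the plain heap are left alone; on a live host the same logic runs over regions read from the target process, and JIT compilers or packers can produce benign hits, so the verdicts are triage leads rather than convictions.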

The Metasploit framework can be freely downloaded and used by a sixteen-year-old with very little prior knowledge.

Most security products are useless against it, and considering the recent increase in browser and Adobe plug-in vulnerabilities, securing corporate networks from these attacks now requires a different approach from the traditional ones.

Cross posted from Silicium Security

Ray Tan: We cannot rely on signature-based antivirus for our security any more.
Antivirus cannot detect those unknown viruses and attacks such as DDoS attacks, TCP SYN floods and so on.
shawn merdinger: I'd say younger than 16 can easily ramp up on Metasploit. With the Web version a monkey with a pulse can hose your box.
Sergiy Shabashkevich: > securing the corporate networks from these attacks now requires a novel approach than the traditional ones.

HIPS is the answer.