{"id":6385,"date":"2016-12-19T18:02:51","date_gmt":"2016-12-19T23:02:51","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=6385"},"modified":"2020-02-26T11:11:08","modified_gmt":"2020-02-26T16:11:08","slug":"bodiless-malware-how-it-works","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/bodiless-malware-how-it-works\/6385\/","title":{"rendered":"Bodiless malware: How it works"},"content":{"rendered":"<p>In our <a href=\"https:\/\/www.kaspersky.com\/blog\/bodiless-threat\/6128\/\" target=\"_blank\" rel=\"noopener nofollow\">previous article on this topic<\/a>, we looked into the history of memory-only attacks, also taking a glance at attack scenarios and appropriate defensive technologies. Now it is time for a deeper look at the kill chains of such attacks \u2014 and also at the range of Kaspersky Lab\u2019s Next Gen technologies and solutions to effectively counter them.<\/p>\n<h3>Initial penetration<\/h3>\n<p>The most common scenario for bodiless malware to infect a target system involves a malicious Web resource hosting exploits. The resource may be one created with malicious intent or a legitimate site that has been compromised. Phishing messages are a common means of luring people to such resources. Or, if criminals can compromise popular websites, they don\u2019t have to trick anyone into visiting. They may also target sites frequented by employees of certain industries in the hope of getting access to a particular kind of data. Or they can even hunt for staff members of a previously chosen target company, using well-crafted spear-phishing e-mails. In any case, their targets are users with unpatched \u2014 or as yet unknown (zero-day) \u2014 vulnerabilities in their software. 
The malicious code uses those vulnerabilities to execute the attackers\u2019 code on their machines.<\/p>\n<p>Regardless of the attackers\u2019 final goal, the hosted exploit starts by injecting code into a process running on the target machine. Malware components are downloaded and launched directly in the machine\u2019s memory, without ever touching the file system. As with more typical drive-by infections, this process doesn\u2019t require any action from the user, and unless the user\u2019s security solution uses advanced detection mechanisms, there is usually no indication that anything out of the ordinary is happening.<\/p>\n<h3>Horizontal movement<\/h3>\n<p>What happens at the next stage varies. If the infected system is the end target, the malware performs the actions it was programmed to perform and, with the next reboot, disappears without a trace.<\/p>\n<p>Then again, the plan may require going deeper into the corporate infrastructure, involving access to different machines and data. One common technique uses particular remote code execution (RCE) vulnerabilities to allow the malware to move horizontally. Or, for example, after successful privilege escalation, it can use PowerShell remoting commands to perform RCE in a way recognized as legitimate.<\/p>\n<h3>Persistence<\/h3>\n<p>If the attackers count persistence among their goals, they can attain it with relative ease \u2014 provided a critical mass of compromised systems exists on the network. Memory-resident malware disappears when the computer is rebooted, but as long as some infected systems \u2014 which can include servers and domain controllers \u2014 remain powered on and connected, they will reinfect the other systems as those reboot.<\/p>\n<h2>Chasing shadows<\/h2>\n<p>The effect of \u201cfilelessness\u201d on the overall detection capability of a given security system can be rather unsettling. 
Without any signs \u2014 even temporary ones \u2014 left at the file system level, many detection techniques are useless. Even the most sophisticated multifactor structural heuristics need an object to evaluate. Some scenarios are especially vulnerable: For example, agentless security solutions for virtualized environments lack access to the protected virtual machines\u2019 RAM because of API limitations.<\/p>\n<p>Also, bear in mind that certain incident response activities, such as performing digital forensics on an affected system or obtaining samples for malware analysis, become considerably less effective if conducted by internal ITSec staff unfamiliar with the specifics of this type of malware.<\/p>\n<h2>Catching the shadow<\/h2>\n<p>There\u2019s nothing magical about bodiless malware, and some countermeasures are effective against it. But, as with any other kind of advanced malware, catching it requires a comprehensive approach. Best practices mandate a multilayered security approach \u2014 which you will find in Kaspersky Lab\u2019s security solutions and technologies. Let us take a brief look at how such an approach works.<\/p>\n<h3>URL reputation and anti-phishing<\/h3>\n<p>Malicious links launch bodiless malware into the corporate infrastructure, and attackers will use any means to direct their victims to these insidious URLs.<\/p>\n<p>Therefore, the first countermeasure is preventing users from opening such resources. When they arrive by e-mail, Kaspersky Anti-Spam catches them, using a variety of factors. For example, URLs in incoming messages are checked against our extensive, cloud-powered database. 
Any URLs known to be malicious, including those encountered by Kaspersky Security Network participants, are immediately blocked.<\/p>\n<p>In cases of well-crafted spear-phishing or drive-by infection attempts at previously unknown or newly compromised legitimate websites, heuristic anti-phishing analyzes the linked page and, if it encounters anything suspicious (malicious scripting, illegitimate redirects, etc.), blocks the site.<\/p>\n<h3>Vulnerability assessment and patch management<\/h3>\n<p>Exploiting vulnerabilities in users\u2019 software is a bodiless infection\u2019s bread and butter. In fact, that is also true of the majority of other malware. Scores of new vulnerabilities are discovered every day, many of them critical vulnerabilities that allow the execution of arbitrary code on the attacked system.<\/p>\n<p>Monitoring software vulnerabilities throughout an entire corporate infrastructure is one of IT security\u2019s most complex tasks, and it requires proper monitoring and automation tools. The Kaspersky Systems Management toolset includes both vulnerability assessment and automated patch management tools, giving the administrator a constant, clear view of the state of installed software \u2014 and the ability to apply updates and patches quickly and conveniently, with the most important ones automatically given the highest priority. Such an automated approach saves much time and effort for busy IT staff and IT security officers.<\/p>\n<h3>Automatic exploit prevention<\/h3>\n<p>Still, according to the principle of multilayered security, automated patching alone is not sufficient for maintaining adequate security. 
Some business processes, for example, may require postponing patching, leaving a window open for an attack.<\/p>\n<p>Among many other security layers, <a href=\"https:\/\/www.kaspersky.com\/business-security\/small-to-medium-business\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/virtualization-light-agent\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Virtualization | Light Agent<\/a> contain <a href=\"http:\/\/media.kaspersky.com\/pdf\/kaspersky-lab-whitepaper-automatic-exploit-prevention.pdf\" target=\"_blank\" rel=\"noopener nofollow\">Automatic Exploit Prevention (AEP)<\/a> technology, which can discern suspicious actions characteristic of exploits and block them immediately. It is worth noting that AEP can stop even zero-day exploits targeting previously unknown vulnerabilities \u2014 the scope of activities surrounding the exploitation of vulnerabilities remains rather limited and, therefore, predictable when approached with a profound knowledge of the threat landscape.<\/p>\n<h3>Behavioral analysis by System Watcher<\/h3>\n<p>With bodiless malware leaving no trace at the file system level, the only way to catch it at the endpoint level is by watching the behavior of the processes running in the machine\u2019s RAM. <a href=\"https:\/\/www.kaspersky.com\/business-security\/small-to-medium-business\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security<\/a> and <a href=\"https:\/\/www.kaspersky.com\/business-security\/virtualization-light-agent\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Virtualization | Light Agent<\/a> contain an advanced security layer called System Watcher, which does exactly that, discerning suspicious patterns in the activity of running programs. For example, a Web browser trying to inject code into a neighboring process is very odd. 
Putting together several suspicious actions enables System Watcher to form a reliable judgment of the process\u2019s maliciousness and block it if necessary. New behavior indicators are continuously sought and new patterns assembled on Kaspersky Lab\u2019s premises with the help of constantly running machine-learning processes. In the meantime, a constant link to Kaspersky Security Network helps to verify the verdicts obtained, ensuring the lowest false positive (FP) rate possible.<\/p>\n<h3>Beyond endpoints: Advanced detection solutions<\/h3>\n<p>Despite all of these precautions, a wise security specialist never rules out the possibility of an endpoint becoming infected. And even malware that leaves no trace within infected machines\u2019 file systems can be spotted by its activities within a corporate network.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/anti-targeted-attacks\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Anti-Targeted Attack Platform<\/a> is an advanced detection solution that is more than capable of spotting and analyzing such activity. Comprising multiple security layers of its own, it lists among its features the Targeted Attack Analyzer, which receives network traffic metadata from network and endpoint sensors across the whole IT infrastructure and compares the resulting picture to a normal baseline. For example, attempts to communicate with Internet addresses that are considered unusual for this particular infrastructure trigger an immediate alarm: It\u2019s a reason to perform a thorough check of the source machine.<\/p>\n<h2>Conclusion<\/h2>\n<p>Despite some attempts to spread fear, uncertainty, and doubt, steering people and businesses toward purchasing dubious \u201csilver bullet\u201d solutions, memory-based malware remains just one technique among the plethora of tricks employed by cybercriminals. 
Yes, such malware can be called advanced compared with more ordinary strains, but a <a href=\"https:\/\/www.kaspersky.com\/true-cybersecurity?redef=1&amp;reseller=gl_truecs_acq_ona_smm__onl_b2b_blog_ban_______\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">True Cybersecurity<\/a> strategy can fight it effectively.<\/p>\n<p>IT security should be as dynamic as the threat landscape \u2014 perhaps even more so \u2014 never resting, always striving to improve its position. For that, much work is needed: educating staff, having a reliable source of security intelligence, and being able to receive timely help from experts.<\/p>\n<p>For all of this, Kaspersky Lab can become a unified entry point, providing everything required for a truly comprehensive IT security strategy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In our previous article on this topic, we looked into the history of memory-only attacks, also taking a glance at attack scenarios and appropriate defensive technologies. 
Now it is time<\/p>\n","protected":false},"author":610,"featured_media":15279,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[2467,36,2642,422,2483],"class_list":{"0":"post-6385","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-bodiless","10":"tag-malware-2","11":"tag-next-gen","12":"tag-threats","13":"tag-true-cybersecurity"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bodiless-malware-how-it-works\/6385\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bodiless-malware-how-it-works\/6385\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bodiless-malware-how-it-works\/6385\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/bodiless\/","name":"bodiless"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/6385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=6385"}],"version-history":[{"count":13,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/6385\/revisions"}],"predecessor-version":[{"id":33745,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/6385\/revisions\/33745"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15279"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=6385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=6385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=6385"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}