Fileless malware, also known as non-malware or memory-resident malware, is a threat that has grown a lot more prevalent since around 2014 because of how well it slips past traditional defences. The idea itself is older: memory-only worms such as Code Red (2001) and SQL Slammer (2003) never touched the disk either. In short, it is malware that doesn't bring a program file of its own, compared to the more usual approach of dropping a malicious executable onto the hard drive of your computer and running it from there. How can a malicious program run without being installed on your computer? There are three common ways, but they all boil down to abusing legitimate tools already installed on the computer (PowerShell, Windows Script Host, the registry, and so on) to do the malicious work. Why is that potentially more dangerous than regular malware? Because traditional file-scanning antivirus software has nothing on disk to scan, so it is detected far less often. As usual, no prior computer science education is needed. Feel free to send questions if there's something you don't understand. :)
How does fileless malware infect computers? Mostly through exploit kits (which I wrote more about here), which look for weaknesses in software you already have installed, such as Flash or Java, and through documents carrying malicious macros. Once the exploit has code running inside the vulnerable program, the malware runs with whatever rights that program has (usually yours, sometimes administrator) and uses built-in tools such as PowerShell or Windows Script Host to modify settings, download more malware such as ransomware, or harvest information from you. Not uncommonly, zero-day vulnerabilities (which I wrote more about here) are abused to get that first foothold. Since no executable was downloaded and written to the hard drive, there is no file for traditional antivirus software to scan; only behaviour-based or memory-scanning tools have a chance of noticing. So once in the computer, how does the fileless malware stay there? Usually in one of three ways:
The first is the Windows registry. The registry is sort of like a library where programs, and Windows itself, store their settings and preferences. Fileless malware stores its own code (typically an encoded PowerShell or JavaScript snippet) in a registry value, and adds an autorun entry that tells a legitimate Windows program such as powershell.exe, mshta.exe or rundll32.exe to read that value and run it every time you log in. Poweliks (2014) worked exactly this way. The only thing on disk is the registry database, which legitimately contains all sorts of text, so the malicious code hides in plain sight, effectively pretending to be part of legitimate software.
The second is memory-only malware, which is only ever present in the RAM. The RAM is like a computer's short-term memory, where all the currently running programs keep their working data; it is an ever-changing place which is cleared completely on each reboot. Malware that lives only in RAM therefore disappears at the next reboot, but it may already have done its damage, or set up one of the other persistence tricks, before that happens. Strictly speaking, what lives in RAM is running code rather than files, and antivirus software can scan memory too, but that is much harder and slower than scanning the hard drive, so many products do it poorly or not at all.
The third isn't a completely fileless type of infection, as it relies on a piece of software known as a rootkit, which is very dangerous and close to impossible to detect, almost like an invisibility cloak for software. A rootkit runs with administrator (or even kernel) privileges and hides whatever it has been ordered to hide: files, processes, registry keys, network connections. This means it can keep malware running in the background completely unnoticed by you and by antivirus software. It's very difficult to detect these attacks, since the rootkit naturally also hides itself; the usual way is to inspect the disk from a clean boot medium, where the rootkit isn't running.
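To make the registry trick (the first of the three ways above) concrete, here is a small checker, written for this post and not part of the original article or of any product, that looks at autorun entries the way a defender would: it flags entries whose launcher is a built-in Windows program being handed an encoded or hidden command, decodes PowerShell's -EncodedCommand payload (UTF-16LE text, base64-encoded), and reports why each entry looks suspicious. The Run-key entries it scans are constructed samples, not captured from a real machine; the launcher list and the patterns are a starting heuristic, not a complete detection.

```python
import base64
import re

# Built-in Windows binaries typically abused to launch a payload that lives in
# the registry rather than in a file ("living off the land"). Assumed starting list.
LAUNCHERS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "cmd.exe",
}

# Each pattern is paired with the reason reported when it matches.
INDICATORS = [
    (re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-nop\b|-noprofile\b", re.I), "profile suppressed"),
    (re.compile(r"Invoke-Expression|\biex\b", re.I), "Invoke-Expression"),
    (re.compile(r"Get-ItemProperty|\bgp\b|RegRead|HKCU[:\\]|HKLM[:\\]|HKEY_", re.I), "reads registry at run time"),
    (re.compile(r"javascript:|vbscript:", re.I), "script: protocol handler"),
]


def encode_command(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = re.search(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def launcher_of(cmdline: str) -> str:
    """Lower-cased file name of the program an autorun value starts (quoted or not)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    path = (m.group(1) or m.group(2)) if m else ""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse_entry(name: str, cmdline: str) -> dict:
    """Score one autorun value: a LOLBin launcher plus at least one indicator is suspicious."""
    exe = launcher_of(cmdline)
    reasons = [why for pat, why in INDICATORS if pat.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        # Indicators inside the decoded script count too, so -enc cannot hide them.
        reasons += [why for pat, why in INDICATORS if pat.search(decoded) and why not in reasons]
    return {
        "name": name,
        "launcher": exe,
        "reasons": reasons,
        "decoded": decoded,
        "suspicious": exe in LAUNCHERS and bool(reasons),
    }


def scan(entries):
    """Return the analyses of the entries that look like registry-hosted persistence."""
    return [r for r in (analyse_entry(n, v) for n, v in entries) if r["suspicious"]]


# Constructed sample of HKCU\...\Run values (not captured from a real machine).
# The malicious one launches PowerShell hidden and tells it to pull a second
# stage out of another registry value and run it with Invoke-Expression.
PAYLOAD = "iex (gp 'HKCU:\\Software\\Classes\\Local Settings\\x').stage"
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    ("WindowsUpdateCheck", "powershell.exe -nop -w hidden -enc " + encode_command(PAYLOAD)),
    ("x", r"mshta.exe javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\Software\Classes\x\p'))"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RUN_VALUES):
        print(f"[!] {hit['name']}: {hit['launcher']} -> {', '.join(hit['reasons'])}")
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
```

On a real machine you would feed it the values under HKCU and HKLM `Software\Microsoft\Windows\CurrentVersion\Run` (and RunOnce), or the output of an autoruns export. The two Microsoft entries come out clean because their launcher is not one of the abused system tools; the PowerShell entry is reported for its hidden window, suppressed profile and encoded command, and, once the payload is decoded, also for reading the registry and calling Invoke-Expression.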
To sum it up, you can get infected (without knowing it) by visiting a website loaded with an exploit kit, or by opening a booby-trapped document, which silently deploys fileless malware through vulnerable software like Flash, Java or Microsoft Word; the malware then stays hidden from your antivirus software by never writing itself to the hard drive, or by bringing a rootkit along to cloak it like an invisibility cloak.
So how can you protect yourself against fileless malware attacks? That's a tricky question, because you can't rely on antivirus alone. As I mentioned, traditional antivirus software is usually unable to detect these infections, and you yourself probably won't notice them until it's too late. Your best bet is to always keep your system updated, since the updates patch the security flaws that let fileless malware get in, and to remove or disable software you don't need, Flash and the Java browser plugin in particular. Beyond that, keep Office macros disabled (or set to ask before running), and if you are comfortable doing so, turn on PowerShell script block logging so that any script that does run, encoded or not, leaves a record that you or a security tool can review.