Fileless malware detection

Discussion in 'other anti-malware software' started by aigle, Dec 3, 2014.

  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, I am curious to know which types of products are good for fileless malware detection.

    - Conventional AV that scans only disk reads and writes might fail, as there are no files written to disk?

    - Classical HIPS - will they give some sort of pop-up alert about malware injection?

    - Sandboxes - they will probably keep the system clean, but data might be stolen?

    - Anti-Exploit software - I think they might be best at such detection?

    Does anyone have a solid insight here? Please share.

    http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3510
     
  2. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    1,640
    Location:
    Toronto, Canada
    You are right, in that the best method to mitigate this kind of attack vector would be Anti-Exploit, since exploitation of a running process is what is happening here. I am not sure, though, whether traditional Anti-EXE or whitelisting would help here, as an attacker might try to hook into the whitelisted application (code injection, remote-thread execution) and then force a CreateProcess() from within it.
     
  3. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
    You are correct, these types of infections from Angler Exploit Kit and Poweliks are typically bypassing AV, anti-EXE and whitelisting. The best bet to detect and block these attacks is anti-exploit.

    Some interesting reading:
    https://blog.malwarebytes.org/exploits-2/2014/09/fileless-infections-from-exploit-kit-an-overview/
    http://malware.dontneedcoffee.com/2014/08/angler-ek-now-capable-of-fileless.html
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
    I also recommend the video in the malwarebytes blog post by Jerome Segura, one of our researchers. In the video you can see the traditional Angler EK infection vs the file-less infection alongside an anti-EXE.
    https://youtube.com/watch?v=1LYs9pHQnm0
     
  5. guest

    guest Guest

    Okay, anti-exploits passed the filter, but what about classical HIPS and restricted sandboxes?
     
  6. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
    My guess is they'll be bypassed just as anti-EXE is bypassed, but you should test it yourself. Kafeine has the Fiddler capture of the file-less Angler EK available on his blog. Simply export/dump the files to disk and serve them from an apache/nginx server to your test VM.
     
  7. guest

    guest Guest

    Sorry, I am lacking the required capability to do my own test. But my thinking is that if the user doesn't default-allow all types of permissions la la la to trusted apps (for CHIPSes), or limits the access of apps in restricted environments (for sandboxes), that might actually do the job.
     
  8. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
    The bottom line is that the payload will run, which is less ideal than the exploit being detected and the payload not ever running.

    Keep in mind that even if sandboxed, if your browser is popped by this or any other exploit, you should consider your browsing sessions compromised and everything you do within those sessions (entering passwords on a website, emails, banking, etc.) should be considered at risk.
     
  9. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Is the launching server necessary?
    I just tried it before with Fiddler's AutoResponder, and at least MBAE warned about & blocked the exploit.
    I may be wrong though.
     
  10. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
    You're right, you can also use Fiddler's AutoResponder. Saving to a local webserver is easier if you want to have multiple EKs being served in order to automate testing, testing different versions of the same kit, etc.
     
  11. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for clarifying.
    I will do it some day, but it has been a long time since I removed my LAMP server on the VM, as I rarely used it, and I'm too lazy to set it up again.
    Anyway, thankfully there are many capable people here, and I can still use Fiddler with AutoResponder; it's handier.
     
  12. guest

    guest Guest

    Ah, okay. So my ol' A-Z intrusion chain analogy should come into effect again. :D
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,217
    Everyone should test both properly configured Google Chrome and properly configured Sandboxie against these exploits to actually see how tough these restricted sandboxes truly are and whether they offer any kind of protection against these exploits (including file-less Metasploit)...
     
  14. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I guess advanced HIPS like Comodo Defense Plus might give an alert about memory injection. But I am not sure. I wish someone could test it.
     
    Last edited: Dec 4, 2014
  15. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi, if you test Comodo Defense Plus, please do post your results.
     
  16. SanyaIV

    SanyaIV Registered Member

    Joined:
    Oct 17, 2013
    Posts:
    238
    I am also interested in Comodo Internet Security HIPS and Sandbox tests.

    I read above about "Fiddler's AutoResponder"; would using this accurately test the defense? Is said tool/application in any way malicious, or is it more like a leaktest? If it's more like a leaktest I could try it myself if anyone could tell me where to get it, but I don't like running actual malware on my machine on purpose.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I am also interested, but it seems the testing is a bit difficult. Who will bell the cat?
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Can you perhaps give examples of malware that's able to bypass protection from HIPS? It's still not clear to me how malware that's running in-memory only can actually do any damage. Would ransomware and (banking) trojans be able to run correctly inside some exploited process? By that I mean without them having to load files on disk and execute a separate process.
     
  19. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,175
    Location:
    USA
  20. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, I've read those, but my point is that the only thing they seem to do is download and execute other malware to infect systems, and those will be stopped by HIPS. So it seems like malware that's running in-memory only can't do damage by itself: it would not be able to hijack the browser to steal money (banking trojans), and it would not be able to encrypt any files (ransomware). They can't do that from inside the exploited process without help from other malware running as a separate process, if I'm correct.
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I tried a lot, but I am unable to run the malware. Not sure how it can be run unless I have some live exploit URLs. :(
     

    Attached Files:
    • 1.JPG (143.3 KB)
  22. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I have tried again with but I am not sure if I was able to inject IE. It seems I did, but I am not sure. Can any expert confirm? BTW, no peep from Defense Plus and Malwarebytes Anti-Exploit. GesWall seems to have failed as well. But I am not sure of anything.
     

    Attached Files:
    • 2.JPG (102.6 KB)
    • 3.JPG (102.6 KB)
    • 5.JPG (133.3 KB)
    • GesWall log.txt (1 KB)
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    @SanyaIV
    Fiddler is a local proxy usually used to monitor & capture web traffic. One of its advantages is that it can capture SSL traffic too, by MITM.
    But it can also be used for exploit testing as it has AutoResponder, which, as the name suggests, can automatically simulate a server response.
    So it's not a malicious program, and the exploit packet itself is not malware either; however, it can be dangerous.

    @aigle I posted a how-to in the MBAE thread, please refer to it.
    It seems from your first pic that you haven't imported the traffic, because your right pane only has one line.
    Also note, the most important step is correctly setting up a vulnerable system.
    Those exploit kits are often case sensitive, so whenever you can, first look up what version of the vulnerable program is needed for your exploit. If I can't look it up first, I use Norton's IPS & browser protection, as they give the CVE number and so I can determine what program is needed.

    Finally, in this case any process explorer or the like is useless if you only look at spawned processes. Memory-only means the exploit is done inside your compromised legitimate process, such as iexplore.exe, so you have to look inside the memory. However, that requires some expertise, so I rather recommend using MBAE to see that the exploit was done, i.e. first disable CIS protection and enable MBAE and confirm it blocks the exploit, next disable MBAE and enable CIS.

    But I expect that Comodo won't prevent this type of exploit, as it is done within the compromised process and in theory doesn't need to inject anything into another process. Sorry, I'm not so intimate with Comodo, and that test requires that I first roll back my system, set up a vulnerable system, and configure Comodo's HIPS, so I leave the test to you or anyone else. Of course, however, I'll reply if you have questions; at least I'm free today, though I can't reply tomorrow (in my local time).
    [EDIT: now I remember old Comodo had a memory firewall. So IDK whether Comodo can block it.]
     
    Last edited: Dec 5, 2014
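The "look inside the memory" step mentioned in the post above, as an added example (not code from the thread, from MBAE, Comodo or any other product named here): a memory-only payload running inside iexplore.exe or firefox.exe has to live in memory that is executable but is not mapped from a DLL or EXE on disk, so a first-pass triage is to list the process's regions and flag executable ones that are private (or writable at the same time). The listing format parsed here is a constructed, simplified one (base, size, protection, type, optional path) and the sample map is made up; neither is the output of any real tool.

```python
"""Flag executable memory regions in a process map that are not backed by an
image on disk - the classic first-pass heuristic for memory-only payloads.

Added example, not from the forum thread or any product it mentions. The
input format (base size protect kind [path]) is a constructed, simplified
listing, not the output of a real memory-map tool.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Region:
    base: int       # start address of the region
    size: int       # length in bytes
    protect: str    # subset of "RWX" as a memory-map tool would show it
    kind: str       # "image" (mapped EXE/DLL), "mapped" (data file), "private"
    path: str = ""  # backing file for image/mapped regions, "" for private


def parse_map(text: str) -> List[Region]:
    """Parse the constructed listing: one region per line, whitespace
    separated; the optional path is last and may contain spaces."""
    regions = []
    for line in text.strip().splitlines():
        parts = line.split(None, 4)          # maxsplit keeps path spaces intact
        base, size, protect, kind = parts[:4]
        path = parts[4] if len(parts) == 5 else ""
        regions.append(Region(int(base, 16), int(size, 16), protect, kind, path))
    return regions


def is_suspicious(r: Region) -> bool:
    """Executable memory that is not part of a loaded image (private memory or
    a data-file mapping), or that is writable and executable at once (RWX)."""
    executable = "X" in r.protect
    not_image = r.kind != "image"
    writable = "W" in r.protect
    return executable and (not_image or writable)


def scan(regions: List[Region]) -> List[Region]:
    """Return the regions worth a closer look, in address order."""
    return [r for r in regions if is_suspicious(r)]


def report(text: str) -> List[str]:
    """One finding line per flagged region; returned rather than printed so
    callers can log, assert or feed it to other tooling."""
    return [
        f"{r.base:08x} {r.size:08x} {r.protect:<3} {r.kind:<7} "
        f"executable memory not backed by an image"
        for r in scan(parse_map(text))
    ]


# Constructed sample map of a browser process: normal image and heap regions
# plus two regions of the kind a reflectively loaded payload leaves behind.
SAMPLE_MAP = r"""
00400000 00100000 RX  image   C:\Program Files\Internet Explorer\iexplore.exe
77000000 00180000 RX  image   C:\Windows\System32\ntdll.dll
00600000 00020000 RW  private
03a00000 00001000 RWX private
03b00000 00020000 RX  private
7f000000 00010000 R   mapped  C:\Windows\Fonts\arial.ttf
"""

if __name__ == "__main__":
    for line in report(SAMPLE_MAP):
        print(line)
```

Two regions are flagged on the sample (the RWX stage at 03a00000 and the RX private region at 03b00000); ordinary heap (RW) and image-backed code (RX image) pass. On a real browser the JavaScript JIT also allocates private executable memory, so in practice this filter is a triage step that needs an allowlist for known JIT allocations and a follow-up check of the flagged bytes (for example, looking for a PE header), not a verdict on its own.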
  24. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Ok, thanks. Regarding the first pic, I probably did not inject IE. What is your opinion about the other screenshots?
     
  25. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    He already explained.
    If no other measure was taken, a mem-only exploit can steal sensitive data which is stored in browser memory and/or in files/folders the browser is allowed to access (e.g. that browser's cookie folder) and send it to a remote server via, of course, the compromised process. IOW, firefox.exe steals info from itself and sends the data as firefox.exe.

    But in Chrome's case, it's a bit harder. As the renderer process doesn't have any rights, simple tactics are unavailable and some device is needed. If the attacker can locate the WebSecurityEnabled flag, then he can turn off this switch to remove the same-origin policy. Then steal cookies (this will be allowed, as it is a common and needed task for a browser) and send them via an iframe, as now the same origin is not enforced (assuming the attacker injected a malicious iframe into e.g. a banking site). If you had enabled --enable-strict-isolation it becomes even harder, as now the process for the banking site and the one for the injected iframe are isolated.
     