Fileless malware: Invisible threat or scaremongering hype?

Discussion in 'malware problems & news' started by Minimalist, Nov 17, 2017.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    7,565
    Location:
    Slovenia
    https://blog.emsisoft.com/2017/11/17/fileless-malware-attacks/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Emsisoft "dropped the ball" on the PowerShell recommendation. That will only disable PowerShell 2.0. Only applicable if you're using Win 7 and haven't downloaded a later ver. of PowerShell. Win 7 is the only Win ver. that uses PowerShell 2.0 as the "internal" ver. of PowerShell. Also, PowerShell 2.0 is disabled by default in Win 10 CEF.
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    I agree with the fact that "file-less" attacks are a sneaky and serious threat, but far from unstoppable. And I don't expect to see them being used in attacks on home-users. Most malware like banking trojans, ransomware and keyloggers will remain file-based.
     
  4. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,097
    Fileless malware attack sources can be webpages, which means it will be used on potentially anyone whose system is vulnerable to it.
     
  5. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    But most exploits use v2.0 because it is so permeable that not using it would be a crime :p
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Actually, it is the reverse.

    When malware runs a PowerShell script, it uses the internal ver. of PowerShell installed. The only exception is when the malware specifically codes that PowerShell 2.0 is used. This method is not the norm. Additionally, if malware uses a .bat script, for example, that is coded as powershell.exe -nop etc., it will use the internal version of PowerShell.

    Actually, malware will download Powershell 2.0 to some directory and run it there if the attacker decides to use it and it is not installed.

    If you totally want to stop Powershell 2.0 use, uninstall .Net 2.0 since it is required to run PowerShell 2.0. Folks that use VoodooShield can't do that since it uses .Net 2.0:rolleyes:
     
  7. plat1098

    plat1098 Registered Member

    Joined:
    Jan 18, 2016
    Posts:
    1,113
    Location:
    Da mean streets of Brooklyn
    What makes this a little better is that Powershell 2.0 is out in the Fall Creators Build, having been replaced w/PS 5.0. So those of us on the latest Windows 10 bought ourselves some time there, right?

    Edit: oops, I see you'd already stated that, apologies @itman. :blink:
     
    Last edited: Nov 19, 2017
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Yes and no.

    By default, .Net 2.0 and 3.5 are not installed in Win 10 CE and CEF. However, and most important, if an app requires either of the previously noted .Net versions, Windows will automatically install the .Net version required. o_O So if you install something like VoodooShield, .Net 2.0 will be auto installed. As noted previously, with .Net 2.0 installed, malware can download PowerShell 2.0 and run it.
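    An added defender-side check that ties the PowerShell 2.0 points in posts 2, 6 and 8 together (this is example code written for this page, not from the thread or from Emsisoft): it audits whether the optional PowerShell 2.0 engine and the .NET 3.5 feature (which carries the 2.0 CLR the old engine needs) are installed, looks in the Windows PowerShell event log for starts of the 2.0 engine, and can optionally disable the engine. It assumes Windows 10 with the DISM cmdlets available and is run from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Audit (and optionally remove) the PowerShell 2.0 engine on Windows 10 and look
# for evidence that the old engine has actually been started on this machine.
# Assumption: Windows 10 with the DISM module (Get-/Disable-WindowsOptionalFeature).

param(
    [switch]$Remediate   # also disable the v2 engine when it is present
)

# 1. Is the optional PowerShell 2.0 engine installed? (Off by default on 1709+.)
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
"PowerShell 2.0 engine feature: $($v2.State)"

# 2. Is the .NET 3.5 feature (which includes the 2.0 CLR) present? Windows
#    installs it on demand when an application asks for .NET 2.0/3.5.
$netfx3 = Get-WindowsOptionalFeature -Online -FeatureName NetFx3
".NET Framework 3.5 (includes the 2.0 CLR): $($netfx3.State)"

# 3. Has the 2.0 engine been started? Engine starts are logged as Event ID 400 in
#    the 'Windows PowerShell' log; the message body carries EngineVersion=2.0.
$v2Starts = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'EngineVersion=2\.0' }
"PowerShell 2.0 engine starts found in the event log: $(@($v2Starts).Count)"

foreach ($e in @($v2Starts) | Select-Object -First 5) {
    # The HostApplication line records which command line asked for the old engine.
    $hostLine = ($e.Message -split "`n" | Where-Object { $_ -match 'HostApplication=' }) -join ''
    "  $($e.TimeCreated)  $($hostLine.Trim())"
}

# 4. Optional remediation: remove the 2.0 engine so requests for it fall back to
#    the current (5.x) engine, which is covered by script block logging and AMSI.
if ($Remediate -and $v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    "Disabled MicrosoftWindowsPowerShellV2Root (no restart requested)."
}
```

    Note that removing the engine feature does not by itself remove the .NET 3.5 runtime; as the posts above point out, an application that depends on .NET 2.0 will cause Windows to install it again.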
     
  9. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    And we're just talking about one interpreter (PowerShell); fileless malware can be set to use others...
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
  11. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    Yes, Mimikatz is way too famous, and is considered a high-class credential stealer with various powerful capabilities. Its author is a French researcher who was "forced" to release the code publicly after he caught a Russian spy breaking into his hotel room, trying to bypass his laptop login password, before a conference where the researcher was supposed to present Mimikatz...
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    5,487
    Location:
    U.S.A.
    Fileless Malware on the Rise, Becoming Top Endpoint Threat
    https://www.infosecurity-magazine.com/news/fileless-malware-on-the-rise/
     
  13. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    4,054
    Location:
    Europe then Asia
    I'm not surprised at all; fileless malware isn't new, it just became more popular.
     
  14. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    107
    Location:
    Some country in the European Union
    Fileless Malware: Attack Trend Exposed
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,890
    Location:
    The Netherlands
    Thanks, interesting stuff. Will do some reading, it seems to be one of the most clear and easy to understand articles about this subject.
     
  16. Infected

    Infected Registered Member

    Joined:
    Feb 9, 2015
    Posts:
    764
    Fileless Malware Demystified
    https://youtu.be/atL1WmmMJJw
     