
A STUDY ON FLM (FILELESS MALWARE) VULNERABLE TO THE PROGRAM MEMORY

N. KRITHIKA
PG SCHOLAR, DEPARTMENT OF CSE
SRI RAMAKRISHNA ENGINEERING COLLEGE
COIMBATORE, INDIA
krithikanatarajan22@gmail.com

Abstract
Security is one of the main challenges of today's era. Many organizations and governments spend about 1 trillion on securing their data. This paper investigates FLM (fileless malware), which exists only in RAM. This survey paper deals with how FLM works and with its detection and prevention mechanisms.
Keywords: Rootkits, Windows registry
I INTRODUCTION
A fileless infection is malicious code that exists only in memory rather than being installed on the target computer's hard drive. It is written directly to RAM and is used by attackers. This malware hides its location so that it cannot easily be identified by any scanner or antivirus software. Fileless malware first appeared in August 2014 with a Trojan. It is also called a non-malware attack, fileless attack, memory-based attack or living-off-the-land attack [1]. These attacks are capable of gaining control of computers without downloading anything. With 230000 new malware samples being created every day, traditional signature-based security solutions like antivirus do not detect or handle all of the threats.
On 18 March 2012, an exploit was found in Russian adware. Researchers at Kaspersky Lab found malware that does not install any files on the PC. Its payload injects encrypted data from the web directly into the memory of the javaw.exe process. The infection tries to attack Windows User Account Control; for that purpose it installs the Lurk Trojan and connects to the related botnets.
According to security researchers, in 2016 attacks followed fileless patterns. The report from Carbon Black says that researchers found a 33% rise in the level of attacks. PowerShell and WMI non-malware attacks rose by 90%. This type of attack grew further through PowerShell attacks in 2017.
A survey was recently conducted across the networks of 140 banks and governments. FLM attacks are becoming much more common, according to a Gartner security analyst. The latest threat was observed by an unnamed bank security team, who found malicious code inside the memory of the bank's domain controller. The five nations most affected by FLM are the US, France, Ecuador, Kenya and the UK. Thieves use FLM to steal cash from ATMs, according to the researcher Litan.
The prediction by the Symantec group says that FLM will increase in the coming year with the advance of technology. Devices are facing espionage and explosive attacks. Symantec predicted that all enterprises will start to move towards Wi-Fi and cloud-based services.
II HOW USERS ENCOUNTER FILELESS MALWARE
The user encounters FLM through a malicious website from which they are redirected to the attacker's ad. Because the infection does not exist as a file, and because the malware is present only in RAM, it cannot be rectified by rebooting, so traditional antivirus and antimalware solutions cannot detect this type of attack. Having gained this foothold, the attackers may be able to steal data or download more persistent malware.
III WHY CYBER CRIMINALS USE FILELESS MALWARE
By exploiting this foothold, the hackers may steal data or download malware onto the devices. The main aim of the attackers is to steal information and sell it for money. The reasons for hackers to inject FLM into a computer are:
Stealth: this is used by the hackers to avoid being caught by security products for an indefinite amount of time.
Persistence: this technique is used by attackers to keep the infection in the system undetected.
Privilege escalation: once the malware enters the system, it uses its high privilege to exploit weaknesses that give the attackers admin access to the PC, after which they can do what they want in the system.
Information gathering: the malware gathers information about the damage, which the attackers use to damage or destroy other systems not yet affected by FLM.
IV TYPES OF FILELESS MALWARE
The various forms of FLM that penetrate into a system are:
Memory-resident malware: it makes use of the memory space of a process or of an authentic Windows file. It loads its malicious code into that memory space and stays there until triggered. This is not a completely fileless threat, but it can be included in the FLM group.
Rootkits: often residing in the kernel, rootkits hide behind the computer user to gain administrator access. This is 100 percent fileless malware.
Windows registry: it resides in the Windows registry, a database that stores low-level settings for the OS and certain applications. It is a difficult place for a normal user to navigate.
Macros: macros hide their nature even after they have downloaded their payloads. Macro malware acts as normal even after performing malicious acts.
V HOW RANSOMWARE FLM (FILELESS MALWARE) WORKS
Consider the real-life scenario where most users use Chrome with Flash Player installed. Once it is outdated, we end up on a website that hosts the Angler exploit kit. It scans for vulnerabilities, finds the Flash plug-in in the system and instantly starts running in Chrome. If, for example, the payload is ransomware, it connects to the hackers' command and control server and obtains the encryption key used to gain access to the computer. Ransomware has become a business for crime groups. To evade detection, attackers use an advanced technique named FLM, where the code is embedded in a scripting language or written straight into memory using an administrator tool such as PowerShell, without being written to disk. The working architecture is depicted in fig 1.
VI DETECTION AND PROTECTION
DETECTION
Patching the system avoids the most widespread weaknesses. Restrict the Microsoft PowerShell administrator tool. Put in place products that have protection against in-memory attacks, such as Symantec, Trend and McAfee [2]. We need to look for new effective defenses, such as Morphisec's Moving Target Defense, which protects endpoints from exploit-based attacks. Its technology morphs the runtime environment so authorized code runs safely while malicious code is blocked and trapped.
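The measures above are product-level. A defender also wants host telemetry that catches the behaviour Sections V and VII describe: PowerShell started hidden with an encoded command, rundll32 or mshta running an inline javascript: URL, and a browser or Office application spawning a script host. The following Python is an added example written for this page, not code from the paper or from any product named in it. It assumes process-creation events flattened into Key=Value|Key=Value lines (a constructed format modelled on Sysmon process-creation records) and uses constructed sample events; the encoded command in the sample is a harmless Write-Host so the decoder has something to decode.

```python
import base64
import re

# Living-off-the-land indicators: PowerShell run hidden / without profile or with
# an encoded command, rundll32/mshta executing an inline script URL, and a
# risky parent (browser, Office, PDF reader) spawning a script host.
SHELL_FLAGS = re.compile(
    r"-(?:nop|noprofile|w(?:indowstyle)?\s+hidden|encodedcommand|enc|ec)\b", re.I)
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
INLINE_SCRIPT = re.compile(r"\b(?:rundll32|mshta)\.exe\b.*\b(?:javascript|vbscript):", re.I)
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "mshta.exe"}
RISKY_PARENTS = {"chrome.exe", "firefox.exe", "iexplore.exe", "winword.exe",
                 "excel.exe", "acrord32.exe"}


def parse_event(line):
    """Split a constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def assess_event(event):
    """Return the reasons one process-creation event looks like fileless execution."""
    reasons = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    if image == "powershell.exe" and SHELL_FLAGS.search(cmdline):
        reasons.append("powershell started hidden or without profile")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command decodes to: " + repr(decoded))
    if INLINE_SCRIPT.search(cmdline):
        reasons.append("rundll32/mshta executing an inline script URL")
    if parent in RISKY_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(parent + " spawned " + image)
    return reasons


def scan(lines):
    """Return (index, reasons) for every event that triggered at least one rule."""
    findings = []
    for index, line in enumerate(lines):
        reasons = assess_event(parse_event(line))
        if reasons:
            findings.append((index, reasons))
    return findings


# Constructed sample events (not from any real incident). The encoded command
# is a harmless Write-Host so the decoder has real input.
BENIGN_ENCODED = base64.b64encode("Write-Host 'hi'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r"|CommandLine=powershell.exe -File C:\Scripts\backup.ps1",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|ParentImage=C:\Program Files\Google\Chrome\Application\chrome.exe"
    r"|CommandLine=powershell.exe -nop -w hidden -EncodedCommand " + BENIGN_ENCODED,
    r"Image=C:\Windows\System32\rundll32.exe"
    r"|ParentImage=C:\Windows\explorer.exe"
    r'|CommandLine=rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert("payload")',
]

if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print("event", index, "flagged:", "; ".join(reasons))
```

The first sample (a scheduled script run from Explorer) produces no finding; the second is flagged three times (hidden PowerShell, decoded command, Chrome as parent) and the third once. On a real host the same rules would be fed from Sysmon or Windows Security event logs; decoding the encoded command is what lets an analyst read the payload without ever letting it run.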
PROTECTION
FLM causes the system to run very slowly by infecting RAM. Protect against FLM by creating multilayer threat protection or a firewall. The better way to stop FLM is to find the infection before it happens. Keep updating the necessary security controls, antivirus software and operating system. Block the pages that host the exploit kit; proactive security products on the PC block unwanted sites as soon as we search for them. Block the payload delivery: once the exploit kit finds a weakness in our system, it connects to the command and control servers to download the payload and place it in RAM. To avoid this type of malware in the future, protect the system with the necessary security suites. By doing this we can prevent the infection from entering the system, blocking the malicious server and stopping the payload from being downloaded. By blocking the communication between our PC and the attackers' servers, the attackers are not able to retrieve data from the PC.
VII HOW FILELESS MALWARE PENETRATES A PC
FLM enters the PC through spam emails, or when the user downloads malicious attachments, plays online games, uses infected removable storage devices, browses unwanted websites or taps on sponsored images and links. Installing pirated versions of software on our system and using older versions of firewall or antivirus software also give FLM various chances to enter the PC. Downloading freeware and shareware programs from weak websites is a major reason for FLM penetration.
One-click FLM
The one-click FLM uses JavaScript. It arrives on the computer through an .hta file that places a JS payload into the registry. The JS is invoked every time Windows calls rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";alert(Payload); The JS reads and decodes the encoded data from subkeys, and this data injects the payload into memory. The payload checks the registry entry every hour to know whether the entry has been deleted; if it is deleted, it creates it again to make the infection obstinate. The first threats using the FLM technique were Trojan.Poweliks in 2014, Trojan.Bedep and Trojan.Kovter.
The common infection vectors for FLM include drive-by download, downloader and one-click fraud.
Drive-by download: in August 2014, Angler EK was the kit that infected a computer without the malware being on disk. The infection is inoculated into a process which can be run by the exploited plug-in.
Downloader: this method does download files onto the disk, but after it gets executed, it retrieves the final payload and deletes itself. The final payload remains in memory and acts as FLM.
One-click fraud: it targets Japanese and Chinese users. This technique uses workers to click the files; by doing this the files get downloaded with one click without user intervention. In this way FLM enters RAM.
VIII DELETING FILELESS MALWARE
Removing the malware is a major challenging task.
a) Restart the PC in safe mode:
If we find the system is very slow, then restart the system. When the popup appears, select the startup option, search in it for FLM applications and uncheck all unknown items from the system configuration. Now click and select restart to start the computer in normal mode.
b) Remove FLM from Task Manager:
Press Ctrl + Alt + Delete to open Task Manager. Find whether any FLM-related applications are running on the PC. Now select and end the FLM-related processes from Task Manager.
c) Remove FLM-related startup items:
Press Win + R at the same time, type msconfig and then press Enter or OK. When the popup appears, select the startup option, search in it for FLM applications and uncheck all unknown items from the system configuration. Now click and select restart to start the computer in the normal state.
d) Deleting FLM from the Windows registry:
Press Win + R to open the Run box, type regedit and press Enter; this leads to the registry entries.
e) Finding the hidden files and folders created by FLM:
Open Control Panel, search for folder options, check "show hidden files" and then click OK.
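Step d) sends the user into regedit by hand, and the one-click FLM of Section VII is exactly the kind of entry that is hard to spot there: a Run value that starts rundll32 with an inline javascript: URL, an encoded stage parked in a subkey, and a value name padded with invisible characters. The following Python is an added example written for this page, not code from the paper or from any product it names. It audits the contents of a Run key supplied as a plain dictionary of constructed sample values, so it runs offline on any platform; on a real Windows host the dictionary would be filled from the standard library's winreg module.

```python
import re

# Heuristics for fileless persistence in autorun values: rundll32/mshta given an
# inline javascript:/vbscript: URL, a script host started with no script file on
# disk, an opaque encoded blob (a stage for a loader to decode), and a value name
# containing characters that do not display cleanly in regedit.
INLINE_SCRIPT = re.compile(
    r"\b(?:rundll32|mshta)(?:\.exe)?\b.*\b(?:javascript|vbscript):", re.I)
SCRIPT_HOST = re.compile(r"\b(?:powershell|pwsh|wscript|cscript|mshta)(?:\.exe)?\b", re.I)
SCRIPT_FILE = re.compile(r"\.(?:ps1|vbs|vbe|js|jse|wsf|hta)\b", re.I)
ENCODED_BLOB = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def audit_run_value(name, data):
    """Return the reasons one Run value looks like a fileless persistence entry."""
    reasons = []
    if any(not 32 <= ord(ch) < 127 for ch in name):
        reasons.append("value name contains non-printable or non-ASCII characters")
    if INLINE_SCRIPT.search(data):
        reasons.append("rundll32/mshta runs an inline script URL instead of a file")
    elif SCRIPT_HOST.search(data) and not SCRIPT_FILE.search(data):
        reasons.append("script host started without a script file on disk")
    if ENCODED_BLOB.match(data):
        reasons.append("data is an opaque encoded blob rather than a command line")
    return reasons


def audit_run_key(values):
    """Audit a whole Run key given as {value name: value data}; keep only the hits."""
    findings = {}
    for name, data in values.items():
        reasons = audit_run_value(name, data)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample contents of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
# Names and data are made up for illustration, not taken from a real host.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Backup": r'wscript.exe "C:\Scripts\nightly.vbs"',
    # Zero-width space in the name; payload run straight from a javascript: URL.
    "\u200bUpdater": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert("payload")',
    "svc": "powershell.exe -nop -w hidden -c Write-Host hi",
    "cfg": "QUJD" * 40,  # stands in for an encoded stage stored in the registry
}

if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_RUN_VALUES).items():
        print(repr(name) + ":", "; ".join(reasons))
```

The two legitimate entries (a signed application and a script launched from a file on disk) pass; the other three are reported with the reason each rule fired. Because the page notes that the payload re-creates its registry entry every hour, an audit like this is only useful if it is re-run after the in-memory process has been ended, otherwise the entry simply returns.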
CONCLUSION
FLM mainly targets the banking industry. Security tools with different tricks make detection very difficult. First-party data protection such as Media Scanner protects data against leakage by detecting it and reporting to the user. As future work, after a successful disinfection, removal and cleaning process, the user is instructed to update the antivirus software to avoid FLM. Not only does this malware exist in computers; there are various infections that need to be found to protect our system from illegal behavior.
REFERENCES
[1] https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/
[2] http://blog.morphisec.com/less-is-more-dangerous-a-dissection-of-fileless-in-memory-attacks
[3] https://securingtomorrow.mcafee.com/business/security-connected/fileless-malware-execution-with-Powershell-is-easier-than-you-may-realize/
[4] http://www.removemalwarevirus.com/learn-easy-solution-to-remove-fileless-malware-quickly
[5] https://www.crowdstrike.com/blog/fileless-ransomware-works/
[6] http://www.theregister.co.uk/2012/03/18/fileless_malware_found/
[7] https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=761
[8] http://www.darkreading.com/vulnerabilities---threats/fileless-malware-takes-2016-by-storm/d/d-id/1327796
[9] http://www.computerworld.com/article/3167863/security/fileless-malware-attacks-used-at-banks-have-been-around-for-years.html
[10] https://blog.barkly.com/rise-of-fileless-malware-barkly-malware-research-chat
[11] https://www.lifehacker.com.au/2015/12/fileless-malware-explained-infographic/
[12] http://www.computerworld.com/article/3167589/security/hard-to-detect-fileless-attacks-target-banks-other organizations.html
[13] http://www.computerworld.com/article/3167589/security/hard-to-detect-fileless-attacks-target-banks-other-organizations.html
