File-less malware attacks – Can we fight them?

File-less malware attacks are on the rise. As a result, much has been written about this sophisticated form of attack, which evades traditional anti-virus solutions because it does not need to install any malware file to infect the victim’s machine. Instead, it takes advantage of weaknesses that exist in every computer and uses common system tools, such as Windows Management Instrumentation (WMI) or PowerShell, to inject malicious code into normally safe and trusted processes.

It is here that our ZoneAlarm Anti-ransomware has proven very effective in increasing our detection of evasive file-less malware. In brief, ZoneAlarm Anti-ransomware is a behavioral detection engine that detects and remediates all forms of malicious behavior, leveraging forensics to identify unknown malware behaviors and accurately classify malware into its family. This protection capability adapts to the malware’s evolution over time and can be used to detect and prevent endless types of attacks, including those that use legitimate scripting tools maliciously.

Since the introduction of ZoneAlarm Anti-ransomware we have detected many highly evasive file-less attacks. In one recent case, caught in the wild on a customer’s PC, a concealed file-less payload was tucked deep inside the WMI repository, to be subtly invoked and run in the background by the Windows system whenever a certain event, such as system boot, was detected.

This was done by creating a permanent WMI event consumer object that ran PowerShell, a process signed by Microsoft and already available on all Windows operating systems, with inline scripts to locate Windows credentials and upload them to a server on a public cloud computing service. Unlike traditional signature-based malware, this attack went deep into the system without writing a file to disk and without any malicious or illegitimate process running on the OS. It was nevertheless picked up by our behavioral analysis systems, despite the obfuscated nature of the script.
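The persistence mechanism described above (a WMI event filter bound to a consumer that launches PowerShell) can be audited from the defender's side. The following script is an added example, not code from the original post or from ZoneAlarm: it lists every filter-to-consumer binding in the root/subscription namespace and flags command-line or script consumers whose command matches a keyword pattern; the pattern itself is an assumption for illustration.

```powershell
# Added example (not from the original post): enumerate WMI permanent event
# subscriptions and flag consumers that launch PowerShell with inline or
# encoded commands. Inspect only; nothing is removed. Run from an elevated
# PowerShell session, since root/subscription requires administrator rights.
# The keyword pattern is an assumption for illustration; tune it to your estate.

$ns = 'root/subscription'
$suspicious = '(?i)powershell|pwsh|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|' +
              'invoke-expression|\biex\b|downloadstring|frombase64string|-nop\b|bypass'

# Filters say *when* (a WQL event query), consumers say *what runs*,
# and __FilterToConsumerBinding instances join the two.
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer) +
             @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

$results = foreach ($b in $bindings) {
    # The binding's reference properties carry only the key (Name) of each end.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    if (-not $c) { continue }   # other consumer types (e.g. NTEventLog) are skipped here

    # CommandLineEventConsumer holds a command line; ActiveScriptEventConsumer holds script text.
    $cmd = if ($c.CimClass.CimClassName -eq 'CommandLineEventConsumer') {
        $c.CommandLineTemplate
    } else {
        $c.ScriptText
    }

    [pscustomobject]@{
        Filter     = $f.Name
        Trigger    = $f.Query          # e.g. a boot-time or process-start WQL query
        Consumer   = $c.Name
        Command    = $cmd
        Suspicious = [bool]($cmd -match $suspicious)
    }
}

# Suspicious bindings first; an empty result means no command-line/script consumers exist.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good baseline of the same host image, because some management products register legitimate subscriptions. Once a binding is confirmed malicious, the binding, consumer and filter can each be removed with Remove-CimInstance after the evidence has been preserved.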

Indeed, scripting languages are increasingly used by attackers because scripts are quicker and easier to produce than full-scale file-based malware, and they are harder for security vendors to detect.

As more and more file-less attacks are seen in the wild, it is important that businesses and end users understand the nature of these attacks and just how difficult they are to detect with traditional anti-virus protections. In fact, traditional endpoint protections are useless against such sophisticated methods, which are totally resistant to such products, and even so-called ‘Next Generation Antivirus (NGAV)’ solutions are incapable of identifying these highly evasive attacks. ZoneAlarm Anti-ransomware proved its purpose in the above instance and will continue to do so against known and unknown attacks yet to be seen.
