Fileless malware runs entirely from memory to make detection harder
Traditional malware infections usually require a file object to be placed on the system, which makes them relatively easy to detect and remove.
Now, though, there's a stealthier threat, uncovered by security company Malwarebytes. Poweliks is an infection that runs without a filesystem object, entirely from the registry and memory, using rundll32.exe, JavaScript and a DLL created on the fly.
Code can be injected into the machine via a fake landing page, which makes traditional security controls such as whitelisting ineffective against it.
It doesn't place a physical file on the system; instead, Poweliks injects code into processes that are already running, such as Internet Explorer. This lets it run under cover of the legitimate process and so avoid detection.
Security researcher Jerome Segura says, "There are many advantages of doing that. For starters, by never dropping anything onto the hard-drive, you reduce your payload's footprint on a system and chances for it to get detected. It is typically much easier to detect a piece of malware on disk than one hiding in memory".
To survive a system restart, it stores code in hidden registry keys that allow it to execute and re-infect the legitimate process after a reboot.
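As an added illustration (not code from this article or from Malwarebytes), the Python script below applies two defender-side heuristics to a constructed set of autorun registry entries: a Run value whose command launches rundll32.exe with an inline script URL rather than a DLL on disk, and a value name containing non-printable characters, which is assumed here to be one way such an entry stays hidden from ordinary registry viewers. The key paths, value names and command strings are all made up for the example.

```python
import re
from typing import List, NamedTuple, Sequence, Tuple

# Constructed sample autorun entries: (key path, value name, value data).
# The third entry imitates a rundll32 + inline-script persistence entry with a
# non-printable value name; its script body is a placeholder, not real code.
SAMPLE_AUTORUNS: Sequence[Tuple[str, str, str]] = [
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "OneDrive", '"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "\x00a", 'rundll32.exe javascript:"<constructed placeholder script>"'),
]

# rundll32 invoked at the start of the command or after a path separator/space.
RUNDLL32_RE = re.compile(r'(^|[\\\s"])rundll32(\.exe)?\b', re.IGNORECASE)
# An inline script URL handed to the host process instead of a DLL path.
SCRIPT_URL_RE = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)


class Finding(NamedTuple):
    key: str
    name: str
    reasons: List[str]


def inspect_autorun(key: str, name: str, data: str) -> List[str]:
    """Return the list of reasons an autorun entry looks suspicious (empty if clean)."""
    reasons: List[str] = []
    if RUNDLL32_RE.search(data) and SCRIPT_URL_RE.search(data):
        reasons.append("rundll32 launched with an inline script URL instead of a DLL on disk")
    # Assumption for this example: a value name with control characters is
    # unlikely to be legitimate and may not render in ordinary registry tools.
    if not name.isprintable():
        reasons.append("value name contains non-printable characters")
    return reasons


def scan_autoruns(entries: Sequence[Tuple[str, str, str]]) -> List[Finding]:
    """Run inspect_autorun over every entry and collect the suspicious ones."""
    return [Finding(key, name, r) for key, name, data in entries
            if (r := inspect_autorun(key, name, data))]


if __name__ == "__main__":
    for f in scan_autoruns(SAMPLE_AUTORUNS):
        print(f"{f.key}\\{f.name!r}: " + "; ".join(f.reasons))
```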
A newly released version of Malwarebytes Anti-Rootkit is able to remove Poweliks. There's also more information on fileless infections and how they work on the Malwarebytes blog.