How to defend against file-less malware?

15 July 2019

Stories on file-less malware are constantly appearing in the news. Zeljka Zorz’s post “A file-less campaign is dropping the Astaroth info-stealer” (1), published on 9 July 2019 in Help Net Security, gives a great introduction into the techniques used in file-less attacks.

Andrea Lelli’s technical analysis (2) shows that the malware downloads some DLLs and injects them into the userinit.exe process after becoming persistent. So, no big development since the first report on a file-less malware, Poweliks (3), published in 2014.

Pattern based anti-malware solutions are still no effective means to protect against file-less malware because the malware uses the hacker’s favorite toolkit, the Windows OS, for installation of the malicious payload.

But there is no reason to panic. The Windows OS is part of the problem; the Windows OS is also part of the solution.

First things first.

Don’t work with permanent administrative privileges!

It cannot be repeated often enough! Userinit.exe is part of the Windows OS. Admin privileges are required to load a DLL into the userinit.exe process. So, no admin rights, no DLL injection.

Now the big change.

We need change!

We need change!

In a Windows environment, Microsoft AppLocker does the job. AppLocker is an efficient solution; it is part of the Windows OS and it can be configured centrally by group policies. AppLocker is an effective solution; all kind of dropper malware is blocked, and with DLL rules enforced, DLL injection is no longer possible. Thus, AppLocker is the perfect solution for SMBs to overcome the shortcomings of pattern based anti-malware solutions. For a brief overview on AppLocker see my post (4).

If AppLocker does not fit into your computing environment, for example in production, look at the application whitelisting solutions from the big anti-malware solution providers. Application whitelisting provides additional features, e.g. the lockdown of systems, which is of interest especially in production because of the much longer solution lifecycles.

Application whitelisting is the long overdue change in the strategic approach to cyber security. Give it a try. Once you locked down your systems you can take care of the really important issues. Like supporting your business in digitalization initiatives.

Have a great week.


References

  1. Zorz Z. A fileless campaign is dropping the Astaroth info-stealer [Internet]. Help Net Security. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://www.helpnetsecurity.com/2019/07/09/astaroth-fileless-malware/
  2. Lelli A. Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack [Internet]. Microsoft Security. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
  3. Jochem K. Review – ‘Poweliks’ malware variant employs new antivirus evasion techniques [Internet]. IT Security Matters. 2014 [zitiert 15. Juli 2019]. Verfügbar unter: https://klausjochem.me/2014/08/09/poweliks-malware-variant-employs-new-antivirus-evasion-techniques/
  4. Jochem K. Windows Applocker – The almost forgotten IT security workbench [Internet]. IT Security Matters. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://klausjochem.me/2019/01/05/windows-applocker-the-almost-forgotten-it-security-workbench/
Advertisements