19 June 2016
Preventing the execution of whatever scripts or executables from User Space is one of the basic security concepts of AppGuard. Unfortunately, the User Space concept does not work in the case of fileless malware. A very prominent representative of this malware type is Poweliks. Poweliks was first detected in August 2014. It hides its payload in the Windows registry, no file is written during the first infection phase.
During this last write process AppGuard’s MemoryGuard enters the game:
Memory protection is designed to prevent one process (originator) from altering or reading the memory of another process (target). Attackers try to re-allocate memory, place executable code into the newly allocated memory, and then execute this code. This type of attack is known as memory code injection and memory scraping. This attack has been widely used in file-less malware which exists only in memory, and Trojan downloader type of malware.
Sound’s easy. Again, ProcessExplorer is the perfect means to show how MemoryGuard works:
In Protected mode icons and process descriptions are no longer displayed. Process Explorer retrieves these details from the process memory, and MemoryGuard blocks read access.
In Protected mode important process details are no longer displayed. Process Explorer reads these details from a process’ memory and displays them in the Properties dialogue. If AppGuard is operated in the default mode Protected, MemoryGuard blocks this reading operations, thus details about the process cannot be retrieved.
MemoryGuard is a really charming concept, and out-of-the-box available after installation.
Have a good weekend.