You know how it works. Your end users visit an infected site and inadvertently download the latest type of malware. If your antivirus software is up to snuff, it will prevent the download or, at the very least, locate and isolate the invading file on the user's hard drive. But what if there is no file on the hard drive to detect? What if instead the malware resides only in memory, running under a trusted process that you, the antivirus software and the operating system itself assume cannot be breached?
That's exactly what happened in Russia earlier this year, when more than 300,000 computers were infected with a unique type of malware -- the fileless bot. After the bot ran unencumbered for several months, Kaspersky Lab announced that it had discovered a rare type of infection being propagated through Russian online information resources. Advertisements supplied to the sites by AdFox, a third-party ad network, contained Java malware that directed browsers to a download server run by cybercriminals.
How the fileless bot works
Step 1: Users visit the infected site. They don't need to take any other action. Without their knowledge, users are redirected to the cybercriminals' server, which we'll call the "master server."
Step 2: The master server injects an encrypted dynamic link library (DLL) into the Java process (javaw.exe) on users' computers, so the DLL exists only in the process's memory, never on disk. The injection takes advantage of a well-known vulnerability in Java (more on that in a bit).
Step 3: The malware establishes communication between the user's computer and the master server. Included in the information sent to the master server are technical details about the infected machine. In this sense, the malware runs just like any other bot -- as a software robot that can execute automated tasks over the Internet. However, the AdFox bot is fileless and runs completely in memory.
Step 4: The malware disables User Account Control (UAC), the Windows security component that asks for consent before a program gains administrative privileges. The malicious software then seizes the permissions necessary to install a more robust type of malware. In the case of the Russian computers, that downloaded malware was the Lurk Trojan horse, an application whose main function is to steal sensitive data in order to gain access to online banking services.
Step 5: The Lurk Trojan raids the cookie jar.
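The two observable traces of Steps 2 and 4 are code that runs from memory with no backing file, and the UAC registry value being switched off. The following added example (not code from the article or from Kaspersky Lab) turns those two traces into triage rules over constructed telemetry: a simplified per-process memory map of the kind a memory scanner produces, and Sysmon-style registry records. The PE-header check is the part worth noting: a JVM's JIT code cache is also anonymous executable memory, so "unbacked and executable" alone would flag every healthy javaw.exe.

```python
"""Triage rules for the fileless-bot pattern described above: a DLL injected into
the trusted Java process (javaw.exe) that exists only in memory, followed by UAC
being switched off. Added example; every record below is constructed."""

from dataclasses import dataclass

TRUSTED_HOSTS = {"javaw.exe", "java.exe"}
# Real registry value behind UAC: 1 = enabled, 0 = disabled.
UAC_VALUE = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def find_injected_pe_images(memory_map):
    """Executable memory in a trusted process that is backed by no file on disk
    and starts with a PE header ("MZ"). The header check keeps this usable on a
    JVM: the JIT code cache is also anonymous executable memory, but it never
    begins with a PE header, so it is not reported."""
    hits = []
    for r in memory_map:
        if r["image"].lower() not in TRUSTED_HOSTS:
            continue
        if r["mapped_file"] is None and "EXECUTE" in r["protect"] and r["head"].startswith(b"MZ"):
            hits.append(Finding("pe-in-unbacked-memory", r["pid"],
                                f"{r['image']} base=0x{r['base']:08x} {r['protect']}"))
    return hits


def find_uac_disabled(events):
    """Sysmon-style registry value-set records (Event ID 13) writing 0 to EnableLUA (Step 4)."""
    hits = []
    for e in events:
        if (e["event_id"] == 13 and e["target_object"] == UAC_VALUE
                and e["details"].endswith("(0x00000000)")):
            hits.append(Finding("uac-disabled", e["pid"], f"set by {e['image']}"))
    return hits


def triage(memory_map, events):
    """Run both rules, then raise a combined finding for any process that trips
    both: memory-only code plus a UAC change from the same PID is the Step 2 +
    Step 4 chain, which no file on disk would explain."""
    findings = find_injected_pe_images(memory_map) + find_uac_disabled(events)
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    for pid, rules in rules_by_pid.items():
        if {"pe-in-unbacked-memory", "uac-disabled"} <= rules:
            findings.append(Finding("fileless-bot-pattern", pid, "injected code and UAC disabled"))
    return sorted(findings, key=lambda f: (f.pid, f.rule))


# ---- constructed sample telemetry (not a real capture) ----
SAMPLE_MEMORY = [
    # JVM JIT code cache: unbacked and executable, but no PE header -> benign
    {"pid": 4120, "image": "javaw.exe", "base": 0x02C00000, "protect": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "head": b"\x48\x8b\xec\x90"},
    # normally loaded module: has a PE header but is backed by its file -> benign
    {"pid": 4120, "image": "javaw.exe", "base": 0x6B000000, "protect": "PAGE_EXECUTE_READ",
     "mapped_file": r"C:\Program Files\Java\jre6\bin\client\jvm.dll", "head": b"MZ\x90\x00"},
    # injected DLL: unbacked, executable, starts with a PE header -> suspicious
    {"pid": 4120, "image": "javaw.exe", "base": 0x00A30000, "protect": "PAGE_EXECUTE_READWRITE",
     "mapped_file": None, "head": b"MZ\x90\x00"},
]

SAMPLE_EVENTS = [
    # network connection record (Event ID 3): ignored by these rules
    {"event_id": 3, "pid": 4120, "image": r"C:\Program Files\Java\jre6\bin\javaw.exe"},
    # javaw.exe switching UAC off -> suspicious
    {"event_id": 13, "pid": 4120, "image": r"C:\Program Files\Java\jre6\bin\javaw.exe",
     "target_object": UAC_VALUE, "details": "DWORD (0x00000000)"},
    # an administrator re-enabling UAC later -> benign
    {"event_id": 13, "pid": 812, "image": r"C:\Windows\regedit.exe",
     "target_object": UAC_VALUE, "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_MEMORY, SAMPLE_EVENTS):
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

On the sample data, triage reports the injected region and the UAC change for PID 4120, plus the combined fileless-bot finding; the JIT cache, the legitimately mapped jvm.dll and the later re-enabling of UAC are all left alone. Because a reboot clears the memory-resident stage (as the article notes below), the memory map has to be collected from the live system before it is restarted.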
As noted above, the fileless malware exploits a known Java vulnerability (CVE-2011-3544). In Russia, cybercriminals exploited this vulnerability to attack Windows computers. However, Mac OS also supports Java, so Apple computers are potentially just as vulnerable. Fortunately, Oracle issued a patch in October 2011, so only computers that were not updated are susceptible.
However, for those computers without the patch, the cybercriminals could easily load their bot into the trusted Java process. And the antivirus software, for the most part, had no idea it was there. In fact, the bot was essentially invisible.
A world of fileless malware trouble
Although attacks like the one that took Russia by storm are relatively rare, similar ones have occurred in the past decade, most notably the Code Red and Slammer worms. Both of these worms took advantage of a class of vulnerability known as a buffer overflow, which likewise lets malicious code run entirely in memory, much as we saw in Russia.
Given that these types of attacks have now occurred several times, there's no reason to assume that they won't happen again. And not necessarily just in Russia or against only Windows computers, and not necessarily limited to the Lurk Trojan. Other countries and operating systems are just as vulnerable, and other malware can spread just as easily.
The good news is that, because the fileless bot lives only in memory, a simple system restart will get rid of it (if it's not already too late, that is, if it hasn't already installed a second-stage payload such as Lurk on disk). As long as your users don't visit the same or other infected sites, they should have no further problems. And, of course, you should also ensure that the Java runtime on their computers is up to date with the latest security patches. This will at least protect them from the bot that hit Russia.
But as with any type of malware, the rules keep changing, and just because you can protect users from the latest fileless attack is no reason to assume that everyone is safe. What happened in Russia might not stay in Russia.
In addition, Apple recently announced that when it releases the next Mac OS update, Java will no longer be included with its browsers. Whether this has anything to do with the fileless bot is difficult to say. But Adam Gowdiak, a researcher at Polish firm Security Explorations, has reportedly identified two new security bugs in Java, so Apple is apparently playing it safe.
This was first published in December 2012