'Fileless' malware installs directly into RAM

  • 19 March 2012

There is a report out of Kaspersky Labs that there's a new form of "drive-by" malware that exploits a known Java vulnerability (CVE-2011-354) to inject an encrypted DLL from the web directly into the memory of the javaw.exe process. To quote the article in The Register, "That mode of operation means Windows and MacOS are both affected by the exploit, which is hard for many antivirus programs to spot given it runs within a trusted process."
 
The article is here:
 
http://www.theregister.co.uk/2012/03/18/fileless_malware_found/
 
It would be nice to know if Webroot can detect this type of exploit.

1 reply

While I can't speak for our developers, I can put my two cents in as a security professional. This kind of infector is nearly impossible for any antivirus to detect, since memory is so volatile that monitoring it even a hundredth of the time would be prohibitive on the system. I'd have to check on certain technology items, however, since the infection vector very well may be calling certain kernel APIs that are interdicted, thus opening the path for detection of the initial insertion.
 
That being said, it's not all doomsday. :)
 
The first mitigating factor is that the hole in Java that is used to perform this exploit was patched in October of 2011. We in the security industry will ALWAYS advise that your front line of defense is to keep your software up to date. If you are using Java 6 R 29 or above, or Java 7 R 2 or above, you're fine and this cannot hit you at all. If you're not sure what version you're using, go find out your Java version here and update if necessary. That page will provide all the information you need.
 
The second bit of good news is that this kind of infection is and can only be a beachhead, or dropper, infection. Being in memory only means that the moment the Java executable shuts down, the infection is gone. Reboot and poof! No more infection. So its entire goal is to bypass Windows security in order to install a persistent infection. Needless to say, this persistent infection has to be a file, so that is definitely caught by SecureAnywhere.
 
So yes, this is definitely a rare kind of threat, and a serious one, but it requires old software on your computer and is transient.  So it's not Doomsday YET.  The bad guys are working on it though, so stay safe!
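The reply above puts the whole mitigation on one check: is the installed Java at or above the release that closed the hole (Java 6 Update 29 or Java 7 Update 2, as the reply states them)? The script below is an added example, not code from the thread, from Webroot or from Kaspersky. It parses the version strings that `java -version` actually prints for Java 6 and 7 ("1.6.0_29", "1.7.0_02-b13") and compares them against the thresholds the reply names. The thresholds are taken from the post rather than from Oracle's advisory; the sample banner is constructed; and treating any major version newer than 7 as patched is an assumption made here because those releases postdate the October 2011 fix.

```python
import re
import subprocess
from typing import Optional, Tuple

# Java 6/7 version strings look like "1.<major>.0_<update>[-b<build>]".
# The update part is optional: a GA release such as "1.7.0" has update 0.
_JAVA_VERSION_RE = re.compile(r"1\.(\d+)\.\d+(?:_(\d+))?")

# Minimum patched update per major version, exactly as the reply states them
# (Java 6 Update 29, Java 7 Update 2). Taken from the post, not from Oracle.
PATCHED_MINIMUM = {6: 29, 7: 2}

# Constructed sample of a `java -version` banner from an old, unpatched install.
SAMPLE_BANNER = """java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode, sharing)
"""


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a bare version string or a full
    `java -version` banner; None if no Java-style version is present.
    The first match wins, which is the "java version" line in a banner."""
    m = _JAVA_VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_patched(text: str) -> Optional[bool]:
    """True if the Java named in `text` is at or above the patched level the
    reply gives for its major version, False if it is older, and None when
    the version cannot be parsed or is a major the reply says nothing about
    (Java 5 and earlier). Majors newer than 7 are assumed patched because
    they were released after the October 2011 fix (assumption, not from the post)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    major, update = parsed
    if major in PATCHED_MINIMUM:
        return update >= PATCHED_MINIMUM[major]
    if major > max(PATCHED_MINIMUM):
        return True
    return None


def installed_java_banner() -> Optional[str]:
    """Run `java -version` if a java binary is on PATH. The banner goes to
    stderr, so that stream is captured; None if java is not installed."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    banner = installed_java_banner() or SAMPLE_BANNER
    verdict = is_patched(banner)
    print(banner.splitlines()[0])
    if verdict is None:
        print("could not determine whether this Java is patched")
    else:
        print("patched" if verdict else "UNPATCHED: update Java before browsing")
```

When run on a machine without Java it falls back to the constructed banner and reports UNPATCHED, which is the case the reply is warning about; with Java present it reports on the real install. The parse handles the build suffix ("-b13") and the zero-padded update ("_02") because both appear in real banners and a naive string compare ("1.7.0_02" < "1.7.0_1") would get them wrong.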
