Fileless malware and programmatic method of detection


Research area: Strategies



Venue: Journal of Computing Sciences in Colleges, Volume 36, Issue 3


Abstract

Fileless malware lives unnoticed in a computer system's main memory and executes its malicious processes freely. Although the anti-malware industry knows about this sophisticated form of attack and provides protective capabilities to detect such threats, fileless malware is relentless, which makes detection difficult and challenging. The moment cybersecurity professionals come out with a robust and effective countermeasure, the malware threat landscape evolves to avoid detection and becomes increasingly sophisticated. Furthermore, since fileless malware does not use or reside on the file system, it cannot easily be detected by any signature-based antivirus system. For this reason, the fileless attack vector is disastrous for any organization, government or private. Its reliance on the existing operating system and approved tools makes the attack very subtle. Despite the elusive nature of fileless malware, cybersecurity professionals use forensic tools to trace the attacker, which most, if not all, of the time may be unsuccessful, because attackers might employ anti-forensic tools to evade detection and traces. This research work/experiment aims at compromising a computer system by executing malicious scripts or payloads remotely in a web browser using JavaScript, without requiring the installation of a file on the targeted computer system. The method of attack takes advantage of a feature of a web interface's Application Programming Interface (API), ActiveXObject, provided by Microsoft Corporation. Accordingly, the potential exploitation is only possible for users who access websites with the Internet Explorer web browser.
An XAMPP (cross-platform (X) + Apache + MariaDB + PHP + Perl) web server was installed on a Microsoft Windows 8 machine to initiate the fileless malware process, and Java Development Kit and Java Runtime Environment 8 were used to implement the method of detection. We were also able to replicate the execution of legitimate CMD commands on a remote host through malicious JavaScript. Hence, it only takes one mistake, or one click, from an unaware user to be exploited unintentionally. Fortunately, we were able to implement a monitoring process that detects such a threat using Java code which executes a CMD command programmatically every three seconds using multi-thread programming (i.e., the ability to control the timing of execution). In other words, when the ActiveXObject is active, the monitor detects the malicious CMD process. Such information would be valuable to an observer, who should be able to react to the suspicious CMD activity promptly.
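The abstract describes the detection side only in outline: a thread that polls the process list every three seconds and reports CMD activity. The following is an added example of that monitoring approach, written in Python rather than the authors' Java, and it is not code from the paper. It goes one step beyond the abstract's plain "is cmd.exe running" check by walking each shell's parent chain and alerting only when the shell descends from iexplore.exe, the one browser that honours ActiveXObject (WScript.Shell is assumed to be the ProgID used; the abstract does not name it). Live snapshots assume `wmic` is present; the parsing and detection functions run anywhere on the constructed sample embedded below.

```python
"""Poll the Windows process list and flag shells spawned beneath Internet Explorer.

Added example, not the paper's Java monitor. Live snapshots assume `wmic`
(deprecated on current Windows builds); the detection logic itself is portable.
"""
import csv
import io
import subprocess
import threading
from dataclasses import dataclass

# Live query used by snapshot(); assumption: wmic is available on the host.
WMIC_CMD = ["wmic", "process", "get", "ProcessId,ParentProcessId,Name,CommandLine", "/format:csv"]
# ActiveXObject is only honoured by Internet Explorer, so that is the ancestor we look for.
BROWSER_NAMES = {"iexplore.exe"}
# Shells a WScript.Shell.Run call (assumed ProgID) would typically launch.
SHELL_NAMES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

# Constructed sample of `wmic ... /format:csv` output: a benign cmd.exe under
# explorer.exe (pid 4200) and one launched by an IE tab process (pid 4100).
SAMPLE_WMIC_CSV = r"""
Node,CommandLine,Name,ParentProcessId,ProcessId
DESKTOP-01,,System,0,4
DESKTOP-01,C:\Windows\explorer.exe,explorer.exe,812,1900
DESKTOP-01,C:\Program Files\Internet Explorer\iexplore.exe,iexplore.exe,1900,3400
DESKTOP-01,C:\Program Files\Internet Explorer\iexplore.exe SCODEF:3400 CREDAT:17410,iexplore.exe,3400,3520
DESKTOP-01,C:\Windows\System32\cmd.exe /c whoami > C:\Users\Public\out.txt,cmd.exe,3520,4100
DESKTOP-01,C:\Windows\System32\cmd.exe,cmd.exe,1900,4200
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str


def parse_wmic_csv(text: str) -> dict:
    """Parse wmic CSV output (header row, then one row per process) into {pid: Proc}."""
    procs = {}
    for row in csv.DictReader(io.StringIO(text.strip())):
        try:
            pid, ppid = int(row["ProcessId"]), int(row["ParentProcessId"])
        except (KeyError, TypeError, ValueError):
            continue  # blank or malformed line (wmic emits \r\r\n and trailing blanks)
        procs[pid] = Proc(pid, ppid, (row.get("Name") or "").lower(), row.get("CommandLine") or "")
    return procs


def find_shells_under_browser(procs, browsers=BROWSER_NAMES, shells=SHELL_NAMES, max_depth=16):
    """Return (shell, ancestor_chain) for each shell whose parent chain reaches a browser.

    The chain is the list of ancestors walked, ending at the browser process.
    max_depth guards against cycles such as pid 0 parenting itself.
    """
    hits = []
    for proc in procs.values():
        if proc.name not in shells:
            continue
        chain, cur = [], procs.get(proc.ppid)
        while cur is not None and len(chain) < max_depth:
            chain.append(cur)
            if cur.name in browsers:
                hits.append((proc, chain))
                break
            cur = procs.get(cur.ppid)
    return hits


def snapshot() -> dict:
    """Take a live process snapshot (Windows only)."""
    out = subprocess.run(WMIC_CMD, capture_output=True, text=True, check=True).stdout
    return parse_wmic_csv(out)


def start_monitor(interval=3.0, on_alert=print, stop_event=None):
    """Poll on a daemon thread every `interval` seconds, mirroring the paper's three-second cadence."""
    stop_event = stop_event or threading.Event()
    seen = set()  # alert once per pid, not once per poll

    def loop():
        while not stop_event.is_set():
            try:
                for shell, chain in find_shells_under_browser(snapshot()):
                    if shell.pid not in seen:
                        seen.add(shell.pid)
                        on_alert(f"[ALERT] {shell.name} pid={shell.pid} under {chain[-1].name} "
                                 f"pid={chain[-1].pid}: {shell.cmdline}")
            except (OSError, subprocess.CalledProcessError) as exc:
                on_alert(f"[monitor] snapshot failed: {exc}")
            stop_event.wait(interval)

    thread = threading.Thread(target=loop, name="ie-shell-monitor", daemon=True)
    thread.start()
    return thread, stop_event


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on Windows call start_monitor() instead.
    for shell, chain in find_shells_under_browser(parse_wmic_csv(SAMPLE_WMIC_CSV)):
        print(f"{shell.name} pid={shell.pid} spawned under {chain[-1].name} pid={chain[-1].pid}: {shell.cmdline}")
```

Restricting alerts to shells whose ancestry reaches the browser is what keeps a three-second polling loop usable: an administrator's own cmd.exe under explorer.exe is ignored, while a cmd.exe hanging off an IE tab process is exactly the artefact the abstract's ActiveXObject scenario produces. The trade-off is the same one the paper's design has: a shell that starts and exits between two polls is missed, so the interval bounds what the monitor can see.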


Authors

Pipop Nuangpookka, Marymount University (no further profile information)

Zelalem Wudeneh Mengistu, Marymount University (no further profile information)

Ghada Bafail, Marymount University (no further profile information)

Paper information

Year published: 2020
Citations: 0
Country of publication: (not given)
Site: ACM