URL: https://blog.barracuda.com/2023/12/01/malware-101-file-system-evasion-memory-only-registry-resident
MALWARE 101: FILE SYSTEM EVASION — MEMORY-ONLY AND REGISTRY-RESIDENT

Dec. 1, 2023 | Jonathan Tanner

Malware is easiest to detect when it is written to disk or observed in transit,
since the file system and network traffic are both simple to monitor and to
scan for known-malicious content. With the exception of implants, network
traffic scans are difficult to avoid, but the file system can be avoided to a
degree. There are several techniques for doing so, of varying complexity.

Two such techniques, memory-only and registry-resident, are often referred to
as "fileless" malware. The term is almost as much a misnomer as "serverless,"
but it is a commonly used classification worth knowing. Just as "serverless"
code still runs on servers, only not ones the user has to provision, "fileless"
means that the malware is not stored as an ordinary file in the file system (or
that some layer of abstraction sits between the malware artifact and the file
system). "Fileless" malware still involves files: the payload is a file before
it is loaded, the initial infection almost certainly arrives as a file, and,
with the exception of memory-only variants, the malware does reside on disk in
some form.


HOW MEMORY-ONLY AND REGISTRY-RESIDENT MALWARE EVADES DETECTION

Memory-only malware, as the name implies, is loaded into memory rather than
residing on disk, typically by injecting malicious code into an existing
running process. Since malware cannot materialize in memory out of nowhere,
some form of file must still be used to load and execute it. This does,
however, make the final payload harder for anti-malware software to detect:
memory changes rapidly and there is no built-in notification when its contents
change, whereas a write to the file system generates events (file system filter
callbacks, for example) that anti-malware software can hook into and scan on.

The main drawback of this technique is that memory is cleared when the system
restarts, so the malware no longer exists unless some mechanism places it back
into memory, which can partly defeat the purpose of hiding it in memory in the
first place. This can also be a benefit if the objective of the malware is not
long-term: a restart wipes the artifact, whereas simply deleting a file leaves
behind remnants of the original (as discussed in the article about deleters).
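A memory-only payload still has to be put into a process, and that step is observable even though no file is ever scanned. The script below is added here as an illustration; it is not from the article or from any Barracuda tooling. It scores Sysmon-style process-access (Event ID 10) and remote-thread (Event ID 8) records for the two signs a cross-process injection leaves: the source opened the target with write-plus-thread-creation rights, and a thread was started at an address that no loaded module backs. The event lines, their flat key=value layout, the image paths and the small allowlist of benign sources are all constructed for the example.

```python
"""Score Sysmon-style telemetry for the traces cross-process injection leaves.

The event lines below are constructed for this example (a flat key=value
rendering rather than Sysmon's XML); the field names follow Sysmon's own."""

from collections import defaultdict

# Process access rights from winnt.h that an injector needs on its target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed allowlist of sources that legitimately open other processes with
# these rights on a typical host; tune it to the fleet, it is not exhaustive.
BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}


def parse_event(line):
    """Split 'Key=Value|Key=Value' into a dict using Sysmon's field names."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def check_event(ev):
    """Return (source, target, reason) if one event shows an injection signal."""
    src, dst = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if src.lower() == dst.lower() or src.lower() in BENIGN_SOURCES:
        return None
    if ev.get("EventID") == "10":
        # Event 10: a handle to another process was opened. Only the
        # combination write + VM operation + create thread matters here;
        # query-only masks such as 0x1000 or 0x1410 are everyday noise.
        granted = int(ev.get("GrantedAccess", "0"), 16)
        if granted & INJECT_RIGHTS == INJECT_RIGHTS:
            return src, dst, f"opened target with write+thread rights (0x{granted:X})"
    elif ev.get("EventID") == "8":
        # Event 8: CreateRemoteThread. An empty StartModule means the thread
        # begins in memory that no image on disk accounts for, which is the
        # hallmark of a payload that exists only in RAM.
        if not ev.get("StartModule"):
            return src, dst, f"remote thread at {ev.get('StartAddress')} is not backed by any module"
    return None


def analyze(lines):
    """Group signals per (source, target) pair; both signals on one pair is high."""
    findings = defaultdict(list)
    for line in lines:
        if line.strip():
            hit = check_event(parse_event(line))
            if hit:
                findings[(hit[0], hit[1])].append(hit[2])
    return {
        pair: {"severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons}
        for pair, reasons in findings.items()
    }


# Constructed sample: one full injection sequence, one lone unbacked thread,
# and three benign records that a naive "any cross-process access" rule would flag.
SAMPLE_EVENTS = r"""
EventID=10|SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe|TargetImage=C:\Windows\explorer.exe|GrantedAccess=0x1FFFFF
EventID=8|SourceImage=C:\Users\alice\AppData\Local\Temp\update.exe|TargetImage=C:\Windows\explorer.exe|StartAddress=0x000001C4A3F20000|StartModule=|StartFunction=
EventID=8|SourceImage=C:\Windows\System32\rundll32.exe|TargetImage=C:\Windows\System32\svchost.exe|StartAddress=0x00000213F0A10000|StartModule=|StartFunction=
EventID=10|SourceImage=C:\Windows\System32\wbem\WmiPrvSE.exe|TargetImage=C:\Windows\System32\svchost.exe|GrantedAccess=0x1410
EventID=8|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Program Files\App\app.exe|StartAddress=0x00007FFB1A2B3C40|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=RtlUserThreadStart
EventID=10|SourceImage=C:\Program Files\Editor\editor.exe|TargetImage=C:\Windows\System32\notepad.exe|GrantedAccess=0x1000
""".strip().splitlines()

if __name__ == "__main__":
    for (src, dst), info in analyze(SAMPLE_EVENTS).items():
        print(f"[{info['severity']}] {src} -> {dst}")
        for reason in info["reasons"]:
            print("   ", reason)
```

Event ID 10 on its own is noisy on a real host, which is why the rule keys on the exact rights an injector needs and escalates only when the same source/target pair also shows a thread starting outside any module. A restart clears the injected code, as the text notes, but these records survive in the log, so they are the place to look once the memory itself is gone.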

The Windows registry is essentially a hierarchical key-value store (a type of
database). It typically holds user preferences and settings used by the
operating system and installed software, but anything conforming to the storage
format can be stored in it, including malware. By storing the payload in a
registry value instead of on the file system, attackers evade anti-malware
solutions that do not check the registry for this technique. The registry
itself is still stored on disk in hive files, but there is an extra layer of
abstraction between the payload and the file system. The stored payload is
then typically set to launch at startup, for example through an autorun entry
whose command reads the value back and executes it.


USING SYSTEM-PROVIDED TOOLS TO HIDE

To make detection harder still, memory-only and registry-resident malware
typically uses tools provided by the operating system as much as possible, an
approach referred to as "living off the land." This reduces the amount of
bespoke code, and especially code easily distinguishable as malicious, that
signatures and static analysis could catch. For example, a simple backdoor
needs little more than a listening port, which is common among legitimate
software and a feature the operating system provides through its networking
libraries.

Using only system-provided tools and features can limit capabilities somewhat,
especially on Linux, where different distributions may not bundle as many
libraries by default. Windows, however, ships a wide variety of libraries that
software (and malware) can use without worrying about whether a particular
library was installed by the OS itself or as a dependency of some other
installed software.
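The registry-resident technique described earlier and the living-off-the-land launchers it relies on leave a trail that can be checked offline. The script below is added here as an illustration; it is not from the article or from any Barracuda product. It parses a .reg export of the autorun keys plus whatever keys those entries reference, and flags three things: an autorun command that runs through a built-in script host with decode-and-execute arguments, a string value large enough to be an encoded script, and a binary value that begins with an MZ header. The embedded export, the ExampleVendor key, the value names and the byte sequences are all constructed for the example, not indicators from any real sample.

```python
"""Flag registry-resident payloads and living-off-the-land launchers in a .reg export.

Export the autorun keys (reg export HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run run.reg)
plus any key a launcher references, then run this over the files. The export
embedded below is constructed for this example; the vendor key, value names
and payload bytes are placeholders."""

import base64
import re

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)(Ex)?$", re.I)
LOLBINS = re.compile(r"\b(powershell|pwsh|mshta|rundll32|regsvr32|wscript|cscript|cmd)(\.exe)?\b", re.I)
# Argument patterns that rarely belong in a legitimate autorun command line.
SUSPICIOUS = [
    (re.compile(r"\s-e(c|n|nc|ncodedcommand)?\s", re.I), "encoded PowerShell command"),
    (re.compile(r"frombase64string|\biex\b|invoke-expression", re.I), "decode-and-evaluate in the launcher"),
    (re.compile(r"(get-itemproperty|\bgp\b)[^|]*hk(cu|lm):", re.I), "launcher reads its payload back from the registry"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"(javascript|vbscript):|/i:https?:", re.I), "script protocol or remote scriptlet argument"),
]
BASE64_BLOB = re.compile(r"^[A-Za-z0-9+/=]{1024,}$")


def parse_reg(text):
    """Yield (key, value_name, kind, data) for every value in a .reg file."""
    # A trailing backslash continues a hex value on the next line; join first.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^("((?:[^"\\]|\\.)*)"|@)=(.*)$', line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) == "@" else m.group(2)
        rhs = m.group(3)
        if len(rhs) >= 2 and rhs[0] == '"' and rhs[-1] == '"':
            # REG_SZ: undo the \\ and \" escapes the export applied.
            yield key, name, "string", re.sub(r"\\(.)", r"\1", rhs[1:-1])
        elif rhs.lower().startswith("dword:"):
            yield key, name, "dword", int(rhs[6:], 16)
        elif re.match(r"hex(\(\d+\))?:", rhs, re.I):
            # REG_BINARY and the other hex(n) types; MZ at offset 0 is a PE image.
            yield key, name, "binary", bytes.fromhex(rhs.split(":", 1)[1].replace(",", ""))


def assess(text):
    """Return a list of findings: which value, under which key, and why."""
    findings = []
    for key, name, kind, data in parse_reg(text):
        reasons = []
        if kind == "string" and AUTORUN_KEY.search(key):
            # A script host alone in Run is ordinary; require suspicious arguments too.
            launcher = LOLBINS.search(data)
            hits = [why for pattern, why in SUSPICIOUS if pattern.search(data)]
            if launcher and hits:
                reasons.append(f"autorun launched via {launcher.group(0)}")
                reasons.extend(hits)
        if kind == "string" and BASE64_BLOB.match(data):
            reasons.append(f"{len(data)}-char base64-like blob stored as a value")
        if kind == "binary" and data[:2] == b"MZ":
            reasons.append(f"{len(data)}-byte PE image (MZ header) stored as a value")
        if reasons:
            findings.append({"key": key, "value": name, "reasons": reasons})
    return findings


# Constructed export: one benign autorun, one launcher that pulls an encoded
# script out of a second key, and that key holding the script plus a PE stub.
ENCODED_SCRIPT = base64.b64encode(b"Write-Host 'placeholder payload';" * 60).decode()
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SyncClient"="\"C:\\Program Files\\SyncClient\\sync.exe\" /background"
"Updater"="powershell.exe -w hidden -nop -c \"iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\ExampleVendor\\Cache').Data)))\""

[HKEY_CURRENT_USER\Software\ExampleVendor\Cache]
"Data"="''' + ENCODED_SCRIPT + r'''"
"Loader"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,\
  00,00,40,00,00,00
"Version"=dword:00000001
'''

if __name__ == "__main__":
    for finding in assess(SAMPLE_REG):
        print(f"{finding['key']} -> {finding['value']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

The launcher heuristics deliberately require both a system-provided binary and a suspicious argument, since powershell.exe by itself in a Run key is unremarkable; the interesting signal is a built-in tool reading its own payload back out of the registry and evaluating it. The 1024-character threshold and the autorun key list are starting points to tune; Winlogon and service entries are other common homes for such launchers.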

Hiding malware in memory or the Windows registry can be a very effective
evasion technique. For example, Duqu 2.0 was a memory-only worm and spyware
that managed to infect numerous telecom companies as well as a company that
makes anti-malware software. By hiding "deeper" in the system, attackers can
more easily evade some anti-malware solutions.

However, memory and the Windows registry are still places that anti-malware
software can inspect relatively easily if it is written to do so (especially
the registry). Even more sophisticated evasion techniques burrow deeper into
the system; those are covered in part two of file system evasion.

You can read the rest of the Malware 101 series here.

Jonathan Tanner

Jonathan is a Senior Security Researcher at Barracuda Networks. Connect with him
on LinkedIn here.

Related Posts:
Malware 101: Detection and remediation
Malware 101: Prevention
Malware 101: File system evasion — rootkits and bootkits
Malware 101: Using logic bombs to evade detection