
Malware 101: File system evasion — memory-only and registry-resident
Malware detection is easiest when the malware is written to disk or is in transit, since both the file system and network traffic are simple to observe and to scan for the presence of malware. With the exception of implants, it is difficult to avoid network traffic scans, but the file system can be avoided to some extent. There are a few different techniques for achieving this, of varying complexity.
Two such techniques, memory-only and registry-resident, are often referred to as "fileless" malware, which is almost as much a misnomer as "serverless," but is nonetheless a commonly used classification term worth knowing. Just as "serverless" software still runs on servers, only not ones the user has to provision, "fileless" malware is still backed by storage somewhere; the term refers to the malware not being stored as an ordinary file in the file system (or to there being some layer of abstraction between the malware artifact and the file system). "Fileless" malware always involves files in some sense: the malware artifact is technically a file, the initial infection method is almost certainly a file, and, with the exception of memory-only variants, the malware does reside on disk in some form.
How memory-only and registry-resident malware evades detection
Memory-only malware, as the name implies, is loaded into memory rather than residing on disk, typically by injecting malicious code into a process that is already running. Since malware cannot materialize in memory out of nowhere, some form of file (a document, a script, or a downloader) must be used to load and execute it. Once loaded, however, the final payload is much harder for anti-malware software to detect: scanning memory is a daunting task, because its contents change rapidly and there is no notification mechanism for those changes, whereas writing a file to disk generates events (for example through file system filter drivers) that anti-malware software can hook into and scan synchronously.
The main drawback of this evasion technique, however, is that memory is cleared when the system restarts, so the malware will no longer exist unless some mechanism is in place to load it into memory again, which somewhat defeats the purpose of hiding it in memory in the first place. Of course, this can also be a benefit if the objective of the malware is not long-term persistence: a restart wipes the malware artifact, whereas simply deleting a file leaves remnants of the original on disk (as discussed in the article about deleters).
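The scanning difficulty described above is usually tackled by walking a process's committed memory regions and looking for executable code that no file on disk backs. The following is an added example (not code from the original article or from any product it mentions) of that heuristic in Python, run over constructed region records; the Region type and the sample regions are assumptions that stand in for what VirtualQueryEx, GetMappedFileNameW and ReadProcessMemory would return on a live Windows host.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page protections as reported in MEMORY_BASIC_INFORMATION.Protect by VirtualQueryEx.
EXECUTABLE = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
              "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
WRITABLE_AND_EXECUTABLE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class Region:
    """One committed memory region of a process, as a scanner would see it.

    Hypothetical record type: the fields mirror what VirtualQueryEx,
    GetMappedFileNameW and ReadProcessMemory return, but every value in
    this example is constructed, not captured from a real process.
    """
    base: int
    size: int
    protect: str               # e.g. "PAGE_EXECUTE_READ"
    region_type: str           # "MEM_IMAGE", "MEM_MAPPED" or "MEM_PRIVATE"
    mapped_path: Optional[str] # backing file for MEM_IMAGE/MEM_MAPPED, else None
    head: bytes                # first bytes of the region


def region_findings(r: Region) -> List[str]:
    """Return the reasons a region looks like injected code (empty if none)."""
    hits: List[str] = []
    if r.protect not in EXECUTABLE:
        return hits  # data-only memory is out of scope for this heuristic
    if r.region_type == "MEM_PRIVATE":
        # Executable code that no file on disk backs: the hallmark of a
        # memory-only payload (and also of JIT compilers, hence triage).
        hits.append("exec-private")
    if r.protect in WRITABLE_AND_EXECUTABLE:
        hits.append("rwx")  # the normal loader maps code read-only
    if r.head.startswith(b"MZ") and r.region_type != "MEM_IMAGE":
        # A PE header outside an image section means something mapped a
        # module by hand instead of letting the loader do it from a file.
        hits.append("pe-header-outside-image")
    return hits


def scan_process(regions: List[Region]) -> Dict[int, List[str]]:
    """Map region base address -> findings for every suspicious region."""
    result: Dict[int, List[str]] = {}
    for r in regions:
        findings = region_findings(r)
        if findings:
            result[r.base] = findings
    return result


# Constructed regions for one process (sample data, not a real capture).
SAMPLE_REGIONS = [
    Region(0x7FF8_1000_1000, 0x11F000, "PAGE_EXECUTE_READ", "MEM_IMAGE",
           r"C:\Windows\System32\ntdll.dll", b"\x48\x89\x5c\x24\x08"),  # loaded DLL
    Region(0x1A2B_0000, 0x10000, "PAGE_READWRITE", "MEM_PRIVATE",
           None, b"\x00" * 8),                                           # heap
    Region(0x2000_0000, 0x4000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE",
           None, b"MZ\x90\x00\x03\x00\x00\x00"),                         # manually mapped PE
    Region(0x3000_0000, 0x1000, "PAGE_EXECUTE_READ", "MEM_PRIVATE",
           None, b"\xfc\x48\x83\xe4\xf0"),                               # position-independent stub
    Region(0x1B00_0000, 0x20000, "PAGE_EXECUTE_READWRITE", "MEM_PRIVATE",
           None, b"\x55\x48\x8b\xec"),                                   # JIT code heap (benign)
]

if __name__ == "__main__":
    for base, findings in scan_process(SAMPLE_REGIONS).items():
        print(f"{base:#018x}: {', '.join(findings)}")
```

The last sample region is there on purpose: a .NET or JavaScript JIT code heap is also private, writable and executable, so an alert on "exec-private" alone needs triage (for example, checking whether the process is expected to host a JIT) rather than automatic quarantine. The same logic is what memory-forensics tooling such as Volatility's malfind plugin applies to a captured memory image.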
The Windows registry is essentially a hierarchical key-value store (a type of database). It typically holds user preferences and configuration used by the operating system and installed software, but anything conforming to the storage format can be placed in a registry value, including a malware payload stored as an encoded script or a binary blob. By storing the payload in the registry instead of on the file system, attackers can evade anti-malware solutions that do not inspect registry contents for this technique. While the registry itself is still stored on disk as hive files, keeping malware there adds a layer of abstraction compared to writing it to the file system directly. The payload can then be set to launch when the system starts up, typically through an autorun entry that invokes a built-in script host to read the stored value and execute it.
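Because a registry-stored payload still has to be launched by something, the loader entry is where a defender usually catches it: an autorun value that invokes a built-in script host, hides its window, passes an encoded command, or reads another registry value. The following is an added example (not the article's own code) in Python that applies those checks to constructed autorun entries and registry values. The entry names, key paths and payload blob are made up for the example; on a real host the same data would come from the Run keys via PowerShell's Get-ItemProperty or Python's winreg module. It goes one step beyond the text by also decoding PowerShell's -EncodedCommand argument, since that is where the registry read is usually hidden.

```python
import base64
import re
from typing import Dict, List, Tuple, Union

# Built-in script hosts and proxy executables that can run a payload read
# from the registry without anything new being written to disk.
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript",
                "rundll32", "regsvr32", "cmd.exe")
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
REGISTRY_READ = re.compile(r"RegRead|Get-ItemProperty(?:Value)?|HKCU:|HKLM:|HKEY_", re.I)
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def decode_encoded_command(command: str) -> str:
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE text)."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def autorun_indicators(command: str) -> List[str]:
    """Indicators that an autorun command is a loader for a registry-stored payload."""
    hits: List[str] = []
    lowered = command.lower()
    if any(host in lowered for host in SCRIPT_HOSTS):
        hits.append("script-host")
    if ENCODED_FLAG.search(command):
        hits.append("encoded-command")
    if HIDDEN_WINDOW.search(command):
        hits.append("hidden-window")
    # Look for the registry read both in the visible command line and
    # inside the decoded -EncodedCommand payload, if there is one.
    decoded = decode_encoded_command(command)
    if REGISTRY_READ.search(command) or REGISTRY_READ.search(decoded):
        hits.append("reads-registry")
    return hits


def looks_like_stored_payload(data: Union[str, bytes]) -> bool:
    """True if a registry value's data looks like code rather than configuration."""
    if isinstance(data, bytes):
        return data.startswith(b"MZ")  # a raw PE image in a REG_BINARY value
    m = BASE64_BLOB.search(data)
    if not m:
        return False
    try:
        base64.b64decode(m.group(0), validate=True)  # reject near-misses
    except ValueError:
        return False
    return True


def scan(autoruns, values) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (suspicious autorun entries -> indicators, value paths that look like payloads)."""
    loaders: Dict[str, List[str]] = {}
    for _key, name, cmd in autoruns:
        indicators = autorun_indicators(cmd)
        if indicators:
            loaders[name] = indicators
    payloads = [f"{key}\\{name}" for key, name, data in values if looks_like_stored_payload(data)]
    return loaders, payloads


# Constructed sample data (made up for this example, not from a real system).
PAYLOAD_BLOB = base64.b64encode(b"\x90" * 200).decode()  # stands in for an encoded script
ENCODED_READ = base64.b64encode(
    "IEX (Get-ItemProperty HKCU:\\Software\\Updater).Payload".encode("utf-16-le")).decode()

AUTORUNS = [  # (key, value name, command), as read from the Run keys
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -w hidden -nop -enc " + ENCODED_READ),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Sync",
     r"mshta.exe javascript:eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\Sync\\Payload'))"),
]
VALUES = [  # (key, value name, data) for values outside the autorun keys
    (r"HKCU\Software\Updater", "Payload", PAYLOAD_BLOB),
    (r"HKCU\Software\Sync", "Payload", b"MZ\x90\x00" + b"\x00" * 60),
    (r"HKCU\Software\Updater", "Version", "1.4.2"),
]

if __name__ == "__main__":
    loaders, payloads = scan(AUTORUNS, VALUES)
    for name, indicators in loaders.items():
        print(f"autorun {name}: {', '.join(indicators)}")
    for path in payloads:
        print(f"payload-like value: {path}")
```

Note that the two benign entries produce no indicators even though one of them is itself an autorun, and that the "Updater" entry only reveals its registry read after the encoded command is decoded; a scanner that matches on the visible command line alone would see just a hidden PowerShell window. Pairing each flagged loader with a payload-like value under the key it references is what turns a heuristic hit into an actionable finding.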
Using system-provided tools to hide
To make detection even more difficult, memory-only and registry-resident malware will typically use tools provided by the operating system as much as possible, an approach referred to as "living off the land." This reduces the amount of custom code, and especially code easily distinguishable as malicious, that signatures and static analysis can detect. For example, a simple backdoor only requires opening a listening port, which is common among legitimate software and a capability the operating system already provides through its networking libraries.
Using only system-provided tools and features can somewhat limit capabilities, especially for Linux where different distributions may not bundle as many libraries by default. Windows, however, has a wide variety of libraries available for software (and malware) to utilize without worrying about whether or not a particular library has been installed either by the OS itself or as a dependency of the software installed on the system.
Hiding malware in memory or the Windows registry can be a very effective evasion technique. For example, Duqu 2.0 was a memory-only worm and spyware that managed to infect numerous telecom companies as well as a company that makes anti-malware software. By hiding malware "deeper" in the system, attackers can more easily evade some anti-malware solutions.
However, memory and the Windows registry are still places that anti-malware software can access relatively easily if it is programmed to do so (especially the registry). More sophisticated evasion techniques burrow even deeper into the system; these will be covered in part two of file system evasion.
You can read the rest of the Malware 101 series here.