Malware is ever-evolving as attackers develop new variants to bypass or defeat enterprise network security defenses. Fileless malware, in particular, has created headlines in recent years thanks to its ability to bypass several of the protections employed by traditional antivirus solutions.
The vaporworm threat has now emerged as the next evolution of malware. It combines the subtlety of fileless malware with the extensibility and adaptability of self-spreading worms.
Traditional malware and antivirus systems are both file-focused. Traditional malware infects a computer when an executable file is downloaded and run. These files are inadvertently downloaded through an array of attack vectors such as phishing emails, web application vulnerabilities, etc.
Traditional antivirus (AV) solutions are effective against these types of malware because they scan each file on the system and compare them to known “signatures” of malicious files. If a file matches the signature, it is quarantined and deleted.
Fileless malware was developed to defeat this file-focused technique.
This type of malware operates entirely within the computer’s memory. By never writing itself to disk, it evades traditional file-focused antivirus software.
Fileless malware accomplishes its goals by abusing powerful tools that are built into most systems (such as PowerShell) and that legitimate administrators use every day. Because it runs from memory rather than from a file written to disk, it is stealthier and harder to detect than its traditional cousins.
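As an added example (not code from the original article), the following Python script shows the kind of check a defender can run over PowerShell process command lines to spot in-memory execution that file scanning would miss. The command lines are constructed samples, and the indicator patterns are assumptions chosen for illustration rather than a complete detection ruleset.

```python
import base64
import re
from typing import Optional

# Coarse indicators of in-memory ("fileless") PowerShell use, for triage only.
INDICATORS = {
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    "download_cradle": re.compile(r"downloadstring|downloadfile|net\.webclient|invoke-webrequest", re.I),
    "base64_decode": re.compile(r"frombase64string", re.I),
}
ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the -EncodedCommand payload (PowerShell uses base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: nothing to scan beyond the raw command line


def analyze(cmdline: str) -> dict:
    """Score one command line; an encoded payload is decoded and scanned as well."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    # Two or more indicators together is the (assumed) threshold worth an analyst's time.
    return {"decoded": decoded, "hits": hits, "suspicious": len(hits) >= 2}


def _encode(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation command lines, not real telemetry.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
    + _encode("Invoke-Expression (New-Object Net.WebClient).DownloadString($url)"),
    "powershell.exe -Command Get-ChildItem C:\\Logs | Measure-Object",
    'powershell.exe -w hidden -c "Get-Date"',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze(line)["hits"], line[:60])
```

The first sample is flagged only because the encoded payload is decoded before scanning; the raw command line alone shows just the hidden window and encoding flags.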
While fileless malware is dangerous, vaporworms take the threat to the next level. A vaporworm is a fileless malware variant with the added ability to propagate itself without human interaction.
WannaCry and NotPetya are examples of worms. These malware variants don’t rely on phishing or other human-aided mechanisms to spread. Instead, they exploit vulnerabilities in systems to infect them.
For example, WannaCry used the EternalBlue exploit developed by the National Security Agency. This exploit leveraged vulnerabilities in the Server Message Block (SMB) protocol used for file sharing on Windows devices.
Instead of generating phishing emails and trying to collect clicks, worm authors develop and launch their malware. It then spreads on its own by scanning for vulnerable devices and sending copies of itself to them for execution.
WatchGuard Technologies’ info security predictions for 2019 highlight the severity of this threat.
Cyber criminals are continuing to reshape the threat landscape as they update their tactics and escalate their attacks against businesses, governments and even the infrastructure of the internet itself.
WatchGuard Technologies CTO Corey Nachreiner
When defending against any worm variant, a proactive approach is important.
Identify and Patch Vulnerabilities: This type of malware spreads by identifying and exploiting vulnerabilities in your systems. Failing to identify and patch any of the vulnerabilities currently being exploited by worms may result in your systems being infected with malware.
Vulnerability Scanning: With vaporworms, performing daily vulnerability scans is imperative. Since vaporworms are unlikely to be detected by traditional antivirus, once one gets onto a device there is a high probability that it will remain until removed by an expert.
Penetration Testing: Pen testing is another effective way to defend against vaporworms. A pen test is a simulated cyber attack that identifies vulnerabilities in your systems before the bad actors do. Also known as ethical hacking, a pen test includes manual analysis by a security analyst, or white hat, to identify flawed logic, misconfigurations, vulnerability chaining, and more, and to determine the security impact to your business.