Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Wednesday, August 3 • 14:30 - 15:00
Latest evasion techniques in fileless malware


This talk will dive into the latest file-less malware: how such malware hides via new evasion techniques, how those techniques have been applied in recent attacks, and what other ways future file-less malware could hide to evade detection.

In the past, malware developers have implemented different techniques to circumvent detection of their malicious code. For instance, memory-resident malware loads its code into the memory of legitimate processes, even operating system files, while rootkit malware cloaks itself in the kernel.

Unlike their predecessors, the new types of file-less malware no longer drop small compiled binaries on the compromised system during their malicious activities. Instead, they proceed with their attack directly from the Windows registry, in a truly file-less manner, by destroying any temporary traces of themselves on the file system before executing the malicious code. These techniques have made such malware better at evading detection. To understand these new techniques further, different file-less malware examples such as Kovyer, Poweliks, XseKit, Kovter, corBOT, etc. will be examined.
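One practical consequence of the registry-resident approach described above is that the autorun value itself becomes the only durable artifact: it typically just launches a script host (rundll32 with a javascript: URL, mshta, or an encoded PowerShell command) that reads the real payload back out of another registry value. The following is an added example, not code from the talk or from any of the families it names: a small scanner that parses a constructed .reg-style export of a Run key, decodes any -EncodedCommand argument, and flags values matching that loader pattern. The sample export, the value names and the registry paths in it are all invented for illustration.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample input, not data from the talk: a .reg-style export of a
# user's Run key. "OneDrive" is an ordinary application autostart; "a",
# "Updater" and "b" imitate the documented Poweliks/Kovter pattern, where
# the autorun value only starts a script host and the real payload is read
# from another registry value instead of from a file on disk.
_ENC_PAYLOAD = 'iex (gp "HKCU:\\Software\\Classes\\xyz").p'
_ENC = base64.b64encode(_ENC_PAYLOAD.encode("utf-16le")).decode("ascii")

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"a"="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";eval(new ActiveXObject(\"WScript.Shell\").RegRead(\"HKCU\\\\Software\\\\Classes\\\\xyz\\\\(Default)\"))"
"Updater"="mshta \"javascript:o=new ActiveXObject('WScript.Shell');eval(o.RegRead('HKCU\\\\Software\\\\Classes\\\\abc\\\\(Default)'))\""
''' + '"b"="powershell.exe -NoP -W Hidden -Enc ' + _ENC + '"\n'

KEY_LINE = re.compile(r'^\[(.+)\]$')
# "name"="data" with .reg escaping: \\ for a backslash, \" for a quote.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Hosts that run code handed to them on the command line or from the registry.
SCRIPT_HOSTS = re.compile(
    r'\b(rundll32|mshta|powershell|pwsh|wscript|cscript|regsvr32)(\.exe)?\b', re.I)

INDICATORS = [
    (re.compile(r'javascript:', re.I), "javascript: URL passed to a script host"),
    (re.compile(r'mshtml\s*,\s*RunHTMLApplication', re.I),
     "rundll32 loading mshtml/RunHTMLApplication"),
    (re.compile(r'\bRegRead\b|Get-ItemProperty|\bgp\b|HKCU[:\\]|HKLM[:\\]', re.I),
     "payload fetched from another registry value"),
    (re.compile(r'-(w|windowstyle)\s+hidden', re.I), "hidden window"),
    (re.compile(r'-(e|ec|enc|encodedcommand)\b', re.I), "encoded PowerShell command"),
]
ENC_ARG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)', re.I)


def _unescape(s: str) -> str:
    # Undo .reg escaping: "\x" becomes "x" for any character x.
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every string value in the export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            entries.append((key, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries


def decode_encoded_command(data: str) -> str:
    """Recover the plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE)."""
    m = ENC_ARG.search(data)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def scan_reg_export(text: str) -> List[Dict[str, object]]:
    """Flag autorun values that look like registry-resident loaders."""
    findings = []
    for key, name, data in parse_reg_export(text):
        decoded = decode_encoded_command(data)
        reasons = []
        if SCRIPT_HOSTS.search(data):
            reasons.append("autorun value starts a script host rather than an application")
        for pattern, why in INDICATORS:
            # Match against both the raw value and the decoded PowerShell text.
            if pattern.search(data + " " + decoded):
                reasons.append(why)
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "decoded": decoded, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG_EXPORT):
        print(f"[{f['key']}] {f['name']!r}")
        for why in f["reasons"]:
            print("   -", why)
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

Two caveats for anyone adapting this. First, it only covers the Run key and string values; the same loader pattern can sit under RunOnce, Winlogon, scheduled tasks or a class handler, so the key list should be enumerated from a real export rather than hard-coded. Second, a value name that begins with a null character, a trick Kovter used to make its entry invisible in regedit, never makes it into a .reg export at all, so an exported view must be cross-checked against a raw enumeration of the key through the Win32 registry API.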

In the modern computing world, achieving a moderate degree of persistence has become easier from a malware perspective: devices remain online for longer periods and tend to go to sleep rather than reboot, so malicious code can keep running for days. In that context, the fact that file-less malware may need to trade persistence for stealth is much less of a problem, and it makes this class of malware well suited to attacks whose success does not depend on long-term persistence. Ransomware, for instance, only needs to stay alive long enough to encrypt the original files, remove them, and demand a ransom. By contrast, in attacks where the malware must remain undetected for months or even years, as in long-term information gathering, relying solely on file-less evasion techniques may be far less effective.


Andrew Hay

CISO, DataGravity
Andrew Hay is the CISO at DataGravity, where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at OpenDNS...


Wednesday August 3, 2016 14:30 - 15:00
Proving Ground Florentine E