New Windows fileless fly-by viruses out there

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
9,086
https://thehackernews.com/2019/09/windows-fileless-malware-attack.html

There's a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? That's because, first, it's an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code.
 

DrLobotomy

Supreme [H]ardness
Joined
May 19, 2016
Messages
6,736
The infection begins when malicious ads drop HTML application (HTA) file on users' computers, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.

So it isn't fileless.
 

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
9,086
"fileless"
It was a quote of Hacker news, complain to them...

Hacker News said:
This means that the malware doesn't rely on any vulnerability exploit or traditional trojan downloader to download anything on the targeted system. Instead, it completely relies on system tools and commands during its entire attack chain to masquerade as a regular activity.
 

notarat

2[H]4U
Joined
Mar 28, 2010
Messages
2,292
So an easy work-around would be to change the file association of HTA to Notepad to prevent the "malicious" HTA file from running said java scripts and powershell commands...
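The workaround above, as an added audit-and-hardening script that is not part of the thread or the article: it reads the command the Windows shell runs for an .hta file (assumed here to resolve through the standard `htafile` ProgID, whose open verb normally points at mshta.exe), flags whether mshta.exe is still the handler, and optionally redirects the verb to Notepad. The function names and the registry path used are assumptions, and changing the handler requires an elevated shell.

```powershell
# Added example (not from the forum post). Assumes a Windows host where .hta
# files resolve through the standard "htafile" ProgID and its shell\open\command.
$HtaCommandKey = 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command'

function Get-HtaHandler {
    # Returns the command line run when an .hta file is opened from the shell,
    # plus a flag telling whether it still launches mshta.exe.
    $cmd = (Get-ItemProperty -Path $HtaCommandKey -ErrorAction Stop).'(default)'
    [pscustomobject]@{
        Command   = $cmd
        UsesMshta = $cmd -match 'mshta\.exe'
    }
}

function Set-HtaHandlerToNotepad {
    # Points the .hta open verb at Notepad so a double-clicked HTA is displayed
    # as text instead of executed. Writes HKCR, so run from an elevated shell.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $notepad = Join-Path ([Environment]::GetFolderPath('System')) 'notepad.exe'
    $newCmd  = "`"$notepad`" `"%1`""
    if ($PSCmdlet.ShouldProcess($HtaCommandKey, "set default value to $newCmd")) {
        Set-ItemProperty -Path $HtaCommandKey -Name '(default)' -Value $newCmd
    }
}

# Audit first; only change the handler deliberately.
$handler = Get-HtaHandler
if ($handler.UsesMshta) {
    Write-Warning "HTA files still execute via mshta.exe: $($handler.Command)"
} else {
    Write-Output "HTA handler already redirected: $($handler.Command)"
}
# Set-HtaHandlerToNotepad -WhatIf   # preview the registry change
# Set-HtaHandlerToNotepad           # apply it (elevated prompt)
```

Two caveats when relying on this: a per-user override under HKCU\Software\Classes takes precedence over the HKCR entry, so an audit should check both hives, and mshta.exe itself is still on the machine and can be launched directly by a script, so blocking the binary through application control (AppLocker or WDAC) is the more robust control; the association change only stops the double-click path the post describes.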
 

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
9,086
So an easy work-around would be to change the file association of HTA to Notepad to prevent the "malicious" HTA file from running said java scripts and powershell commands...
That's almost what Outlook etc. does on Windows - break functionality and stop users from using them to stop the attacks :)
 

auntjemima

[H]F Junkie
Joined
Mar 1, 2014
Messages
8,212
Yawn, wrong sensationalist info from a Linux fanatic about windows. Who'd have thought!?

Pretty much waited for the thread to implode. His usually do. Rushes to post whatever he can against Windows without reading anything. Then replies with "well, they wrote the article, not me!".

Genius.
 

jardows

2[H]4U
Joined
Jun 10, 2015
Messages
2,052
Apparently not. The reality is that every antivirus is playing catch up.
I remember when the Monkey virus was making rounds, infecting computers with up-to-date AV installed. This was in the DOS 6.22 days.

Considering this virus is (once again) something that has to be manually run by the user, the best anti-virus is the link between your brain and your keyboard.
 

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
9,086
I remember when the Monkey virus was making rounds, infecting computers with up-to-date AV installed. This was in the DOS 6.22 days.

Considering this virus is (once again) something that has to be manually run by the user, the best anti-virus is the link between your brain and your keyboard.
Which part of the fly-by nature of the infection didn't you understand? For ages flaws in document preview, office products etc. have been utilised to perform attacks where the user only needs to receive an e-mail or view a JPG image or an ad with javascript. All that is required is for you to browse regular internet sites that have images or associated javascript. Any regular site can host a malicious ad or javascript through many possibilities. Sometimes the site itself got hacked, sometimes the ad distribution system was poisoned with a malicious payload... The site maintainer has zero knowledge that his source of ad revenue is actually infecting many or all of the visitors of his site. Worms utilise flaws in network protocols and distribute themselves completely autonomously.

If you think you're safe when you're not clicking something yourself, boy you have a lot to learn.

It's nasty for web site owners but leaving javascript and ads enabled to produce them income is akin to having sex with multiple strangers with no protection. Sure you can eat bottles of antibiotics to prevent VD until you catch one which is resistant.
 

jardows

2[H]4U
Joined
Jun 10, 2015
Messages
2,052
Which part of the fly-by nature of the infection didn't you understand? For ages flaws in document preview, office products etc. have been utilised to perform attacks where the user only needs to receive an e-mail or view a JPG image or an ad with javascript. All that is required is for you to browse regular internet sites that have images or associated javascript. Any regular site can host a malicious ad or javascript through many possibilities. Sometimes the site itself got hacked, sometimes the ad distribution system was poisoned with a malicious payload... The site maintainer has zero knowledge that his source of ad revenue is actually infecting many or all of the visitors of his site. Worms utilise flaws in network protocols and distribute themselves completely autonomously.

If you think you're safe when you're not clicking something yourself, boy you have a lot to learn.

It's nasty for web site owners but leaving javascript and ads enabled to produce them income is akin to having sex with multiple strangers with no protection. Sure you can eat bottles of antibiotics to prevent VD until you catch one which is resistant.
I'm not sure what part of this you consider to be new. This sort of risk has been present for quite a while. I even get Apple computers into the office that have been infected this way.

And, from the article:
The infection begins when malicious ads drop HTML application (HTA) file on users' computers, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.
For the virus to actually do anything, the .hta file has to be manually run. So this one is actually less dangerous than the viruses (especially ransomware) that could hijack the computer just by the mere presence of the malicious code on the web site. The specific technical mechanism of this virus may be new (new viruses are being developed constantly) but the basic premise of infection and prevention is the same.
 

B00nie

[H]F Junkie
Joined
Nov 1, 2012
Messages
9,086
I'm not sure what part of this you consider to be new. This sort of risk has been present for quite a while. I even get Apple computers into the office that have been infected this way.

And, from the article:

For the virus to actually do anything, the .hta file has to be manually run. So this one is actually less dangerous than the viruses (especially ransomware) that could hijack the computer just by the mere presence of the malicious code on the web site. The specific technical mechanism of this virus may be new (new viruses are being developed constantly) but the basic premise of infection and prevention is the same.
Ok you are correct, this specific attack requires the user to click something. However numerous attacks do not.
 