Table 2 Comparison between file-based malware and fileless malware
From: An emerging threat Fileless malware: a survey and research challenges
Techniques | Traditional file-based malware | Fileless malware |
|---|---|---|
Source code | Yes | No |
Malicious file | Yes | No |
Malicious process | Yes | No (Uses trusted OS processes) |
Complexity | Moderate | Very high |
Detection complexity | Moderate | Very high |
Persistence | Medium | Low |
File Types | • Executable files • Script embedded in a format that executes scripts (PDF, Word, Excel etc.,) | • JavaScrpt • WMI • PowerShell • Flash • WScript/ CScript |
Targets | Executable file with single targeted OS/ patch level combination | Can target many different OS/ path level combinations |
Obfuscation methods | • Encrypt file • Archive file • Executable file disguised as another type of file • Executable file embedded in another file | • Encoding • Escaped ASCII/ Unicode values • String splitting • Encryption • Randomization • Data obfuscation • Logic structure obfuscation • White space |
Anti-virus detection | Possible with known signature | Not possible |
Sandboxes detection | Physically availability of file | Not possible |
Behavior-based heuristics and unsupervised machine learning | File-based malware shows abnormal behavior in the system after compromising the targeted host. Hence, these systems are designed to detect such behavior. | Fileless attacks are designed to behave like a benign process in the system, so they may not alarm as an anomaly. Hence, very difficult to detect. |