back to article 'Fileless' malware installs into RAM

Researchers at Kaspersky Labs have found malware which, unusually, does not install any files on its victims PCs. The researchers aren’t quite sure how unusual it is, describing it as both “unique” and “very rare”, but no matter how scarce this type of malware is it does sound rather nasty as it “… uses its payload to inject …


This topic is closed for new posts.
  1. Sean Timarco Baggaley


    Would that be the same Java that isn't even included with a default OS X install any more?

    I haven't even bothered enabling Flash, let alone Java, in years. Neither are endorsed as standards by the W3C, so any website that cannot be viewed without either (or both) of them is clearly not standards-compliant. Such sites should be shunned until their developers get a clue.

    (In the interests of not feeding the anti-Apple trolls, I should probably mention that I also use Windows and, yes, Flash and Java are both absent from my Windows 7 partition too. I haven't missed them.)

    If you do get hit by this malware, you're holding the internet the wrong way.

    1. Test Man

      Re: Java?

      This would be the Java that you download for both Mac and Windows, although as the article suggests, the latest version offered on the website now is not vulnerable.

    2. Destroy All Monsters Silver badge

      Re: Java?

      "Java ... not endorsed as standard by the W3C"

      And what exactly would it mean for the W3C to "endorsed Java as standard"? And what would it endorse? The Bytecode and Class file defintions? A particular implementation of a JVM? The Java language? Version 1.5 or 1.6? The whole Java library coaltrain? What?

    3. Anonymous Coward
      Anonymous Coward

      Re: Java? - Please, please, please

      tell Cisco developers and others to stop using Java for the management GUI of their products so I can purge them from my machines.

      1. Gerhard Mack

        Re: Java? - Please, please, please

        Cisco is one reason I am nervous about installing Java updates ever since a security update a couple of years ago rendered Java incompatible with our Cisco firewall.

        1. Dr Who

          Re: Java? - Please, please, please

          Sorry about the TLAs but I've always thought that anyone who's serious about IOS uses the CLI not the GUI ...

          1. Anonymous Coward
            Anonymous Coward

            @Dr Who - Re: Java? - Please, please, please

            Although there are some aspects where CLI is king, sometimes big-iron corporate firewalls with thousands of network objects, rules, access-lists and crypto-maps are easier to handle via GUI. For example Packet Tracer and Packet Capture Wizard are invaluable troubleshooting tools that require a GUI.

      2. Frank Bitterlich
        Thumb Up

        Re: Java? - Please, please, please

        I strongly second that. Their Java GUI is a mess, unreliable, and, well, it uses Java. In short: I hate it.

    4. Irongut

      Re: Java?

      Java... not just for the internet.

      I have Java plugins disabled in all my browsers but I need to have the language for some cross platform software that uses it and Android development.

  2. Wile E. Veteran


    The language and "sandboxed" environment that was supposed to save us all from nasties by never running anything untrusted? The language that is supposed to take over the IT world because it is so safe and stable?

    Perish the thought!

    No Windows, No OSX, No penguins. Just daemons.

  3. P. Lee
    Big Brother

    Actually this is quite clever

    If you can infect a java system it is probably something that stays up for a long time and it you are better off re-infecting after a reboot than tipping-off AV or file integrity systems by trying to store something.

    Probably aimed at small-medium corporate systems rather than the home pc or large-enterprise with IDS.

    Of course, you restart your daemons regularly and use a SAN with r/o base systems and SAN mounted software installs so you can regularly check MD5 sums for malicious alterations, right?

  4. Dave Ashe

    How to protect yourself

    Disable Java in Firefox using Chris Pederick's Web Developer toolbar.

  5. I ain't Spartacus Gold badge

    Java got nuked off all my systems, after 2 drive-by downloads in the last 2 months. Both were stopped by the AV, but I'm still paranoid enough that I had to waste a few hours testing to make sure.

    Both times I was on the most up-to-date build.

    Does LibreOffice need Java, in the same way OpenOffice did? If so it might have to go back on the home PC - or I'll just use Google Docs for the very few times I need office-y stuff on it.

    1. Lord Elpuss Silver badge
      Thumb Up


      I've started using an iPad running OnLive Desktop when I need to go places on the web where I should really know better.

      The iPad is pretty much immune to anything currently out there, and the OnLive server instance I have is locked down and it's system files can't be modified so it's pretty much immune too. I believe the OnLive images are killed and rebuilt every night anyway.

      I admit it's not a replacement for a full PC setup, but I'm rapidly finding it my go-to solution for most things Internetty. Doesn't hurt that it gives me a 97Mbit download speed AND because the OnLive servers are based in the US, I can get Hulu and ABCPlayer wherever I am in the world.

      Downside; you do need a decent internet connection to connect to OnIive, so not a permanent solution for most people.

    2. Lallabalalla

      Well, they are essentially the same codebase, so...

      probably yes. Though I haven't tried nuking OOffice and installing Libre.

    3. Al Jones

      LibreOffice doesn't require Java

      Some Extensions still requires Java, but the standard Writer and Calc functionality works fine without a JRE installed..

  6. Koios


    I think it shows what absolute shite most people's patching habits are when a super slick piece of malware that doesn't drop any files to disk can be mated to a year old exploit and still be sucessful.

    This isn't a Windows/Mac/Oracle fail. It's a People fail.

  7. Anonymous Coward
    Anonymous Coward


    Windows - ever so secure!

    1. Koios
      Thumb Down

      Re: Ahhh!

      RTFA. It used a Java exploit.

    2. Blitterbug

      Re: Ahhh!


  8. Steve Mann


    Java is ubiquitous in the world these days for anything as it "makes the developer's life easy".

    IBM use it in their product lines, Symantec use it, hell, every bugger uses it. To think of it as something for internet use is to understate the problem by several orders of magnitude.

    And before people start wittering about Norton anti-virus, I'm referring to the enterprise level product lines there, stuff like Veritas.

    The tendency here seems to be more Java as time goes on, not less, and it's everywhere.

    1. Koios
      Thumb Up

      Re: Bah!

      Java is freaking everywhere in Enterprise. And you know why? Even though it is shite in so many ways it is easy to learn. Thus when you have damn near every CompSci grad and half the population of India with a basic knowledge of the language you can get by with paying crap wages to your coder drones.

  9. Ken Hagan Gold badge

    Installs the Lurk Trojan?

    How does this count as "not installing any files"? Sure, it doesn't install any of its own files, and it taken a somewhat indirect route to installing this one, but if it survives a reboot (which the article states is the point of the exercise) then that sounds a lot like a file to me.

    Now I could imagine a virus whose author was sufficiently confident of his ability to re-infect you after the reboot, who therefore chose not to install any files so as to increase the chances of going undetected. That would be an impressive piece of chutzpah and newsworthy.

    But this, I don't think so. On the evidence of this article, it is just another delivery mechanism for a bog-standard file-system-based Trojan.

    1. Steve the Cynic

      Re: Installs the Lurk Trojan?

      It's worse than that, actually, in the sense of lame-press-release territory. It's nothing more than the way this stuff has always been done, for as long as malware has spread itself via the Internet. All those tasty buffer-overflow bugs, from back in 2000 or even earlier, allowed the malevolent server to plant code into the browser process, and for that code to download other code, either to memory or to files on disk.

      Lame, lame, lame.

      FAIL icon for the people making the announcement.

    2. JohnG

      Re: Installs the Lurk Trojan?

      The Lurk bit is secondary - the initial part doesn't install any files but snarfs some user data (e.g. browser history) and sends it back to the mothership, where a decision is then made about installing Lurk.

  10. mark 63 Silver badge

    so it does install files?

    "That installation attempt is the malware’s key task, as living in RAM means fileless malware won’t survive a system reboot."

    Well yeah! I was keenly reading , interested to find out how the malware got over that hurdle , to discover it does infact install some files, somebody else's code too.

    so I'm not seeing the difference really.

    1. Richard 120

      Re: so it does install files?

      That's what this version does.

      What about the version that they haven't found yet, which just lives in RAM.

      If it's pervasive enough then the botnet could just run in RAM.

      And then when the JVM's die so too does that part of the botnet, so the body is dumped, no evidence.

  11. Anonymous Coward
    Anonymous Coward

    OS X Vulnerable?

    "uses its payload to inject an encrypted dll from the web directly into the memory of the javaw.exe process.”

    Seeing has how OS X has neither .dlls nor a javaw.exe process, how does it affect both Windows and OS X?

    1. Koios

      Re: OS X Vulnerable?

      This particular exploit would fail ... however a Mac with Java installed could be vulnerable to a Java exploit with a payload designed for a Mac.

  12. Robert Carnegie Silver badge

    It has been a while since Slammer

    January 2003: a RAM-resident worm attacking a patched vulnerability in Microsoft SQL Server. If you hadn't patched it, that is. Oh, and performing denial-of-service by drowning your network in infection attempts.


  13. Anonymous Coward
    Anonymous Coward

    Time between reboots?

    Wonder what the average time between reboots is on a laptop is these days? Suspect it gets longer and longer so allows for wider opportunities for this type of attack.

  14. Wile E. Veteran

    People forget

    As a rather wise member of corporate technical staff once noted: It doesn't matter what language, what application, what language, in the end it's all 1's and 0's.

    If you know what kind of CPU you're on and can grab some executable RAM, you can bypass anything.

  15. CyrixInstead

    No Minecraft?

    No Java? But how will I play Minecraft and Project Zomboid?

  16. CyrixInstead

    No Java?

    But how will I play Minecraft and Project Zomboid with no Java?

This topic is closed for new posts.

Other stories you might like