The latest trend when it comes to infecting a computer is to leave no trace on the machine itself. In fact, the goal is to bypass the antivirus solution entirely and use built-in features of the operating system as a way of running in the background. This type of attack is known as “fileless malware.”
Its goal is to remain hidden and beyond detection. It may use PowerShell or WMI, which are components of Windows, to launch specific programs such as the calculator. It will cause the calculator to run in the background, “hidden” from your eyes. All the while, the infection does whatever its designer created it to do. It can, for example, do reconnaissance on the system and gather personal information.
You may have the most advanced antivirus available today; you may run malware scanners every day and perform all maintenance on a regular basis; and you may even know pretty much what you are doing. All of those things considered, if your system gets this “fileless malware” it will not be found by any conventional scanning method today.
Meanwhile, once in the system by following the path of least resistance, the perpetrator can retrieve sensitive data and migrate to other machines on the network at their leisure.
Let’s look at an example of how this might happen.
Step 1: Perhaps acting on a clever spam message promising untold riches, a user clicks on a link and visits a website.
Step 2: When Flash player loads, the ouch! That’s pretty much it.
Step 3: Flash accesses PowerShell, and from here, operating only in the computer’s memory, instructions go through the command line. Those instructions tell it to download a malicious PowerShell script specializing in collecting sensitive data and sending it back to its creator.
The criminal at no time had to figure out how to sneak a malicious program code past the antivirus and malware defenses on your system. This is a very big deal.
Cyber criminals have shifted their focus away from popular malware strategies like brute force automated login attempts or sneaky spear phishing schemes. The reason is simple: Antivirus and anti-malware security programs aren’t looking where these “fileless malware” attacks are going. They aren’t designed to stop this kind of attack. Antivirus programs are trained to sniff out trouble when a file is written, not when something like this occurs.
Does that mean traditional AV suites are useless in detecting this new type of computer takeover? Unfortunately, that is exactly what it means.
Once PowerShell or WMI is compromised, attackers may remain undetected for however long they like, stealing data whenever they want.
The claim that this brand of malware is undetectable is not entirely accurate. Compared with previously created malware and viruses of all sorts, this new type is so different that we think of it as undetectable because we have seen nothing like it before. The steps below aren’t foolproof, but they do provide a layered, systematic security approach that should minimize risk to your organization.
- Disable PowerShell and WMI if you’re not using them.
- Disable macros if you’re not using them. If you are, digitally sign and use only those vetted specifically for the company. No signature means don’t use it!
- Regularly check security logs for inordinate amounts of data LEAVING the network. Hint: it could be going to a bad guy.
- Look for changes in the system’s usual behavior patterns when compared against baselines.
- Update your software regularly.
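One way to act on the two log-review items above, as an added example that is not part of the original post: compare each machine's outbound volume for today against that machine's own baseline. The host names and byte counts are constructed sample data, and the function name `Get-EgressAnomaly` and the three-sigma threshold are assumptions made for illustration.

```powershell
# Added example. Constructed sample data: daily outbound bytes per host, as might be
# summarised from firewall or proxy logs. Host names and figures are made up.
$history = @{
    'WS-ACCT-01' = 410MB, 385MB, 450MB, 402MB, 398MB, 430MB, 415MB
    'WS-HR-02'   = 120MB, 140MB, 110MB, 135MB, 125MB, 130MB, 118MB
    'SRV-FILE-1' = 2.1GB, 1.9GB, 2.3GB, 2.0GB, 2.2GB, 2.0GB, 2.1GB
}
$today = @{
    'WS-ACCT-01' = 420MB
    'WS-HR-02'   = 3.4GB    # far above this host's own normal
    'SRV-FILE-1' = 2.4GB    # large, but normal for a file server
    'WS-NEW-07'  = 90MB     # no baseline recorded yet
}

function Get-EgressAnomaly {
    param([hashtable]$History, [hashtable]$Today, [double]$Sigma = 3)

    foreach ($hostName in ($Today.Keys | Sort-Object)) {
        $sent = [double]$Today[$hostName]

        # A host with no history cannot be judged; surface it for manual review.
        if (-not $History.ContainsKey($hostName)) {
            [pscustomobject]@{ Host = $hostName; SentMB = [math]::Round($sent / 1MB)
                               LimitMB = $null; Reason = 'no baseline' }
            continue
        }

        # Per-host baseline: mean plus $Sigma standard deviations of past days.
        $samples  = [double[]]$History[$hostName]
        $mean     = ($samples | Measure-Object -Average).Average
        $variance = ($samples | ForEach-Object { [math]::Pow($_ - $mean, 2) } |
                     Measure-Object -Average).Average
        $limit    = $mean + $Sigma * [math]::Sqrt($variance)

        if ($sent -gt $limit) {
            [pscustomobject]@{ Host = $hostName; SentMB = [math]::Round($sent / 1MB)
                               LimitMB = [math]::Round($limit / 1MB); Reason = 'above baseline' }
        }
    }
}

Get-EgressAnomaly -History $history -Today $today | Format-Table -AutoSize
```

With this sample data only WS-HR-02 (above baseline) and WS-NEW-07 (no baseline) are reported; the file server's larger absolute volume is within its own normal range.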
To disable WMI, in the Control Panel, click Security and then click Windows Firewall. Click Change Settings and then click the Exceptions tab. In the Exceptions window, select the check box for Windows Management Instrumentation (WMI) to enable WMI traffic through the firewall. To disable WMI traffic, clear the check box.
To disable PowerShell in Windows 8 and 10:
- Go to the Control Panel and select the Programs and Features option.
- Next click on the Turn Windows features on or off link on the left panel.
- When the Windows Features dialog appears, scroll down to Windows PowerShell V2 and uncheck the feature to disable it or check to enable.
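The same change can be scripted from an elevated PowerShell prompt on Windows 8 and 10. This is an added example, not part of the original post; it uses the built-in DISM cmdlets and the optional-feature names `MicrosoftWindowsPowerShellV2` and `MicrosoftWindowsPowerShellV2Root`.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of the "Turn Windows features on or off" steps.
# Reports the current state of the PowerShell 2.0 features and disables any that
# are still enabled. Safe to run repeatedly.
$features = 'MicrosoftWindowsPowerShellV2', 'MicrosoftWindowsPowerShellV2Root'
$restartNeeded = $false

foreach ($name in $features) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue

    if (-not $feature) {
        # Feature is not offered on this edition or build.
        Write-Output "$name : not present on this system"
        continue
    }

    $state = [string]$feature.State
    if ($state -ne 'Enabled') {
        Write-Output "$name : already $state"
        continue
    }

    # -NoRestart stops the cmdlet from rebooting the machine on its own.
    $result = Disable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart
    if ($result.RestartNeeded) { $restartNeeded = $true }
    Write-Output "$name : disabled"
}

if ($restartNeeded) {
    Write-Output 'A restart is required to finish removing PowerShell 2.0.'
}

# Final state, for the change record.
Get-WindowsOptionalFeature -Online |
    Where-Object FeatureName -like 'MicrosoftWindowsPowerShellV2*' |
    Select-Object FeatureName, State
```

To confirm the result, run `powershell.exe -Version 2 -NoProfile -Command "$PSVersionTable.PSVersion"` from a command prompt; once the feature is removed, the version 2 engine fails to start.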
It does not appear to be possible to only disable the v2 in Windows 7. Windows 7 comes per default with v2, so it is baked in and not a feature the way it is in Windows 8 and Windows 10.
My guess as to why you cannot find any way to do it for Windows 7 is that mainstream support for Windows 7 ended back in 2015 and extended support ends in 1½ years, in 2020. So it looks like Microsoft doesn't bother with working around this issue in Windows 7 and basically wants people to upgrade if they need this functionality disabled for security reasons.
What can we learn from this? So Christians are not to think of secret sins as somehow less serious and more respectable than the sins everyone sees. The things hidden in our lives may become visible to others and as they collect pieces of our lives looking for things which may benefit them, our lives become exploited not unlike our computers.
In Luke 8:17, we read, “For nothing is hidden that will not be made manifest, nor is anything secret that will not be known and come to light.”
In Matthew 10:26, we read, “So have no fear of them, for nothing is covered that will not be revealed, or hidden that will not be known.”
Jesus' exposition of the law is a huge blow against the old lie that our image is everything.
Jesus taught over and over again, that sin which is bottled up on the inside, concealed from everyone else's view, carries the very same guilt as the sin which manifests itself in the worst forms of the ungodly act itself. Those who hate others are as guilty as those who act out their hatred; and those who indulge in private lusts are as culpable as wanton adulterers (Matthew 5:21-30).
Here are three reasons secret sin is especially abhorrent:
1. Because God sees the heart.
Scripture tells us "God sees not as man sees, for man looks at the outward appearance, but the Lord looks at the heart" (1 Samuel 16:7). No sin—not even a whispered curse or a fleeting evil thought—is hidden from the view of God. In fact, if we realized that God himself is the only audience for such secret sins, we might be less inclined to write them off so lightly.
The Bible declares that God will one day judge the secrets of every heart (Romans 2:16). He "will bring every act to judgment, everything which is hidden, whether it is good or evil" (Ecclesiastes 12:14).
Not only that, no sin will remain in secret. "The Lord [will] bring to light the things hidden in the darkness" (1 Corinthians 4:5). Jesus said, "There is nothing covered up that will not be revealed, and hidden that will not be known. Accordingly, whatever you have said in the dark shall be heard in the light, and what you have whispered in the inner rooms shall be proclaimed upon the housetops" (Luke 12:2-3). Those who think they can evade shame by sinning in secret will discover one day that open disclosure of their secrets before the very throne of God is the worst shame of all.
It is absolute folly to think we can mitigate our sin by keeping it secret. It is double folly to tell ourselves that we are better than others because we sin in private rather than in public. And it is the very height of arrogance to convince ourselves that we can get away with sin by covering it up. "He who conceals his transgressions will not prosper" (Proverbs 28:13).
All sin is an assault against our holy God, whether it is done in public or in secret. And God, who beholds even the innermost secrets of the heart, sees our sin clearly, no matter how well we think we have covered it.
2. Because sin in the mind is a fruit of the same moral defect that produces deeds of sin.
When Jesus said hatred carries the same kind of guilt as murder, and lust is the very essence of adultery, He was not suggesting that there is no difference in degree between sin that takes place in the mind and sin that is acted out. Scripture does not teach that all sins are of equal enormity.
The fact that we view some sins as being worse than others is patently obvious and thoroughly biblical. Scripture plainly teaches this, for example, when it tells us the sin of Judas was greater than the sin of Pilate (John 19:11). However, all sin is abhorrent to our Holy God.
But in His Sermon on the Mount, Jesus pointed out that anger comes from the same moral defect as murder; and the one who lusts suffers from the same character flaw as the adulterer. Furthermore, those who engage in thought-sins are guilty of violating the same moral precepts as those who commit acts of murder and adultery. Wow! No one has an excuse. “For all have sinned and fall short of the Glory of God.”
In other words, secret sins of the heart are morally tantamount to the worst kind of evil deeds actually performed—even if they are sins of a lesser degree. The lustful person has no right to feel morally superior to a wanton fornicator. The fact that she indulges in lust is proof she is capable of immoral acts as well. The fact that he hates his brother shows that he has murder lurking in his heart.
Christ was teaching us to view our own secret sins with the same moral revulsion we feel for wanton acts of public sin. Does that make sense?
3. Because hidden sin involves the compounding sin of hypocrisy.
Those who sin secretly actually intensify their guilt, because they add the sin of hypocrisy to their offense. Hypocrisy is a grievous sin in its own right. It produces an especially debilitating kind of guilt, because by definition hypocrisy entails the concealing of sin. And the only remedy for any kind of sin involves uncovering our guilt through sincere confession.
Hypocrisy therefore permeates the soul with a predisposition against genuine repentance. That is why Jesus referred to hypocrisy as "the leaven of the Pharisees" (Luke 12:1).
Hypocrisy is in opposition to conscience. There's no way to be hypocritical without burning into the conscience. So hypocrisy inevitably makes way for the most deplorable, soul-tainting, character-damaging secret sins, which ultimately remove the importance of integrity. Thus hypocrisy compounds itself, just like leaven. Beware that sort of leaven.
No matter who suggests to you that appearances are everything, don't buy into that lie.
As a matter of fact, your secret life is the real litmus test of your character: "As he thinks within himself, so he is" (Proverbs 23:7). Do you want to know who you really are? Take a hard look at your private life—especially your innermost thoughts. Be honest with God and yourself. Gaze into the mirror of God's Word, and allow it to disclose and correct the real thoughts and motives of your heart. Do not be complacent.
So, is it not better that you reveal your secret sins rather than have those sins exposed for you whether you like it or not? That is up to you.
Notice that with our computers, we can respond to the threats by disabling or turning off or uninstalling items which may be used to expose our private information to the world. When it comes to our lives, God commands that we live lives which reflect His character. No hidden sins exist with God and that is what He desires for us as well.