Security Market Segment LS
Friday, 05 March 2021 11:25

Sophos develops means of blocking execution of fileless malware

Sophos develops means of blocking execution of fileless malware Courtesy Sophos

Global security vendor Sophos claims to have developed a means of blocking malicious software, that is evading detection by loading fileless executables into temporary memory, from running.

The company's engineering director, Mark Loman, said in a detailed blog post, that a new kind of protection had been devised to block code being injected from one memory region with only read/write permissions to a second region where it would also have execute permissions.

He said that from 2003 onwards, CPUs had a technology called NX bit that partitioned memory regions for either processor instructions or storing data. Windows support for this tech was called Data Execution Prevention or DEP.

"For example, a memory region that contains an image shown in the Web browser does not have code execution permissions, whereas the region that contains the core application — the Web browser itself — can execute code," he explained.

Applications needed workspaces within memory to operate and this was dynamically allocated to temporarily store or cache data. This was called the Heap and it would increase or decrease as an application did what it was tasked to do.

"Image memory is normally protected with Execute/Read permissions. Heap memory with only data in it is typically allocated Read/Write permissions. When a Heap memory region is populated with code, permissions are set to Execute/Read/Write or Execute/Read," Loman said, pointing out vital differences between the two.

Loman said DEP ensured that data-only regions of memory could not execute code.

"Because of DEP, every running application ('process') that requires more memory, for instance to unpack code, must allocate or mark this additional memory region with code execution permissions before it can hand over code execution to this region," he said.

"If this memory region does not have at least Execute/Read permissions, an exception is raised by the processor hardware and the process is terminated by the operating system."

In the case of malicious applications, like ransomware, they were generally injected into Heap memory. What Sophos had developed was a means of blocking additional memory allocation when the request came from existing Heap memory, he said.

Called Dynamic Shellcode Protection, it would generate data that helped threat responders to trace the initial access point and also the command-and-control server of the malicious application.

"When a process, regardless of whether it is malicious or benign, violates the Heap memory allocation barrier, the Dynamic Shellcode Protection will block it and notify defenders. Security professionals can then take a closer look at what is going on," said Loman.

"The new protection is not meant as a silver bullet for all attacks, but it does mean that adversaries face a new obstacle that blocks a fundamental behaviour of their stealthy code.

"We hope this will make attackers' jobs harder and more complicated. The Dynamic Shellcode Protection does not rely on the cloud or machine learning. As such it represents a paradigm shift in the ongoing battle against many obfuscated malware and memory-delivered post-exploitation agents, including Cobalt Strike Beacon."

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News