When you are having problems with a PC or server, one troubleshooting step that magically fixes many problems is the good ol' reboot. For one reason or another, clearing out the RAM and cache can work wonders on a finicky PC. But now we may be rebooting for a completely different reason: malware.
A new malware strain has recently been detected that installs itself in a computer's RAM rather than on its hard drive. The malware uses a Java exploit (CVE-2011-3544) that can potentially affect computers running various operating systems, since the Java runtime is cross-platform.
Not only is the malware executed without any files needing to be downloaded and installed to a local drive, it quickly attaches itself to a trusted process already running in your computer's RAM. This makes detection by antivirus software very challenging. While most AV software does indeed scan your RAM, it does not do so on a continuous basis. So it is highly probable that an exploit could sneak through and camouflage itself well enough to be overlooked by your AV software, or even disable it altogether.
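Because the malware leaves nothing on disk and hides inside a trusted process, one defender-side signal worth checking between AV scans is whether a running process has executable memory that no file on disk accounts for. The following is an added example, not code from the original article or from any AV product: it parses Linux `/proc/<pid>/maps` output and flags executable regions that are anonymous, backed by a deleted file, or both writable and executable. The sample maps text, the process name `trusted-daemon` and the `/tmp/.x/payload.so` path are constructed for the demonstration.

```python
from __future__ import annotations

import os
import re
from dataclasses import dataclass

# One /proc/<pid>/maps line looks like:
# 7f3c1a2b3000-7f3c1a2b5000 r-xp 00000000 08:01 131074 /usr/lib/libc.so.6
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable pseudo-mappings that every process has.
BENIGN_PSEUDO = {"[vdso]", "[vsyscall]"}


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def suspicious_mappings(maps_text: str) -> list[Finding]:
    """Return executable mappings that are not cleanly backed by a file on disk."""
    findings: list[Finding] = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        perms = m["perms"]
        if "x" not in perms:
            continue  # only executable memory can host injected code
        path = m["path"].strip()
        if path in BENIGN_PSEUDO:
            continue

        reasons = []
        if path == "" or path.startswith("["):
            # No backing file at all (anonymous region, or an executable
            # [heap]/[stack], which a normal process should not have).
            reasons.append("executable memory not backed by a file")
        elif path.endswith("(deleted)"):
            # The loader still has the code, but the file was removed afterwards.
            reasons.append("backing file deleted from disk")
        if "w" in perms:
            reasons.append("writable and executable")

        if reasons:
            findings.append(
                Finding(int(m["start"], 16), int(m["end"], 16), perms, path, "; ".join(reasons))
            )
    return findings


def scan_pid(pid: int) -> list[Finding]:
    """Read a live process's map on Linux; empty result if it vanished or is not readable."""
    try:
        with open(f"/proc/{pid}/maps") as fh:
            return suspicious_mappings(fh.read())
    except (FileNotFoundError, PermissionError, ProcessLookupError):
        return []


# Constructed sample map for a process named trusted-daemon (not real data).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r-xp 00000000 08:01 1048577 /usr/bin/trusted-daemon
7f3c1a2b3000-7f3c1a2b5000 r-xp 00000000 08:01 131074 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c1a400000-7f3c1a500000 rwxp 00000000 00:00 0
7f3c1a600000-7f3c1a610000 r-xp 00000000 08:01 262145 /tmp/.x/payload.so (deleted)
7ffd1b2c0000-7ffd1b2e1000 rw-p 00000000 00:00 0 [stack]
7ffd1b3f0000-7ffd1b3f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for f in suspicious_mappings(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.path or '<anonymous>'}: {f.reason}")
    # Live sweep of every readable process (Linux only; needs root to see other users' processes).
    if os.path.isdir("/proc"):
        for entry in os.listdir("/proc"):
            if entry.isdigit():
                for f in scan_pid(int(entry)):
                    print(f"pid {entry}: {f.start:#x}-{f.end:#x} {f.perms} {f.path or '<anonymous>'}: {f.reason}")
```

On the sample, the anonymous `rwxp` region and the `(deleted)` library are reported; `libc`, the daemon binary, the non-executable stack and `[vdso]` are not. Treat hits as triage input rather than a verdict: just-in-time compilers, the Java runtime included, legitimately allocate anonymous executable regions, so a baseline of which processes normally show them is needed before alerting on the rest.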
While the obvious malware removal solution is to clear out your computer's RAM by issuing a reboot, the malware may have gone undetected for a period of time and already caused a great deal of damage in the form of stolen data. The real key to stomping out this new file-less malware before any harm is done is to catch it before it reaches your desktop. And the only way this can be done is through a comprehensive "defense-in-depth" security strategy.
The goal of defense-in-depth, according to a National Security Agency whitepaper, is to "deploy multiple defense mechanisms between the adversary and his target. Each of these mechanisms must present unique obstacles to the adversary. Further, each should include both 'protection' and 'detection' measures."
So instead of relying on a single security component like AV software, a multi-layered security approach should be used that includes components such as an intrusion prevention system (IPS), a firewall, patch management, authentication, and a monitoring system. Unfortunately, many companies continue to ignore the benefits of a defense-in-depth strategy and do not deploy a system with sufficient layers. In fact, many companies rely far too heavily on simple, rule-based firewalls and AV software. And these two security layers alone would not stop this type of malware.
Expect file-less and cross-platform malware to become more prevalent in the coming months because of its effectiveness in neutralizing AV software. And if you happen to stumble onto one of these new RAM-only exploits and think that simply rebooting will solve your problems, think again. Instead, your goal should be to prevent the malware from reaching host computers in the first place. And the best way to do that is to use a comprehensive defense-in-depth strategy to protect your entire network, both inside and out.