At the beginning it was a virus: pieces of assembly code attached to files so that they could modify the "entry point". Afterwards this technique was twisted and refined as far as it could go: the authors sought automatic execution, self-replication and independence from the "host" (malware has been standalone for some time now), and also the ability to slip under the antivirus radar.
"Touch the hard disk" was the premise (how else could it infect?) and at the same time the malware's anathema: if it could avoid paying that toll as much as possible, it could stay clear of the detectors. The technique is called "fileless": it seeks an ethereal formula that survives in memory for as long as possible, so it does not touch the disk, or delays doing so for as long as it can, and never lands where the antivirus keeps firm control. "Fileless" has been perfected to such an extent (are you familiar with the malware that combines Office macros and PowerShell?) that Windows now ships a native mechanism to mitigate it as far as possible: AMSI, the Antimalware Scan Interface.
Yet it is not getting the attention it deserves.
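An added example, not code from the original article, showing how to check that the native mitigation described above is actually consulted when script content runs purely in memory. It assumes a Windows host with Microsoft Defender or another registered AMSI provider; `Test-AmsiInterception` is a helper name chosen here, and the test string is the one Microsoft publishes for verifying AMSI, which is harmless.

```powershell
# Added example, not from the original article. Requires Windows with an AMSI
# provider (e.g. Microsoft Defender) registered; without one, nothing is blocked.

# Microsoft's published AMSI test string: any registered provider should flag it,
# much as the EICAR file exercises a file scanner.
$amsiTestSample = 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'

function Test-AmsiInterception {
    param([string]$Content)

    # Build the payload at run time and hand it to the engine as a string, the way
    # a macro-dropped loader would: nothing is written to disk, the script block
    # exists only in memory. PowerShell still passes it through AMSI before running it.
    try {
        Invoke-Expression ("Write-Output '{0}'" -f $Content) | Out-Null
        return 'executed'      # provider did not object (or none is registered)
    } catch {
        if ($_.Exception.Message -match 'malicious content') {
            return 'blocked'   # AMSI provider flagged the in-memory script block
        }
        throw                  # anything else is a real error, surface it
    }
}

# Benign content runs; the test sample should come back as blocked.
"benign -> $(Test-AmsiInterception -Content 'hello')"
"sample -> $(Test-AmsiInterception -Content $amsiTestSample)"
```

Run it from an interactive console: on a host where AMSI is wired up and a provider is active, the second line reports `blocked`, while `executed` for the sample means the interface is not being consulted (no provider, a disabled engine, or tampering). If you save the snippet to disk, Defender may quarantine the file itself because it contains the test string, which is itself a useful reminder of the disk/memory distinction the article is drawing.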
[Figure: The basic AMSI structure, provided by Microsoft]