A File less infection is one where the infection never never the disk and it always remains in Primary memory.
As no file is over disk so it is hard for security products to detect and remove such kind of infections. The first ever case of File less infection was seen in early 2000, with the worm name Code Red, where the worm was using IIS server Remote Code execution exploit and was injecting the malware payload in memory.
Though the issue with such kind of malware is they are gone after the reboot. SO they were not persistent and as they were not persistent so targeting the machine whose up time is very low (For example Home PC) is not very useful.
But with in Year 2014 Poweliks did the break though and found mechanism of remaining persistent or reinfecting the victim after the reboot.
So, we can call it as surviving the reboot.
The malware was found to be spreading by notorious Exploit Kit Angler.
The poweliks found a very interesting way to remain persistent in memory by injecting the payload in run registry entry so when system restart it reinfect itself.
And it create 2 component
- Watchdog: Which keep an eye over registry entry, if entry is removed it recreate it. This part is always in memory.
- Payload: The real payload of malware, which perform the malware action.
In Last couple of year’s I have done some in deep research over File-less infection,
As a result of which I was able to publish few research papers.
My Research papers can be found over
1) One-Click File less infection : Presented At Virus Bulletin 2016, Denver
2) Living Off the land and file less attack techniques : Published with Symantec
Payload of malware is in registry.
This was a brief overview of file less infection.
I hope you guys like it, will try deep diving into the matter in next blog post.
Cheers
UnknownHad Blog 