AMSIext: Our Extension That Detects Malware in the Browser Memory

Innovation and Laboratory Area in ElevenPaths    8 June, 2020

The Antimalware Scan Interface (AMSI) is aimed at solving a long-standing problem for the antivirus industry: detecting what never “touches disk”. Introduced in Windows 10, it establishes a native communication channel between the operating system and the antivirus that does not depend on files or I/O calls; in other words, it connects process memory to a detection engine in a simple way. This is ideal for obfuscated scripts that evaluate and rebuild their malicious payload in memory and are therefore never seen on disk. That is why Microsoft already connects PowerShell and Office to AMSI, so that the memory of those processes is analysed. But what about browsers? Our extension fixes that.

Malware Evolution

At first there was the virus: snippets of assembly code appended to files by modifying their entry point. Later this technique was twisted and improved to its limits. The aims were automatic execution, reproduction, independence from a “host” (malware has been standalone for some time now) and staying off the antivirus radar.

“Touching disk” seems to be a prerequisite for infection but also a penalty, because that is when antiviruses start scanning. If malware can avoid paying this toll, it can escape the detectors. The technique is called fileless: it seeks an ethereal formula to survive in memory as long as possible, never landing on the disk, which is tightly controlled by the antivirus, or delaying that moment as much as possible. Fileless techniques have improved to the point that Windows now has a native mechanism to mitigate them: AMSI makes it easy to hand any in-memory data flow to the antivirus for scanning.

How AMSIext Works

Our extension connects the browser to AMSI. It transmits every potential script passing through the browser to AMSI (as static content) before it reaches the disk, has it analysed, and stops browsing if necessary. It works in two ways:

  • If it detects webpages or files with any of the following extensions: js, ps1, vbs, hta, vb, vbe, bat, cmd, jse, wsf, ws, msh, msh1, msh2, mshxml, msh1xml or msh2xml in the browser, even just a webpage pointing to them, the website is blocked. The script is therefore detected without having to touch disk for the “traditional” antivirus to see it.
  • It adds a right-click option to quickly submit any script to AMSI.

Once a script is sent to AMSI, Windows Defender (usually, although another antivirus can be registered as the provider) evaluates whether it is malicious. The extension does not perform the evaluation itself; it acts as an interface between the browser and AMSI, which in turn passes the content to Windows Defender.
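To make the hand-off concrete, here is an added example (not AMSIext's own code) that submits a script buffer to AMSI from PowerShell through the same native API a browser extension's helper process has to call: AmsiInitialize, AmsiScanBuffer and the AMSI_RESULT verdict. The application name, the content name and the benign sample script are constructed; the registered provider (normally Windows Defender) does the actual evaluation.

```powershell
# Added example: P/Invoke into amsi.dll (Windows 10+ with a registered AMSI provider).
$amsiDef = @"
using System;
using System.Runtime.InteropServices;
public static class Amsi {
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiInitialize(string appName, out IntPtr ctx);
    [DllImport("amsi.dll", CharSet = CharSet.Unicode)]
    public static extern int AmsiScanBuffer(IntPtr ctx, byte[] buffer, uint length,
        string contentName, IntPtr session, out int result);
    [DllImport("amsi.dll")]
    public static extern void AmsiUninitialize(IntPtr ctx);
}
"@
Add-Type -TypeDefinition $amsiDef

function Invoke-AmsiScan {
    # $Name is what the provider sees as the content origin (constructed URL here).
    param([string]$Content, [string]$Name = 'https://example.invalid/script.js')
    $ctx = [IntPtr]::Zero
    $hr = [Amsi]::AmsiInitialize('AMSIext-demo', [ref]$ctx)   # constructed app name
    if ($hr -ne 0) { throw "AmsiInitialize failed: 0x$($hr.ToString('X8'))" }
    try {
        $bytes  = [Text.Encoding]::Unicode.GetBytes($Content)
        $result = 0
        $hr = [Amsi]::AmsiScanBuffer($ctx, $bytes, $bytes.Length, $Name, [IntPtr]::Zero, [ref]$result)
        if ($hr -ne 0) { throw "AmsiScanBuffer failed: 0x$($hr.ToString('X8'))" }
        # AMSI_RESULT: 0 = CLEAN, 1 = NOT_DETECTED, 0x4000-0x4FFF = BLOCKED_BY_ADMIN,
        # 0x8000 and above = DETECTED. A browser-side caller blocks the page when >= 0x8000.
        [pscustomobject]@{ Name = $Name; Result = $result; Block = ($result -ge 0x8000) }
    } finally {
        [Amsi]::AmsiUninitialize($ctx)
    }
}

# Constructed benign script: expect Result 0 or 1 and Block = False.
Invoke-AmsiScan -Content 'console.log("hello");'
# Microsoft's published AMSI test string, which providers flag without being harmful;
# expect Block = True when Windows Defender is the active provider.
Invoke-AmsiScan -Content 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
```

A real extension cannot call amsi.dll from web-extension JavaScript; it needs a native messaging host (a local process such as this one) that receives the script text from the browser and returns the verdict.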

In short, it is a very simple formula for protecting ourselves from malicious scripts much earlier than usual. In case Windows Defender makes a mistake, the extension lets you create a whitelist of domains.

This video explains how it works:

AMSIext is available for Chrome and Firefox. It is in beta (with many potential improvements, including the logo) and we will be updating it in the future.

We hope you find it useful.
