Microsoft said the advanced technology behind Windows Defender has thwarted a massive malware attack aimed at mining bitcoins from the PCs of infected users.
Microsoft says that on the 6th, Windows Defender AV blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Within the next 12 hours, more than 400,000 instances of new Dofoil variants were recorded, carrying a coin miner payload and mainly targeted at Russian PC users.
Microsoft recounts their largely automated battle against the malware in rather thrilling terms, noting:
- Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service. Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
- Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
- Within minutes, an anomaly detection alert notified us about a new potential outbreak.
- After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.
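Because early blocks from this campaign were logged under the generic machine-learning names and later ones under the proper family names, an administrator checking a host's Defender history needs to look for both. The following PowerShell is an added example, not code from the article or from Microsoft; it assumes the built-in Defender module (Get-MpThreat and Get-MpThreatDetection) is available on a Windows 10 or 8.1 host, and the 30-day look-back window is an assumed value.

```powershell
# Added example (not from the article or Microsoft): list local Windows Defender
# detections whose threat name matches the names the article mentions.
# Assumes the Defender PowerShell module is present (Windows 10 / 8.1 with Defender AV).
$familyPatterns = 'Fuery', 'Fuerboos', 'Cloxer', 'Azden', 'Dofoil', 'Coinminer'
$since = (Get-Date).AddDays(-30)   # assumed look-back window; adjust as needed

# Get-MpThreatDetection records carry only a numeric ThreatID;
# resolve it to a ThreatName through the Get-MpThreat catalogue.
$nameById = @{}
foreach ($t in Get-MpThreat) { $nameById[$t.ThreatID] = $t.ThreatName }

$hits = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    ForEach-Object {
        $name = $nameById[$_.ThreatID]
        if ($null -eq $name) { $name = "Unknown (ThreatID $($_.ThreatID))" }
        # -match is case-insensitive, so 'Coinminer' also matches 'CoinMiner' names.
        $matched = $familyPatterns | Where-Object { $name -match $_ }
        if ($matched) {
            [pscustomobject]@{
                DetectedAt = $_.InitialDetectionTime
                ThreatName = $name
                Family     = ($matched -join ',')
                Process    = $_.ProcessName
                Resources  = ($_.Resources -join '; ')
                Remediated = $_.ActionSuccess
            }
        }
    }

if ($hits) {
    $hits | Sort-Object DetectedAt | Format-Table -AutoSize
} else {
    "No detections matching $($familyPatterns -join ', ') since $since."
}
```

A hit under one of the machine-learning names with Remediated set to True is consistent with the early cloud blocks the article describes; an unremediated hit is the case worth following up.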
Microsoft says Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials were protected, but recommends Windows 10 for the best layered protection, and Windows 10 S with Edge for the most comprehensive coverage.
Read all the details of the new Dofoil attack and how Windows Defender countered it at Microsoft here.
Via the WC