Machine learning thwarted ‘massive’ Windows crypto-jacking attack

Process hollowing
Microsoft detailed its response to the major security incident in a blog post this week. It said the attack was first noticed at noon on March 6, when Windows computers using Windows Defender antivirus began to report a new and rapidly growing campaign. Defender began to analyse and block the attack, initially removing it from over 80,000 computers.
Over the course of the next 12 hours, the malware proliferated through Russia, Turkey and Ukraine. At least 400,000 machines were infected. The attack was unusually aggressive and spread far more rapidly than typical malware outbreaks. The software used was a Trojan called Dofoil.

Windows Defender Dofoil cybersecurity response (image: Microsoft)
According to Microsoft, Dofoil uses a sophisticated hijacking technique that allows it to persist on Windows machines. The malware masquerades as an instance of “explorer.exe,” the legitimate Windows program that powers the operating system’s user interface and file browser. Dofoil launches its own instance of Explorer but then swaps out the app’s code with its own malicious contents. The technique is called “process hollowing” and has a relatively high chance of going unnoticed.
Once the malware is loaded inside its hijacked process, the software starts another malicious instance which is used to host the crypto-mining utility. The same technique is used again, with the miner pretending to be the authentic Windows utility “wuauclt.exe.” By presenting itself as these programs, the malware reduces its chance of detection by end users or administrators watching log files.
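As an added illustration (not code from Microsoft’s write-up or from this article), the following Python checks constructed Sysmon-style process-creation records for the two tells in the description above: a system binary name running from the wrong path, and explorer.exe or wuauclt.exe started by a parent that would not normally launch it. The expected paths and parent lists are assumptions about a default Windows install and should be tuned per environment.

```python
import re

# Canonical on-disk locations of the two binaries the campaign impersonated
# (assumed default Windows install paths, not taken from the article).
EXPECTED_PATH = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "wuauclt.exe": r"c:\windows\system32\wuauclt.exe",
}
# Parents that normally start each binary (assumed baseline; tune per estate).
EXPECTED_PARENT = {
    "explorer.exe": {"userinit.exe", "winlogon.exe"},
    "wuauclt.exe": {"svchost.exe", "services.exe"},
}

# Constructed sample events in a Sysmon-like key=value layout; not real telemetry.
# Paths contain no spaces so a simple \S+ token parser is enough here.
SAMPLE_EVENTS = r"""
EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe
EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Users\bob\AppData\Local\Temp\update.exe
EventID=1 Image=C:\Windows\System32\wuauclt.exe ParentImage=C:\Windows\explorer.exe
EventID=1 Image=C:\Windows\System32\wuauclt.exe ParentImage=C:\Windows\System32\svchost.exe
EventID=1 Image=C:\Users\bob\AppData\Roaming\explorer.exe ParentImage=C:\Windows\explorer.exe
""".strip()


def parse_event(line):
    """Turn one key=value line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def flag_masquerade(event):
    """Return the reasons a process-creation event matches the Dofoil pattern:
    a watched system binary name in the wrong place or with the wrong parent.
    An empty list means nothing suspicious was seen."""
    image, parent = event.get("Image", ""), event.get("ParentImage", "")
    name = basename(image)
    if name not in EXPECTED_PATH:
        return []
    reasons = []
    if image.lower() != EXPECTED_PATH[name]:
        reasons.append(f"{name} running from unexpected path {image}")
    if basename(parent) not in EXPECTED_PARENT[name]:
        reasons.append(f"{name} started by unexpected parent {parent}")
    return reasons


def scan(log_text):
    """Map each suspicious line index to its list of reasons."""
    hits = {}
    for i, line in enumerate(log_text.splitlines()):
        reasons = flag_masquerade(parse_event(line))
        if reasons:
            hits[i] = reasons
    return hits
```

On the constructed sample, lines 1, 2 and 4 (zero-based) are flagged: explorer.exe spawned from a user temp directory, wuauclt.exe spawned by explorer.exe, and a copy of explorer.exe running from a roaming profile path.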
Pre-emptive detection
Microsoft thwarted the attack by using Windows Defender’s machine learning capabilities in the cloud. It claimed that Defender taught itself to recognise the malware “within milliseconds” of its outbreak, which enabled new installs to be blocked at first sight. Additional detection mechanisms then verified the malicious nature of the attack, before providing alerts to Microsoft’s response teams.
“Artificial intelligence and behavior-based detection in Windows Defender AV has become one of the mainstays of our defense system,” said Microsoft. “The AI-based pre-emptive protection provided against this attack is similar to how layered machine learning defenses stopped an Emotet outbreak last month.”
Microsoft said that users of supported Windows versions with Windows Defender or Microsoft Security Essentials will now be protected from the outbreak. The malware’s rapid spread through Russia, Turkey and Ukraine is probably due to the high usage of unlicensed Windows copies in those countries. An estimated 64 percent of users there run a license which isn’t genuine, so they do not receive security updates.
