Archive

Archive for the ‘antimalware’ Category

Detonating a bad rabbit: Windows Defender Antivirus and layered machine learning defenses

December 11th, 2017 No comments

Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to further close the gap between malware release and detection.

In a previous blog post, we looked at a real-world case study showing how Windows Defender Antivirus cloud protection service leverages next-gen security technologies to save “patient zero” from new malware threats in real-time. In that case study, a new Spora ransomware variant was analyzed and blocked within seconds using a deep neural network (DNN) machine learning classifier in the cloud. In this blog post well look at how additional automated analysis and machine learning models can further protect customers within minutes in rare cases where initial classification is inconclusive.

Layered machine learning models

In Windows Defender AVs layered approach to defense, if the first layer doesnt detect a threat, we move on to the next level of inspection. As we move down the layers, the amount of time required increases. However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer/more advanced threats.

For example, the vast majority of scanned objects are evaluated by the local Windows Defender client machine learning models, behavior-based detection algorithms, generic and heuristic classifications, and more. This helps ensure that users get the best possible performance. In rare cases where local intelligence cant reach a definitive verdict, Windows Defender AV will use the cloud for deeper analysis.

Figure 1. Layered detection model

For a more detailed look at our approach to protection, see The evolution of malware prevention.

Detonation-based machine learning classification

We use a variety of machine learning models that use different algorithms to predict whether a certain file is malware. Some of these algorithms are binary classifiers that give a strict clean-or-malware verdict (0 or 1), while others are multi-class classifiers that provide a probability for each classification (malware, clean, potentially unwanted application, etc). Each machine learning model is trained against a set of different features (often thousands, sometimes hundreds of thousands) to learn to distinguish between different kinds of programs.

For the fastest classifiers in our layered stack, the features may include static attributes of the file combined with events (for example, API calls or behaviors) seen while the scanning engine emulates the file using dynamic translation. If the results from these models are inconclusive, well take an even more in-depth look at what the malware does by actually executing it in a sandbox and observing its run-time behavior. This is known as dynamic analysis, or detonation, and happens automatically whenever we receive a new suspected malware sample.

The activities seen in the sandbox machine (for example, registry changes, file creation/deletion, process injection, network connections, and so forth) are recorded and provided as features to our ML models. These models can then combine both the static features obtained from scanning the file with the dynamic features observed during detonation to arrive at an even stronger prediction.

Figure 2. Detonation-based machine learning classification

Ransom:Win32/Tibbar.A Protection in 14 minutes

On October 24, 2017, in the wake of recent ransomware outbreaks such as Wannacry and NotPetya, news broke of a new threat spreading, primarily in Ukraine and Russia: Ransom:Win32/Tibbar.A (popularly known as Bad Rabbit).

This threat is a good example of how detonation-based machine learning came into play to protect Windows Defender AV customers. First though, lets look at what happened to patient zero.

At 11:17 a.m. local time on October 24, a user running Windows Defender AV in St. Petersburg, Russia was tricked into downloading a file named FlashUtil.exe from a malicious website. Instead of a Flash update, the program was really the just-released Tibbar ransomware.

Windows Defender AV scanned the file and determined that it was suspicious. A query was sent to the cloud protection service, where several metadata-based machine learning models found the file suspicious, but not with a high enough probability to block. The cloud protection service requested that Windows Defender AV client to lock the file, upload it for processing, and wait for a decision.

Within a few seconds the file was processed, and sample-analysis-based ML models returned their conclusions. In this case, a multi-class deep neural network (DNN) machine learning classifier correctly classified the Tibbar sample as malware, but with only an 81.6% probability score. In order to avoid false positives, cloud protection service is configured by default to require at least 90% probability to block the malware (these thresholds are continually evaluated and fine-tuned to find the right balance between blocking malware while avoiding the blocking of legitimate programs). In this case, the ransomware was allowed to run.

Figure 3. Ransom:Win32/Tibbar.A ransom note

Detonation chamber

In the meantime, while patient zero and eight other unfortunate victims (in Ukraine, Russia, Israel, and Bulgaria) contemplated whether to pay the ransom, the sample was detonated and details of the system changes made by the ransomware were recorded.

Figure 4. Sample detonation events used by the machine learning model

As soon as the detonation results were available, a multi-class deep neural network (DNN) classifier that used both static and dynamic features evaluated the results and classified the sample as malware with 90.7% confidence, high enough for the cloud to start blocking.

When a tenth Windows Defender AV customer in the Ukraine was tricked into downloading the ransomware at 11:31 a.m. local time, 14 minutes after the first encounter, cloud protection service used the detonation-based malware classification to immediately block the file and protect the customer.

At this point the cloud protection service had “learned” that this file was malware. It now only required metadata from the client with the hash of the file to issue blocking decisions and protect customers. As the attack gained momentum and began to spread, Windows Defender AV customers with cloud protection enabled were protected. Later, a more specific detection was released to identify the malware as Ransom:Win32/Tibbar.A.

Closing the gap

While we feel good about Windows Defender AV’s layered approach to protection, digging deeper and deeper with automation and machine learning in order to finally reach a verdict on suspected malware, we are continually seeking to close the gap even further between malware release and protection. The cases where we cannot block at first sight are increasingly rare, but there is so much to be done. As our machine learning models are continuously updated and retrained, we are able to make better predictions over time. Yet malware authors will not rest, and the ever-changing threat landscape requires continuous investment in new and better technologies to detect new threats, but also to effectively differentiate the good from the bad.

What about systems that do get infected while detonation and classification are underway? One area that we’re actively investing in is advanced remediation techniques that will let us reach back out to those systems in an organization that were vulnerable and, if possible, get them back to a healthy state.

If you are organization that is willing to accept a higher false positive risk in exchange for stronger protection, you can configure the cloud protection level to tell the Windows Defender AV cloud protection service to take a more aggressive stance towards suspicious files, such as blocking at lower machine learning probability thresholds. In the Tibbar example above, for example, a configuration like this could have protected patient zero using the initial 81% confidence score, and not wait for the higher confidence (detonation-based) result that came later. You can also configure the cloud extended timeout to give the cloud protection service more time to evaluate a first-seen threat.

As another layer of real-time protection against ransomware, enable Controlled folder access, which is one of the features of the new Windows Defender Exploit Guard. Controlled folder access protects files from tampering by locking folders so that ransomware and other unauthorized apps cant access them.

For enterprises, Windows Defender Exploit Guards other features (Attack Surface Reduction, Exploit protection, and Network protection) further protect networks from advanced attacks. Windows Defender Advanced Threat Protection can also alert security operations personnel about malware activities in the network so that personnel can promptly investigate and respond to attacks.

For users running Windows 10 S, malware like Tibbar simply wont run. Windows 10 S provides advanced levels of security by exclusively running apps from the Microsoft Store. Threats such as Tibbar are non-issues for Windows 10 S users. Learn more about Windows 10 S.

New machine learning and AI techniques, in combination with both static and dynamic analysis, gives Windows Defender AV the ability to block more and more malware threats at first sight and, if that fails, learn as quickly as possible that something is bad and start blocking it. Using a layered approach, with different ML models at each layer, gives us the ability to target a wide variety of threats quickly while maintaining low false positive rates. As we gather more data about a potential threat, we can provide predictions with higher and higher confidence and take action accordingly. It is an exciting time to be in the fray.

 

Randy Treit

Senior Security Researcher, Windows Defender Research

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda)

December 4th, 2017 No comments

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarues sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

  • 1,214 domains and IP addresses of the botnets command and control servers
  • 464 distinct botnets
  • More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnets servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarues global prevalence.

Figure 1. Gamarues global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

  • Bot-builder, which builds the malware binary that infects computers
  • Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
  • Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

  • Keylogger ($150) Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc
  • Rootkit (included in crime kit) Injects rootkit codes into all processes running on a victim computer to give Gamarue persistence
  • Socks4/5 (included in crime kit) Turns victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
  • Formgrabber ($250) Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
  • Teamviewer ($250) Enables attacker to remotely control the victim machine, spy on the desktop, perform file transfer, among other functions
  • Spreader Adds capability to spread Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses Domain Name Generation (DGA) for the servers where it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

  • Removable drives
  • Social media (such as Facebook) messages with malicious links to websites that host Gamarue
  • Drive-by downloads/exploit kits
  • Spam emails with malicious links
  • Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarues attack kill-chain

Gamarues main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disks volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication whether the signed in user has administrative rights, and keyboard language setting for the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

  • Belarus
  • Russia
  • Ukraine
  • Kazahkstan

Before sending to the C&C server, this information is encrypted with RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

  • Download EXE (i.e., additional executable malware files)
  • Download DLL (i.e., additional malware; removed in version 2.09 and later)
  • Install plugin
  • Update bot (i.e., update the bot malware)
  • Delete DLLs (removed in version 2.09 and later)
  • Delete plugins
  • Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with RC4 algorithm using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

  • Time interval in minutes time to wait for when to ask the C2 server for the next command
  • Task ID – used by the hacker to track if there was an error performing the task
  • Command one of the command mentioned above
  • Download URL – from which a plugin/updated binary/other malware can be downloaded depending on the command.

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list hashes of the processes running on a potential victims machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

  • msiexec.exe (Gamarue versions 2.07 to 2.10)
  • wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn using Gamarue. Since Gamarues main purpose is to distribute other malware, hackers earn using pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

  • Be cautious when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

 

 

Microsoft Digital Crimes Unit and Windows Defender Research team

 

 

Get more info on the Gamarue (Andromeda) takedown from the following sources:

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

#AVGater vulnerability does not affect Windows Defender Antivirus, MSE, or SCEP

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Malicious macro using a sneaky new trick

May 18th, 2016 No comments

We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M/Donoff – a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs).

However, there wasn’t an immediate, obvious identification that this file was actually malicious. It’s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements).

Screenshot of VBA script editor showing the user form and list of modules

The VBA user form contains three buttons

 

The VBA modules look like legitimate SQL programs powered with a macro; no malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form.

It appeared to be some sort of encrypted string.

We went back and reviewed the other modules in the file, and sure enough – there’s something unusual going on in Module2. A macro there (UsariosConectados) decrypts the string in the Caption field for CommandButton3, which turns out to be a URL. It uses the deault autoopen() macro to run the entire VBA project when the document is opened.

Screenshot of the VBA macro script in Module2 that decrypts the Caption string

The macro script in Module2 decrypts the string in the Caption field

 

The macro will connect to the URL (hxxp://clickcomunicacion.es/<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).

The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file – our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.

See our threat intelligence report on macros and our macro-based malware page for further guidance on preventing and recovering from these types of attacks.

-Marianne Mallen and Wei Li
MMPC

No mas, Samas: What’s in this ransomware’s modus operandi?

March 18th, 2016 No comments

We’ve seen how ransomware managed to become a threat category that sends consumers and enterprise reeling when it hits them.  It has become a high-commodity malware that is used as payload to spam email, macro malware, and exploit kit campaigns. It also digs onto victims’ pockets in exchange for recovering files from their encrypted form.  This is where Crowti, Tescrypt, Teerac, and Locky have been very active at.

We’ve also observed some malware authors providing a different method of distribution in the black market called ransom-as-a-service (RaaS).  Malicious actors use RaaS to download the ransomware app builder and customize them accordingly.  We’ve seen two threats,  Sarento and Enrume, built through this type of service and deployed to infect machines during the second half of 2015.

 

How Samas is different from other ransomware?

 

Ransom:MSIL/Samas, which surfaced in the past quarter, has a different way of getting into the system – it has a more targeted approach of getting installed.  We have observed that this threat requires other tools or components to aid its deployment:

Figure 1:  Ransom:MSIL/Samas infection chain 

Samas ransomware’s tools of trade

 

The Samas infection chain diagram illustrates how Ransom:MSIL/Samas gets into the system.   It starts with a pen-testing/attack server searching for potential vulnerable networks to exploit with the help of a publicly-available tool named reGeorg, which is used for tunnelling.

Java-based vulnerabilities were also observed to have been utilized, such as direct use of unsafe JNI with outdated JBOSS server applications.

It can use other information-stealing malware (Derusbi/Bladabindi) to gather login credentials as well.  When it has done so, it will list the stolen credentials into a text file, for example, list.txt, and use this to deploy the malware and its components through a third party tool named psexec.exe through batch files that we detect as Trojan:BAT/Samas.B and Trojan:BAT/Samas.C.

One of the batch files that we detect as Trojan:Bat/Samas.B also deletes the shadow files through the vssadmin.exe tool.

Trojan:MSIL/Samas.A usually takes  the name of delfiletype.exe or sqlsrvtmg1.exe and does the following:

  1. Look for certain file extensions that are related to backup files in the system.
  2. Make sure they are not being locked up by other processes, otherwise, the trojan terminates such processes.
  3. Delete the backup files.

Ransom:MSIL/Samas demonstrates typical ransomware behavior by encrypting files in the system using AES algorithm and renaming the encrypted file with extension encrypted.RSA. It displays the ransom note when it has encrypted the files and will delete itself with the help of a binary in its resource named del.exe.

Figure 2: Click to enlarge the image so you can see the Samas ransom message clearly.

 

So far, we’ve seen a new Ransom:MSIL/Samas variant that shows signs of changing its code from the simple ASCII strings to more hex encoded characters possibly to better evade detection from security vendors.  An example below shows that the files extension names to encrypt has been converted to hex strings:


Figure 3:  Version 1 – Ransom:MSIL/Samas.A

 

Figure 4: Version 2 – Ransom:MSIL/Samas.B

 

It has also changed from using WordPress as its decryption service site, hxxps://lordsecure4u.wordpress.com, and moved on to a more obscure Tor site to help anonymize itself, hxxp://wzrw3hmj3pveaaqh.onion/diana.

Figure 5: Majority of the Ransom:MSIL/Samas infections are detected in North America, and a few instances in Europe

 

Mitigation and prevention

But yes, you can say no mas (translation from Spanish: no more) to Samas ransomware.

To help prevent yourself from falling prey to Samas or other ransomware attacks, use Windows Defender for Windows 10 as your antimalware scanner, and ensure that MAPS has been enabled.

Though ransomware and macro-based malware are on the rise, there’s still something that you or your administrators can proactively do:

 

Marianne Mallen

MMPC

 

Windows 10 to offer application developers new malware defenses

June 9th, 2015 No comments

Application developers can now actively participate in malware defense – in a new way to help protect customers from dynamic script-based malware and non-traditional avenues of cyberattack.

Microsoft is making that possible through the Antimalware Scan Interface (AMSI) – a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. AMSI is currently available through the Windows 10 Technical Preview, and will be fully available when Windows 10 debuts this summer. 

 

How does AMSI help?

To demonstrate the problem we're trying to address, let's look at the traditional cat-and-mouse game that plays out in the malware ecosystem.

We'll use PowerShell as an example, while leveraging the techniques and processes we'll go through apply to all dynamic languages: VBScript, Perl, Python, Ruby, and more.

An example of a malicious PowerShell script

Figure 1: An example of a malicious PowerShell script

While this script simply writes a message to the screen, malware is typically more nefarious. A developer can write a signature to detect this one easily – for example, searching for the string: "Write-Host 'pwnd!'" in any file that the user opens.

So perfect – we've detected our first malware.

After being caught by our first signature, though, malware authors will respond. They respond by creating dynamic scripts.

An example of a dynamic script

Figure 2: An example of a dynamic script.

In this scenario, malware authors create a string representing the PowerShell script to run. But they use a simple string concatenation technique to break our earlier signature. If you ever view the source of an ad-laden web page, you'll see many instances of this technique being used to avoid ad-blocking software.

Finally, they pass this concatenated string to the Invoke-Expression cmdlet – PowerShell's mechanism to evaluate scripts that are composed or created at runtime.

In response, antimalware software starts to do basic language emulation. For example, if we see two strings being concatenated, we emulate the concatenation of those two strings and then run our signatures on the result. Unfortunately, this is a fairly fragile approach, as languages tend to have a lot of ways to represent and concatenate strings.

So after being caught by this signature, malware authors will move to something more complicated – for example, encoding script content in Base64.

An example of a script content in Base64

Figure 3: An example of a script content in Base64.

Being cunning and resourceful, most antimalware engines implements Base64 decoding emulation, as well. So, we're ahead for a time since we also implement Base64 decoding emulation.

In response, malware authors move to algorithmic obfuscation – such as a simple XOR encoding mechanism in the scripts they run.

An example of an algorithmic obfuscation script

Figure 4: An example of an algorithmic obfuscation script.

At this point, we're generally past what antivirus engines will emulate or detect, so we won't necessarily detect what this script is actually doing. However, we can start to write signatures against the obfuscation and encoding techniques. In fact, this is what accounts for the vast majority of signatures for script-based malware.

But what if the obfuscator is so trivial that it looks like many well-behaved scripts? A signature for it would generate an unacceptable number of false positives.

Sample 'stager' script, too benign to detect on its own

Figure 5: Sample 'stager' script, too benign to detect on its own

In this example, we are downloading a web page and invoking some content from it.

The equivalent in Visual Basic script

Figure 6: The equivalent in Visual Basic script.

What makes things worse in both of these examples is that the antivirus engine inspects files being opened by the user. If the malicious content lives only in memory, the attack can potentially go undetected.

 

It's not all doom and gloom! AMSI on the case

The crux of the issue is that scripting engines can run code that was generated at runtime. This is where the new Antimalware Scan Interface comes in.

AMSI architecture

Figure 7: AMSI architecture

While the malicious script might go through several passes of deobfuscation, it ultimately needs to supply the scripting engine with plain, unobfuscated code.

When it gets to this point, the application can now call the new Windows AMSI APIs to request a scan of this unprotected content.

The Windows AMSI interface is open. Any application can call it and any registered Antimalware engine can process the content submitted to it. While we've been talking about this in the context of scripting engines, it doesn't need to stop there. Imagine communication apps that scan instant messages for viruses before ever showing them to you or games that validate plugins before installing them.

There are plenty of more opportunities – this is just a start.

 

AMSI in action

Now, let's take a look at AMSI in action from an XOR encoding sample downloaded from the internet.

Sample script encoded in Base64

Figure 8: Sample script encoded in Base64.

To make things more interesting, we'll enter it manually at the command line where there is no file to monitor.

When we ran it, Windows Defender was able to detect the AMSI test sample in this complicated scenario, while only using the bog standard AMSI test sample signature

Figure 9: When we ran it, Windows Defender was able to detect the AMSI test sample in this complicated scenario, while only using the bog standard AMSI test sample signature.

 

What does this mean for you?

If you are a Windows user, the good news is that the benefits of the Antimalware Scan Interface automatically occur with Windows 10.

Malicious software that uses obfuscation and evasion techniques on Windows' built-in scripting hosts will automatically be inspected at a much deeper level than ever before, providing additional levels of protection.

If you're an Application developer, consider having your application call the Windows AMSI interface if you want some extra scanning and analysis of potentially malicious content.

If you are an antivirus software vendor, consider implementing support for the AMSI interface. When you do, your engine will have much deeper insight into the data that applications (including Windows’ built-in scripting hosts) consider potentially malicious.

 

Lee Holmes

Principal Software Engineer

Windows 10 to offer application developers new malware defenses

June 9th, 2015 No comments

Application developers can now actively participate in malware defense – in a new way to help protect customers from dynamic script-based malware and non-traditional avenues of cyberattack.

Microsoft is making that possible through the Antimalware Scan Interface (AMSI) – a generic interface standard that allows applications and services to integrate with any antimalware product present on a machine. AMSI is currently available through the Windows 10 Technical Preview, and will be fully available when Windows 10 debuts this summer. 

 

How does AMSI help?

To demonstrate the problem we're trying to address, let's look at the traditional cat-and-mouse game that plays out in the malware ecosystem.

We'll use PowerShell as an example, while leveraging the techniques and processes we'll go through apply to all dynamic languages: VBScript, Perl, Python, Ruby, and more.

An example of a malicious PowerShell script

Figure 1: An example of a malicious PowerShell script

While this script simply writes a message to the screen, malware is typically more nefarious. A developer can write a signature to detect this one easily – for example, searching for the string: "Write-Host 'pwnd!'" in any file that the user opens.

So perfect – we've detected our first malware.

After being caught by our first signature, though, malware authors will respond. They respond by creating dynamic scripts.

An example of a dynamic script

Figure 2: An example of a dynamic script.

In this scenario, malware authors create a string representing the PowerShell script to run. But they use a simple string concatenation technique to break our earlier signature. If you ever view the source of an ad-laden web page, you'll see many instances of this technique being used to avoid ad-blocking software.

Finally, they pass this concatenated string to the Invoke-Expression cmdlet – PowerShell's mechanism to evaluate scripts that are composed or created at runtime.

In response, antimalware software starts to do basic language emulation. For example, if we see two strings being concatenated, we emulate the concatenation of those two strings and then run our signatures on the result. Unfortunately, this is a fairly fragile approach, as languages tend to have a lot of ways to represent and concatenate strings.

So after being caught by this signature, malware authors will move to something more complicated – for example, encoding script content in Base64.

An example of a script content in Base64

Figure 3: An example of a script content in Base64.

Being cunning and resourceful, most antimalware engines implements Base64 decoding emulation, as well. So, we're ahead for a time since we also implement Base64 decoding emulation.

In response, malware authors move to algorithmic obfuscation – such as a simple XOR encoding mechanism in the scripts they run.

An example of an algorithmic obfuscation script

Figure 4: An example of an algorithmic obfuscation script.

At this point, we're generally past what antivirus engines will emulate or detect, so we won't necessarily detect what this script is actually doing. However, we can start to write signatures against the obfuscation and encoding techniques. In fact, this is what accounts for the vast majority of signatures for script-based malware.

But what if the obfuscator is so trivial that it looks like many well-behaved scripts? A signature for it would generate an unacceptable number of false positives.

Sample 'stager' script, too benign to detect on its own

Figure 5: Sample 'stager' script, too benign to detect on its own

In this example, we are downloading a web page and invoking some content from it.

The equivalent in Visual Basic script

Figure 6: The equivalent in Visual Basic script.

What makes things worse in both of these examples is that the antivirus engine inspects files being opened by the user. If the malicious content lives only in memory, the attack can potentially go undetected.

 

It's not all doom and gloom! AMSI on the case

The crux of the issue is that scripting engines can run code that was generated at runtime. This is where the new Antimalware Scan Interface comes in.

AMSI architecture

Figure 7: AMSI architecture

While the malicious script might go through several passes of deobfuscation, it ultimately needs to supply the scripting engine with plain, unobfuscated code.

When it gets to this point, the application can now call the new Windows AMSI APIs to request a scan of this unprotected content.

The Windows AMSI interface is open. Any application can call it and any registered Antimalware engine can process the content submitted to it. While we've been talking about this in the context of scripting engines, it doesn't need to stop there. Imagine communication apps that scan instant messages for viruses before ever showing them to you or games that validate plugins before installing them.

There are plenty of more opportunities – this is just a start.

 

AMSI in action

Now, let's take a look at AMSI in action from an XOR encoding sample downloaded from the internet.

Sample script encoded in Base64

Figure 8: Sample script encoded in Base64.

To make things more interesting, we'll enter it manually at the command line where there is no file to monitor.

When we ran it, Windows Defender was able to detect the AMSI test sample in this complicated scenario, while only using the bog standard AMSI test sample signature

Figure 9: When we ran it, Windows Defender was able to detect the AMSI test sample in this complicated scenario, while only using the bog standard AMSI test sample signature.

 

What does this mean for you?

If you are a Windows user, the good news is that the benefits of the Antimalware Scan Interface automatically occur with Windows 10.

Malicious software that uses obfuscation and evasion techniques on Windows' built-in scripting hosts will automatically be inspected at a much deeper level than ever before, providing additional levels of protection.

If you're an Application developer, consider having your application call the Windows AMSI interface if you want some extra scanning and analysis of potentially malicious content.

If you are an antivirus software vendor, consider implementing support for the AMSI interface. When you do, your engine will have much deeper insight into the data that applications (including Windows’ built-in scripting hosts) consider potentially malicious.

 

Lee Holmes

Principal Software Engineer

Our commitment to Microsoft antimalware

October 9th, 2013 No comments

We are fully committed to protecting our consumer and business customers from malware. Our strong solutions provide the comprehensive defense needed against malicious code and attacks. Our support of antimalware partners helps in building a strong and diverse ecosystem to fight malware.

Over the past year, we’ve continued to make investments in our protection technologies:

  • We’ve created new methods to identify emerging threats earlier and defend against them faster. Although around 80 percent of the malware our customers encounter are known or proactively blocked threats, new threats emerge every day. We’ve developed early warning telemetry and faster signature delivery systems to respond to these threats.
  • We’ve focused our resources on activities that directly contribute to customer protection. We exist to serve and protect our customers, so our research and response efforts focus on real threats that affect customers. Today millions of customers have voluntarily opted to let their computers share telemetry data with us on encountered threats, helping us identify and prioritize new malware files. If you are interested in learning more about our approach, I encourage you to read my previous blog and check out this paper which details our outcomes. Our public monthly report shows our trends and the progress we’re seeing.
  • We share our telemetry and samples with the industry to collectively make all of us stronger against our true adversaries – the malware writers. Our commitment to collaboration and sharing programs for antivirus (AV) partners and AV testers is stronger than ever. Through these programs, we encourage the ecosystem to address real world threats that impact all customers.

The end result is that, over the past year, our investments have increased the protection quality we deliver to our customers. As of the middle of 2013, we’ve increased our protection quality – that means less incorrect detections and less misses – by a significant rate since we first started measuring these metrics in the last quarter of 2011.

We are proud of the protection capabilities we provide for well over 150 million computers worldwide with our real-time antimalware products. We believe in Microsoft antimalware products and strongly recommend them to our customers, to our friends, and to our families.

Dennis Batchelder
Partner Group Program Manager
Microsoft Malware Protection Center

Our commitment to Microsoft antimalware

October 9th, 2013 No comments

We are fully committed to protecting our consumer and business customers from malware. Our strong solutions provide the comprehensive defense needed against malicious code and attacks. Our support of antimalware partners helps in building a strong and diverse ecosystem to fight malware.

Over the past year, we’ve continued to make investments in our protection technologies:

  • We’ve created new methods to identify emerging threats earlier and defend against them faster. Although around 80 percent of the malware our customers encounter are known or proactively blocked threats, new threats emerge every day. We’ve developed early warning telemetry and faster signature delivery systems to respond to these threats.
  • We’ve focused our resources on activities that directly contribute to customer protection. We exist to serve and protect our customers, so our research and response efforts focus on real threats that affect customers. Today millions of customers have voluntarily opted to let their computers share telemetry data with us on encountered threats, helping us identify and prioritize new malware files. If you are interested in learning more about our approach, I encourage you to read my previous blog and check out this paper which details our outcomes. Our public monthly report shows our trends and the progress we’re seeing.
  • We share our telemetry and samples with the industry to collectively make all of us stronger against our true adversaries – the malware writers. Our commitment to collaboration and sharing programs for antivirus (AV) partners and AV testers is stronger than ever. Through these programs, we encourage the ecosystem to address real world threats that impact all customers.

The end result is that, over the past year, our investments have increased the protection quality we deliver to our customers. As of the middle of 2013, we’ve increased our protection quality – that means less incorrect detections and less misses – by a significant rate since we first started measuring these metrics in the last quarter of 2011.

We are proud of the protection capabilities we provide for well over 150 million computers worldwide with our real-time antimalware products. We believe in Microsoft antimalware products and strongly recommend them to our customers, to our friends, and to our families.

Dennis Batchelder
Partner Group Program Manager
Microsoft Malware Protection Center

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 FOR FOREFRONT SECURITY FOR OFFICE COMMUNICATIONS SERVER

December 15th, 2010 No comments

On behalf of the Security team at Microsoft, I am please to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Security for Office Communications Server.

 

On December 15th, Microsoft shipped Hotfix Rollup 2 for Forefront Security for Office Communications Server (FSOCS) to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: http://support.microsoft.com/kb/2482040  

 

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this Hotfix Rollup.

 

Regards,

Robert McCarthy

CSS Microsoft Security

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 FOR FOREFRONT SECURITY FOR OFFICE COMMUNICATIONS SERVER

December 15th, 2010 No comments

On behalf of the Security team at Microsoft, I am please to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Security for Office Communications Server.

 

On December 15th, Microsoft shipped Hotfix Rollup 2 for Forefront Security for Office Communications Server (FSOCS) to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: http://support.microsoft.com/kb/2482040  

 

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this Hotfix Rollup.

 

Regards,

Robert McCarthy

CSS Microsoft Security

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 FOR FOREFRONT SECURITY FOR OFFICE COMMUNICATIONS SERVER

December 15th, 2010 Comments off

On behalf of the Security team at Microsoft, I am please to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Security for Office Communications Server.

 

On December 15th, Microsoft shipped Hotfix Rollup 2 for Forefront Security for Office Communications Server (FSOCS) to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: http://support.microsoft.com/kb/2482040  

 

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this Hotfix Rollup.

 

Regards,

Robert McCarthy

CSS Microsoft Security

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 FOR FOREFRONT SECURITY FOR OFFICE COMMUNICATIONS SERVER

December 15th, 2010 No comments

On behalf of the Security team at Microsoft, I am please to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Security for Office Communications Server.

 

On December 15th, Microsoft shipped Hotfix Rollup 2 for Forefront Security for Office Communications Server (FSOCS) to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: http://support.microsoft.com/kb/2482040  

 

As the installer runs, server service restarts may be necessary, so please plan accordingly when applying this Hotfix Rollup.

 

Regards,

Robert McCarthy

CSS Microsoft Security

Please let us know about how you use email security solutions in your workplace

December 6th, 2010 Comments off

Hello everyone,

The Microsoft Forefront team is currently conducting a survey and would like to hear your opinions about email security, especially how you use email security solutions in your organization. We would appreciate it if you would take the time to respond to this survey.  This information will help us improve Forefront Protection for Exchange.

Please consider taking a few minutes at this time to complete the survey. This survey should take about 10 -15 minutes to complete.

 

To participate, please click here.

 

Carolyn Liu
Senior Program Manager, Forefront Server Protection

Please let us know about how you use email security solutions in your workplace

December 6th, 2010 No comments

Hello everyone,

The Microsoft Forefront team is currently conducting a survey and would like to hear your opinions about email security, especially how you use email security solutions in your organization. We would appreciate it if you would take the time to respond to this survey.  This information will help us improve Forefront Protection for Exchange.

Please consider taking a few minutes at this time to complete the survey. This survey should take about 10 -15 minutes to complete.

 

To participate, please click here.

 

Carolyn Liu
Senior Program Manager, Forefront Server Protection

Please let us know about how you use email security solutions in your workplace

December 6th, 2010 No comments

Hello everyone,

The Microsoft Forefront team is currently conducting a survey and would like to hear your opinions about email security, especially how you use email security solutions in your organization. We would appreciate it if you would take the time to respond to this survey.  This information will help us improve Forefront Protection for Exchange.

Please consider taking a few minutes at this time to complete the survey. This survey should take about 10 -15 minutes to complete.

 

To participate, please click here.

 

Carolyn Liu
Senior Program Manager, Forefront Server Protection

Please let us know about how you use email security solutions in your workplace

December 6th, 2010 No comments

Hello everyone,

The Microsoft Forefront team is currently conducting a survey and would like to hear your opinions about email security, especially how you use email security solutions in your organization. We would appreciate it if you would take the time to respond to this survey.  This information will help us improve Forefront Protection for Exchange.

Please consider taking a few minutes at this time to complete the survey. This survey should take about 10 -15 minutes to complete.

 

To participate, please click here.

 

Carolyn Liu
Senior Program Manager, Forefront Server Protection

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 for FOREFRONT PROTECTION FOR EXCHANGE

November 29th, 2010 No comments

On behalf of the Security team at Microsoft, I am pleased to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Protection 2010 for Exchange.

 

On November 30th Microsoft shipped Hotfix Rollup 2 for Forefront Protection 2010 for Exchange to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: .http://support.microsoft.com/kb/2420647.

 

As the installer runs, server service restarts may be necessary so please plan accordingly when applying this Hotfix Rollup. 

 

Regards,

Robert McCarthy
CSS Microsoft Security

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 for FOREFRONT PROTECTION FOR EXCHANGE

November 29th, 2010 No comments

On behalf of the Security team at Microsoft, I am pleased to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Protection 2010 for Exchange.

 

On November 30th Microsoft shipped Hotfix Rollup 2 for Forefront Protection 2010 for Exchange to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: .http://support.microsoft.com/kb/2420647.

 

As the installer runs, server service restarts may be necessary so please plan accordingly when applying this Hotfix Rollup. 

 

Regards,

Robert McCarthy
CSS Microsoft Security

RELEASE ANNOUNCEMENT FOR HOTFIX ROLLUP 2 for FOREFRONT PROTECTION FOR EXCHANGE

November 29th, 2010 Comments off

On behalf of the Security team at Microsoft, I am pleased to announce the release of Hotfix Rollup 2 for Microsoft’s Forefront Protection 2010 for Exchange.

 

On November 30th Microsoft shipped Hotfix Rollup 2 for Forefront Protection 2010 for Exchange to provide a series of product enhancements and new features.

 

For a complete list of the new features and enhancements included in this rollup, along with directions for download, please see the following Knowledge Base article: .http://support.microsoft.com/kb/2420647.

 

As the installer runs, server service restarts may be necessary so please plan accordingly when applying this Hotfix Rollup. 

 

Regards,

Robert McCarthy
CSS Microsoft Security