Archive

Archive for the ‘Windows’ Category

Windows Defender Antivirus can now run in a sandbox

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox. With this new development, Windows Defender Antivirus becomes the first complete antivirus solution to have this capability and continues to lead the industry in raising the bar for security.

Putting Windows Defender Antivirus in a restrictive process execution environment is a direct result of feedback that we received from the security industry and the research community. It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing.

While it was a tall order, we knew it was the right investment and the next step in our innovation journey. It is available to Windows Insiders today. We encourage researchers and partners to try and examine this feature and give us feedback, so we can fine-tune performance, functionality, and security before we make it broadly available.

Why sandbox? Why now?

From the beginning, we designed and built Windows Defender Antivirus to be resistant to attacks. In order to inspect the whole system for malicious content and artifacts, it runs with high privileges. This makes it a candidate for attacks.

Security researchers both inside and outside of Microsofthave previously identified ways that an attacker can take advantage of vulnerabilities in Windows Defender Antiviruss content parsers that could enable arbitrary code execution. While we havent seen attacks in-the-wild actively targeting Windows Defender Antivirus, we take these reports seriously. We immediately fixed potential problems and ramped up our own research and testing to uncover and resolve other possible issues.

At the same time, we continued hardening Windows 10 in general against attacks. Hardware-based isolation, network protection, controlled folder access, exploit protection, and other technologies reduce the attack surface and increase attacker costs. Notably, escalation of privilege from a sandbox is so much more difficult on the latest versions of Windows 10. Furthermore, the integration of Windows Defender Antivirus and other Windows security technologies into Windows Defender ATPs unified endpoint security platform allows signal-sharing and orchestration of threat detection and remediation across components.

Running Windows Defender Antivirus in a sandbox ensures that in the unlikely event of a compromise, malicious actions are limited to the isolated environment, protecting the rest of the system from harm. This is part of Microsofts continued investment to stay ahead of attackers through security innovations. Windows Defender Antivirus and the rest of the Windows Defender ATP stack now integrate with other security components of Microsoft 365 to form Microsoft Threat Protection. Its more important than ever to elevate security across the board, so this new enhancement in Windows Defender Antivirus couldnt come at a better time.

Implementing a sandbox for Windows Defender Antivirus

Modern antimalware products are required to inspect many inputs, for example, files on disk, streams of data in memory, and behavioral events in real time. Many of these capabilities require full access to the resources in question. The first major sandboxing effort was related to layering Windows Defender Antiviruss inspection capabilities into the components that absolutely must run with full privileges and the components that can be sandboxed. The goal for the sandboxed components was to ensure that they encompassed the highest risk functionality like scanning untrusted input, expanding containers, and so on. At the same time, we had to minimize the number of interactions between the two layers in order to avoid a substantial performance cost.

The ability to gradually deploy this feature was another important design goal. Because we would be enabling this on a wide range of hardware and software configurations, we aimed to have the ability at runtime to decide if and when the sandboxing is enabled. This means that the entire content scanning logic can work both in-proc and out-of-proc, and it cant make any assumptions about running with high privileges.

Performance is often the main concern raised around sandboxing, especially given that antimalware products are in many critical paths like synchronously inspecting file operations and processing and aggregating or matching large numbers of runtime events. To ensure that performance doesnt degrade, we had to minimize the number of interactions between the sandbox and the privileged process, and at the same time, only perform these interactions in key moments where their cost would not be significant, for example, when IO is being performed.

Windows Defender Antivirus makes an orchestrated effort to avoid unnecessary IO, for example, minimizing the amount of data read for every inspected file is paramount in maintaining good performance, especially on older hardware (rotational disk, remote resources). Thus, it was crucial to maintain a model where the sandbox can request data for inspection as needed, instead of passing the entire content. An important note: passing handles to the sandbox (to avoid the cost of passing the actual content) isnt an option because there are many scenarios, such as real-time inspection, AMSI, etc., where theres no sharable handle that can be used by the sandbox without granting significant privileges, which decreases the security.

Resource usage is also another problem that required significant investments: both the privileged process and the sandbox process needed to have access to signatures and other detection and remediation metadata. To avoid duplication and preserve strong security guarantees, i.e., avoid unsafe ways to share state or introducing significant runtime cost of passing data/content between the processes, we used a model where most protection data is hosted in memory-mapped files that are read-only at runtime. This means protection data can be hosted into multiple processes without any overhead.

Another significant concern around sandboxing is related to the inter-process communication mechanism to avoid potential problems like deadlocks and priority inversions. The communication should not introduce any potential bottlenecks, either by throttling the caller or by limiting the number of concurrent requests that can be processed. Moreover, the sandbox process shouldn’t trigger inspection operations by itself. All inspections should happen without triggering additional scans. This requires fully controlling the capabilities of the sandbox and ensuring that no unexpected operations can be triggered. Low-privilege AppContainers are the perfect way to implement strong guarantees because the capabilities-based model will allow fine-grained control on specifying what the sandbox process can do.

Lastly, a significant challenge from the security perspective is related to content remediation or disinfection. Given the sensitive nature of the action (it attempts to restore a binary to the original pre-infection content), we needed to ensure this happens with high privileges in order to mitigate cases in which the content process (sandbox) could be compromised and disinfection could be used to modify the detected binary in unexpected ways.

Once the sandboxing is enabled, customers will see a content process MsMpEngCP.exe running alongside with the antimalware service MsMpEng.exe.

The content processes, which run with low privileges, also aggressively leverage all available mitigation policies to reduce the attack surface. They enable and prevent runtime changes for modern exploit mitigation techniques such as Data Execution Prevention (DEP), Address space layout randomization (ASLR), and Control Flow Guard (CFG). They also disable Win32K system calls and all extensibility points, as well as enforce that only signed and trusted code is loaded. More mitigation policies will be introduced in the future, alongside other techniques that aim to reduce even further the risk of compromise, such as multiple sandbox processes with random assignment, more aggressive recycling of sandbox processes without a predictable schedule, runtime analysis of the sandbox behavior, and others.

How to enable sandboxing for Windows Defender Antivirus today

We’re in the process of gradually enabling this capability for Windows insiders and continuously analyzing feedback to refine the implementation.

Users can also force the sandboxing implementation to be enabled by setting a machine-wide environment variable (setx /M MP_FORCE_USE_SANDBOX 1) and restarting the machine. This is currently supported on Windows 10, version 1703 or later.

Looking ahead: Broader availability and continuous innovation

To implement sandboxing for Windows Defender Antivirus, we took a lot of inputs from the feedback, suggestions, and research from our peers in the industry. From the beginning, we saw this undertaking as the security industry and the research community coming together to elevate security. We now call on researchers to follow through, as we did, and give us feedback on the implementation.

Windows Defender Antivirus is on a path of continuous innovation. Our next-gen antivirus solution, which is powered by artificial intelligence and machine learning and delivered in real-time via the cloud, is affirmed by independent testers, adoption in the enterprise, and customers protected every day from malware campaigns big and small. Were excited to roll out this latest enhancement to the rest of our customers.

And we are committed to continue innovating. Were already working on new anti-tampering defenses for Windows Defender Antivirus. This will further harden our antivirus solution against adversaries. Youll hear about these new efforts soon. Windows Defender Antivirus and the rest of the Windows Defender Advanced Threat Protection will continue to advance and keep on leading the industry in raising the bar for security.

 

 

Mady Marinescu
Windows Defender Engineering team
with Eric Avena
Content Experience team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post Windows Defender Antivirus can now run in a sandbox appeared first on Microsoft Secure.

Attack inception: Compromised supply chain within a supply chain poses new risks

A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the apps legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.

The plot twist: The app vendors systems were unaffected. The compromise was traceable instead to a second software vendor that hosted additional packages used by the app during installation. This turned out be an interesting and unique case of an attack involving “the supply chain of the supply chain”.

The attackers monetized the campaign using cryptocurrency miners going as far as using two variants, for good measure adding to an expanding list of malware attacks that install coin miners.

We estimate based on evidence from Windows Defender ATP that the compromise was active between January and March 2018 but was very limited in nature. Windows Defender ATP detected suspicious activity on a handful of targeted computers; Automated investigation automatically resolved the attack on these machines.

While the impact is limited, the attack highlighted two threat trends: (1) the escalating frequency of attacks that use software supply chains as threat vector, and (2) the increasing use of cryptocurrency miners as primary means for monetizing malware campaigns.

This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources. This is evidence that software supply chains are becoming a risky territory and a point-of-entry preferred even by common cybercriminals.

Hunting down the software supply chain compromise

As with most software supply chain compromises, this new attack was carried out silently. It was one of numerous attacks detected and automatically remediated by Windows Defender ATP on a typical day.

While customers were immediately protected, our threat hunting team began an in-depth investigation when similar infection patterns started emerging across different sets of machines: Antivirus capabilities in Windows Defender ATP was detecting and blocking a coin mining process masquerading as pagefile.sys, which was being launched by a service named xbox-service.exe. Windows Defender ATP’s alert timeline showed that xbox-service.exe was installed by an installer package that was automatically downloaded from a suspicious remote server.

Figure 1. Windows Defender ATP alert for the coin miner used in this incident

A machine compromised with coin miner malware is relatively easy to remediate. However, investigating and finding the root cause of the coin miner infection without an advanced endpoint detection and response (EDR) solution like Windows Defender ATP is challenging; tracing the infection requires a rich timeline of events. In this case, Advanced hunting capabilities in Windows Defender ATP can answer three basic questions:

  • What created xbox-service.exe and pagefile.sys files on the host?
  • Why is xbox-service.exe being launched as a service with high privileges?
  • What network and process activities were seen just before xbox-service.exe was launched?

Answering these questions is painless with Windows Defender ATP. Looking at the timeline of multiple machines, our threat hunting team was able to confirm that an offending installer package (MSI) was downloaded and written onto devices through a certain PDF editor app (an alternative app to Adobe Acrobat Reader).

The malicious MSI file was installed silently as part of a set of font packages; it was mixed in with other legitimate MSI files downloaded by the app during installation. All the MSI files were clean and digitally signed by the same legitimate company except for the one malicious file. Clearly, something in the download and installation chain was subverted at the source, an indication of software supply chain attack.

Figure 2. Windows Defender ATP answers who, when, what (xbox-service.exe created right after MSI installation)

As observed in previous supply chain incidents, hiding malicious code inside an installer or updater program gives attackers the immediate benefit of having full elevated privileges (SYSTEM) on a machine. This gives malicious code the permissions to make system changes like copying files to the system folder, adding a service, and running coin mining code.

Confident with the results of our investigation, we reported findings to the vendor distributing the PDF editor app. They were unaware of the issue and immediately started investigating on their end.

Working with the app vendor, we discovered that the vendor itself was not compromised. Instead, the app vendor itself was the victim of a supply chain attack traceable to their dependency on a second software vendor that was responsible for creating and distributing the additional font packages used by the app. The app vendor promptly notified their partner vendor, who was able to identify and remediate the issue and quickly interrupted the attack.

Multi-tier software supply chain attack

The goal of the attackers was to install a cryptocurrency miner on victim machines. They used the PDF editor app to download and deliver the malicious payload. To compromise the software distribution chain, however, they targeted one of the app vendors software partners, which provided and hosted additional font packages downloaded during the apps installation.

Figure 3. Diagram of the software distribution infrastructure of the two vendors involved in this software supply chain attack

This software supply chain attack shows how cybercriminals are increasingly using methods typically associated with sophisticated cyberattacks. The attack required a certain level of reconnaissance: the attackers had to understand how the normal installation worked. They eventually found an unspecified weakness in the interactions between the app vendor and partner vendor that created an opportunity.

The attackers figured out a way to hijack the installation chain of the MSI font packages by exploiting the weakness they found in the infrastructure. Thus, even if the app vendor was not compromised and was completely unaware of the situation, the app became the unexpected carrier of the malicious payload because the attackers were able to redirect downloads.

At a high level, heres an explanation of the multi-tier attack:

  1. Attackers recreated the software partners infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica sever.
  2. The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
  3. Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
  4. As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers replica server instead of the software partners server.

While the attack was active, when the app reached out to the software partners server during installation, it was redirected to download the malicious MSI font package from the attackers replica server. Thus, users who downloaded and installed the app also eventually installed the coin miner malware. After, when the device restarts, the malicious MSI file is replaced with the original legitimate one, so victims may not immediately realize the compromise happened. Additionally, the update process was not compromised, so the app could properly update itself.

Windows Defender ATP customers were immediately alerted of the suspicious installation activity carried out by the malicious MSI installer and by the coin miner binary, and the threat was automatically remediated.

Figure 4. Windows Defender ATP alert process tree for download and installation of MSI font packages: all legitimate, except for one

Since the compromise involved a second-tier software partner vendor, the attack could potentially expand to customers of other app vendors that share the same software partner. Based on PDF application names hardcoded by the attackers in the poisoned MSI file, we have identified at least six additional app vendors that may be at risk of being redirected to download installation packages from the attackers server. While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind.

Another coin miner malware campaign

The poisoned MSI file contained malicious code in a single DLL file that added a service designed to run a coin mining process. The said malware, detected as Trojan:Win64/CoinMiner, hid behind the name xbox-service.exe. When run, this malware consumed affected machines computing resources to mine Monero coins.

Figure 5. Malicious DLL payload extracted from the MSI installer

Another interesting aspect of the DLL payload is that during the malware installation stage, it tries to modify the Windows hosts file so that the infected machine cant communicate with the update servers of certain PDF apps and security software. This is an attempt to prevent remote cleaning and remediation of affected machines.

Figure 6. Preventing further download of updates from certain PDF app vendors

Inside the DLL, we also found some traces of an alternative form of coin mining: browser scripts. Its unclear if this code was the attackers potential secondary plan or simply a work in progress to add one more way to maximize coin mining opportunities. The DLL contained strings and code that may be used to launch a browser to connect to the popular Coinhive library to mine Monero coins.

Figure 7. Browser-based coin mining script

Software supply chain attacks: A growing industry problem

In early 2017, we discovered operation WilySupply, an attack that compromised a text editors software updater to install a backdoor on targeted organizations in the financial and IT sectors. Several weeks later, another supply chain attack made headlines by initiating a global ransomware outbreak. We confirmed speculations that the update process for a tax accounting software popular in Ukraine was the initial infection vector for the Petya ransomware. Later that same year, a backdoored version of CCleaner, a popular freeware tool, was delivered from a compromised infrastructure. Then, in early 2018, we uncovered and stopped a Dofoil outbreak that poisoned a popular signed peer-to-peer application to distribute a coin miner.

These are just some of many similar cases of supply chain attacks observed in 2017 and 2018. We predict, as many other security researchers do, that this worrisome upward trend will continue.

Figure 8. Software supply chain attacks trends (source: RSA Conference 2018 presentation “The Unexpected Attack Vector: Software Updaters“)

The growing prevalence of supply chain attacks may be partly attributed to hardened modern platforms like Windows 10 and the disappearance of traditional infection vectors like browser exploits. Attackers are constantly looking for the weakest link; with zero-day exploits becoming too expensive to buy or create (exploit kits are at their historically lowest point), attackers search for cheaper alternative entry points like software supply chains compromise. Benefiting from unsafe code practices, unsecure protocols, or unprotected server infrastructure of software vendors to facilitate these attacks.

The benefit for attackers is clear: Supply chains can offer a big base of potential victims and can result in big returns. Its been observed targeting a wide range of software and impacting organizations in different sectors. Its an industry-wide problem that requires attention from multiple stakeholders – software developers and vendors who write the code, system admins who manage software installations, and the information security community who find these attacks and create solutions to protect against them, among others.

For further reading, including a list of notable supply chain attacks, check out our RSA Conference 2018 presentation on the topic of software supply chain attack trends: The Unexpected Attack Vector: Software Updaters.

Recommendations for software vendors and developers

Software vendors and developers need to ensure they produce secure as well as useful software and services. To do that, we recommend:

  • Maintain a highly secure build and update infrastructure.

    • Immediately apply security patches for OS and software.
    • Implement mandatory integrity controls to ensure only trusted tools run.
    • Require multi-factor authentication for admins.

  • Build secure software updaters as part of the software development lifecycle.

    • Require SSL for update channels and implement certificate pinning.
    • Sign everything, including configuration files, scripts, XML files, and packages.
    • Check for digital signatures, and dont let the software updater accept generic input and commands.

  • Develop an incident response process for supply chain attacks.

    • Disclose supply chain incidents and notify customers with accurate and timely information.

Defending corporate networks against supply chain attacks

Software supply chain attacks raise new challenges in security given that they take advantage of common everyday tasks like software installation and update. Given the increasing prevalence of these types of attacks, organizations should investigate the following security solutions:

  • Adopt a walled garden ecosystem for devices, especially for critical systems.Windows 10 in S mode is designed to allow only apps installed from the Microsoft Store, ensuring Microsoft-verified security
  • Deploy strong code integrity policies.Application control can be used to restrict the applications that users are allowed to run. It also restricts the code that runs in the system core (kernel) and can block unsigned scripts and other forms of untrusted code for customers who cant fully adopt Windows 10 in S mode.
  • Use endpoint detection and response (EDR) solutions.Endpoint detection and response capabilities in Windows Defender ATP can automatically detect and remediate suspicious activities and other post-breach actions, so even when entry vector is stealthy like for software supply chain, Windows Defender ATP can help to detect and contain such incidents sooner.

In supply chain attacks, the actual compromise happens outside the network, but organizations can detect and block malware that arrive through this method. The built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. For example, as demonstrated in this investigation, antivirus capabilities detected the coin mining payload. The detection was surfaced on Windows Defender ATP, where automated investigation resolved the attack, protecting customers. The rich alert timeline and advanced hunting capabilities in Windows Defender ATP showed the extent of the software supply chain attack. Through this unified platform, Windows Defender ATP delivers attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, and advanced hunting.

 

 

Elia Florio
with Lior Ben Porat
Windows Defender ATP Research team

 

 

Indicators of compromise (IOCs)

Malicious MSI font packages:
– a69a40e9f57f029c056d817fe5ce2b3a1099235ecbb0bcc33207c9cff5e8ffd0
– ace295558f5b7f48f40e3f21a97186eb6bea39669abcfa72d617aa355fa5941c
– 23c5e9fd621c7999727ce09fd152a2773bc350848aedba9c930f4ae2342e7d09
– 69570c69086e335f4b4b013216aab7729a9bad42a6ce3baecf2a872d18d23038

Malicious DLLs embedded in MSI font packages:
– b306264d6fc9ee22f3027fa287b5186cf34e7fb590d678ee05d1d0cff337ccbf

Coin miner malware:
– fcf64fc09fae0b0e1c01945176fce222be216844ede0e477b4053c9456ff023e (xbox-service.exe)
– 1d596d441e5046c87f2797e47aaa1b6e1ac0eabb63e119f7ffb32695c20c952b (pagefile.sys)

Software supply chain download server:
– hxxp://vps11240[.]hyperhost[.]name/escape/[some_font_package].msi (IP: 91[.]235 [.]129 [.]133)

Command-and-control/coin mining:
– hxxp://data28[.]somee [.]com/data32[.]zip
– hxxp://carma666[.]byethost12 [.]com/32[.]html

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

March-April 2018 test results: More insights into industry AV tests

In a previous post, in the spirit of our commitment to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions, we shared insights and context into the results of AV-TESTs January-February 2018 test cycle. We released a transparency report to help our customers and the broader security community to stay informed and understand independent test results better.

In the continued spirit of these principles, wed like to share Windows Defender AVs scores in the March-April 2018 test. In this new iteration of the transparency report, we continue to investigate the relationship of independent test results and the real-world protection of antivirus solutions. We hope that you find the report insightful.

Download the complete transparency report on March-April 2018 AV-TEST results

 

Below is a summary of the transparency report:

Protection: Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). With the latest results, Windows Defender AV has achieved 100% on 9 of the 12 most recent tests (combined “Real World” and “Prevalent malware”).
Usability (false positives):Windows Defender AV maintained its previous score of 5.5/6.0. Based on telemetry, most samples that Windows Defender AV incorrectly classified as malware (false positive) had very low prevalence and are not commonly used in business context. This means that it is unlikely for these false positives to affect enterprise customers.
Performance: Windows Defender AV maintained its previous score of 5.5/6.0 and continued to outperform the industry in most areas. These results reflect the investments we made in optimizing Windows Defender AV performance for high-frequency actions.

 

The report aims to help customers evaluate the extent to which test results are reflective of the quality of protection in the real world. At the same time, insights from the report continue to drive further improvements in the intelligent security services that Microsoft provides for customers.

Windows Defender AV and the rest of the built-in security technologies in Windows Defender Advanced Threat Protection (Windows Defender ATP) work together to create a unified endpoint security platform. In real customer environments, this unified security platform provides intelligent protection, detection, investigation, and response capabilities that are not currently reflected in independent tests. We tested the two malware samples that Windows Defender AV missed in the March-April 2018 test and proved that for both missed samples, at least three other components of Windows Defender ATP would detect or block the malware in a true attack scenario. You can find these details and more in the transparency report.

Download the complete transparency report on March-April 2018 AV-TEST results

 

The Windows Defender ATP security platform incorporates attack surface reduction, next-generation protection, endpoint detection and response, and advanced hunting capabilities. To see these capabilities for yourself, sign up for a 90-day trial of Windows Defender ATP, or enable Preview features on existing tenants.

 

 

 

Zaid Arafeh

Senior Program Manager, Windows Defender Research team

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Machine learning vs. social engineering

Machine learning is a key driver in the constant evolution of security technologies at Microsoft. Machine learning allows Microsoft 365 to scale next-gen protection capabilities and enhance cloud-based, real-time blocking of new and unknown threats. Just in the last few months, machine learning has helped us to protect hundreds of thousands of customers against ransomware, banking Trojan, and coin miner malware outbreaks.

But how does machine learning stack up against social engineering attacks?

Social engineering gives cybercriminals a way to get into systems and slip through defenses. Security investments, including the integration of advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security into Microsoft 365, have significantly raised the cost of attacks. The hardening of Windows 10 and Windows 10 in S mode, the advancement of browser security in Microsoft Edge, and the integrated stack of endpoint protection platform (EPP) and endpoint detection and response (EDR) capabilities in Windows Defender Advanced Threat Protection (Windows Defender ATP) further raise the bar in security. Attackers intent on overcoming these defenses to compromise devices are increasingly reliant on social engineering, banking on the susceptibility of users to open the gate to their devices.

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents, typically in combination with social engineering lures. Every month, Windows Defender AV detects non-PE threats on over 10 million machines. These threats may be delivered as email attachments, through drive-by web downloads, removable drives, browser exploits, etc. The most common non-PE threat file types are JavaScript and VBScript.

Figure 1. Ten most prevalent non-PE threat file types encountered by Windows Defender AV

Non-PE threats are typically used as intermediary downloaders designed to deliver more dangerous executable malware payloads. Due to their flexibility, non-PE files are also used in various stages of the attack chain, including lateral movement and establishing fileless persistence. Machine learning allows us to scale protection against these threats in real-time, often protecting the first victim (patient zero).

Catching social engineering campaigns big and small

In mid-May, a small-scale, targeted spam campaign started distributing spear phishing emails that spoofed a landscaping business in Calgary, Canada. The attack was observed targeting less than 100 machines, mostly located in Canada. The spear phishing emails asked target victims to review an attached PDF document.

When opened, the PDF document presents itself as a secure document that requires action a very common social engineering technique used in enterprise phishing attacks. To view the supposed secure document, the target victim is instructed to click a link within the PDF, which opens a malicious website with a sign-in screen that asks for enterprise credentials.

Phished credentials can then be used for further attacks, including CEO fraud, additional spam campaigns, or remote access to the network for data theft or ransomware. Our machine learning blocked the PDF file as malware (Trojan:Script/Cloxer.A!cl) from the get-go, helping prevent the attack from succeeding.

Figure 2. Phishing email campaign with PDF attachment

Beyond targeted credential phishing attacks, we commonly see large-scale malware campaigns that use emails with archive attachments containing malicious VBScript or JavaScript files. These emails typically masquerade as an outstanding invoice, package delivery, or parking ticket, and instruct targets of the attack to refer to the attachment for more details. If the target opens the archive and runs the script, the malware typically downloads and runs further threats like ransomware or coin miners.

Figure 3. Typical social engineering email campaign with an archive attachment containing a malicious script

Malware campaigns like these, whether limited and targeted or large-scale and random, occur frequently. Attackers go to great lengths to avoid detection by heavily obfuscating code and modifying their attack code for each spam wave. Traditional methods of manually writing signatures identifying patterns in malware cannot effectively stop these attacks. The power of machine learning is that it is scalable and can be powerful enough to detect noisy, massive campaigns, but also specific enough to detect targeted attacks with very few signals. This flexibility means that we can stop a wide range of modern attacks automatically at the onset.

Machine learning models zero in on non-executable file types

To fight social engineering attacks, we build and train specialized machine learning models that are designed for specific file types.

Building high-quality specialized models requires good features for describing each file. For each file type, the full contents of hundreds of thousands of files are analyzed using large-scale distributed computing. Using machine learning, the best features that describe the content of each file type are selected. These features are deployed to the Windows Defender AV client to assist in describing the content of each file to machine learning models.

In addition to these ML-learned features, the models leverage expert researcher-created features and other useful file metadata to describe content. Because these ML models are trained for specific file types, they can zone in on the metadata of these file types.

Figure 4. Specialized file type-specific client ML models are paired with heavier cloud ML models to classify and protect against malicious script files in real-time

When the Windows Defender AV client encounters an unknown file, lightweight local ML models search for suspicious characteristics in the files features. Metadata for suspicious files are sent to the cloud protection service, where an array of bigger ML classifiers evaluate the file in real-time.

In both the client and the cloud, specialized file-type ML classifiers add to generic ML models to create multiple layers of classifiers that detect a wide range of malicious behavior. In the backend, deep-learning neural network models identify malicious scripts based on their full file content and behavior during detonation in a controlled sandbox. If a file is determined malicious, it is not allowed to run, preventing infection at the onset.

File type-specific ML classifiers are part of metadata-based ML models in the Windows Defender AV cloud protection service, which can make a verdict on suspicious files within a fraction of a second.

Figure 5. Layered machine learning models in Windows Defender ATP

File type-specific ML classifiers are also leveraged by ensemble models that learn and combine results from the whole array of cloud classifiers. This produces a comprehensive cloud-based machine learning stack that can protect against script-based attacks, including zero-day malware and highly targeted attacks. For example, the targeted phishing attack in mid-May was caught by a specialized PDF client-side machine learning model, as well as several cloud-based machine learning models, protecting customers in real-time.

Microsoft 365 threat protection powered by artificial intelligence and data sharing

Social engineering attacks that use non-portable executable (PE) threats are pervasive in todays threat landscape; the impact of combating these threats through machine learning is far-reaching.

Windows Defender AV combines local machine learning models, behavior-based detection algorithms, generics, and heuristics with a detonation system and powerful ML models in the cloud to provide real-time protection against polymorphic malware. Expert input from researchers, advanced technologies like Antimalware Scan Interface (AMSI), and rich intelligence from the Microsoft Intelligent Security Graph continue to enhance next-generation endpoint protection platform (EPP) capabilities in Windows Defender Advanced Threat Protection.

In addition to antivirus, components of Windows Defender ATPs interconnected security technologies defend against the multiple elements of social engineering attacks. Windows Defender SmartScreen in Microsoft Edge (also now available as a Google Chrome extension) blocks access to malicious URLs, such as those found in social engineering emails and documents. Network protection blocks malicious network communications, including those made by malicious scripts to download payloads. Attack surface reduction rules in Windows Defender Exploit Guard block Office-, script-, and email-based threats used in social engineering attacks. On the other hand, Windows Defender Application Control can block the installation of untrusted applications, including malware payloads of intermediary downloaders. These security solutions protect Windows 10 and Windows 10 in S mode from social engineering attacks.

Further, Windows Defender ATP endpoint detection and response (EDR) uses the power of machine learning and AMSI to unearth script-based attacks that live off the land. Windows Defender ATP allows security operations teams to detect and mitigate breaches and cyberattacks using advanced analytics and a rich detection library. With the April 2018 Update, automated investigation and advance hunting capabilities further enhance Windows Defender ATP. Sign up for a free trial.

Machine learning also powers Office 365 Advanced Threat Protection to detect non-PE attachments in social engineering spam campaigns that distribute malware or steal user credentials. This enhances the Office 365 ATP comprehensive and multi-layered solution to protect mailboxes, files, online storage, and applications against threats.

These and other technologies power Microsoft 365 threat protection to defend the modern workplace. In Windows 10 April 2018 Update, we enhanced signal sharing across advanced threat protection services in Windows, Office 365, and Enterprise Mobility + Security through the Microsoft Intelligent Security Graph. This integration enables these technologies to automatically update protection and detection and orchestrate remediation across Microsoft 365.

 

Gregory Ellison and Geoff McDonald
Windows Defender Research

 

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Adding transparency and context into industry AV test results

 

Corporate Vice President Brad Anderson recently shared his insights on how Windows Defender Advanced Threat Protection (Windows Defender ATP) evolved to achieve important quality milestones. Our Windows Defender ATP team is committed to delivering industry-leading protection, customer choice, and transparency on the quality of our solutions. In the continued spirit of these principles, we want to share the results of the January-February 2018 test conducted by independent antivirus tester AV-TEST and provide a transparency report that augments the test findings with contextual information to help our customers make informed decisions about Windows Defender ATP adoption.

Download the complete transparency report on January-February 2018 test results

 

At a high-level, the transparency report shows:

Protection: Windows Defender Antivirus (Windows Defender AV) achieved a perfect score in Protection, maintaining consistently high scores in this category.
Usability (false positives): Windows Defender AV achieved an improved Usability score of 5.5/6.0. Per our telemetry, samples that Windows Defender AV incorrectly classified (false positive) had very low prevalence and are not commonly used in business context.
Performance: Windows Defender AV improved this cycle, achieving a 5.5/6.0 Performance score and outperforming the industry in almost all areas. These results reflect the investments we put in optimizing Windows Defender AV performance for high-frequency actions (e.g., application run).

 

While independent tests can help assess a security solutions capabilities and protections, it is important to understand that antivirus tests are only one part of a complete quality assessment. To truly understand the protection quality of an endpoint protection platform (EPP) and endpoint detection and response (EDR) solution like Windows Defender ATP, its entire set of capabilities must be evaluated.

For instance, while Windows Defender ATPs antivirus capability achieved a perfect overall Protection score in the January-February 2018 tests and only missed two out of thousands of samples tested, it performed even better than the results suggest. The Windows Defender Security Intelligence team tested the two missed samples against the entire Windows Defender ATP stack to assess these samples ability to infect machines in real-world enterprise environments. The team was able to confirm that the two missed samples were detected and mitigated by other components of the Windows Defender ATP stack.

 

As threats become more sophisticated, Microsoft and other security platform vendors continue evolving their product capabilities to detect threats across different attack stages. We hope to see independent testers evolve their methodologies as well. Our customers need greater transparency and optics into what an end-to-end solution can accomplish in terms of total preventive protection, including the quality of individual components like antivirus. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on end-to-end security stack testing.

Meanwhile, we continue to focus on improving our next-generation antivirus solution while at the same time delivering new innovative capabilities like attack surface reduction and hardware-based isolation, just to name a few. In the Windows 10 April 2018 Update, you can experience these new and improved capabilities in Windows Defender ATP, which provides a complete endpoint protection platform (EPP) and endpoint detection and response (EDR) solution. To see these capabilities for yourself sign up for a 90-day trial of Windows Defender ATP today, or enable Preview features on existing tenants.

 

 

Zaid Arafeh

Senior Program Manager, Windows Defender Research team

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Hunting down Dofoil with Windows Defender ATP

Dofoil is a sophisticated threat that attempted to install coin miner malware on hundreds of thousands of computers in March, 2018. In previous blog posts we detailed how behavior monitoring and machine learning in Windows Defender AV protected customers from a massive Dofoil outbreak that we traced back to a software update poisoning campaign several weeks prior. Notably, customers of Windows 10 S, a special Windows 10 configuration that provides streamlined Microsoft-verified security, were not affected by the Dofoil outbreak.

In this blog post, we will expound on Dofoils anti-debugging and anti-analysis tactics, and demonstrate how the rich detection libraries of Windows Defender Advanced Threat Protection and Windows Defender Exploit Guard can help during investigation.

We found that Dofoil was designed to be elusive to analysis. It checks its environment and stops running in virtual machine environments. It also checks for various analysis tools and kills them right away. This can make malware analysis and assessment challenging.

The following diagram shows the multi-stage malware execution process, which includes checks for traits of analysis environments during some stages.

Figure 1. Dofoil multi-stage shellcode and payload execution flow

The table below describes the purpose of each stage. The first five stages have at least one or two different techniques that can deter dynamic or static malware analysis.

STAGES DESCRIPTION
1. Obfuscated wrapper code Anti-heuristics

Anti-emulation

2. Bootstrap module Performs self-process hollowing to load the next module
3. Anti-debugging module Performs anti-debugging operation
4. Trojan downloader module Performs system environment checks

Performs anti-VM operation

Injects itself to explorer.exe through process hollowing

5. Trojan downloader module in explorer.exe Contacts C&C server to download trojan and run it using process hollowing technique
6. Payload downloader module in explorer.exe Contacts C&C server to download the main payload
7. Trojan module Steals credentials from various application settings and sends stolen into to the C&C server over HTTP channel
8. CoinMiner.D Mines digital currencies

Table 1. Dofoil’s multi-stage modules

Initial stages

The first three stages (i.e., obfuscated wrapper code, bootstrap module, anti-debugging module) use the following techniques to avoid analysis and identification.

ANTI-ANALYSIS TECHNIQUES DESCRIPTION
Benign code insertion Inserts a huge benign code block to confuse heuristics and manual inspection
Anti-emulation Enumerates an arbitrary registry key (HKEY_CLASSES_ROOT\Interface\{3050F557-98B5-11CF-BB82-00AA00BDCE0B}) and compares the data with an expected value (DispHTMLCurrentStyle) to check if the malware runs inside an emulator
Self-process hollowing Uses the process hollowing technique on the current process, making analysis extra difficult due to the altered code mapping
Debugger checks Checks for debuggers, and modifies code to crash. This can add additional layer of confusion to researchers, who are bound to investigate the cause of the crashes. It checks for the PEB.BeingDebugged and PEB.NtGlobalFlag fields in the PEB structure. For example, PEB.BeingDebugged is set to 1 and PEB.NtGlobalFlag is set to FLG_HEAP_ENABLE_TAIL_CHECK|FLG_HEAP_ENABLE_FREE_CHECK| FLG_HEAP_VALIDATE_PARAMETERS when a debugger is attached to the process.

Table 2. Anti-analysis techniques

The first stage contains some benign-looking code before the actual malicious code. This can give the executable a harmless appearance. It can also make the emulation of the code difficult because emulating various API calls that are not present in many malware codes can be challenging.

The first-stage code also performs a registry key enumeration to make sure it has the expected value. When all checks are passed, it decodes the second-stage shellcode and runs it on the allocated memory. This shellcode un-maps the original main modules memory, and then decodes the third-stage shellcode into that memory this is known as a self-process hollowing technique.

Figure 2. Self-modification based on PEB.BeingDebugged value

Windows Defender ATPs process tree can help with investigation by exposing these anti-debugging techniques.

Figure 3. Windows Defender ATP process tree showing anti-debugging techniques

Trojan downloader module

The trojan downloader module performs various environment checks, including virtual environment and analysis tool checks, before downloading the payload.

ANTI-ANALYSIS TECHNIQUES DESCRIPTION
Check module name Checks if the main executable name contains the string “sample”
Check volume serial Checks if current volume serial number is 0xCD1A40 or 0x70144646
Check modules Checks the presence of DLLs related to debuggers
Check disk-related registry keys Checks the value of the registry key HKLM\System\CurrentControlSet\Services\Disk\Enum against well-known disk name patterns for virtual machines (qemu, virtual, vmware, xen, ffffcce24)
Process check Checks running processes and kills those with processes names associated with analysis tools (procexp.exe, procexp64.exe, procmon.exe, procmon64.exe, tcpview.exe, wireshark.exe, processhacker.exe, ollydbg.exe, idaq.exe, x32dbg.exe)
Windows class name check Checks the current Windows class names and exits when some well-known names are found (Autoruns, PROCEXPL, PROCMON_WINDOW_CLASS, TCPViewClass, ProcessHacker, OllyDbg, WinDbgFrameClass)

Table 3. Anti-analysis techniqueof Dofoil’s trojan downloader module

The list of target process names and Windows class names exist in custom checksum form. The checksum algorithm looks like the following:

Figure 4. Shift and XOR custom checksum algorithm

The purpose of this checksum is to prevent malware researchers from quickly figuring out what analysis tools it detects, making analysis more time-consuming.

STRING CHECKSUM
Autoruns 0x0E5C1C5D
PROCEXPL 0x1D421B41
PROCMON_WINDOW_CLASS 0x4B0C105A
TCPViewClass 0x1D4F5C43
ProcessHacker 0x571A415E
OllyDbg 0x4108161D
WinDbgFrameClass 0x054E1905
procexp.exe 0x19195C02
procexp64.exe 0x1C0E041D
procmon.exe 0x06185D0B
procmon64.exe 0x1D07120A
tcpview.exe 0x060B5118
wireshark.exe 0x550E1E0D
processhacker.exe 0x51565C47
ollydbg.exe 0x04114C14
x32dbg.exe 0x5F4E5C04
idaq.exe 0x14585A12

Table 4. String checksum table used for process names and Windows class names

Process hollowing

Dofoil heavily uses the process hollowing technique. Its main target for process hollowing is explorer.exe. The Dofoil shellcode launches a new instance of explorer.exe, allocates shellcode in heap region, and then modifies the entry point code to jump into the shellcode. This way, the malware avoids using CreateRemoteThread API, but can still achieve code injection.

Figure 5. Modification of explorer.exe entry point code

Windows Defender ATP can detect the process hollowing behavior with advanced memory signals. The following process tree shows that the malware injects itself into explorer.exe using the process hollowing technique.

Figure 6. Windows Defender ATP alert process tree showing the first process hollowing

When the shellcode downloads another layer of payload, it spawns another explorer.exe to inject the payload into using process hollowing. Windows Defender ATP can save analysis time on these cases by pinpointing the malicious actions, eliminating the need for guessing what these newly spawned Windows system processes are doing.

Figure 7. Windows Defender ATP alert process tree showing the second process hollowing

The process hollowing behavior can be detected through Exploit protection in Windows Defender Exploit Guard. This can be done by enabling the Export Address Filter (EAF) mitigation against explorer.exe. The detection happens when the shellcode goes through the export addresses of the modules to find the export address of the LoadLibraryA and GetProcAddress functions.

Figure 8. Export Address Filter (EAF) event exposed in Event viewer

Windows Defender Exploit Guard events are also exposed in the Windows Defender ATP portal:

Figure 9. Windows Defender ATP view of the Windows Defender Exploit Guard event

Adding Windows Defender Exploit Guard EAF audit/block policy to common system processes like explorer.exe, cmd.exe, or verclsid.exe can be useful in finding and blocking process hollowing or process injection techniques commonly used by malware. This policy can impact third-party apps that may behave like shellcode, so we recommend testing Windows Defender Exploit Guard with audit mode enabled before enforcement.

Command-and-control (C&C) and NameCoin domains

Dofoils C&C connection is very cautious. The trojan code first tries to connect to well-known web pages and verifies that the malware has proper and real Internet connection, not simulated as in test environments. After it makes sure it has a real Internet connection, the malware makes HTTP connections to the actual C&C servers.

Figure 10. Access to known servers to confirm Internet connectivity

The malware uses NameCoin domain name servers. NameCoin is a decentralized name server system that provides extra privacy backed by blockchain technology. Except for the fact that the DNS client needs to use specific sets of NameCoin DNS servers, the overall operation is very similar to a normal DNS query. Because NameCoin uses blockchain technology, you can query the history of the domain name changes through blocks.

Figure 11. Malicious hostname DNS entry changes over time (https://namecha.in/name/d/vrubl)

Windows Defender ATP can provide visibility into the malwares network activities. The following alert process tree shows the malwares .bit domain resolution activity and, after that, the connections to the resolved C&C servers. You can also view other activities from the executable, for example, its connections to other servers using SMTP ports.

Figure 12. Windows Defender ATP alert process tree showing C&C server connection through NameCoin server name resolution

The Windows Defender ATP advanced hunting feature, which is currently in preview, can be used to hunt down more malware samples that possibly abuse NameCoin servers. For example, the following query will let you view recent connections observed in the network. This can lead to extra insights on other threats that use the same NameCoin servers.

Figure 13. Advanced hunting for other threats using the same NameCoin servers

The purpose of using NameCoin is to prevent easy sinkholing of the domains. Because there are no central authorities on the NameCoin domain name records, it is not possible for the authorities to change the domain record. Also, malware abusing NameCoin servers use massive numbers of NameCoin DNS servers to make full shutdown of those servers very difficult.

Conclusion

Dofoil is a very evasive malware. It has various system environment checks and tests Internet connectivity to make sure it runs on real machines, not in analysis environments or virtual machines. This can make the analysis time-consuming and can mislead malware analysis systems.

In attacks like the Dofoil outbreak, Windows Defender Advanced Threat Protection (Windows Defender ATP) can help network defenders analyze the timeline from the victim machine and get rich information on process execution flow, C&C connections, and process hollowing activities. Windows Defender ATP can be used as an analysis platform with fine-tuned visibility into system activities when set up in a lab environment. This can save time and resource during malware investigation.

In addition, Windows Defender Exploit Guard can be useful in finding malicious shellcodes that traverse export address tables. Windows Defender Exploit Guard can be an excellent tool for finding and blocking malware and exploit activities.

Windows Defender Exploit Guard events are surfaced in the Windows Defender ATP portal, which integrates protections from other Microsoft solutions, including Windows Defender AV and Windows Defender Application Guard. This integrated security management experience makes Windows Defender ATP a comprehensive solution for detecting and responding to a wide range of malicious activities across the network.

Windows 10 S, a special configuration of Windows 10, locks down devices against Dofoil and other attacks by working exclusively with apps from the Microsoft Store and using Microsoft Edge as the default browser. This streamlined, Microsoft-verified platform seals common malware entry points.

To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

 

 

Matt Oh, Stefan Sellmer, Jonathan Bar Or, Mark Wodrich
Windows Defender ATP Research

 

 

Indicators of compromise (IoCs)

TrojanDownloader:Win32/Dofoil.AB:

d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d

eaa63f6b500afedcaeb8d5b18a08fd6c7d95695ea7961834b974e2a653a42212

cded7aedca6b54a6d4273153864a25ccad35cba5cafeaec828a6ad5670a5973a

Trojan:Win32/Dofoil.AB:

070243ad7fb4b3c241741e564039c80ca65bfdf15daa4add70d5c5a3ed79cd5c

5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299C

28ce9763a808c4a7509e9bf92d9ca80212a241dfa1aecd82caedf1f101eac692

5d7875abbbf104f665a0ee909c372e1319c5157dfc171e64ac2bc8b71766537f

Trojan:Win32/CoinMiner.D

2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f12

C&C URLs:

hxxp://levashov.bit/15022018/

hxxp://vrubl.bit/15022018/

C&C server:

vinik.bit

Related .bit domains (updated in same block as C&C server):

henkel.bit

makron.bit

makronwin.bit

NameCoin servers used by Dofoil:

139.59.208.246

130.255.73.90

31.3.135.232

52.174.55.168

185.121.177.177

185.121.177.53

62.113.203.55

144.76.133.38

169.239.202.202

5.135.183.146

142.0.68.13

103.253.12.18

62.112.8.85

69.164.196.21

107.150.40.234

162.211.64.20

217.12.210.54

89.18.27.34

193.183.98.154

51.255.167.0

91.121.155.13

87.98.175.85

185.97.7.7

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

 

Why Windows Defender Antivirus is the most deployed in the enterprise

Statistics about the success and sophistication of malware can be daunting. The following figure is no different: Approximately 96% of all malware is polymorphic meaning that it is only experienced by a single user and device before it is replaced with yet another malware variant. This is because in most cases malware is caught nearly as fast as its created, so malware creators continually evolve to try and stay ahead. Data like this hammer home how important it is to have security solutions in place that are as agile and innovative as the attacks.

The type of security solution needed has a complex job: It must protect users from hundreds of thousands of new threats every day and then it must learn and grow to stay ahead of the next wave of attacks. The solution cannot just react to the latest threats; it must be able to predict and prevent malware infections.

Over the last year, weve talked about how were investing in new innovations to address this challenging threat landscape, what weve delivered, and how it will change the dynamics. Today, I want to share the results of our new antivirus capabilities in Windows Defender Advanced Threat Protection (ATP) which are genuinely incredible because they will directly benefit the work you are doing.

Currently, our antivirus capabilities on Windows 10 are repeatedly earning top scores on independent tests, often outperforming the competition. This performance is the result of a complete redesign of our security solution.

Whats more, this same technology is available for our Windows 7 customers as well, so that they can remain secure during their transition to Windows 10.

It started back in 2015

Weve been working to make our antivirus capabilities increasingly more effective, and in 2015 our results in two major independent tests (AV-Comparatives and AV-TEST) began to improve dramatically. As you can see in the chart below, beginning in March 2015 our scores on AV-TEST began to rise rapidly, and, over the course of the next five months, we moved from scores averaging 85% on their Prevalence Test to (or near) 100%. Since then, weve maintained those types of scores consistently. Our scores on AV-Comparatives experienced a very similar spike, trajectory, and results.

In December 2017, we reached another milestone on AV-TEST, where we achieved a perfect score across both the Prevalence and Real-World based tests. Previously we had only scored a perfect 100% on one of the two tests for a given month. The following chart from the AV-TEST site shows our scores from November and December 2017 on Windows 7. These same scores are also applicable to Windows 10, which shares the same technology (and more).

For AV-Comparatives, we recently achieved another important quality milestone: For five consecutive months we detected all malware samples. Our previous best was four consecutive months. The AV-Comparatives chart below shows our February 2018 results where we scored a perfect 100% block rate.

While independent antivirus tests are one indicator of a security solutions capabilities and protections, its important to understand that this is only one part of a complete quality assessment.

For example, in the case of Windows Defender ATP (which integrates our antivirus capabilities and the whole Windows security stack), our customers have a much larger set of protection features none of which are factored into the tests. These features provide additional layers of protection that help prevent malware from getting onto devices in the first place. These features include the following:

If organizations like AV-Comparatives and AV-TEST performed complete security stack tests (i.e., testing against the complete endpoint protection solution) the results would often tell a very different story. For example, in November, we scored a 98.9% based on a single file miss on the Real-World test. The good news, however, is that we would have scored 100% if either Windows Defender Application Guard or Application Control was enabled.

How did we achieve these results?

The short answer is that we completely redesigned our antivirus solutions for both Windows 7 and Windows 10 from the ground up.

To do this, we moved away from using a static signature-based engine that couldnt scale due to its dependence on constant input from researchers. Weve now moved to a model that uses predictive technologies, machine learning, applied science, and artificial intelligence to detect and stop malware at first sight. We described the use of these technologies in our recent posts on Emotet and BadRabbit, as well as the recent Dofoil outbreak. These are the types of approaches that can be very successful against the ongoing avalanche of malware threats.

Because of these changes, our antivirus solution can now block malware using local and cloud-based machine learning models, combined with behavior, heuristic, and generic-based detections on the client. We can block nearly all of it at first sight and in milliseconds!

This is incredible.

Weve also designed our antivirus solution to work in both online and offline scenarios. When connected to the cloud, its fed real-time intelligence from the Intelligent Security Graph. For offline scenarios, the latest dynamic intelligence from the Graph is provisioned to the endpoint regularly throughout the day.

Weve also built our solution to defend against the new wave of fileless attacks, like Petya and WannaCry. To read more about how we protect against these attacks, check out the blog post Now you see me: Exposing fileless malware.

What this means to you

Each of these milestones is great, but the thing that makes us the most excited here at Microsoft is very simple: Customer adoption.

Right now, we are seeing big growth in enterprise environments our across all of our platforms:

  • 18% of Windows 7 and Windows 8 devices are using our antivirus solution
  • Over 50% of Windows 10 devices are using our antivirus solution

These are awesome numbers and proof that customers trust Windows security. What we are seeing is that as organizations are moving to Windows 10 they are also moving to our antivirus as their preferred solution. With our antivirus solution being used on more than 50% percent of the Windows 10 PCs deployed in commercial organizations, it is now the most commonly used antivirus solution in commercial organizations on that platform. This usage is in commercial customers of all sizes from small and medium-sized businesses to the largest enterprise organizations.

Over the past couple of months Ive shared this data with multiple customers, and often Im asked why weve seen such a positive increase. The answer is simple:

  1. Our antivirus capabilities are a fantastic solution! The test results above really speak for themselves. With five months of top scores that beat some of our biggest competitors, you can be confident that our solution can protect you from the most advanced threats.
  2. Our solution is both easier and operationally cheaper to maintain than others. Most enterprise customers use Config Manager for PC management of Windows 7 and Windows 10 security features, including antivirus. With Windows 10, the antivirus capabilities are built directly into the operating system and theres nothing to deploy. Windows 7 didnt include antivirus capabilities by default, but it can be deployed and configured in Config Manager. Now organizations do not have to maintain two infrastructures one for PC management and another for antivirus. Several years ago, our Microsoft IT department retired the separate global infrastructure that was used to manage Microsofts antivirus solution and now you can too! With our solution theres less to maintain and secure.
  3. Our solution enables IT to be more agile. On Windows 10 theres no agent security is built into the platform. When a new update of Windows 10 is released, you dont need to wait for a 3rd party to certify and support it; instead, you have full support and compatibility on day one. This means that new releases of Windows and all the latest security technologies can be deployed faster. This allows you to get current, stay current, and be more secure.
  4. Our solution offers a better user experience. Its designed to work behind the scenes in a way that is unobtrusive to end users and minimizes power consumption. This means longer battery life and everyone wants more battery life!

While weve made excellent progress with our antivirus solution, Im even more excited about the protection and management capabilities we will deliver to our customers in the near future. In the meantime, one of the best ways to evaluate our antivirus capabilities is when you run it with Windows Defender ATP. With Windows Defender ATP, the power of the Windows security stack provides preventative protection, detects attacks and zero-day exploits, and gives you centralized management for your end-to-end security lifecycle.

Sign up to try Windows Defender ATP for yourself!

 

Sharing research and discoveries at PWN2OWN

The annual PWN2OWN exploit contest at the CanSecWest conference in Vancouver, British Columbia, Canada, brings together some of the top security talent from across the globe in a friendly competition. For the participants, these events are a platform to demonstrate world-class skills and vie for significant cash prizes. For companies like Microsoft, where we have a large number of teams focused on security, contests like this provide an additional avenue for external input from researchers. It is this community collaboration that led us to partner with Trend Micro/ZDI to sponsor this years contest.

Microsoft regularly leverages input from the community using programs such as bug bounties and the BlueHat prize in a relentless pursuit to improve the security of our products and expand our understanding of the latest threats.

Exploit contests are great opportunities as it allows Microsoft engineers to exchange ideas face-to-face with the community. This includes intricate details such as attack approaches, techniques used, and opportunities for improvement against similar attacks. While bug bounty programs focus on vulnerabilities, contests like PWN2OWN focus on exploit chains which typically are only seen in real attacks. The opportunity to understand exploits without impact to customers is invaluable. Microsoft has used this to drive security innovations into the platform and in products like Microsoft Edge. Microsoft sponsored several competition targets running the latest Windows Insider preview builds for on Microsoft Surface devices to help direct the community to gain insight into some of our most important areas. None of the competition targets running the latest Windows insider previewer were successfully exploited by contestants.

To demonstrate the effectiveness of this partnership, Microsoft provided an overview of some of the mitigations influenced by offensive security research community in a recent blackhat presentation.

These innovations include:

  • Windows Defender Application Guard which uses virtualization security to protect against kernel-based sandbox attacks
  • Control Flow Guard (CFG) and Microsoft Edges JIT and code integrity protection, which mitigates many of the common techniques leveraged in past competitions
  • Microsoft Edges improved sandbox, which reduces previous attack surface by 90%

We believe this engagement with researchers has resulted in durable, real-world protection for customers. As an example, Microsoft Edge has still not been impacted by a zero-day exploit in the wild. In addition, this years PWN2OWN entries were not able to escape the Windows Defender Application Guard isolation protection.

Engaging with the research community and creating platforms for transparent information sharing across the wider defender community is a key part of Microsofts strategy to keep customers safe. We will continue to push for deeper collaboration through future events and programs.


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Categories: cybersecurity, Windows, Windows 10 Tags:

How artificial intelligence stopped an Emotet outbreak

February 14th, 2018 No comments

At 12:46 a.m. local time on February 3, a Windows 7 Pro customer in North Carolina became the first would-be victim of a new malware attack campaign for Trojan:Win32/Emotet. In the next 30 minutes, the campaign tried to attack over a thousand potential victims, all of whom were instantly and automatically protected by Windows Defender AV.

How did Windows Defender AV uncover the newly launched attack and block it at the outset? Through layered machine learning, including use of both client-side and cloud machine learning (ML) models. Every day, artificial intelligence enables Windows Defender AV to stop countless malware outbreaks in their tracks. In this blog post, well take a detailed look at how the combination of client and cloud ML models detects new outbreaks.

Figure 1. Layered detected model in Windows Defender AV

Client machine learning models

The first layer of machine learning protection is an array of lightweight ML models built right into the Windows Defender AV client that runs locally on your computer. Many of these models are specialized for file types commonly abused by malware authors, including, JavaScript, Visual Basic Script, and Office macro. Some models target behavior detection, while other models are aimed at detecting portable executable (PE) files (.exe and .dll).

In the case of the Emotet outbreak on February 3, Windows Defender AV caught the attack using one of the PE gradient boosted tree ensemble models. This model classifies files based on a featurization of the assembly opcode sequence as the file is emulated, allowing the model to look at the files behavior as it was simulated to run.

Figure 2. A client ML model classified the Emotet outbreak as malicious based on emulated execution opcode machine learning model.

The tree ensemble was trained using LightGBM, a Microsoft open-source framework used for high-performance gradient boosting.

Figure 3a. Visualization of the LightBGM-trained client ML model that successfully classified Emotet’s emulation behavior as malicious. A set of 20 decision trees are combined in this model to classify whether the files emulated behavior sequence is malicious or not.

Figure 3b. A more detailed look at the first decision tree in the model. Each decision is based on the value of a different feature. Green triangles indicate weighted-clean decision result; red triangles indicate weighted malware decision result for the tree.

When the client-based machine learning model predicts a high probability of maliciousness, a rich set of feature vectors is then prepared to describe the content. These feature vectors include:

  • Behavior during emulation, such as API calls and executed code
  • Similarity fuzzy hashes
  • Vectors of content descriptive flags optimized for use in ML models
  • Researcher-driven attributes, such as packer technology used for obfuscation
  • File name
  • File size
  • Entropy level
  • File attributes, such as number of sections
  • Partial file hashes of the static and emulated content

This set of features form a signal sent to the Windows Defender AV cloud protection service, which runs a wide array of more complex models in real-time to instantly classify the signal as malicious or benign.

Real-time cloud machine learning models

Windows Defender AVs cloud-based real-time classifiers are powerful and complex ML models that use a lot of memory, disk space, and computational resources. They also incorporate global file information and Microsoft reputation as part of the Microsoft Intelligent Security Graph (ISG) to classify a signal. Relying on the cloud for these complex models has several benefits. First, it doesnt use your own computers precious resources. Second, the cloud allows us to take into consideration the global information and reputation information from ISG to make a better decision. Third, cloud-based models are harder for cybercriminals to evade. Attackers can take a local client and test our models without our knowledge all day long. To test our cloud-based defenses, however, attackers have to talk to our cloud service, which will allow us to react to them.

The cloud protection service is queried by Windows Defender AV clients billions of times every day to classify signals, resulting in millions of malware blocks per day, and translating to protection for hundreds of millions of customers. Today, the Windows Defender AV cloud protection service has around 30 powerful models that run in parallel. Some of these models incorporate millions of features each; most are updated daily to adapt to the quickly changing threat landscape. All together, these classifiers provide an array of classifications that provide valuable information about the content being scanned on your computer.

Classifications from cloud ML models are combined with ensemble ML classifiers, reputation-based rules, allow-list rules, and data in ISG to come up with a final decision on the signal. The cloud protection service then replies to the Windows Defender client with a decision on whether the signal is malicious or not all in a fraction of a second.

Figure 4. Windows Defender AV cloud protection service workflow.

In the Emotet outbreak, one of our cloud ML servers in North America received the most queries from customers; corresponding to where the outbreak began. At least nine real-time cloud-based ML classifiers correctly identified the file as malware. The cloud protection service replied to signals instructing the Windows Defender AV client to block the attack using two of our ML-based threat names, Trojan:Win32/Fuerboos.C!cl and Trojan:Win32/Fuery.A!cl.

This automated process protected customers from the Emotet outbreak in real-time. But Windows Defender AVs artificial intelligence didnt stop there.

Deep learning on the full file content

Automatic sample submission, a Windows Defender AV feature, sent a copy of the malware file to our backend systems less than a minute after the very first encounter. Deep learning ML models immediately analyzed the file based on the full file content and behavior observed during detonation. Not surprisingly, deep neural network models identified the file as a variant of Trojan:Win32/Emotet, a family of banking Trojans.

While the ML classifiers ensured that the malware was blocked at first sight, deep learning models helped associate the threat with the correct malware family. Customers who were protected from the attack can use this information to understand the impact the malware might have had if it were not stopped.

Additionally, deep learning models provide another layer of protection: in relatively rare cases where real-time classifiers are not able to come to a conclusive decision about a file, deep learning models can do so within minutes. For example, during the Bad Rabbit ransomware outbreak, Windows Defender AV protected customers from the new ransomware just 14 minutes after the very first encounter.

Intelligent real-time protection against modern threats

Machine learning and AI are at the forefront of the next-gen real-time protection delivered by Windows Defender AV. These technologies, backed by unparalleled optics into the threat landscape provided by ISG as well as world-class Windows Defender experts and researchers, allow Microsoft security products to quickly evolve and scale to defend against the full range of attack scenarios.

Cloud-delivered protection is enabled in Windows Defender AV by default. To check that its running, go to Windows Settings > Update & Security > Windows Defender. Click Open Windows Defender Security Center, then navigate to Virus & threat protection > Virus &threat protection settings, and make sure that Cloud-delivered protection and Automatic sample submission are both turned On.

In enterprise environments, the Windows Defender AV cloud protection service can be managed using Group Policy, System Center Configuration Manager, PowerShell cmdlets, Windows Management Instruction (WMI), Microsoft Intune, or via the Windows Defender Security Center app.

The intelligent real-time defense in Windows Defender AV is part of the next-gen security technologies in Windows 10 that protect against a wide spectrum of threats. Of particular note, Windows 10 S is not affected by this type of malware attack. Threats like Emotet wont run on Windows 10 S because it exclusively runs apps from the Microsoft Store. Learn more about Windows 10 S. To know about all the security technologies available in Windows 10, read Microsoft 365 security and management features available in Windows 10 Fall Creators Update.

 

Geoff McDonald, Windows Defender Research
with Randy Treit and Allan Sepillo

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

Security Advisory 3046015 released

March 5th, 2015 No comments

Today, we released Security Advisory 3046015 to provide guidance to customers in response to the SSL/TLS issue referred to by researchers as “FREAK” (Factoring attack on RSA-EXPORT Keys).

Our investigation continues and we’ll take the necessary steps to protect our customers.

MSRC Team

Security Advisory 3046015 released

March 5th, 2015 No comments

Today, we released Security Advisory 3046015 to provide guidance to customers in response to the SSL/TLS issue referred to by researchers as “FREAK” (Factoring attack on RSA-EXPORT Keys).

Our investigation continues and we’ll take the necessary steps to protect our customers.

MSRC Team

Security Bulletin MS14-068 released

November 20th, 2014 No comments

Today, we released an out-of-band security update to address a vulnerability in Kerberos which could allow Elevation of Privilege. This update is for all supported versions of Windows Server and includes a defense-in-depth update for all supported versions of Windows.

We strongly encourage customers to apply this update as soon as possible by following the directions in Security Bulletin MS14-068.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

Security Bulletin MS14-068 released

November 20th, 2014 No comments

Today, we released an out-of-band security update to address a vulnerability in Kerberos which could allow Elevation of Privilege. This update is for all supported versions of Windows Server and includes a defense-in-depth update for all supported versions of Windows.

We strongly encourage customers to apply this update as soon as possible by following the directions in Security Bulletin MS14-068.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

Out-of-band release for Security Bulletin MS14-068

November 18th, 2014 No comments

On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows.

We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.

More information about this bulletin can be found at Microsoft’s Bulletin Summary page.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

Out-of-band release for Security Bulletin MS14-068

November 18th, 2014 No comments

On Tuesday, November 18, 2014, at approximately 10 a.m. PST, we will release an out-of-band security update to address a vulnerability in Windows.

We strongly encourage customers to apply this update as soon as possible, following the directions in the security bulletin.

More information about this bulletin can be found at Microsoft’s Advance Notification Service page.

Tracey Pretorius, Director
Response Communications

Categories: OOB, Security Bulletin, Windows Tags:

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

November 2014 Updates

November 11th, 2014 No comments

Today, as part of Update Tuesday, we released 14 security updates – four rated Critical, nine rated Important, and two rated Moderate, to address 33 Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows, Internet Explorer (IE), Office, .NET Framework, Internet Information Services (IIS), Remote Desktop Protocol (RDP), Active Directory Federation Services (ADFS), Input Method Editor (IME) (Japanese), and Kernel Mode Driver (KMD).

We encourage you to apply all of these updates, but for those who need to prioritize deployment planning, we recommend focusing on the Critical updates first. For additional insight on deployment priority, review the Security Research and Defense blog “Assessing risk for the November 2014 security updates.”

For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one security advisory this month:

In related security news, through Microsoft Update, we are expanding best-in-class encryption protections to older, supported versions of Windows and Windows Server. To learn more, visit the Microsoft Cyber Trust blog.

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

Tracey Pretorius, Director
Response Communications

Security Advisory 3010060 released

October 21st, 2014 No comments

Today, we released Security Advisory 3010060 to provide additional protections regarding limited, targeted attacks directed at Microsoft Windows customers. A cyberattacker could cause remote code execution if someone is tricked into opening a maliciously-crafted PowerPoint document that contains an infected Object Linking and Embedding (OLE) file.

As part of this Security Advisory, we have included an easy, one-click Fix it solution to address the known cyberattack. Please review the "Suggested Actions" section of the Security Advisory for additional guidance. Applying the Fix it does not require a reboot. We suggest customers apply this Fix it to help protect their systems.

The Enhanced Mitigation Experience Toolkit (EMET) also helps to defend against this cyberattack when configured to work with Microsoft Office software. The necessary configuration steps for EMET, are provided in the "Suggested Actions" section of the Security Advisory.

We also encourage you to follow the "Protect Your Computer" guidance by enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. In addition, we recommend that individuals avoid clicking suspicious links, or opening email messages from unfamiliar senders. More information can be found at www.microsoft.com/protect.

We continue to work on a security update to address this cyberattack. We're monitoring the threat landscape very closely and will continue to take appropriate action to help protect our global customers.

Tracey Pretorius
Director, Response Communications