Windows Defender Antivirus uses a layered approach to protection: tiers of advanced automation and machine learning models evaluate files in order to reach a verdict on suspected malware. While Windows Defender AV detects a vast majority of new malware files at first sight, we always strive to further close the gap between malware release and detection.

In a previous blog post, we looked at a real-world case study showing how Windows Defender Antivirus cloud protection service leverages next-gen security technologies to save “patient zero” from new malware threats in real-time. In that case study, a new Spora ransomware variant was analyzed and blocked within seconds using a deep neural network (DNN) machine learning classifier in the cloud. In this blog post well look at how additional automated analysis and machine learning models can further protect customers within minutes in rare cases where initial classification is inconclusive.

Layered machine learning models

In Windows Defender AVs layered approach to defense, if the first layer doesnt detect a threat, we move on to the next level of inspection. As we move down the layers, the amount of time required increases. However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer/more advanced threats.

For example, the vast majority of scanned objects are evaluated by the local Windows Defender client machine learning models, behavior-based detection algorithms, generic and heuristic classifications, and more. This helps ensure that users get the best possible performance. In rare cases where local intelligence cant reach a definitive verdict, Windows Defender AV will use the cloud for deeper analysis.

Figure 1. Layered detection model

For a more detailed look at our approach to protection, see The evolution of malware prevention.

Detonation-based machine learning classification

We use a variety of machine learning models that use different algorithms to predict whether a certain file is malware. Some of these algorithms are binary classifiers that give a strict clean-or-malware verdict (0 or 1), while others are multi-class classifiers that provide a probability for each classification (malware, clean, potentially unwanted application, etc). Each machine learning model is trained against a set of different features (often thousands, sometimes hundreds of thousands) to learn to distinguish between different kinds of programs.

For the fastest classifiers in our layered stack, the features may include static attributes of the file combined with events (for example, API calls or behaviors) seen while the scanning engine emulates the file using dynamic translation. If the results from these models are inconclusive, well take an even more in-depth look at what the malware does by actually executing it in a sandbox and observing its run-time behavior. This is known as dynamic analysis, or detonation, and happens automatically whenever we receive a new suspected malware sample.

The activities seen in the sandbox machine (for example, registry changes, file creation/deletion, process injection, network connections, and so forth) are recorded and provided as features to our ML models. These models can then combine both the static features obtained from scanning the file with the dynamic features observed during detonation to arrive at an even stronger prediction.

Figure 2. Detonation-based machine learning classification

Ransom:Win32/Tibbar.A Protection in 14 minutes

On October 24, 2017, in the wake of recent ransomware outbreaks such as Wannacry and NotPetya, news broke of a new threat spreading, primarily in Ukraine and Russia: Ransom:Win32/Tibbar.A (popularly known as Bad Rabbit).

This threat is a good example of how detonation-based machine learning came into play to protect Windows Defender AV customers. First though, lets look at what happened to patient zero.

At 11:17 a.m. local time on October 24, a user running Windows Defender AV in St. Petersburg, Russia was tricked into downloading a file named FlashUtil.exe from a malicious website. Instead of a Flash update, the program was really the just-released Tibbar ransomware.

Windows Defender AV scanned the file and determined that it was suspicious. A query was sent to the cloud protection service, where several metadata-based machine learning models found the file suspicious, but not with a high enough probability to block. The cloud protection service requested that Windows Defender AV client to lock the file, upload it for processing, and wait for a decision.

Within a few seconds the file was processed, and sample-analysis-based ML models returned their conclusions. In this case, a multi-class deep neural network (DNN) machine learning classifier correctly classified the Tibbar sample as malware, but with only an 81.6% probability score. In order to avoid false positives, cloud protection service is configured by default to require at least 90% probability to block the malware (these thresholds are continually evaluated and fine-tuned to find the right balance between blocking malware while avoiding the blocking of legitimate programs). In this case, the ransomware was allowed to run.

Figure 3. Ransom:Win32/Tibbar.A ransom note

Detonation chamber

In the meantime, while patient zero and eight other unfortunate victims (in Ukraine, Russia, Israel, and Bulgaria) contemplated whether to pay the ransom, the sample was detonated and details of the system changes made by the ransomware were recorded.

Figure 4. Sample detonation events used by the machine learning model

As soon as the detonation results were available, a multi-class deep neural network (DNN) classifier that used both static and dynamic features evaluated the results and classified the sample as malware with 90.7% confidence, high enough for the cloud to start blocking.

When a tenth Windows Defender AV customer in the Ukraine was tricked into downloading the ransomware at 11:31 a.m. local time, 14 minutes after the first encounter, cloud protection service used the detonation-based malware classification to immediately block the file and protect the customer.

At this point the cloud protection service had “learned” that this file was malware. It now only required metadata from the client with the hash of the file to issue blocking decisions and protect customers. As the attack gained momentum and began to spread, Windows Defender AV customers with cloud protection enabled were protected. Later, a more specific detection was released to identify the malware as Ransom:Win32/Tibbar.A.

Closing the gap

While we feel good about Windows Defender AV’s layered approach to protection, digging deeper and deeper with automation and machine learning in order to finally reach a verdict on suspected malware, we are continually seeking to close the gap even further between malware release and protection. The cases where we cannot block at first sight are increasingly rare, but there is so much to be done. As our machine learning models are continuously updated and retrained, we are able to make better predictions over time. Yet malware authors will not rest, and the ever-changing threat landscape requires continuous investment in new and better technologies to detect new threats, but also to effectively differentiate the good from the bad.

What about systems that do get infected while detonation and classification are underway? One area that we’re actively investing in is advanced remediation techniques that will let us reach back out to those systems in an organization that were vulnerable and, if possible, get them back to a healthy state.

If you are organization that is willing to accept a higher false positive risk in exchange for stronger protection, you can configure the cloud protection level to tell the Windows Defender AV cloud protection service to take a more aggressive stance towards suspicious files, such as blocking at lower machine learning probability thresholds. In the Tibbar example above, for example, a configuration like this could have protected patient zero using the initial 81% confidence score, and not wait for the higher confidence (detonation-based) result that came later. You can also configure the cloud extended timeout to give the cloud protection service more time to evaluate a first-seen threat.

As another layer of real-time protection against ransomware, enable Controlled folder access, which is one of the features of the new Windows Defender Exploit Guard. Controlled folder access protects files from tampering by locking folders so that ransomware and other unauthorized apps cant access them.

For enterprises, Windows Defender Exploit Guards other features (Attack Surface Reduction, Exploit protection, and Network protection) further protect networks from advanced attacks. Windows Defender Advanced Threat Protection can also alert security operations personnel about malware activities in the network so that personnel can promptly investigate and respond to attacks.

For users running Windows 10 S, malware like Tibbar simply wont run. Windows 10 S provides advanced levels of security by exclusively running apps from the Microsoft Store. Threats such as Tibbar are non-issues for Windows 10 S users. Learn more about Windows 10 S.

New machine learning and AI techniques, in combination with both static and dynamic analysis, gives Windows Defender AV the ability to block more and more malware threats at first sight and, if that fails, learn as quickly as possible that something is bad and start blocking it. Using a layered approach, with different ML models at each layer, gives us the ability to target a wide variety of threats quickly while maintaining low false positive rates. As we gather more data about a potential threat, we can provide predictions with higher and higher confidence and take action accordingly. It is an exciting time to be in the fray.

 

Randy Treit

Senior Security Researcher, Windows Defender Research

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Today, with help from Microsoft security researchers, law enforcement agencies around the globe, in cooperation with Microsoft Digital Crimes Unit (DCU), announced the disruption of Gamarue, a widely distributed malware that has been used in networks of infected computers collectively called the Andromeda botnet.

The disruption is the culmination of a journey that started in December 2015, when the Microsoft Windows Defender research team and DCU activated a Coordinated Malware Eradication (CME) campaign for Gamarue. In partnership with internet security firm ESET, we performed in-depth research into the Gamarue malware and its infrastructure.

Our analysis of more than 44,000 malware samples uncovered Gamarues sprawling infrastructure. We provided detailed information about that infrastructure to law enforcement agencies around the world, including:

• 1,214 domains and IP addresses of the botnets command and control servers
• 464 distinct botnets
• More than 80 associated malware families

The coordinated global operation resulted in the takedown of the botnets servers, disrupting one of the largest malware operations in the world. Since 2011, Gamarue has been distributing a plethora of other threats, including:

• Petya and Cerber ransomware
• Kasidet malware (also known as Neutrino bot), which is used for DDoS attacks
• Lethic, a spam bot
• Info-stealing malware Ursnif, Carberp, and Fareit, among others

A global malware operation

For the past six years, Gamarue has been a very active malware operation that, until the takedown, showed no signs of slowing down. Windows Defender telemetry in the last six months shows Gamarues global prevalence.

Figure 1. Gamarues global prevalence from May to November 2017

While the threat is global, the list of top 10 countries with Gamarue encounters is dominated by Asian countries.

Figure 2. Top 10 countries with the most Gamarue encounters from May to November 2017

In the last six months, Gamarue was detected or blocked on approximately 1,095,457 machines every month on average.

Figure 3. Machines, IPs, and unique file encounters for Gamarue from May to November 2017; data does not include LNK detections

The Gamarue bot

Gamarue is known in the underground cybercrime market as Andromeda bot. A bot is a program that allows an attacker to take control of an infected machine. Like many other bots, Gamarue is advertised as a crime kit that hackers can purchase.

The Gamarue crime kit includes the following components:

• Bot-builder, which builds the malware binary that infects computers
• Command-and-control application, which is a PHP-based dashboard application that allows hackers to manage and control the bots
• Documentation on how to create a Gamarue botnet

A botnet is a network of infected machines that communicate with command-and-control (C&C) servers, which are computer servers used by the hacker to control infected machines.

The evolution of the Gamarue bot has been the subject of many thorough analyses by security researchers. At the time of takedown, there were five known active Gamarue versions: 2.06, 2.07, 2.08, 2.09, and 2.10. The latest and the most active is version 2.10.

Gamarue is modular, which means that its functionality can be extended by plugins that are either included in the crime kit or available for separate purchase. The Gamarue plugins include:

• Keylogger ($150) Used for logging keystrokes and mouse activity in order to steal user names and passwords, financial information, etc
• Rootkit (included in crime kit) Injects rootkit codes into all processes running on a victim computer to give Gamarue persistence
• Socks4/5 (included in crime kit) Turns victim computer into a proxy server for serving malware or malicious instructions to other computers on the internet
• Formgrabber ($250) Captures any data submitted through web browsers (Chrome, Firefox, and Internet Explorer)
• Teamviewer ($250) Enables attacker to remotely control the victim machine, spy on the desktop, perform file transfer, among other functions
• Spreader Adds capability to spread Gamarue malware itself via removable drives (for example, portable hard drives or flash drives connected via a USB port); it also uses Domain Name Generation (DGA) for the servers where it downloads updates

Gamarue attack kill-chain

Over the years, various attack vectors have been used to distribute Gamarue. These include:

• Removable drives
• Social media (such as Facebook) messages with malicious links to websites that host Gamarue
• Drive-by downloads/exploit kits
• Spam emails with malicious links
• Trojan downloaders

Once Gamarue has infected a machine, it contacts the C&C server, making the machine part of the botnet. Through the C&C server, the hacker can control Gamarue-infected machines, steal information, or issue commands to download additional malware modules.

Figure 4. Gamarues attack kill-chain

Gamarues main goal is to distribute other prevalent malware families. During the CME campaign, we saw at least 80 different malware families distributed by Gamarue. Some of these malware families include:

• Petya (ransomware)
• Cerber (ransomware)
• Troldesh (ransomware)
• Ursnif (info-stealing and banking trojan)
• Carberp (info-stealing and banking trojan)
• Fareit (info-stealing and DDoS malware)
• Kasidet (worm and DDoS malware)
• Lethic (spam bot)
• Cutwail (spam bot)
• Neurevt (click-fraud malware)
• Ursnif (click-fraud malware)
• Fynloski (backdoor)

The installation of other malware broadens the scale of what hackers can do with the network of infected machines.

Command-and-control communication

When the Gamarue malware triggers the infected machine to contact the C&C server, it provides information like the hard disks volume serial number (used as the bot ID for the computer), the Gamarue build ID, the operating system of the infected machine, the local IP address, an indication whether the signed in user has administrative rights, and keyboard language setting for the infected machine. This information is sent to the C&C server via HTTP using the JSON format:

Figure 5. Information sent by Gamarue to C&C server

The information about keyboard language setting is very interesting, because the machine will not be further infected if the keyboard language corresponds to the following countries:

• Belarus
• Russia
• Ukraine
• Kazahkstan

Before sending to the C&C server, this information is encrypted with RC4 algorithm using a key hardcoded in the Gamarue malware body.

Figure 6. Encrypted C&C communication

Once the C&C server receives the message, it sends a command that is pre-assigned by the hacker in the control dashboard.

Figure 7. Sample control dashboard used by attackers to communicate to Gamarue bots

The command can be any of the following:

• Download EXE (i.e., additional executable malware files)
• Download DLL (i.e., additional malware; removed in version 2.09 and later)
• Install plugin
• Update bot (i.e., update the bot malware)
• Delete DLLs (removed in version 2.09 and later)
• Delete plugins
• Kill bot

The last three commands can be used to remove evidence of Gamarue presence in machines.

The reply from the C&C server is also encrypted with RC4 algorithm using the same key used to encrypt the message from the infected machine.

Figure 8. Encrypted reply from C&C server

When decrypted, the reply contains the following information:

• Time interval in minutes time to wait for when to ask the C2 server for the next command
• Task ID – used by the hacker to track if there was an error performing the task
• Command one of the command mentioned above
• Download URL – from which a plugin/updated binary/other malware can be downloaded depending on the command.

Figure 9. Decrypted reply from C&C server

Anti-sandbox techniques

Gamarue employs anti-AV techniques to make analysis and detection difficult. Prior to infecting a machine, Gamarue checks a list hashes of the processes running on a potential victims machine. If it finds a process that may be associated with malware analysis tools, such as virtual machines or sandbox tools, Gamarue does not infect the machine. In older versions, a fake payload is manifested when running in a virtual machine.

Figure 10. Gamarue checks if any of the running processes are associated with malware analysis tools

Stealth mechanisms

Gamarue uses cross-process injection techniques to stay under the radar. It injects its code into the following legitimate processes:

• msiexec.exe (Gamarue versions 2.07 to 2.10)
• wuauclt.exe, wupgrade.exe, svchost.exe (version 2.06)

It can also use a rootkit plugin to hide the Gamarue file and its autostart registry entry.

Gamarue employs a stealthy technique to store and load its plugins as well. The plugins are stored fileless, either saved in the registry or in an alternate data stream of the Gamarue file.

OS tampering

Gamarue attempts to tamper with the operating systems of infected computers by disabling Firewall, Windows Update, and User Account Control functions. These functionalities cannot be re-enabled until the Gamarue infection has been removed from the infected machine. This OS tampering behavior does not work on Windows 10

Figure 11. Disabled Firewall and Windows Update

Monetization

There are several ways hackers earn using Gamarue. Since Gamarues main purpose is to distribute other malware, hackers earn using pay-per-install scheme. Using its plugins, Gamarue can also steal user information; stolen information can be sold to other hackers in cybercriminal underground markets. Access to Gamarue-infected machines can also be sold, rented, leased, or swapped by one criminal group to another.

Remediation

To help prevent a Gamarue infection, as well as other malware and unwanted software, take these precautions:

• Be cautious when opening emails or social media messages from unknown users.
• Be wary about downloading software from websites other than the program developers.

More importantly, ensure you have the right security solutions that can protect your machine from Gamarue and other threats. Windows Defender Antivirus detects and removes the Gamarue malware. With advanced machine learning models, as well as generic and heuristic techniques, Windows Defender AV detects new as well as never-before-seen malware in real-time via the cloud protection service. Alternatively, standalone tools, such as Microsoft Safety Scanner and the Malicious Software Removal Tool (MSRT), can also detect and remove Gamarue.

Microsoft Edge can block Gamarue infections from the web, such as those from malicious links in social media messages and drive-by downloads or exploit kits. Microsoft Edge is a secure browser that opens pages within low privilege app containers and uses reputation-based blocking of malicious downloads.

In enterprise environments, additional layers of protection are available. Windows Defender Advanced Threat Protection can help security operations personnel to detect Gamarue activities, including cross-process injection techniques, in the network so they can investigate and respond to attacks. Windows Defender ATPs enhanced behavioral and machine learning detection libraries flag malicious behavior across the malware infection process, from delivery and installation, to persistence mechanisms, and command-and-control communication.

Microsoft Exchange Online Protection (EOP) can block Gamarue infections from email uses built-in anti-spam filtering capabilities that help protect Office 365 customers. Office 365 Advanced Threat Protection helps secure mailboxes against email attacks by blocking emails with unsafe attachments, malicious links, and linked-to files leveraging time-of-click protection.

Windows Defender Exploit Guard can block malicious documents (such as those that distribute Gamarue) and scripts. The Attack Surface Reduction (ASR) feature in Windows Defender Exploit Guard uses a set of built-in intelligence that can block malicious behaviors observed in malicious documents. ASR rules can also be turned on to block malicious attachments from being run or launched from Microsoft Outlook or webmail (such as Gmail, Hotmail, or Yahoo).

Microsoft is also continuing the collaborative effort to help clean Gamarue-infected computers by providing a one-time package with samples (through the Virus Information Alliance) to help organizations protect their customers.

 

 

Microsoft Digital Crimes Unit and Windows Defender Research team

 

 

Get more info on the Gamarue (Andromeda) takedown from the following sources:

• Europol: Andromeda botnet dismantled in international cyber operation
• ESET: ESET unites with Microsoft and law enforcement agencies to disrupt Gamarue botnets

 

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Scripts are becoming the weapon of choice of sophisticated activity groups responsible for targeted attacks as well as malware authors who indiscriminately deploy commodity threats.

Scripting engines such as JavaScript, VBScript, and PowerShell offer tremendous benefits to attackers. They run through legitimate processes and are perfect tools for living off the landstaying away from the disk and using common tools to run code directly in memory. Often part of the operating system, scripting engines can evaluate and execute content from the internet on-the-fly. Furthermore, integration with popular apps make them effective vehicles for delivering malicious implants through social engineering as evidenced by the increasing use of scripts in spam campaigns.

Malicious scripts are not only used as delivery mechanisms. We see them in various stages of the kill chain, including during lateral movement and while establishing persistence. During these latter stages, the scripting engine of choice is clearly PowerShellthe de facto scripting standard for administrative tasks on Windowswith the ability to invoke system APIs and access a variety of system classes and objects.

While the availability of powerful scripting engines makes scripts convenient tools, the dynamic nature of scripts allows attackers to easily evade analysis and detection by antimalware and similar endpoint protection products. Scripts are easily obfuscated and can be loaded on-demand from a remote site or a key in the registry, posing detection challenges that are far from trivial.

Windows 10 provides optics into script behavior through Antimalware Scan Interface (AMSI), a generic, open interface that enables Windows Defender Antivirus to look at script contents the same way script interpreters doin a form that is both unencrypted and unobfuscated. In Windows 10 Fall Creators Update, with knowledge from years analyzing script-based malware, weve added deep behavioral instrumentation to the Windows script interpreter itself, enabling it to capture system interactions originating from scripts. AMSI makes this detailed interaction information available to registered AMSI providers, such as Windows Defender Antivirus, enabling these providers to perform further inspection and vetting of runtime script execution content.

This unparalleled visibility into script behavior is capitalized further through other Windows 10 Fall Creators Update enhancements in both Windows Defender Antivirus and Windows Defender Advanced Threat Protection (Windows Defender ATP). Both solutions make use of powerful machine learning algorithms that process the improved optics, with Windows Defender Antivirus delivering enhanced blocking of malicious scripts pre-breach and Windows Defender ATP providing effective behavior-based alerting for malicious post-breach script activity.

In this blog, we explore how Windows Defender ATP, in particular, makes use of AMSI inspection data to surface complex and evasive script-based attacks. We look at advanced attacks perpetrated by the highly skilled KRYPTON activity group and explore how commodity malware like Kovter abuses PowerShell to leave little to no trace of malicious activity on disk. From there, we look at how Windows Defender ATP machine learning systems make use of enhanced insight about script characteristics and behaviors to deliver vastly improved detection capabilities.

KRYPTON: Highlighting the resilience of script-based attacks

Traditional approaches for detecting potential breaches are quite file-centric. Incident responders often triage autostart entries, sorting out suspicious files by prevalence or unusual name-folder combinations. With modern attacks moving closer towards being completely fileless, it is crucial to have additional sensors at relevant choke points.

Apart from not having files on disk, modern script-based attacks often store encrypted malicious content separately from the decryption key. In addition, the final key often undergoes multiple processes before it is used to decode the actual payload, making it is impossible to make a determination based on a single file without tracking the actual invocation of the script. Even a perfect script emulator would fail this task.

For example, the activity group KRYPTON has been observed hijacking or creating scheduled tasksthey often target system tasks found in exclusion lists of popular forensic tools like Autoruns for Windows. KRYPTON stores the unique decryption key within the parameters of the scheduled task, leaving the actual payload content encrypted.

To illustrate KRYPTON attacks, we look at a tainted Microsoft Word document identified by John Lambert and the Office 365 Advanced Threat Protection team.

Figure 1. KRYPTON lure document

To live off the land, KRYPTON doesnt drop or carry over any traditional malicious binaries that typically trigger antimalware alerts. Instead, the lure document contains macros and uses the Windows Scripting Host (wscript.exe) to execute a JavaScript payload. This script payload executes only with the right RC4 decryption key, which is, as expected, stored as an argument in a scheduled task. Because it can only be triggered with the correct key introduced in the right order, the script payload is resilient against automated sandbox detonations and even manual inspection.

Figure 2. KRYPTON script execution chain through wscript.exe

Exposing actual script behavior with AMSI

AMSI overcomes KRYPTONs evasion mechanisms by capturing JavaScript API calls after they have been decrypted and ready to be executed by the script interpreter. The screenshot below shows part of the exposed content from the KRYPTON attack as captured by AMSI.

Figure 3. Part of the KRYPTON script payload captured by AMSI and sent to the cloud for analysis

By checking the captured script behavior against indicators of attack (IoAs) built up by human experts as well as machine learning algorithms, Windows Defender ATP effortlessly flags the KRYPTON scripts as malicious. At the same time, Windows Defender ATP provides meaningful contextual information, including how the script is triggered by a malicious Word document.

Figure 4. Windows Defender ATP machine learning detection of KRYPTON script captured by AMSI

PowerShell use by Kovter and other commodity malware

Not only advanced activity groups like KRYPTON are shifting from binary executables to evasive scripts. In the commodity space, Kovter malware uses several processes to eventually execute its malicious payload. This payload resides in a PowerShell script decoded by a JavaScript (executed by wscript.exe) and passed to powershell.exe as an environment variable.

Figure 5. Windows Defender ATP machine learning alert for the execution of the Kovter script-based payload

By looking at the PowerShell payload content captured by AMSI, experienced analysts can easily spot similarities to PowerSploit, a publicly available set of penetration testing modules. While such attack techniques involve file-based components, they remain extremely hard to detect using traditional methods because malicious activities occur only in memory. Such behavior, however, is effortlessly detected by Windows Defender ATP using machine learning that combines detailed AMSI signals with signals generated by PowerShell activity in general.

Figure 6. Part of the Kovter script payload captured by AMSI and sent to the cloud for analysis

Fresh machine learning insight with AMSI

While AMSI provides rich information from captured script content, the highly variant nature of malicious scripts continues to make them challenging targets for detection. To efficiently extract and identify new traits differentiating malicious scripts from benign ones, Windows Defender ATP employs advanced machine learning methods.

As outlined in our previous blog, we employ a supervised machine learning classifier to identify breach activity. We build training sets based on malicious behaviors observed in the wild and normal activities on typical machines, augmenting that with data from controlled detonations of malicious artifacts. The diagram below conceptually shows how we capture malicious behaviors in the form of process trees.

Figure 7. Process tree augmented by instrumentation for AMSI data

As shown in the process tree, the kill chain begins with a malicious document that causes Microsoft Word (winword.exe) to launch PowerShell (powershell.exe). In turn, PowerShell executes a heavily obfuscated script that drops and executes the malware fhjUQ72.tmp, which then obtains persistence by adding a run key to the registry. From the process tree, our machine learning systems can extract a variety of features to build expert classifiers for areas like registry modification and file creation, which are then converted into numeric scores that are used to decide whether to raise alerts.

With the instrumentation of AMSI signals added as part of the Windows 10 Fall Creators Update (version 1709), Windows Defender ATP machine learning algorithms can now make use of insight into the unobfuscated script content while continually referencing machine state changes associated with process activity. Weve also built a variety of script-based models that inspect the nature of executed scripts, such as the count of obfuscation layers, entropy, obfuscation features, ngrams, and specific API invocations, to name a few.

As AMSI peels off the obfuscation layers, Windows Defender ATP benefits from growing visibility and insight into API calls, variable names, and patterns in the general structure of malicious scripts. And while AMSI data helps improve human expert knowledge and their ability to train learning systems, our deep neural networks automatically learn features that are often hidden from human analysts.

Figure 8. Machine learning detections of JavaScript and PowerShell scripts

While these new script-based machine learning models augment our expert classifiers, we also correlate new results with other behavioral information. For example, Windows Defender ATP correlates the detection of suspicious script contents from AMSI with other proximate behaviors, such as network connections. This contextual information is provided to SecOps personnel, helping them respond to incidents efficiently.

Figure 9. Machine learning combines VBScript content from AMSI and tracked network activity

Detection of AMSI bypass attempts

With AMSI providing powerful insight into malicious script activity, attacks are more likely to incorporate AMSI bypass mechanisms that we group into three categories:

• Bypasses that are part of the script content and can be inspected and alerted on
• Tampering with the AMSI sensor infrastructure, which might involve the replacement of system files or manipulation of the load order of relevant DLLs
• Patching of AMSI instrumentation in memory

The Windows Defender ATP research team proactively develops anti-tampering mechanisms for all our sensors. We have devised heuristic alerts for possible manipulation of our optics, designing these alerts so that they are triggered in the cloud before the bypass can suppress them.

During actual attacks involving CVE-2017-8759, Windows Defender ATP not only detected malicious post-exploitation scripting activity but also detected attempts to bypass AMSI using code similar to one identified by Matt Graeber.

Figure 10. Windows Defender ATP alert based on AMSI bypass pattern

AMSI itself captured the following bypass code for analysis in the Windows Defender ATP cloud.

Figure 11. AMSI bypass code sent to the cloud for analysis

Conclusion: Windows Defender ATP machine learning and AMSI provide revolutionary defense against highly evasive script-based attacks

Provided as an open interface on Windows 10, Antimalware Scan Interface delivers powerful optics into malicious activity hidden in encrypted and obfuscated scripts that are oftentimes never written to disk. Such evasive use of scripts is becoming commonplace and is being employed by both highly skilled activity groups and authors of commodity malware.

AMSI captures malicious script behavior by looking at script content as it is interpreted, without having to check physical files or being hindered by obfuscation, encryption, or polymorphism. At the endpoint, AMSI benefits local scanners, providing the necessary optics so that even obfuscated and encrypted scripts can be inspected for malicious content. Windows Defender Antivirus, specifically, utilizes AMSI to dynamically inspect and block scripts responsible for dropping all kinds of malicious payloads, including ransomware and banking trojans.

With Windows 10 Fall Creators Update (1709), newly added script runtime instrumentation provides unparalleled visibility into script behaviors despite obfuscation. Windows Defender Antivirus uses this treasure trove of behavioral information about malicious scripts to deliver pre-breach protection at runtime. To deliver post-breach defense, Windows Defender ATP uses advanced machine learning systems to draw deeper insight from this data.

Apart from looking at specific activities and patterns of activities, new machine learning algorithms in Windows Defender ATP look at script obfuscation layers, API invocation patterns, and other features that can be used to efficiently identify malicious scripts heuristically. Windows Defender ATP also correlates script-based indicators with other proximate activities, so it can deliver even richer contextual information about suspected breaches.

To benefit from the new script runtime instrumentation and other powerful security enhancements like Windows Defender Exploit Guard, customers are encourage to install Windows 10 Fall Creators Update.

Read the The Total Economic Impact of Microsoft Windows Defender Advanced Threat Protection from Forrester to understand the significant cost savings and business benefits enabled by Windows Defender ATP. To directly experience how Windows Defender ATP can help your enterprise detect, investigate, and respond to advance attacks, sign up for a free trial.

 

Stefan Sellmer, Windows Defender ATP Research

with

Shay Kels, Windows Defender ATP Research

Karthik Selvaraj, Windows Defender Research

 

Additional readings

• Defend against PowerShell attacks, by Lee Holmes and the PowerShell team
• Windows Defender ATP machine learning: Detecting new and unusual breach activity

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

On November 10, 2017, a vulnerability called #AVGater was discovered affecting some antivirus products. The vulnerability requires a non-administrator-level account to perform a restore of a quarantined file.

Windows Defender Antivirus and other Microsoft antimalware products, including System Center Endpoint Protection (SCEP) and Microsoft Security Essentials (MSE), are not affected by this vulnerability.

This vulnerability can be exploited to restore files that have been detected and quarantined by an antivirus product. To exploit this, malicious applications, including those launched by user-level accounts without administrator privileges, create an NTFS junction from the %System% folder to folder where the quarantined file is located. This NTFS junction can trigger the antivirus product to attempt to restore the file into the %System% folder.

This is a relatively old attack vector. By design, Microsoft antimalware products, including Windows Defender Antivirus, have never been affected by this vulnerability because it does not permit applications launched by user-level accounts to restore files from quarantine. This is part of the built-in protections against this and other known user-account permissions vulnerabilities.

Read more about Windows Defender Antivirus and the rest of our Windows Defender protection products at the following links:

• Windows Defender Antivirus documentation
• Windows Defender Advanced Threat Protection documentation (you can also sign up for a free trial)
• Windows Defender Exploit Guard documentation
• Windows Threat Protection

 

*Edited 11/17/2017 to include other Microsoft antimalware products

 

---

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

 

Phil asks:

I’m new to Windows 8.1. Now that my free security software has expired, how do I go about making Windows Defender my choice security method?

Windows Defender is included with Windows 8 and Windows 8.1 and helps protect your PC against malware (malicious software). Many new computers come with free subscriptions to antivirus software and other security programs from companies other than Microsoft. If the subscription runs out and you don’t want to pay for it, you need to:

1. Fully uninstall the non-Microsoft security software that came with your computer.
2. Make sure Windows Defender is turned on.

To uninstall the security software that came with your computer, check the software’s Help file.

Make sure Windows Defender is turned on in Windows 8

1. Swipe in from the right edge of the screen and tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).
2. In the Search box, type Windows Defender.
3. Tap or click the Windows Defender icon.
4. Go to Settings, and make sure that Turn on real-time protection (recommended) is selected.
5. Tap or click Save Changes.

Phil asks:

I’m new to Windows 8.1. Now that my free security software has expired, how do I go about making Windows Defender my choice security method?

Windows Defender is included with Windows 8 and Windows 8.1 and helps protect your PC against malware (malicious software). Many new computers come with free subscriptions to antivirus software and other security programs from companies other than Microsoft. If the subscription runs out and you don’t want to pay for it, you need to:

1. Fully uninstall the non-Microsoft security software that came with your computer.
2. Make sure Windows Defender is turned on.

To uninstall the security software that came with your computer, check the software’s Help file.

Make sure Windows Defender is turned on in Windows 8

1. Swipe in from the right edge of the screen and tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).
2. In the Search box, type Windows Defender.
3. Tap or click the Windows Defender icon.
4. Go to Settings, and make sure that Turn on real-time protection (recommended) is selected.
5. Tap or click Save Changes.

Phil asks:

I’m new to Windows 8.1. Now that my free security software has expired, how do I go about making Windows Defender my choice security method?

Windows Defender is included with Windows 8 and Windows 8.1 and helps protect your PC against malware (malicious software). Many new computers come with free subscriptions to antivirus software and other security programs from companies other than Microsoft. If the subscription runs out and you don’t want to pay for it, you need to:

1. Fully uninstall the non-Microsoft security software that came with your computer.
2. Make sure Windows Defender is turned on.

To uninstall the security software that came with your computer, check the software’s Help file.

Make sure Windows Defender is turned on in Windows 8

1. Swipe in from the right edge of the screen and tap Search (or if you’re using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search).
2. In the Search box, type Windows Defender.
3. Tap or click the Windows Defender icon.
4. Go to Settings, and make sure that Turn on real-time protection (recommended) is selected.
5. Tap or click Save Changes.

Carole asks:

Is it OK to run Windows Defender with Norton or McAfee antivirus protection?

No. You should never run more than one antivirus program at the same time. The two programs could slow down your computer, and they might even identify each other as a virus, which could lead to file corruption or other conflicts and errors that make your antivirus protection less effective—or not effective at all.

We recommend that you use the antivirus protection that’s included in your version of Windows. Windows 8 includes antivirus and antispyware protection called Windows Defender. If you use Windows 7 or Windows Vista, you can download Microsoft Security Essentials at no cost.

For more information, see How to boost your malware defense and protect your PC.

Microsoft recently took legal action against a group of cybercriminals suspected of spreading malicious software to millions of unsuspecting computer users.

These social media–savvy cybercriminals have not only spread the malware themselves, but they’ve also promoted their malicious tools across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes.

For more information on the legal action, see Microsoft takes on global cybercrime epidemic in tenth malware disruption.

To help protect yourself against cybercrime

• Keep your operating system and other software updated.
• Use antivirus software (and keep it updated).
• Don’t open suspicious email messages, links, or attachments.

Get more guidance at How to boost your malware defense and protect your PC.

Support ended for Windows XP last week. That means technical assistance for Windows XP is no longer available.

To stay protected, you can upgrade your current computer or buy a new one. Windows 8.1 Update runs on a wider variety of devices, so you’ll have more to choose from, including budget-friendly laptops and tablets.

Windows 8 security and safety features

Windows Update installs important updates as they become available. Windows 8 turns on automatic updating as part of the initial setup process. Keep in mind that Windows Update won’t add any applications to your computer without asking for your permission. Get more answers to your Windows Update questions.

Help keep your family safer. With Windows 8, you can monitor your children’s Internet use, choose which games or apps they can access, and block or allow access to certain websites. Keep track of your kids online.

Antivirus protection is now included for your PC. Windows Defender, which is built in to Windows 8, replaces Microsoft Security Essentials. It runs in the background and notifies you when you need to take specific action.

Learn about other ways to keep your PC safer from viruses with Windows 8

Buying a new PC? Save $100 when you buy any Surface Pro 2 or select PCs over $599

Microsoft releases security updates on the second Tuesday of every month.

• Learn how to get security updates automatically
• For IT Pros: Microsoft Security Bulletin Summary for April 2014

Support for Windows XP has ended

Microsoft has provided support for Windows XP for the past 12 years. But the time has come for us, along with our hardware and software partners, to invest our resources toward supporting more recent technologies so that we can continue to deliver great new experiences.

As a result, technical assistance for Windows XP will no longer be available, including automatic updates that help protect your PC. Microsoft will also stop providing Microsoft Security Essentials for download on Windows XP on this date. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to help protect your PC.)

More information

• Learn about cyber threats that can affect computers that are still running Windows XP.
• Get more information about upgrading to Windows 8.
• Buying a new PC? Save $100 when you buy any Surface Pro 2 or select PCs over $599.

Microsoft releases security updates on the second Tuesday of every month.

Skip the details and check for the latest updates.

This bulletin announces the release of security updates for Windows, Microsoft Word, and other programs.

• Learn how to get security updates automatically
• For IT Pros: Microsoft Security Bulletin Summary for March 2014

To get more information about security updates and other privacy and security issues delivered to your email inbox, sign up for our newsletter.

What is a botnet?

Botnets are networks of compromised computers that criminals use to commit fraud, such as:

• Secretly spreading malware
• Stealing personal information
• Hijacking Internet search results to take you to websites that are potentially dangerous

How do I know if my computer is part of a botnet?

Your computer might be part of a botnet if it crashes or stops responding often or you experience other malware symptoms. You might also be directed to this page:

 

How can I clean my computer if I’ve been infected?

Botnets infect your computer with malware. To clean your computer, run the Microsoft Safety Scanner, and then run a scan with your antivirus software.

Get more guidance on how to remove malware

How can I help keep my computer out of botnets?

Make sure your computer has antivirus software, such as Windows Defender or Microsoft Security Essentials, and keep it updated.

To learn more about botnets, see How to better protect your PC from botnets and malware.

If your computer is running Windows 8

If your computer is running Windows 8, you already have antivirus software. Windows 8 includes Windows Defender, which helps protect you from viruses, spyware, and other malicious software.

If Windows Defender is turned off and you don’t have another antivirus program installed (or your other antivirus program is not working), you will see a warning in the notification area on your taskbar.

If your computer is running Windows 7

Windows 7 includes spyware protection, but to protect against viruses you can download Microsoft Security Essentials for free.

To find out if you already have antivirus software:

1. Open Action Center by clicking the Start button , clicking Control Panel, and then, under System and Security, clicking Review your computer’s status.
2. Click the arrow button  next to Security to expand the section.

If Windows can detect your antivirus software, it’s listed under Virus protection.

Windows doesn’t detect all antivirus software, and some antivirus software doesn’t report its status to Windows. If your antivirus software isn’t displayed in Action Center and you’re not sure how to find it, try any of the following:

• Type the name of the software or the publisher in the Search box on the Start menu.
• Look for your antivirus program’s icon in the notification area of the taskbar.

If your computer is running Windows Vista

Windows Vista does not include virus protection. To protect against viruses, you can download Microsoft Security Essentials for free.

The status of your antivirus software is typically displayed in Windows Security Center.

1. Open Security Center by clicking the Start button , clicking Control Panel, clicking Security, and then clicking Security Center.
2. Click Malware protection.

If Windows can detect your antivirus software, it will be listed under Virus protection.

Windows does not detect all antivirus software, and some antivirus software doesn’t report its status to Windows. If your antivirus software is not displayed in Windows Security Center and you’re not sure how to find it, try any of the following:

• Look for the antivirus software in the list of programs on the Start menu.
• Type the name of the software or the publisher in the Search box on the Start menu.
• Look for the icon in the notification area of the taskbar.

If your computer is running Windows XP

Click the security icon on the taskbar, or click Start, select Control Panel, and then double-click Security Center.

On April 8, 2014, Microsoft will end support for Windows XP. This means that after April 8, there will be no new security updates available through automatic updating for computers that are still running Windows XP.

Also on this date, Microsoft will stop providing Microsoft Security Essentials for download on Windows XP. (If you already have Microsoft Security Essentials installed, you will continue to receive antimalware signature updates for a limited time, but this does not mean that your PC will be secure because Microsoft will no longer provide security updates to protect it.)

For more information, see Support is ending soon.

Get more information about upgrading to Windows 7 and Windows 8.

I don’t know what operating system my computer is running

Find out what operating system your computer is running

 

 

A reader asks:

If I have Windows Defender, do I need to buy anything else to protect my computer?

If your computer is running the Windows 8 operating system, Windows Defender will help protect you from viruses, spyware, and other malicious software. You don’t need to buy anything else. 

If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender removes spyware, but to protect yourself from viruses, you’ll need to download antivirus software. You can purchase it from a third party, or you can download Microsoft Security Essentials for free.

More ways to protect against viruses and other malware

Run newer software. Advanced security technologies in modern operating systems are specifically designed to make it more difficult, more complex, more expensive, and therefore, less appealing to cybercriminals to exploit vulnerabilities.

Regularly install updates for all your software. Update your antivirus and antispyware programs, browsers (like Windows Internet Explorer), operating systems (like Windows), and word processing and other programs. Learn how to turn on automatic updating.

Make sure your firewall is turned on. A firewall will also help protect against viruses and hackers. Find out if your version of Windows has a built-in firewall.

For more information, see How to remove and avoid computer viruses.

It’s a new year, which means it’s time to resolve to create healthier habits in our daily lives. But we don’t have to stop at just improving our body, mind, and spirit. It’s also a good idea to resolve to keep our PCs, laptops, smartphones, and social networking sites healthy this year.

1. Keep your software up to date. You can help protect against viruses, fraud, and more by keeping your operating system, antivirus software, antispyware software, web browser, and other software updated. Microsoft releases security updates on the second Tuesday of every month. Learn how to get security updates automatically.

2. Create strong passwords, keep them secret, and change them regularly. This is particularly important for those passwords that safeguard your computer, important accounts (like email or Facebook), and sensitive information, like financial and health data. Get more information about creating strong passwords and protecting them.

3. Use antivirus software. If your computer is running Windows 8, you can use the built-in Windows Defender to help you detect and get rid of spyware and other malware. If your computer is running Windows 7, Windows Vista, or Windows XP, Windows Defender removes spyware.

4. Check and adjust your privacy settings. You can participate in the online world and keep your information private. Learn more about how to manage your privacy settings in Windows, Internet Explorer, your Microsoft account, Windows Phone, and more. 

 

If you’re travelling this holiday season and you plan to be online, here are a few ways to protect yourself and your family:

• Before you go, make sure all your software (and especially your antivirus software) is up to date. Learn how to get security updates automatically.
• Be careful with vacation details that you post on your social networking sites and out-of-office emails. Get more guidance for email and social networking.
• Don’t advertise the fact that you’re going to be away from your house for long periods of time. Also, be wary of using location services on your mobile devices that track your location. If you use a Windows Phone, see Location and my privacy FAQ              .
• Make sure your kids know the basics of online safety. If you’ve recently bought them a new mobile device, see our new Digital Gift-Giving Checklist.

Get more mobile and wireless tips.

Each fall when kids go “back to school,” parents and caregivers prepare their kids for homework, school programs, sports, even “trick-or-treating.” It’s also important that families have the same preparedness when using technology. We should encourage all children to enjoy the goodies the Internet provides, while helping them avoid the spookier things that can happen online. 

This collection of treats can help your little monsters avoid some of the digital “tricks” that can occur, supporting the notion that being safer online is sweeter for everyone!

Defend their devices & information from online creepers:

• Strengthen your devices’ defenses by installing antivirus and antispyware programs from trusted sources, updating software and apps regularly, leaving your firewall on at all times, and using flash drives cautiously.
• Avoid being tricked into downloading scareware and malware. Be cautious about opening attachments and links, download software from trusted websites, and close pop-ups carefully.
• Safeguard sensitive personal information by saving financial activity for a more secure home network; use GPS features wisely and public Wi-Fi safely, and look for signs that a webpage is secure and legitimate.
• Create strong passwords and phrases, keep them secret, and avoid using the same one on all sites.

Help your goblins learn to use social networks safely:

• Follow the age-usage guidelines set by social networking sites.
• Work with kids to use Settings or Options in online services to manage who can see their profile or tagged photos, how people can search for them and make comments, and how to block people.
• Ask kids to think about who they accept as friends and to reassess periodically.  
• Empower kids to promote a positive image online, and be respectful with the comments and images they post.

Say “boo!” to online bullying:

• Stay curious in kids’ lives online by asking them to show you their interests, what games they play, what they post and with whom they are talking online; lead with your own example; watch for signs of online cruelty, and ask kids to report any type of online drama.
• Encourage empathy. Suggest kids put themselves in another’s shoes. With your support, they can stand up for someone being bullied online.
• Promote compassion in the community by advocating for school trainings and kindness campaigns.

Participate in our #SaferIsSweeter Twitter contest for the chance to win a Surface RT!  Read the official rules for details. 

• Follow us on Twitter and tweet to us the answers to seven daily questions about online safety & security.
  • You may answer each question at any time as long as you answer all of them by the end the day on October 31, 2013.
  • Your tweets entries must include the hashtag #SaferIsSweeter, corresponding question number (Q1, Q2, Q3, Q4, Q5, Q6, or Q7) so it is clear which you are answering, and be relevant to the discussion topic. 

If you’re a regular reader of this blog, then you’ve probably already taken steps to help protect your PC. You have antivirus software that you trust and you keep it updated automatically. You’ve activated your firewall. You regularly install security updates. You know not to respond to suspicious emails or to click links with promises that seem too good to be true.

Today we’d like to tell you about an advanced tool that complements your existing defenses, making it even more difficult for malicious hackers and cybercriminals to get into your computer. If you feel comfortable performing more advanced computer tasks, consider downloading the free Enhanced Mitigation Experience Toolkit (EMET).

EMET is a free tool available for Windows 8, Windows 7, Windows Vista, and Windows XP. EMET works by taking advantage of security technologies that already exist on your PC, but might not be used by all of your programs. EMET helps protect your computer from new or undiscovered threats until they can be addressed through formal security updates. Katie Couric, a journalist and a talk show host, recently hosted a segment called Protect Your Computers from Hackers and recommended that families install and use EMET.

Download EMET now

Once installed, EMET works quietly in the background without interrupting your computer use. Like any security tool, EMET doesn’t guarantee that you’ll never have any problems, but it does make it much harder for an attacker to succeed.

Already using EMET? Get support or join the EMET forum.

Windows Defender and Microsoft Security Essentials (antivirus software from Microsoft) can detect and remove most malware. If you’re running antivirus software and you’re still having trouble removing malware, follow these steps:

1. Make sure you have automatic updating turned on. This feature ensures that you have the latest security improvements from Microsoft installed on your computer. If you’re using other antivirus software, make sure that it is up to date with the latest malware definitions.
2. Manually update your security software, reboot your computer, and run a full scan.
3. Check our malware encyclopedia for known issues with the malware and any additional cleaning instructions.

For more information about how to troubleshoot this problem, see My security software detects this malware but won’t remove it.