Windows Defender halted 'massive' malware campaign this week, Microsoft says

Windows Defender helped to prevent "massive" coin mining malware outbreak from spreading earlier this week. According to Microsoft, the campaign attempted to infect nearly 500,000 computers throughout a 12-hour period, beginning just before noon on March 6.

The trojans, identified by Microsoft as variants of Dofoil (or Smoke loader), attempted to deliver a payload of cryptocurrency coin mining components. The majority of attacks, 73 percent, were detected in Russia, but significant activity was also detected in Turkey and Ukraine.

According to Microsoft, its machine learning models enabled it to begin blocking the threats within milliseconds of being flagged by Windows Defender.

  • Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
  • Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
  • Within minutes, an anomaly detection alert notified us about a new potential outbreak.
  • After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.

It's unclear if this attack would have reached the scale of 2017's massive WannaCry attack, but this is an interesting example of Microsoft's work with Windows Defender Advanced Threat Protection (ATP) in action.

Microsoft says that Windows 10, Windows 8.1, and Windows 7 machines running Windows Defender or Microsoft Security Essentials are protected from the outbreak.