Microsoft Detects Massive Dofoil Attack

[UPDATE] Mid-day Tuesday (PST), Microsoft’s Windows Defender blocked more than 80,000 instances of several new variants of the Dofoil (aka Smoke Loader) downloader. The signatureless machine learning capabilities of Defender detected anomalous behavior, and within minutes had protected Windows 10, 8.1 and 7 users from the outbreak. 

Over the next 12 hours, more than 400,000 instances of this malware were recorded — 73% of them in Russia, 18% in Turkey, and 4% in Ukraine.

Microsoft describes how the Dofoil downloader works, and how it was detected. Noticeably, it does not explain how the computers were compromised in the first place. The malware performs process hollowing, which involves spawning a new instance of a legitimate process — in this case, explorer.exe — and replacing the good code with malware. The hollowed explorer.exe then spins a second instance which drops and runs coin mining malware masquerading as the legitimate binary, wuauclt.exe.

Defender detected the issue, writes Microsoft, since, “Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious.”

The downloader communicates with a C&C server, vinik.bit, inside the Namecoin distributed framework. Doctor Web researchers described Namecoin as, “a system of alternative root DNS servers based on Bitcoin technology.” Namecoin describes itself as a key/value pair registration and transfer system based on Bitcoin technology. “Bitcoin frees money — Namecoin frees DNS, identities, and other technologies.”

Fittingly, what Dofoil downloads is a cryptominer that supports NiceHash; allowing it to mine different cryptocurrencies. “The samples we analyzed mined Electroneum coins,” writes Microsoft.

Electroneum is an interesting choice when most malware miners seem to go for Bitcoin and increasingly Monero. The criminals will always, however, go after maximum profit from minimum effort. On Monday this week, one day before the Dofoil outbreak, Jason Evangelho wrote in Forbes, “I’m enthusiastic about Electroneum and I’ve been diverting my mining rigs from Nicehash or Ethereum to this one because I believe it will explode in popularity by the end of 2018.” This may be precisely the same reasoning as the criminals.

Natural price growth in any currency will likely be boosted by the number of operational miners. In a report titled Monero Mining Malware (PDF) published today, NTT researchers suggest that there is a symbiotic relationship between legal and malware-driven mining, with both processes driving the increase in value. 

The decision to used Dofoil to drop Electroneum mining malware may be jointly driven by the apparent potential growth in the currency bolstered by a massive campaign trying to infect nearly half a million PCs specifically to drive up the value.

“As demonstrated,” writes Microsoft, “Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network.”

This is true as far as it goes; but not everyone believes it goes far enough. All such reports are fundamentally marketing documents and will inevitably portray the company concerned in the best light possible. “The way I read it,” comments ESET Senior Research Fellow David Harley, “Windows Defender did a good job of detecting this particular campaign, and deserve credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.”

F-Secure security advisor Sean Sullivan agrees that many anti-malware products would have had a similar success in stopping the campaign. “Other antivirus products would also block this campaign,” he told SecurityWeek. “Some of the details may differ, but the result would be similar.”

Luis Corrons, technical director at PandaLabs, is more reserved. “If you read [the report] carefully, you see they have no clue on how the threat compromised those computers,” he told SecurityWeek. “So, we are talking about an ‘outbreak’ (their own words) infecting thousands of computers protected by Microsoft.”

Corrons’ concern is that relying solely on behavioral patterns will only detect the malware after it has already infected the computer. This is true in this case since the downloaded malware, disguised as wuauclt.exe was detected because it was in the wrong location. “After being compromised they were able to detect it — which is great, but it would have been better if they could have stopped the infection in the first place. The problem is,” he continued, “that if they really have no idea of how the attack compromised those computers, the same attack could work against all Microsoft AV users leaving them just with the hope that their ‘great’ machine learning technology is able to detect it (once they have been infected).”

This last is an interesting comment, since reliance on machine learning algorithms can only be as effective as the algorithms and the data from which they learn. Almost two years ago there was a huge argument between the original anti-virus industry and the evolving ‘next-gen’ machine learning endpoint protection systems — with the former accusing the latter of frequently ‘stealing’ their malware intelligence via VirusTotal.

One of the figures in the Microsoft report depicts the ‘alert process tree’ used to determine the presence of the malware. Noticeably, this includes a VirusTotal hash with the comment, “VirusTotal detection ratio 38/67.” Since more than half of the anti-malware engines supported by VirusTotal already classify the file as malware, it is a fair assumption that it really is malware. 

A cynic might then wonder just how much of the ‘Big Data Analytics’ underpinning Defender’s machine learning algorithms actually depends upon the opinions of other anti-malware researchers as displayed by VirusTotal.

[UPDATE 03/09/18] Microsoft has clarified that the report illustration labeled “Windows Defender ATP alert process tree…” is not part Defender’s decision process, but a graphic generated after the event for the benefit of sysadmins. The referral to VirusTotal, showing that 38 anti-malware engines detected the file as malicious, was not made until 11 hours after Defender also concluded it was malware. 

Microsoft has also promised to share details of the campaign’s distribution methodology ‘soon’, saying “we have seen correlation with certain file sharing and internet download programs.”

Related: Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft 

Related: “Illusion Gap” Attack Bypasses Windows Defender 

view counter

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Previous Columns by Kevin Townsend:

Tags: