Now Reading
How Microsoft’s Antivirus Stopped Dofoil, The Coin Mining Malware Using Behavioral Monitoring And ML

How Microsoft’s Antivirus Stopped Dofoil, The Coin Mining Malware Using Behavioral Monitoring And ML

Abhishek Sharma


Since the advent of digital technology, crime in the online space has taken various forms, from cyberbullying to exploiting security flaws for monetary gains by ‘black hat’ hackers. Cyber security experts estimate that the costs incurred due to these crimes will rise up to $6 trillion annually by 2021.

Notably, the number of malicious code,software or tools present on the online space are also very large and exist in many types – virus, spam, malware, spyware, phishing software – the list goes on, and will continue because the vulnerabilities are innate in the Internet architecture. The possibilities are harrowing with recent ones being ransomware such as Petya, WannaCry and coin mining software entering the cryptocurrency domain. In this article, we explore how the latest attack called Dofoil, a malicious bitcoin mining software was detected and subdued by Microsoft’s antivirus, anti-malware product Windows Defender using behavioral monitoring and bits of machine learning (ML).

The Dofoil Disruption – What is it?

Dofoil, also known as Smoke Loader among cybersecurity experts, is a software application which downloads other malicious software (or called malware) onto the host computer systems and servers. It mainly infects them through spams and exploit kits, that detect vulnerabilities and security loopholes and intrudes without the host knowing it. The attackers usually use command-and-control servers (C2 servers) on the affected systems to maintain communications amongst themselves.

Although developed quite earlier, Dofoil was almost undetectable until recent reports of Microsoft and Malwarebytes addressed the problem and eliminated the threat.

How Microsoft’s Windows Defender smoked Dofoil

Windows Defender, the standalone antivirus product by Microsoft detected and protected users from Dofoil attack that occured on March 6, 2018.The cryptocoin mining attack was mostly concentrated in Russia and spread to regions around it, such as Ukraine and Turkey. Windows Defender initially detected the spread through its behavioral monitoring service, relaying the emergency signals to its cloud protection services.

After getting alerted by Windows Defender’s behavioral signals, the metadata-based ML models in the cloud instantly blocked the threats and then proceeded to categorise the malicious software through their services’ sample-based and detonation-based ML models. This is to reinforce protection and bring out more information from those threats. Later on, the response team classified the string of threats under one name – Dofoil.

Layers of ML models in Windows Defender (Courtesy : Microsoft)


Since Bitcoin and other similar cryptocurrencies are on the rise, malware creators are targeting users of these currencies, especially with the coin mining components. Coin mining scripts are passed through emails and fake tech support sites claiming to be genuine. The Dofoil threat used these methods to harvest cryptocurrencies (mainly Bitcoin). Thanks to Windows Defender and the Microsoft, the threat was halted from spreading to more systems.

Dofoil used a technique called process hollowing to covertly replace a system process or instance running in the background, with a malware. For example, the instance here was the path c:\windows\syswow64\explorer.exe. The explorer.exe was now disguised as a malware. This corrupt instance bring up another malicious coin mining malware and acts as a Windows Binary file – wuaclt.exe. This is where Windows Defender detects suspicious activity since wuaclt.exe is acting elsewhere, other than the actual system location. The antivirus software blocked network activity immediately once the threat was identified.

Windows Defender recognises suspicious activity


In the above process, Dofoil corners only Bitcoin mining. Similarly, it also employs a unique code for NiceHash, a cloud-cryptocurrency platforms which offer hashing with regard to different cryptocurrencies. In addition to this, Dofoil remains active in the background and will even modify the registry folder of Windows OS, if not stopped in the initial stages.

See Also
cybersecurity jobs recession

Machine Learning in Windows Defender

Earlier, we saw that the antivirus software took a layered-structure approach to ML models. Microsoft in their research has quoted that –

In Windows Defender AV’s layered approach to defense, if the first layer doesn’t detect a threat, we move on to the next level of inspection. As we move down the layers, the amount of time required increases. However, we catch the vast majority of malware at the first (fastest) protection layers and only need to move on to a more sophisticated (but slower) level of inspection for rarer/more advanced threats.”

This means that the ML models won’t compromise on the performance of the system while working aggressively to hinder security threats. This way the problem of threats get resolved in minutes, if not in a few hours.

Conclusion :

The world of computer technology and Internet has witnessed more setbacks than ever in the recent years. With cybercrime and threats in the digital space on the rise, cybersecurity needs to brace itself with advancements in parallel to counter cybercrime on a disastrous scale.


What Do You Think?

If you loved this story, do join our Telegram Community.

Also, you can write for us and be one of the 500+ experts who have contributed stories at AIM. Share your nominations here.

Copyright Analytics India Magazine Pvt Ltd

Scroll To Top