Windows Defender thwarts major malware attack directed mostly at Russian users

On Thursday, March 8, Microsoft said that just before noon on Tuesday, Windows Defender blocked more than 80,000 instances of a massive malware attack that used a trojan called Dofoil, also known as Smoke Loader. Within the following 12 hours, Windows Defender blocked another 400,000 instances. Most of the smoky outbreak took place in Russia (73 percent) followed by Turkey (18 percent) and Ukraine (4 percent). 

Smoke Loader is a trojan that can retrieve a payload from a remote location once it infects a PC. It was last seen in a fake patch for the Meltdown and Spectre processor vulnerabilities, which downloaded various payloads for malicious purposes. But for the current outbreak in Russia and its neighboring countries, Smoke Loader’s payload was a cryptocurrency miner. 

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft stated. “For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.” 

Once on the PC, the Smoke Loader trojan launched a new instance of Explorer in Windows and placed it in a suspended state. The trojan then carved out a portion of the code used it to run in the system memory and filled that blank space with malware. After that, the malware could run undetected and delete the trojan components stored on the PC’s hard drive or SSD. 

Now disguised as the typical Explorer process running in the background, the malware launched a new instance of the Windows Update AutoUpdate Client service. Again, a section of the code was carved out, but coin mining malware filled the blank space instead. Windows Defender caught the miner red-handed because its Windows Update-based disguise ran from the wrong location. Network traffic stemming from this instance constituted highly suspicious activity as well. 

Because Smoke Loader needs an internet connection to receive remote commands, it relies on a command and control server located within the experimental, open-source Namecoin network infrastructure. According to Microsoft, this server tells the malware to sleep for a period of time, connect or disconnect to a specific IP address, download and execute a file from a specific IP address, and so on. 

“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,” Microsoft says. That includes making a copy of itself and hiding out in the Roaming AppData folder and making another copy of itself to access IP addresses from the Temp folder. 

Microsoft says artificial intelligence and behavior-based detection helped thwart the Smoke Loader invasion but the company doesn’t state how victims received the malware. One possible method is the typical email campaign as seen with the recent fake Meltdown/Spectre patch, tricking recipients into downloading and installing/opening attachments.


I tried an LTE laptop for a month, and I wasn’t really convinced

LTE laptops offer up plenty of benefits and are becoming more common. After spending one month with one in my daily life in New York City, I really wondered if it is something that consumers really need in their lives.

If you've lost a software key, these handy tools can find it for you

Missing product keys getting you down? We've chosen some of the best software license and product key finders in existence, so you can locate and document your precious keys on your Windows or MacOS machine.

Our favorite Windows apps will help you get the most out of your new PC

Not sure what apps you should be downloading for your newfangled Windows device? Here are the best Windows apps, whether you need something to speed up your machine or access your Netflix queue. Check out our categories and favorite picks.

Windows 10 notifications driving you crazy? Here's how to get them under control

Are the notifications on Windows 10 annoying you? Here's our guide on how to turn off notifications in Windows, and how to manage alerts so that the important stuff still gets through.

3DMark’s Port Royal lets you benchmark ray tracing on Nvidia’s RTX cards

UL is adding another benchmarking utility to its popular 3DMark suite to help gamers measure their graphics card's ray tracing performance. You'll soon be able to measure how Nvidia's RTX 2070, 2080, and 2080 Ti stack up.

Snatch Apple’s 2017 15-inch MacBook Pro for up to $1,200 off at B&H

The latest deal at B&H is offering up 2017 15-inch Apple MacBook Pros, in space gray and silver, with Intel Core i7 quad-core CPUs, 16GB of RAM, and AMD Radeon Pro 560 GPUs with up to 2TB of SSD storage.

Microsoft’s Chromium Edge browser may be adding your Chrome extensions

Fans sticking to Google Chrome because due to its vast extension library might be able to switch over to Microsoft's latest iteration of Edge, as a project manager confirms that the company has its eyes on Chrome extensions.

Apple Mac users should take a bite out of these awesome games

Contrary to popular belief, there exists a bevy of popular A-list games compatible for Mac computers. Take a look at our picks for the best Mac games available for Apple fans.
Emerging Tech

An A.I. cracks the internet’s squiggly letter bot test in 0.5 seconds

How do you prove that you’re a human when communicating on the internet? The answer used to be by solving a CAPTCHA puzzle. But maybe not for too much longer. Here is the reason why.

Qualcomm’s dual-screen PC concept looks like two connected Surface Go tablets

In Qualcomm's video teaser, we got a glimpse of the company's vision for how a dual-screen ARM PC should work. The internet reacted to Qualcomm's video, calling the device in question merely a mashup of two Surface Go tablets.

Check out the best Green Monday deals for those last-minute gifts

Black Friday and Cyber Monday have come and gone, but that doesn't mean you've missed your chance of finding a great deal. We're talking about Green Monday, of course, and it falls on December 10.

Hololens 2 could give the Always Connected PC a new, ‘aggressive’ form

Microsoft is said to be leaning on Qualcomm to power its Hololens 2 headset. Instead of Intel CPUs, the next Hololens could use a Snapdragon 850 processor, allowing it to benefit from the always-connected features.

Chrome’s dark mode may cast its shadow over Macs by early 2019

By early 2019 Google may release a version of Chrome for Mac users that offers a Dark Mode feature to match MacOS Mojave's recent darkening.

These laptop bags will keep your notebook secure wherever you go

Choosing the right laptop bag is no easy feat -- after all, no one likes to second-guess themselves. Here are some of the best laptop bags on the market, from backpacks to sleeves, so you can get it right the first time around.