Microsoft has teamed up with Intel to block CPU-draining cryptomining malware by integrating Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, its cloud-based enterprise security service formerly known as Microsoft Defender Advanced Threat Protection.
By exploiting vulnerabilities such as the recent Microsoft Exchange Server flaws, cybercriminals can harness large amounts of computing power to mine cryptocurrency at someone else's expense. Add the skyrocketing prices of bitcoin, monero, ethereum and dogecoin, and attackers have a strong incentive to go after powerful corporate servers.
Microsoft and Intel's new security feature targets malware at the processor level, below the operating system, where traditional antivirus software does not look. It builds on an earlier partnership with Intel to counter the rise of in-memory malware.
Monitor execution of malware code at runtime
“Intel TDT applies machine learning to low-level hardware telemetry coming directly from the processor performance monitoring unit (PMU) to detect the ‘fingerprint’ of malicious code execution at runtime with minimal overhead,” Microsoft explains in a blog post. “TDT leverages a rich set of performance profiling events available in Intel SoCs (systems on a chip) to monitor and detect malware at its final point of execution (the CPU).”
On Windows, TDT works on machines with 6th Gen or newer Intel Core processors and the Intel vPro platform.
The feature analyzes PMU telemetry from the CPU. Coin miners earn cryptocurrency rewards by solving the mathematical problems that make up the blockchain underlying a cryptocurrency, and all of that work consumes CPU resources.
This technology could come in handy because it can monitor the execution of malware code at runtime, even when the malware is hidden in a virtualized guest.
“No product or component can be absolutely safe”
“Cryptocurrency miners make heavy use of repeated mathematical operations and this activity is recorded by the PMU, which triggers a signal when a certain usage threshold is reached,” Microsoft explains. “The signal is processed by a machine learning layer that can recognize the fingerprint generated by the specific activity of coin mining. Since the signal comes exclusively from CPU usage, caused by the runtime characteristics of malware, it is unaffected by common antimalware evasion techniques, such as binary obfuscation or memory-only payloads.”
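The two quotes above describe a two-stage pipeline: a usage threshold on raw PMU counters that raises a signal, followed by a fingerprint classifier over the runtime profile. The following Python is an added illustration of that shape, not Intel's or Microsoft's code; Intel's actual model, features and thresholds are not published, so the counter fields, the "miner" centroid and all trace values below are constructed. The point it shows is that the verdict depends only on execution behaviour (IPC, miss rates), never on the code bytes, which is why obfuscation or a memory-only payload does not change the answer.

```python
"""Toy two-stage detector modelled on the PMU threshold + fingerprint
pipeline described in the article. All numbers are constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PmuSample:
    """One sampling window of hardware counters (constructed field set)."""
    cycles: int          # unhalted core cycles spent in the window
    instructions: int    # instructions retired
    branch_misses: int   # mispredicted branches
    llc_misses: int      # last-level-cache misses


WINDOW_CYCLES = 1_000_000   # cycles available per window (assumed clock/period)
USAGE_THRESHOLD = 0.85      # stage 1 fires when this fraction of the window is busy
SUSTAINED_WINDOWS = 3       # consecutive busy windows before stage 2 is consulted

# Stage 2 reference fingerprint: a centroid in feature space. A real deployment
# would learn this from labelled telemetry; these values are made up.
MINER_CENTROID = (2.4, 1.0, 0.5)   # high IPC, few branch misses, few LLC misses
FEATURE_SCALE = (1.0, 5.0, 5.0)    # per-feature scale so one feature cannot dominate
FINGERPRINT_RADIUS = 0.6           # scaled distance inside which we call it a miner


def features(s: PmuSample):
    """Derive (IPC, branch misses per 1k instr, LLC misses per 1k instr)."""
    instr = max(s.instructions, 1)
    return (
        s.instructions / max(s.cycles, 1),
        1000.0 * s.branch_misses / instr,
        1000.0 * s.llc_misses / instr,
    )


def fingerprint_distance(f):
    """Scaled Euclidean distance from the miner centroid."""
    return math.sqrt(sum(((a - b) / sc) ** 2
                         for a, b, sc in zip(f, MINER_CENTROID, FEATURE_SCALE)))


def analyze(samples):
    """Run the pipeline over a trace of windows.

    Returns whether the stage-1 usage threshold ever fired and whether the
    windows that reached stage 2 were, by majority, inside the miner radius.
    """
    busy_run = 0
    stage2_votes = []
    for s in samples:
        usage = s.cycles / WINDOW_CYCLES
        busy_run = busy_run + 1 if usage >= USAGE_THRESHOLD else 0
        if busy_run < SUSTAINED_WINDOWS:
            continue                       # not yet sustained: stage 2 is skipped
        stage2_votes.append(fingerprint_distance(features(s)) <= FINGERPRINT_RADIUS)
    triggered = bool(stage2_votes)
    is_miner = triggered and sum(stage2_votes) * 2 > len(stage2_votes)
    return {"usage_triggered": triggered, "miner_fingerprint": is_miner}


# Constructed traces, five windows each.
# Miner-like: saturated core, IPC 2.4, very few branch or cache misses.
MINER_TRACE = [PmuSample(950_000 + 5_000 * i, 2_280_000 + 12_000 * i, 2_000, 1_000)
               for i in range(5)]
# Compiler-like: just as busy, but branchy and cache-miss heavy, IPC ~1.2.
COMPILE_TRACE = [PmuSample(920_000, 1_100_000, 30_000, 20_000) for _ in range(5)]
# Mostly idle: never crosses the stage-1 usage threshold.
IDLE_TRACE = [PmuSample(100_000, 150_000, 500, 300) for _ in range(5)]


if __name__ == "__main__":
    for name, trace in (("miner", MINER_TRACE), ("compile", COMPILE_TRACE), ("idle", IDLE_TRACE)):
        print(name, analyze(trace))
```

The compile-like trace is the case worth noticing: it is just as CPU-hungry as the miner and does trip the stage-1 threshold, but its high branch and cache miss rates put it far from the centroid, so stage 2 does not flag it. That separation of "busy" from "busy in the way a miner is busy" is what keeps a threshold-only approach from drowning in false positives. On a real Linux host the equivalent counters come from `perf stat` with events such as `cycles`, `instructions`, `branch-misses` and `LLC-load-misses`.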
Microsoft adds that it is also improving detection of side-channel attacks and ransomware.
Intel added an interesting note to its announcement about the collaboration between TDT and Microsoft: “No product or component can be absolutely safe.”
“A real inflection point for the security industry”
Still, Michael Nordquist, senior director of strategic planning and architecture at Intel's Business Client Group, calls it “a real inflection point for the security industry” and for customers running Windows 10.
“Customers who choose Intel vPro with Intel’s Hardware Shield now have full-stack visibility to detect threats right out of the box, with no need for IT configuration,” he explains.
Frank Dickson, vice president of security and trust programs at analyst firm IDC, adds that “the goal is clearly to enable the Intel-based systems of today and tomorrow to be fundamentally more secure and have lower malware infection rates than systems based on AMD, Apple and other ARM processors.”