Microsoft and Intel Team Up to Make it Hard for Crypto Miner Crooks


It’s been a while since we had an entry on the much-buzzed-about topic of cryptocurrency, and it won’t be the last one given how much uncertainty remains about whether cryptocurrencies will ever take on the central role in globally unregulated currency that some people still adamantly insist they will. The amount of actual crypto mining going on out there, and the lengths people will go to in order to get in on the action, suggest there’s still plenty of belief out there.

Whether cryptocurrencies will become a legit option for paying for SaaS or PaaS products is something of interest to any Canadian web hosting provider, and that definitely applies to us here at 4GoodHosting. Some say the real question is whether Bitcoin or any other cryptocurrency can ever be generated in the volume needed to make it a legitimately exchanged currency. But as we said, the effort to ‘obtain’ whatever is out there is definitely being made, and the fact that there’s a criminal element in crypto mining underlines that even more.

A tool is always needed, and for these crypto miner crooks the implement of choice is crypto-jacking malware. It’s like hijacking, except it isn’t planes being intercepted, it’s cryptocurrency.

But the good news is that tech giants are fighting back and making it much more difficult to hijack cryptocurrency from someone who’s been mining it legitimately.

Super Defender

To get right down to it, what Microsoft is doing is integrating Intel Threat Detection Technology (TDT) into Microsoft Defender for Endpoint, and the revamped security product will help protect businesses from crypto-jacking malware. Until now these crypto miners have used only a small fraction of a device’s power, so they often don’t end up on the radar of security teams.

It’s only more recently, as crypto jackers have found ways to mine more effectively and with greater reach, that larger sums have been lost and the problem has become a priority for everyone, even though crypto mining can be difficult to detect. Much of that difficulty has been blamed on slow or sluggish machines with bloated software, as well as inferior threat detection and automated upgrades being performed on them.

But again, this has changed: the rise of crypto jacking and the extent to which it has taken a bite out of people and organizations means decision-makers aren’t ignoring it any more. Add to that the fact that failing to thwart crypto jackers means the cryptocurrency mined on these organizations’ machines goes on to fund criminal gangs or whoever else wants ill-gained funds for whatever they’re aiming to do.

Better Performance

What these two have done extremely well is execute security tasks while keeping it all in-house within a hardware module. There are major performance advantages to this, especially for an identification process based on resource utilization, which is made MUCH faster than it would be with software-based approaches.

There is also no need to deploy additional software that might be full of bugs or come with vulnerabilities of its own. Intel has added a very valuable component at the CPU layer, making it more difficult for crypto jackers to hide their activities. Software solutions would be much more likely to lose the scent, if you know what we mean.

It can identify abnormal behaviour that malware might otherwise pass off as normal activity.

Catching Coin Thieves at the CPU

Intel TDT applies machine learning to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU). This shines a much brighter searchlight on the system, making it more likely that the malware’s code execution and its ‘fingerprint’ are identified at runtime. That is when the malware is most on display and ready to be caught by Defender.

Typical obfuscation techniques will make no difference here, and that holds even when malware hides within virtualized guests, without needing intrusive techniques like code injection or complex hypervisor introspection.

In addition, some of the machine learning is offloaded to Intel’s integrated graphics processing unit (GPU). And because coin miners make heavy use of repeated mathematical operations, when this activity is recorded by the PMU a signal is triggered once a certain usage threshold is reached.

Taken together, these machine learning capabilities make it so that the footprint generated specifically by coin mining activity can be identified and recognized. Defender is unaffected by common antimalware evasion techniques such as binary obfuscation or memory-only payloads.

No-Agent Malware Detection

The integrated TDT solution can also expose coin miners using unprotected virtual machines or other containers as hiding spots. By stopping the virtual machine itself or reporting virtual machine abuse, attacks are prevented AND resources are saved.

This agentless malware detection means the asset can be protected from the attacker without the detector having to be in the same OS.
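The threshold signal described in the previous section and the agentless view of guest VMs described here can both be sketched in code. The block below is an added toy example written for this post, not Intel TDT’s or Microsoft Defender’s own logic: the counter names (`instructions`, `cycles`, `arith_ops`), the entity labels, the 0.6 ratio threshold, the four-window minimum and the jitter limit are all assumptions, and the telemetry is constructed. It groups counter windows by process or by VM, so a host can judge a guest it has no agent in, and it flags only a sustained, steady arithmetic load rather than any single spike.

```python
"""Added toy example: a threshold heuristic over constructed PMU-style
telemetry, in the spirit of the 'repeated maths ops cross a usage threshold'
signal the post describes. Not Intel TDT's or Defender's code; the counter
names and thresholds are this example's own assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class PmuWindow:
    """One sampling window of hardware counters for one monitored entity.

    `entity` is a process id on a host, or a VM name when the counters are
    read by the host for a guest it has no agent in (the agentless case).
    The counter fields stand in for whichever PMU events a real detector
    programs; they are assumptions, not an Intel event list.
    """
    entity: str
    instructions: int  # instructions retired in the window
    cycles: int        # unhalted core cycles in the window
    arith_ops: int     # retired integer/SIMD arithmetic ops (hash-loop work)


def arith_ratio(w: PmuWindow) -> float:
    """Share of retired instructions that were arithmetic ops."""
    return w.arith_ops / w.instructions if w.instructions else 0.0


def longest_run_above(values: list[float], threshold: float) -> tuple[int, int]:
    """Return (start, length) of the longest consecutive run >= threshold."""
    best_start = best_len = 0
    start = None
    for i, v in enumerate(values + [float("-inf")]):  # sentinel closes a trailing run
        if v >= threshold:
            if start is None:
                start = i
        elif start is not None:
            if i - start > best_len:
                best_start, best_len = start, i - start
            start = None
    return best_start, best_len


def assess_entity(entity, windows, ratio_threshold=0.6, min_run=4, max_jitter=0.05):
    """Flag an entity whose arithmetic share stays high AND steady.

    Obfuscation or a memory-only payload changes what sits on disk, not the
    instructions the hardware retires, so only the counters are consulted.
    """
    ratios = [arith_ratio(w) for w in windows]
    start, length = longest_run_above(ratios, ratio_threshold)
    run = ratios[start:start + length]
    jitter = pstdev(run) if len(run) > 1 else 0.0
    return {
        "entity": entity,
        "mean_ratio": round(mean(ratios), 3) if ratios else 0.0,
        "longest_run": length,
        "run_jitter": round(jitter, 3),
        "flagged": length >= min_run and jitter <= max_jitter,
    }


def assess_all(samples, **kw):
    """Group windows per process or VM and assess each one independently."""
    by_entity = defaultdict(list)
    for w in samples:
        by_entity[w.entity].append(w)
    return {e: assess_entity(e, ws, **kw) for e, ws in by_entity.items()}


# Constructed sample telemetry (not captured from any real system).
SAMPLES = [
    # miner-like host process: ~80% arithmetic, window after window
    *[PmuWindow("pid:4242", 1_000_000, 1_250_000, a)
      for a in (800_000, 810_000, 795_000, 805_000, 802_000, 798_000)],
    # browser: bursty, crosses the threshold but never sustains it
    *[PmuWindow("pid:1337", 1_000_000, 2_000_000, a)
      for a in (200_000, 700_000, 100_000, 650_000, 150_000, 300_000)],
    # guest VM seen from the host: high but erratic arithmetic share
    *[PmuWindow("vm:web-01", 1_000_000, 1_500_000, a)
      for a in (620_000, 900_000, 610_000, 850_000, 640_000)],
    # guest VM seen from the host: the steady miner signature again
    *[PmuWindow("vm:build-02", 1_000_000, 1_300_000, a)
      for a in (790_000, 800_000, 805_000, 795_000, 800_000)],
]

if __name__ == "__main__":
    for verdict in assess_all(SAMPLES).values():
        print(verdict)
```

Run it as a script to print one verdict per process or VM. The caveat a practitioner would add: a hand-set ratio like this would also fire on legitimate compute-heavy loops (scientific code, media encoding), which is exactly why the real product trains machine learning on many PMU events and fingerprints mining specifically rather than leaning on a single threshold.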

All of these advances are important, because criminal crypto miners are getting better all the time, so the security measures that limit their effectiveness need to improve in step. One thing that is for sure is that as cryptocurrency values continue to rise, crypto-jacking becomes much more attractive to a whole lot of people.
