Microsoft says Windows Defender saved half a million PCs from crypto-mining malware


According to Microsoft, Windows 10's built-in antivirus software, Windows Defender, protected users against a malware epidemic that struck almost 500,000 PCs this week.

Just before midday on March 6, Windows Defender blocked 80,000 suspected attacks by a new group of trojans. They had never been seen before and weren't yet in Microsoft's threat database, but were identified based on their behaviour, which matched patterns commonly seen in malware. Within the next 12 hours, Defender recorded and thwarted another 400,000 instances.

The trojans were new variants of Dofoil (also known as Smoke Loader) – a type of malware that installs other software on the victim's device. Dofoil has been menacing PC users in various forms since 2011, but the payload keeps changing to keep up with the times. This time, it was a cryptocurrency mining program that would hijack the host's hardware.

How Dofoil spreads

According to McAfee, Dofoil trojans usually arrive in email attachments – often embedded as macros in Microsoft Word documents. There are other routes though; in January, criminals targeted users in Germany looking for a patch for the Spectre and Meltdown bugs by creating a fake information page that appeared to be hosted by the German Federal Office for Information Security. The site appeared to offer a download link for the latest patch, but actually installed a variant of Dofoil.

Antivirus is essential and there are browser extensions that block webpages from loading cryptocurrency mining software, but the best way to protect yourself is caution – don't open attachments in unexpected emails and always check URLs before clicking.

The sheer scale of this attack makes it unusual, but Windows Defender isn't the only antivirus software to use behavioral analysis (also known as zero-hour protection) – it's something you'll find in all the security suites in our roundup of the best antivirus software.