Now Windows 10 can spot cryptojacking malware using up your CPU power

Microsoft Defender for Endpoint can now block cryptocurrency miners using data from Intel CPUs.
Written by Liam Tung, Contributing Writer

Microsoft has teamed up with Intel in a bid to block CPU-draining cryptomining malware by putting Intel Threat Detection Technology (TDT) inside Microsoft Defender for Endpoint, the cloud-based enterprise security service formerly known as Microsoft Defender Advanced Threat Protection.

By exploiting vulnerabilities like Microsoft's recent Exchange Server flaws, opportunistic cybercriminals can leech plenty of computing power to mine cryptocurrency at another's expense. Add to that skyrocketing prices for Bitcoin, Monero, Ethereum and Dogecoin, and attackers have a big incentive to hit powerful enterprise servers.  

The new Microsoft and Intel security feature targets malware that operates at the CPU level, below the operating system where traditional antivirus works. It builds on a previous partnership with Intel to address the rise of in-memory malware.  

SEE: Windows 10 Start menu hacks (TechRepublic Premium)

"Intel TDT applies machine learning to low-level hardware telemetry sourced directly from the CPU performance monitoring unit (PMU) to detect the malware code execution "fingerprint" at runtime with minimal overhead," Microsoft explains in a blogpost

"TDT leverages a rich set of performance profiling events available in Intel SoCs (system-on-a-chip) to monitor and detect malware at their final execution point (the CPU)."  

The TDT on Windows system works with machines equipped with Intel Core 6th Gen and the Intel vPro platform.  

The feature analyses the CPU's PMU telemetry data because coin miners aim to achieve rewards in cryptocurrency by solving mathematical equations that form part of the blockchain, which underpins the cryptocurrency. All this requires CPU resources.

It could be a handy technology because it can monitor for malware code execution at runtime even when the malware is hidden in a virtualized guest.  

"Coin miners make heavy use of repeated mathematical operations and this activity is recorded by the PMU, which triggers a signal when a certain usage threshold is reached," Microsoft explains. 

"The signal is processed by a layer of machine learning which can recognize the footprint generated by the specific activity of coin mining. Since the signal comes exclusively from the utilization of the CPU, caused by execution characteristics of malware, it is unaffected by common antimalware evasion techniques such as binary obfuscation or memory-only payloads."

Microsoft adds that it also improves detection capabilities for side-channel attacks and ransomware. 

Intel added an interesting footnote to its announcement about the TDT collaboration with Microsoft: "No product or component can be absolutely secure."

SEE: Remote work makes cybersecurity a top worry for CEOs

Nonetheless, Michael Nordquist, senior director of strategic planning and architecture in Intel's Business Client Group said it was "a true inflection point for the security industry" and for customers using Windows 10. 

"Customers who choose Intel vPro with the exclusive Intel Hardware Shield now gain full-stack visibility to detect threats out of the box with no need for IT configuration," he said.  

Frank Dickson, program vice president of security and trust at analyst firm IDC, added: "Clearly the goal is to empower Intel-based systems of today and tomorrow to be fundamentally more secure and have lower malware infection rates than AMD, Apple and other ARM-based processor systems."

Editorial standards