deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Beth Levin
2018-08-14 10:16:23 -07:00
parent f454c85372
commit 79d514c324
8 changed files with 47 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/intelligence/coinminer-malware.md
View File

@ -12,7 +12,7 @@ ms.date: 08/01/2018
---
# Coin miners
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as crypto currencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.
Cybercriminals are always looking for new ways to make money. With the rise of digital currencies, also known as cryptocurrencies, criminals see a unique opportunity to infiltrate an organization and secretly mine for coins by reconfiguring malware.
## How coin miners work
@ -40,6 +40,8 @@ The exploit launches a cmdlet that executes a malicious PowerShell script (Troja
## How to protect against coin miners
**Enable PUA detection**: Some coin mining tools are not considered malware but are detected as potentially unwanted applications (PUA). Many applications detected as PUA can negatively impact machine performance and employee productivity. In enterprise environments, you can stop adware, torrent downloaders, and coin mining by enabling PUA detection.
Since coin miners is becoming a popular payload in many different kinds of attacks, see general tips on how to [prevent malware infection](prevent-malware-infection.md).
For more information on coin miners, see the blog post [Invisible resource thieves: The increasing threat of cryptocurrency miners](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/13/invisible-resource-thieves-the-increasing-threat-of-cryptocurrency-miners/).

13
windows/security/intelligence/exploits-malware.md
View File

@ -12,7 +12,7 @@ ms.date: 08/01/2018
---
# Exploits and exploit kits
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your PC. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
Exploits take advantage of vulnerabilities in software. A vulnerability is like a hole in your software that malware can use to get onto your device. Malware exploits these vulnerabilities to bypass your computer's security safeguards to infect your device.
## How exploits and exploit kits work
@ -22,21 +22,24 @@ Exploit kits are more comprehensive tools that contain a collection of exploits.
The most common method used by attackers to distribute exploits and exploit kits is through webpages, but exploits can also arrive in emails. Some websites unknowingly and unwillingly host malicious code and exploits in their ads.
The infographic below shows how an exploit kit might attempt to exploit a PC when a compromised webpage is visited.
The infographic below shows how an exploit kit might attempt to exploit a device when a compromised webpage is visited.
![example of how exploit kits work](./images/ExploitKit.png)
*Example of how exploit kits work*
Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 (also called EternalBlue) to launch malware.
Several notable threats, including Wannacry, exploit the Server Message Block (SMB) vulnerability CVE-2017-0144 to launch malware.
Examples of exploit kits:
Prevalent exploit kits include:
- Angler / [Axpergle](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fAxpergle)
- [Neutrino](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=JS%2fNeutrino)
- [Nuclear](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Exploit:JS/Neclu)
To learn more about exploits, read this blog post on [taking apart a double zero-day sample discovered in joint hunt with ESET.](https://cloudblogs.microsoft.com/microsoftsecure/2018/07/02/taking-apart-a-double-zero-day-sample-discovered-in-joint-hunt-with-eset/)
## How we name exploits
We categorize exploits in our Malware encyclopedia by the "platform" they target. For example, Exploit:Java/CVE-2013-1489.A is an exploit that targets a vulnerability in Java.
@ -48,6 +51,6 @@ You can read more on the [CVE website](https://cve.mitre.org/).
## How to protect against exploits
The best prevention for exploits is to keep your organization's software up-to-date. Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware.
The best prevention for exploits is to keep your organization's [software up to date](https://portal.msrc.microsoft.com/). Software vendors provide updates for many known vulnerabilities and making sure these updates are applied to all devices is an important step to prevent malware.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).

4
windows/security/intelligence/index.md
View File

@ -10,7 +10,7 @@ ms.author: dansimp
author: dansimp
ms.date: 07/01/2018
---
# Understand malware
# Understanding malware & other threats
Malware is a term used to describe malicious applications and code that can cause damage and disrupt normal use of devices. Malware can allow unauthorized access, use system resources, steal passwords, lock you out of your computer and ask for ransom, and more.
@ -28,7 +28,7 @@ There are many types of malware, including:
- [Phishing](phishing.md)
- [Ransomware](ransomware-malware.md)
- [Rootkits](rootkits-malware.md)
- [Supply chain](supply-chain-malware.md)
- [Supply chain attacks](supply-chain-malware.md)
- [Tech support scams](support-scams.md)
- [Trojan Malware](trojans-malware.md)
- [Unwanted software](unwanted-software.md)

36
windows/security/intelligence/macro-malware.md
View File

@ -16,36 +16,28 @@ Macros are a powerful way to automate common tasks in Microsoft Office and can m
## How macro malware works
Macro malware hides in Microsoft Word or Microsoft Excel documents and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more. Examples of filenames include:
Macro malware hides in Microsoft Office files and are delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.
- case number.doc
- e-ticket_79010838.doc
- fax_msg896-599-5459.doc
- invoice_723961.doc
- legal_complaint.doc
- logmein_coupon.doc
- receipt_3458934.doc
Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened.
However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened.
Macro malware was fairly common several years ago because macros ran automatically whenever a document was opened. However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince users to turn on macros so that their malware can run. They do this by showing fake warnings when a malicious document is opened.
We've seen macro malware download threats from the following families:
- [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
- [Ransom:Win32/Teerac](Ransom:Win32/Teerac)
- [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
- [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
- [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
- [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
* [Ransom:MSIL/Swappa](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Ransom:MSIL/Swappa.A)
* [Ransom:Win32/Teerac](Ransom:Win32/Teerac)
* [TrojanDownloader:Win32/Chanitor](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Chanitor.A)
* [TrojanSpy:Win32/Ursnif](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif)
* [Win32/Fynloski](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Fynloski)
* [Worm:Win32/Gamarue](https://www.microsoft.com/wdsi/threats/malware-encyclopedia-description?Name=Win32/Gamarue)
## How to protect against macro malware
- Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros:
- [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents
* Make sure macros are disabled in your Microsoft Office applications. In enterprises, IT admins set the default setting for macros:
* [Enable or disable macros](https://support.office.com/article/Enable-or-disable-macros-in-Office-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12) in Office documents
- Dont open suspicious emails or suspicious attachments.
* Dont open suspicious emails or suspicious attachments.
- Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
* Delete any emails from unknown people or with suspicious content. Spam emails are the main way macro malware spreads.
* Enterprises can prevent macro malware from running executable content using [ASR rules](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction#enable-and-audit-attack-surface-reduction-rules)
For more general tips, see [prevent malware infection](prevent-malware-infection.md).

3
windows/security/intelligence/malware-naming.md
View File

@ -10,7 +10,7 @@ ms.author: ellevin
author: levinec
ms.date: 08/01/2018
---
# Malware Names
# Malware names
We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
@ -166,6 +166,7 @@ Provides extra detail about the malware, including how it is used as part of a m
* .remnants: remnants of a virus
* .worm: worm component of that malware
* !bit: an internal category used to refer to some threats
* !cl: an internal category used to refer to some threats
* !dha: an internal category used to refer to some threats
* !pfn: an internal category used to refer to some threats
* !plock: an internal category used to refer to some threats

6
windows/security/intelligence/prevent-malware-infection.md
View File

@ -22,7 +22,7 @@ You can also browse the many [software and application solutions](https://review
To keep Microsoft software up to date, ensure that [automatic Microsoft Updates](https://support.microsoft.com/help/12373/windows-update-faq) are enabled. Also, upgrade to the latest version of Windows to benefit from a host of built-in security enhancements.
## Watch out for threats in links and attachments
## Be wary of links and attachments
Email and other messaging tools are a few of the most common ways your device can get infected. Attachments or links in messages can open malware directly or can stealthily trigger a download. Some emails will give instructions to allow macros or other executable content designed to make it easier for malware to infect your devices.
@ -30,7 +30,7 @@ Email and other messaging tools are a few of the most common ways your device ca
For more information, see [Phishing](phishing.md).
## Malicious or compromised websites
## Watch out for malicious or compromised websites
By visiting malicious or compromised sites, your PC can get infected with malware automatically or you can get tricked into downloading and installing malware. See [exploits and exploit kits](exploits-malware.md) as an example of how some of these sites can automatically install malware to visiting computers.
@ -44,7 +44,7 @@ To block malicious websites, use a modern web browser like [Microsoft Edge](http
If you encounter an unsafe site, click **More […] > Send feedback** on Microsoft Edge. You can also [report unsafe sites directly to Microsoft](https://www.microsoft.com/wdsi/support/report-unsafe-site).
### Stay away from pirated material
### Pirated material on compromised websites
Using pirated content is not only illegal, it can also expose your PC to malware. Sites that offer pirated software and media are also often used to distribute malware when the site is visited. Sometimes pirated software is bundled with malware and other unwanted software when downloaded, including intrusive browser plugins and adware.

13
windows/security/intelligence/ransomware-malware.md
View File

@ -20,9 +20,9 @@ The trend towards increasingly sophisticated malware behavior, highlighted by th
Most ransomware infections start with:
- Email messages with attachments that try to install ransomware.
* Email messages with attachments that try to install ransomware.
- Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
* Websites hosting [exploit kits](exploits-malware.md) that attempt to use vulnerabilities in web browsers and other software to install ransomware.
Once ransomware infects a device, it starts encrypting files, folders, entire hard drive partitions using encryption algorithms like RSA or RC4.
@ -44,17 +44,18 @@ Ransomware like **Cerber** and **Locky** search for and encrypt specific file ty
**Bad Rabbit** ransomware was discovered attempting to spread across networks using hardcoded usernames and passwords in brute force attacks.
## How to protect against ransomware
Organizations can be targeted specifically by attackers, or they can be caught in the wide net cast by cybercriminal operations. Large organizations are high value targets and attackers can demand bigger ransoms.
We recommend:
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
* Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
- Apply the latest updates to your operating systems and apps.
* Apply the latest updates to your operating systems and apps.
- Educate your employees so they can identify social engineering and spear-phishing attacks.
* Educate your employees so they can identify social engineering and spear-phishing attacks.
* [Controlled folder access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). It can stop ransomware from encrypting files and holding the files for ransom.
For more general tips, see [prevent malware infection](prevent-malware-infection.md).

13
windows/security/intelligence/rootkits-malware.md
View File

@ -24,13 +24,15 @@ Many modern malware families use rootkits to try and avoid detection and removal
* [Alureon](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fAlureon)
* [Sirefef](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
* [Cutwail](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
* [Datrahere](https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/Detrahere) (Zacinlo)
* [Rustock](http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fRustock)
* [Sinowal](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSinowal)
* [Cutwail](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fCutwail)
* [Sirefef](http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32%2fSirefef)
## How to protect against rootkits
@ -46,10 +48,11 @@ For more general tips, see [prevent malware infection](prevent-malware-infection
### What if I think I have a rootkit on my PC?
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your PC, and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment.
Microsoft security software includes a number of technologies designed specifically to remove rootkits. If you think you might have a rootkit on your device and your antimalware software isnt detecting it, you might need an extra tool that lets you boot to a known trusted environment.
In this case, use [Windows Defender Offline](http://windows.microsoft.com/windows/what-is-windows-defender-offline).
Windows Defender Offline is a standalone tool that has the latest anti-malware updates from Microsoft. Its designed to be used on PCs that aren't working correctly due to a possible malware infection.
[Windows Defender Offline](http://windows.microsoft.com/windows/what-is-windows-defender-offline) can be launched from Windows Security Center and has the latest anti-malware updates from Microsoft. Its designed to be used on PCs that aren't working correctly due to a possible malware infection.
[System Guard](https://cloudblogs.microsoft.com/microsoftsecure/2017/10/23/hardening-the-system-and-maintaining-integrity-with-windows-defender-system-guard/) provides in Windows 10 to protect against rootkits and threats that impact system integrity
### What if I cant remove a rootkit?