
Tangling with malware adversaries: A few short war stories

Geoff McDonald

The anti-malware industry is a game of cat and mouse between the attackers who are constantly innovating new malware techniques and us security researchers who try to stop them. In this talk I'll present a few interesting short stories from my time at Windows Defender battling these attackers. First, I'll talk about the discovery of a botnet known as Sefnit that nearly took down the Tor network in 2013, the subsequent investigations that accidentally led to an in-person meeting with one of the malware authors, and how this led to the demise of the botnet. Secondly, I'll talk about battling a stealthy click-fraud malware that was always one step ahead of the AV detection signatures I was authoring to remove it from infected machines.

Windows 10 AMSI script behavior instrumentation with machine learning to block malicious attacks

New features were introduced in Windows 10 and O365 where the commonly abused scripting engine components that execute PowerShell, JavaScript, Visual Basic Script, HTA files, and Office Macros are instrumented to create AMSI calls into security products and to produce event logs. This instrumentation contains dynamically loaded script content, as well as behavior instrumentation logs of the scripts during execution. In this presentation, we will present an example use case of how we use the behavior instrumentation feature combined with machine learning in Windows Defender ATP to protect against attacks in real time by pairing lightweight client behavior models with heavier real-time cloud models. We'll also talk about how some of these AMSI events are logged for you to look at within your enterprise.

Speaker Bio: Geoff McDonald is a machine learning and anti-virus researcher at Windows Defender ATP, specializing in using machine learning to protect our customers from malware. He has a passion for machine learning, reverse-engineering, programming tools for reverse-engineering and vulnerability fuzzing, and foosball. You can find some of his tools and hobby projects on his personal website, http://www.split-code.com, or on GitHub at https://github.com/glmcdona.