
Microsoft says a 'trio of threats' infected Windows users with malware in 2013

Rotbrow, Brantall and Sefnit worked together to coordinate attacks
Thu May 08 2014, 13:12

MICROSOFT HAS REVEALED that a 'trio of threats' worked together to infect Windows users with malware in the third and fourth quarters of 2013.

Detailed in the company's Security Intelligence Report (MSIR): Volume 16 from its Trustworthy Computing division, Microsoft said the three threats known as Rotbrow, Brantall and Sefnit worked together to coordinate malware attacks.

Initially distributed through peer-to-peer (P2P) filesharing networks and disguised as a legitimate program, Sefnit is a bot that allows a remote attacker to perform various activities.

Microsoft's report said that in the past, Sefnit has been bundled with other software and used to perform a number of tasks designed to make money for the attacker, including click fraud, Bitcoin mining and redirecting search results.

However, the click hijacking component was removed from newer versions of Sefnit in 2011, and was believed to no longer be very active in the wild. But in mid-2013, Microsoft researchers discovered a new version of Sefnit that used a different mechanism to commit click fraud.

"The new click fraud component is structured as a proxy service, allowing attackers to use a botnet of Sefnit-hosted proxies to relay HTTP traffic that issues illegitimate 'clicks' for online advertisements," the report said. "Because the new component operates in the background and involves no user interaction, new Sefnit variants that used the component managed to evade detection by anti-malware researchers for a time."

As a result, Sefnit became the third most commonly encountered malware family worldwide in the third quarter last year and the eighth most commonly encountered in the fourth quarter.

To work successfully, the Sefnit distribution that began in 2013 relies heavily on a pair of other malware families called Rotbrow and Brantall.

Rotbrow is a program that claims to protect the computer from browser add-ons, but actually installs more browser add-ons. It acts as an installer for various legitimate programs, installs itself as a service, and installs both the advertised legitimate program and additional bundled applications.

"Both families have been observed directly installing Sefnit," Microsoft explained. "Rotbrow presents itself as a browser add-on called 'Browser Protector' [which we] have been aware of since 2011, but it had never displayed malicious behaviour until its association with Sefnit in 2013."

Researchers discovered that some versions of the Browser Protector process, called Bitguard.exe, would drop an installer for a harmless program called File Scout, and also secretly install Sefnit at the same time.

Rotbrow and Brantall were among the top 10 threats detected in nine countries, including the US, the UK and several in Europe, in the fourth quarter of last year.

Microsoft said Sefnit was among the top 10 families detected in seven countries: the UK, US, Canada, Germany, France, Japan, and Italy.

Microsoft said it added detection signatures labelled "Rotbrow" to Microsoft real-time security products in December 2013 to help combat the spread of Sefnit for susceptible versions of Browser Protector.

Speaking to The INQUIRER, MMPC senior programme manager Holly Stewart said older versions of Brantall and Rotbrow that were seen to download malware are still present, although in much lower levels than in the fourth quarter of 2013.

"That said, the update functionality in these and most downloaders allows them to download other programs dynamically," Stewart said. "If download and bundler programs exhibit behaviour that meets our detection criteria in the future, the Microsoft Malware Protection Center will release protection to help keep customers safe from fraudulent activity."

Microsoft's MSIR also said that a malware family called Reveton was "the most commonly encountered ransomware" worldwide in the second half of 2013.

"Reveton displays behaviour that is typical of many ransomware families: it locks computers, displays a webpage that covers the entire desktop of the infected computer, and demands that the user pay a fine for the supposed possession of illicit material," the Redmond firm explained.

"The webpage that is displayed and the identity of the law enforcement agency that is allegedly responsible for it are often customized, based on the user's current location."

Overall, both the worldwide infection rate and encounter rate increased from the third quarter to the fourth quarter in 2013, "but the magnitudes of the two increases were radically different," Microsoft said.

"The rise in the encounter rate was in line with the trend seen in previous quarters, but the infection rate increased by a threefold increase, and the largest quarter-to-quarter infection rate increase ever measured by [Microsoft's] Malicious Software Removal Tool (MSRT)."

Microsoft also noted in the report that cyber criminals are increasingly using more "deceptive tactics" to circumvent the protections that the firm has built into its software over the past few years.
