Microsoft reveals 'trio of threats' that plagued Windows users in Q4

The Sefnit malware was often delivered through two deceptive programs that installed threats.

Saboteurs spreading Sefnit – malware typically used to further click fraud campaigns – often relied on two deceptive programs last year to accomplish their goals.

On Wednesday, Microsoft warned that the “trio of threats” heavily targeted Windows users around the globe, specifically in Q4 2013. The tech giant published the findings in its 152-page “Microsoft Security Intelligence Report (MSIR): Volume 16” (PDF).

Through its investigations, Microsoft found that Sefnit was distributed via software, detected by the firm as “Rotbrow” and “Brantall” – programs often thought to be “harmless,” the report said.

Rotbrow, for instance, is presented to users as a browser add-on called “Browser Protector” or “Browser Defender”; while it sometimes installs legitimate programs, it installs Sefnit along with them. Similarly, Brantall often installs the advertised programs, with the addition of an unpleasant surprise.

“Brantall acts as an installer for various legitimate programs, installs itself as a service in some cases, and installs both the advertised legitimate program and additional bundled applications,” the report said. “Both families [Rotbrow and Brantall] have been observed directly installing Sefnit.”

As part of their money-making schemes, miscreants used Sefnit last year to hijack victims' clicks, redirecting users to advertisements. In addition to performing click fraud, the Sefnit bot also allows remote attackers to carry out other activities, such as Bitcoin mining, Microsoft said.

Across nine countries, including the U.S., UK and Canada, Rotbrow and Brantall were among the top 10 threats detected on computers in Q4 of last year. Sefnit was among the top 10 families detected in seven countries: the United States, Germany, Japan, UK, France, Canada and Italy.

In the report, Microsoft defined a “threat” as any malware family or variant detected by the Microsoft Malware Protection Engine – even if the threat is not typically considered a family according to industry practices.

For example, many security vendors did not flag or remove Rotbrow, otherwise known as the Browser Protector software, as it had existed since at least 2011 and had not initially caused concern.

“Microsoft has been aware of this program [Rotbrow] since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the report said.
