Microsoft reveals 'trio of threats' that plagued Windows users in Q4

The Sefnit malware was often delivered through two deceptive programs that installed threats.

Saboteurs spreading Sefnit – malware typically used to further click fraud campaigns – often relied on two deceptive programs last year to accomplish their goals.

On Wednesday, Microsoft warned that the “trio of threats” heavily targeted Windows users around the globe, specifically in Q4 2013. The tech giant published the findings in its 152-page “Microsoft Security Intelligence Report (MSIR): Volume 16” (PDF).

Through its investigations, Microsoft found that Sefnit was distributed via software, detected by the firm as “Rotbrow” and “Brantall” – programs often thought to be “harmless,” the report said.

Rotbrow, for instance, is presented to users as a browser add-on called “Browser Protector” or “Browser Defender”; while it sometimes installs legitimate programs, it installs Sefnit along with them. Similarly, Brantall often installs the advertised programs, with the addition of an unpleasant surprise.

“Brantall acts as an installer for various legitimate programs, installs itself as a service in some cases, and installs both the advertised legitimate program and additional bundled applications,” the report said. “Both families [Rotbrow and Brantall] have been observed directly installing Sefnit.”

As part of their money-making schemes, miscreants used Sefnit last year to hijack victims' clicks so that users are redirected to advertisements. In addition to performing click fraud, the Sefnit bot also allows remote attackers to carry out other activities, like Bitcoin mining, Microsoft said.

In nine countries, including the U.S., UK and Canada, Rotbrow and Brantall were among the top 10 threats detected on computers in Q4 of last year. Sefnit was among the top 10 families detected in seven countries: the United States, Germany, Japan, UK, France, Canada and Italy.

In the report, Microsoft defined a “threat” as any malware family or variant detected by the Microsoft Malware Protection Engine – even if the threat is not typically considered a family according to industry practices.

For example, many security vendors did not flag or remove Rotbrow, otherwise known as Browser Protector software, as it has existed since at least 2011 and hadn't initially caused concern.

“Microsoft has been aware of this program [Rotbrow] since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the report said.
