Microsoft reveals 'trio of threats' that plagued Windows users in Q4

The Sefnit malware was often delivered through two deceptive programs that installed threats.

Saboteurs spreading Sefnit – malware typically used to further click fraud campaigns – often relied on two deceptive programs last year to accomplish their goals.

On Wednesday, Microsoft warned that the “trio of threats” heavily targeted Windows users around the globe, specifically in Q4 2013. The tech giant published the findings in its 152-page “Microsoft Security Intelligence Report (MSIR): Volume 16” (PDF).

Through its investigations, Microsoft found that Sefnit was distributed via software, detected by the firm as “Rotbrow” and “Brantall” – programs often thought to be “harmless,” the report said.

Rotbrow, for instance, is presented to users as a browser add-on called “Browser Protector” or “Browser Defender”; it sometimes installs legitimate programs, but installs Sefnit along with them. Similarly, Brantall often installs the programs it advertises, with the addition of an unpleasant surprise.

“Brantall acts as an installer for various legitimate programs, installs itself as a service in some cases, and installs both the advertised legitimate program and additional bundled applications,” the report said. “Both families [Rotbrow and Brantall] have been observed directly installing Sefnit.”

As part of their money-making schemes, miscreants used Sefnit last year to hijack victims' clicks so that users are redirected to advertisements. In addition to performing click fraud, the Sefnit bot also allows remote attackers to carry out other activities, such as Bitcoin mining, Microsoft said.

In nine countries, including the U.S., UK and Canada, Rotbrow and Brantall were among the top 10 threats detected on computers in Q4 of last year. Sefnit was among the top 10 families detected in seven countries: the United States, Germany, Japan, UK, France, Canada and Italy.

In the report, Microsoft defined a “threat” as any malware family or variant detected by the Microsoft Malware Protection Engine – even if the threat is not typically considered a family according to industry practices.

For example, many security vendors did not flag or remove Rotbrow, otherwise known as Browser Protector software, because it had existed since at least 2011 without initially causing concern.

“Microsoft has been aware of this program [Rotbrow] since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the report said.
