Saboteurs spreading Sefnit – malware typically used to further click fraud campaigns – often relied on two deceptive programs last year to accomplish their goals.
On Wednesday, Microsoft warned that the “trio of threats” heavily targeted Windows users around the globe, specifically in Q4 2013. The tech giant published the findings in its 152-page “Microsoft Security Intelligence Report (MSIR): Volume 16” (PDF).
Rotbrow, for instance, is presented to users as a browser add-on called “Browser Protector” or “Browser Defender,” even though it sometimes installs legitimate programs, along with Sefnit. Similarly, Brantall, often installs advertised programs, with the addition of an unpleasant surprise.
“Brantall acts as an installer for various legitimate programs, installs itself as a service in some cases, and installs both the advertised legitimate program and additional bundled applications,” the report said. “Both families [Rotbrow and Brantall] have been observed directly installing Sefnit.”
As part of their money-making schemes, miscreants used Sefnit last year to hijack victims' clicks, so users are redirected to advertisements. In addition to performing click fraud, the Sefnit bot also allows remote attackers to carry out other activities, like Bitcoin mining, Microsoft said.
Throughout nine countries, including the U.S., UK and Canada, Rotbrow and Brantall were among the top 10 threats detected by computers in Q4 of last year. Sefnit was among the top 10 families detected in seven countries: the United States, Germany, Japan, UK, France, Canada and Italy.
In the report, Microsoft defined a "threat” as any malware family or variant detected by the Microsoft Malware Protection Engine – even if the threat is not typically considered a family according to industry practices.
For example, many security vendors did not flag or remove Rotbrow, otherwise known as Browser Protector software, as it has existed since at least 2011 and hadn't initially caused concern.
“Microsoft has been aware of this program [Rotbrow] since 2011, but it had never displayed malicious behavior until its association with Sefnit was discovered in 2013,” the report said.