Microsoft Reveals Details About “Rotbrow” Malware Infection Rate
Microsoft released its Security Intelligence Report (SIR) this past Wednesday, a document it publishes twice a year. According to news site PC World, the latest edition contains a host of details concerning the late-2013 malware “Rotbrow” and the drastic increase in the number of computers infected with the malicious program.
PC World quotes Tim Rains, the director of Microsoft’s Trustworthy Computing division, as saying that, on average, only 5.8 computers out of 1,000 were infected with malware during the third quarter of 2013. This number spiked to approximately 17 computers out of 1,000 during the fourth quarter – “the largest quarter-to-quarter infection rate increase ever measured by the [Microsoft Malicious Software Removal Tool],” says Microsoft's report – and officials largely blame that increase on a trio of programs: Sefnit, Rotbrow, and Brantall.
Most notably, the Rotbrow trojan was reportedly not considered immediately dangerous. Security providers classified it as a “dropper” and knew that it was capable of downloading and installing additional software onto users' computers. When it was first found in the wild, however, it was not downloading malware, so security programs were not red-flagging it.
Once Microsoft found out that it was downloading malicious browser extensions, it alerted security companies which then added the trojan to their blacklists. In its recent SIR, Microsoft reveals that the malware had been around since 2011 and that it never caused such serious problems until the final quarter of 2013.
“Rotbrow presented itself as a browser add-on called 'Browser Protector'”, the company says in its report.
“Researchers discovered that some versions of the Browser Protector process, called BitGuard.exe, drop an installer for a harmless program called File Scout, and also secretly install Sefnit at the same time,” it continues.
Sefnit, a bot that allows remote attackers to use infected hosts for click fraud, Bitcoin mining, and search redirection, had existed since 2010 and was used by attackers to make money. In 2013, the program began to behave somewhat differently than it had in the past: it started using a proxy service that relayed its HTTP traffic. In December 2013, Microsoft added “Rotbrow” signatures to its MSRT to detect the program and to combat the proliferation of Sefnit, which had been added to the MSRT signature database in January 2012.
Image courtesy of Adam Caudill via Flickr