Microsoft calls out malicious downloaders

Microsoft is putting makers of downloader software on notice when it sees that their products are being used to infect PCs, and it is telling anti-virus vendors that perhaps these downloader programs ought to be tagged as malware.

In its latest Security Intelligence Report the company notes that the use of formerly benign downloaders has increasingly become a means to infect computers with malware, particularly click-fraud programs and ransomware in which attackers extort cash from victims in return for restoring their machines to a functional state.


As part of its industry collaboration, Microsoft shares the data it gathers from its customers about infections with relevant parties. In this case it tells the downloader makers in hopes they can restrict use of their products to legitimate purposes.

It tells anti-malware vendors so they are aware that certain downloaders represent a threat and should be removed from machines protected by their products, says Holly Stewart, a senior program manager in Microsoft's Malware Protection Center.

A downloader called Rotbrow was the one most often used to facilitate malicious behavior during the last half of 2013, most commonly by downloading a click-fraud app called Sefnit. Before that, Rotbrow didn't register at all as a tool used by attackers, Stewart says.

Typically the downloaders are bundled with useful freeware such as software to unzip files. The downloaders could be used legitimately to download updates to the unzip programs, or to download malware, Stewart says.

The dominant types of malware Microsoft observed being downloaded in this way during the last half of 2013 were Bitcoin miners and click-fraud programs.

Bitcoin miners run in the background on infected computers, consuming CPU or GPU time to process and confirm Bitcoin transactions in exchange for newly earned Bitcoins; the attacker collects the Bitcoins earned by the infected machines. Click-fraud programs force the infected computer's browser to automatically click on advertisements that pay the fraudster for each click logged. In both cases the most visible symptom of infection is reduced performance of the machine involved.

Microsoft also observed the proliferation of ransomware, with a family called Reveton leading the pack and showing a 45% increase in use during the last half of 2013, Stewart says. The rate at which ransomware had to be cleaned from Windows PCs roughly tripled over the same period, according to the Security Intelligence Report.

Microsoft measures malware prevalence as the number of computers cleaned per 1,000 computers that run Microsoft's Malicious Software Removal Tool. For ransomware as a whole, that figure rose from 5.6 to 17.8 between the third and fourth quarters of 2013, Stewart says.

Ransomware attackers target particular regions with particular ransomware platforms, she says. For example, the one called Crilock is aimed mainly at computers in the U.S. and U.K. while Reveton aims at the likes of Spain, Belgium, Portugal, Hungary and Austria.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter @Tim_Greene.
