Microsoft calls out malicious downloaders

Microsoft is putting makers of downloader software on notice when it sees that their products are being used to infect PCs, and it is telling anti-virus vendors that perhaps these downloader programs ought to be tagged as malware.

In its latest Security Intelligence Report the company notes that the use of formerly benign downloaders has increasingly become a means to infect computers with malware, particularly click-fraud programs and ransomware in which attackers extort cash from victims in return for restoring their machines to a functional state.

+ Also on Network World: Internet Explorer security fault forces Microsoft to save Windows XP one more time | 9 must-do's if you must stick with Windows XP +

As part of its industry collaboration, Microsoft shares the data it gathers from its customers about infections with relevant parties. In this case it tells the downloader makers in hopes they can restrict use of their products to legitimate purposes.

It tells anti-malware vendors so they are aware that certain downloaders represent a threat and should be removed from machines protected by their products, says Holly Stewart, a senior program manager in Microsoft's Malware Protection Center.

A downloader called Rotbrow was the one most often used to facilitate malicious behavior during the last half of 2013, most commonly by downloading a click-fraud app called Sefnit. Before that Rotbrow didn't register at all as a tool use by attackers, Stewart says.

Typically the downloaders are bundled with useful freeware such as software to unzip files. The downloaders could be used legitimately to download updates to the unzip programs, or to download malware, Stewart says.

The dominant types of malware Microsoft observed being downloaded in this way during the last half of 2013 were BitCoin miners and click-fraud programs.

Bitcoin miners run in the background of infected computers to confirm and process Bitcoin transactions in exchange for earning Bitcoins. The attacker reaps the Bitcoins earned by the infected machines. Click fraud forces the infected computer's browser to automatically click on advertisements that earn cash for each click logged. In both cases symptoms of the infections can reduce performance of the machine involved.

Microsoft also observed the proliferation of ransomware, with one called Reveton leading the pack and enjoying a 45% increase in use during the last half of 2013, Stewart says. The need to disinfect Microsoft computers of ransomware tripled during the same time period, according to the Security Intelligence Report.

Microsoft measures prevalence of malware by counting the number of computers cleaned per 1,000 computers that are executing Microsoft's Malicious Software Removal Tool. For ransomware in general, that count rose from 5.6 to 17.8 between the third and fourth quarters of last year, Stewart says.

Ransomware attackers target particular regions with particular ransomware platforms, she says. For example, the one called Crilock is aimed mainly at computers in the U.S. and U.K. while Reveton aims at the likes of Spain, Belgium, Portugal, Hungary and Austria.

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at and follow him on Twitter@Tim_Greene.

Read more about wide area network in Network World's Wide Area Network section.

Tags Microsoftintelanti-malwareMicrosoft security malicious downloadersMicrosoft downloader malwareMicrosoft Security Intelligence report ransomwareMicrosoft security downloader

Show Comments