PC health – Part 1: Information stealing malware


When we were building Windows 8, MMPC partnered with several teams in Microsoft to start the PC Health program. The PC Health program has two goals:

  • To inform and guide customers on additional actions to take when malware might have put their information at risk
  • To monitor the health of PCs running our antimalware products and initiate remediation as required

We’ll discuss the PC Health program in this two-part blog. Part 1 focuses on the first goal: informing and guiding our customers to take additional action when malware might have put their information at risk.

Information stealing malware

Background and Landscape

During 2013, nearly 24 million machines running Microsoft security products encountered information-stealing malware. We estimate that these threats stole user names and passwords, developer code-signing keys, and other data from 4.86M machines. This includes malware that ran, but may not have stolen any data.


Figure 1: Monthly count of machines with an active information-stealing malware infection. Families include Gamarue, Dorkbot, Zbot, Banker, Bancos, and Fareit.

What can we do to better protect these customers?

First, as part of our malware research and automation, we continue to reduce the malware time-to-live; that is, we aim to reduce the time between when malware is released into the wild and when we start detecting it. However, it is also important to inform and appropriately guide our customers to take action and mitigate the impact of information-stealing malware.

Inform and guide: mitigating the impact of information-stealing malware

Since 2012 and the release of Windows 8, if you’re running Microsoft Security Essentials or Windows Defender and information-stealing malware gets onto your machine, you might see a message similar to this in Windows Action Center:


Figure 2: Windows Action Center message if your machine gets infected by Zbot


We know from our research that, for example, Zbot is a malware family known to target user credentials for online banking websites. The message above appears after your Microsoft antivirus product has detected and removed the threat. It then takes recovery one step further: it advises you to change your passwords for the websites that the threat is known to target.

In 2013, a message like this was seen by more than 260,000 users within six months.

If you are running System Center Endpoint Protection or Windows Intune, we communicate this information through the event log channel. The administrator can use the information in the event log to determine if the malware ran on the machine. If the malware did run, the event log also contains a link to a description of the threat in our malware encyclopedia. From there, the admin can assess and take action if the malware exhibits information-stealing behavior.

What do our customers think about this approach?

To determine if customers found this valuable, we monitored user feedback about the Windows Action Center notifications for three months. We received more than three thousand reviews with a 90 percent satisfaction rate.

Further investments


With the release of Windows 8, your Microsoft account can be used as the primary login across your Windows devices and services (such as OneDrive and Hotmail). To better secure your Microsoft account, we provide the Microsoft Accounts team with PC Health information that includes information-stealing malware encounters.

Deepak Manohar and Ina Ragragio
MMPC


Comments (6)

  1. DonAWolf says:

    @Angel Which AVs stop zero-day malware and viruses?

  2. Robert Scroggins says:

    From my experience in developing malware signatures for another AV company, I would like to ask what you are doing about heuristic detection of new malware? This should be an objective before you obtain malware samples and develop/test/distribute a signature. I know from my work that your AV products are primarily based upon either exact signatures, generic signatures, or probably a bit of both. However, if you would apply some simple hard-coded heuristics–PE metadata, detection of double extensions, inconsistent properties detail, etc., you could detect new malware much faster, more often, and provide better detection for your users with a minimum of complicated coding.

    Regards,

  3. Matthew Myhra says:

    I tend to agree with Robert. In the instances where a complex threat sandboxes itself from basic detection at the logical level, a scan which makes very distinct analysis methods could benefit the user by addressing common tactics that are outside the scope of signature based confirmation, add that to your diverse repository of threats and there is likely value added.

  4. Angel says:

    That's the problem with Microsoft's anti-malware programs: they depend too much on signatures and not on building some kind of behavior blocker or heuristic detection. Almost all antivirus products these days have some sort of zero-day protection except Microsoft. And it's very disappointing knowing that most threats today are zero-day.

  5. marcela says:

    I have received an email that uses the Microsoft Windows signature and an image of Bill Gates, promoting a lottery.
    How can I tell if it is malware? Where can I forward that email so that something is done if it is not official from Windows?

  6. walter says:

    I am 73 years old. I have Norton through Comcast and Defender. So many pop-ups that I can't read my newspapers. I am terrorized by companies offering to fix the computer problems they are causing. Can someone please help? Many people I know who use Microsoft are in the same situation. Mr Gates needs to come back and take care of business or there will be an Apple in every house. Thank you