The Microsoft Malware Protection Center (MMPC) helps to keep Windows customers in control of their computing experience, information, and privacy. We use objective criteria to help protect customers against malware and unwanted software. This means helping to protect you against monitoring software that maliciously collects and provides unauthorized access to your private data.
We are aware of social engineering campaigns that target users in Eastern Europe and Brazil using monitoring software. The technique that we have observed involves both:
- Concealing monitoring tools inside application or games available for download from file-sharing websites.
- Collecting private data using email accounts or ftp servers, once the bundled application has been opened.
Here are few examples of the files crafted as part of these campaigns:
|Icon||Hostile file||Blocks||Web host|
|||Op7 Trainer FREE v3.0.exe||3,647||mega.co.nz|
|||UGG Public 1.2.exe||3,464||rghost.net|
Figure 1: Some examples of game downloads containing monitoring software that are available from file-sharing websites
An unsuspecting user could download and run what seems to be a clean program, not knowing that in the background their privacy is being compromised.
Figure 2: We have seen Winbood_pokertable.exe used to trick users into installing a preconfigured hidden threat such as Win32/Ardamax
The malicious actors behind these threats use common email providers to retrieve private data from users. We are working with our partners to remove the hosted files and close their email accounts.
During the past month we have seen these monitoring tools impacting mostly Brazil, US and Russia, with 27% of all monitoring tool detections.
Figure 3: Monitoring tool detections by country
Using legitimate monitoring software
Monitoring software can be used for legitimate purposes, such as protecting your family’s safety or your enterprise data, as long as you know it is there.
It is the awareness of being monitored that ultimately gives the user the ability to express themselves selectively, and disengage from special or sensitive actions. A good example of implementing user notification when being monitored is the Activity Reports feature of the Windows Family Safety feature. Our objective criteria has more information about how we classify malware and unwanted software. If you trust software that has been detected by a Microsoft security product, you can add it to your allowed list.
Figure 4: Windows Family Safety feature prompts
Developers of parental control or employee monitoring software can minimize the risk of having their products abused by considering the following recommendations:
- Inform users that they are being monitored through clear messaging or notifications.
- Restrict the use of silent deployment or remote installation to system administrators.
- Design a user license agreement in accordance with the local, state, or federal regulations (for example, when the monitoring software is used on computers that are considered to be for public use, or where the owner of the computer did not agree with the terms and agreement).
As always, we urge Windows users to be vigilant against malware:
- Exercise caution when opening emails or social media messages from unknown users.
- Be wary about downloading software from websites other than the program developers.
- Run an antivirus software regularly.
If you’re using Windows 8 or later versions, Windows Defender is built-in. If you’re running an older operating system, you can install Microsoft Security Essentials.
Additional resources for software developers can be found on our Malware Protection Center.