Monitoring tools: user notification required


The Microsoft Malware Protection Center (MMPC) helps to keep Windows customers in control of their computing experience, information, and privacy. We use objective criteria to help protect customers against malware and unwanted software. This means helping to protect you against monitoring software that maliciously collects and provides unauthorized access to your private data.

We are aware of social engineering campaigns that target users in Eastern Europe and Brazil using monitoring software. The technique that we have observed involves both:

  1. Concealing monitoring tools inside applications or games offered for download on file-sharing websites.
  2. Exfiltrating the collected private data through email accounts or FTP servers once the bundled application has been opened.

Here are a few examples of the files crafted as part of these campaigns:

Icon               Hostile file                          Blocks   Web host
Grand Theft Auto   GTA_SanAndreas_5_Baku_Style.exe       43,619   share.az
KMS                KMSpico setup1.exe                    20,267   mediafire.com
Pokemon            Pokemon online.exe                       263   multiupload.biz
OP7                Op7 Trainer FREE v3.0.exe              3,647   mega.co.nz
UGG                UGG Public 1.2.exe                     3,464   rghost.net
Card               Winbood_pokertable.exe                   358   4shared.com


Figure 1: Some examples of game downloads containing monitoring software that are available from file-sharing websites

An unsuspecting user could download and run what seems to be a clean program, not knowing that in the background their privacy is being compromised.

Figure 2: We have seen Winbood_pokertable.exe used to trick users into installing a preconfigured hidden threat such as Win32/Ardamax

The malicious actors behind these threats use common email providers to retrieve private data from users. We are working with our partners to remove the hosted files and close their email accounts.

During the past month, these monitoring tools have mostly affected Brazil, the US, and Russia, with 27% of all monitoring tool detections.

Figure 3: Monitoring tool detections by country

Using legitimate monitoring software

Monitoring software can be used for legitimate purposes, such as protecting your family's safety or your enterprise data, as long as the person being monitored knows it is there.

It is the awareness of being monitored that ultimately gives users the ability to express themselves selectively and to disengage from special or sensitive actions. A good example of user notification for monitoring is the Activity Reports feature of Windows Family Safety. Our objective criteria have more information about how we classify malware and unwanted software. If you trust software that has been detected by a Microsoft security product, you can add it to your allowed list.

Figure 4: Windows Family Safety feature prompts

Developers of parental control or employee monitoring software can minimize the risk of having their products abused by considering the following recommendations:

  1. Inform users that they are being monitored through clear messaging or notifications.
  2. Restrict silent deployment or remote installation to system administrators.
  3. Design the user license agreement in accordance with local, state, or federal regulations (for example, when the monitoring software is used on computers considered to be for public use, or where the owner of the computer did not agree to the terms of the agreement).
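As an added illustration of recommendations 1 and 2 (this is example code written for this page, not code from the original post or from any monitoring product), the following installer gate for Windows refuses a silent install unless the caller is a member of the local Administrators group, shows a consent dialog for interactive installs, and records the installation in the Application event log so that the presence of the software is discoverable afterwards. The `-Silent` switch, the `MonitoringAgent` event source name, the event ID and the dialog text are assumptions.

```powershell
# Added example: an install gate that implements "inform the user" and
# "restrict silent deployment to administrators". Names are assumptions.
[CmdletBinding()]
param(
    [switch]$Silent   # assumed switch: deploy without an interactive prompt
)

# True when the current token holds the built-in Administrator role.
function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Interactive consent: the user sees what is installed and can refuse.
function Show-MonitoringNotice {
    Add-Type -AssemblyName System.Windows.Forms
    $text = "This computer will run monitoring software that records your activity. Continue installing?"
    $result = [System.Windows.Forms.MessageBox]::Show(
        $text, "Monitoring software",
        [System.Windows.Forms.MessageBoxButtons]::YesNo,
        [System.Windows.Forms.MessageBoxIcon]::Warning)
    return ($result -eq [System.Windows.Forms.DialogResult]::Yes)
}

# Leave an audit trail in the Application log. Registering the event source
# the first time requires administrative rights, so failure is reported
# rather than hidden.
function Write-MonitoringAuditEvent {
    param([string]$Message)
    $source = 'MonitoringAgent'   # assumed event source name
    try {
        if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
            New-EventLog -LogName Application -Source $source
        }
        Write-EventLog -LogName Application -Source $source `
            -EntryType Information -EventId 1000 -Message $Message
    } catch {
        Write-Warning "Could not write audit event: $($_.Exception.Message)"
    }
}

if ($Silent) {
    # Recommendation 2: silent deployment only for administrators.
    if (-not (Test-IsAdministrator)) {
        Write-Error "Silent installation is restricted to administrators."
        exit 1
    }
    Write-MonitoringAuditEvent "Monitoring software installed silently by $env:USERNAME."
} else {
    # Recommendation 1: the user is told and must agree.
    if (-not (Show-MonitoringNotice)) {
        Write-Host "Installation cancelled by the user."
        exit 2
    }
    Write-MonitoringAuditEvent "Monitoring software installed with consent of $env:USERNAME."
}
# The product's actual installation steps would follow here.
```

Run as `.\install.ps1` for an interactive install or `.\install.ps1 -Silent` from an elevated administrative session; a non-administrator passing `-Silent` gets a non-zero exit code and nothing is installed. The event log entry is what distinguishes a transparent deployment from the hidden, preconfigured installs described above: a later reviewer can find it without the software cooperating.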

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary of downloading software from websites other than the program developer's.
  • Run antivirus software regularly.

If you’re using Windows 8 or later versions, Windows Defender is built-in. If you’re running an older operating system, you can install Microsoft Security Essentials.

Additional resources for software developers can be found on our Malware Protection Center.

MMPC
Mihai Calota


Comments (9)

  1. adwbust says:

    Well done and well said. You guys are gradually tackling and taking a stand against the gray zone: first adware, now spy/monitor/logger tools. I do agree that people being monitored should know they are being monitored. You do it to discourage and not for pervasive/voyeuristic reasons. Sometimes there's such a thing as knowing too much. Transparency is the way to go.

    Are MSE's exclusion features (or the settings tab in general) accessible under an unprivileged/limited user account? Hopefully not. Add an option for this under Settings tab > Advanced? Maybe just add an option to password-protect access to the settings tab in the event a child/elderly person needs to use the computer under an admin account?

  2. adwbust says:

    Just to clarify, I believe MMPC only detected loggers bundled with malware in the past. With the new criteria, do you detect loggers regardless of whether they're commercial, bundled or individual, as long as they match a static or proactive rule? A parent or IT admin can add it to exclusions anyway. Am I correct? Mihai, can you confirm please?

  3. adwbust says:

    Another question: does MMPC detect and remove malware funded/made by governments or government-related orgs? There seem to be a lot popping up lately and MMPC is quiet about it.

    http://www.wired.com/2015/02/nsa-firmware-hacking/
    http://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/

  4. adwbust says:

    Another detection criterion for SoftwareBundler would be a missing or vague/confusing/misleading option to opt out, leading to sneaky installs of unwanted baggage. Does MSE detect Epic Scale or the Litecoin miner? The user needs to know of such a program's presence on his system! If he agrees to having such a program installed, then he can just allow it from MSE's alert/prompt. Simple.

  5. adwbust says:

    Another issue arises. The setup may include an option to opt out, helpful for those who install over or first-time installers. But what if the built-in updater does a silent install of the update with the bundle without asking the user? That clearly should be flagged. That's a new trick to sneakily install a sponsor.

  6. star says:

    Very good idea, very good way…

  7. why me says:

    I was new to being online in 2013 and noticed my Android was doing its own thing since then, on my 7th cell, and no matter what I do to eliminate the problem it overcomes it, but I am very familiar with fake pages, redirects, and the monitoring. For sure you're right about the misuse of monitoring tools that have stolen my email, which I also looked up, as it is under another user or hacker; as I try to recover my email my Android goes haywire and blocks me from the recover-email site. Thinking I could use a different cell phone or a public library computer, it does the same thing. No matter where I try to get online it's there before I even log any info pertaining to me.
    Desperately in need of professional help!

  8. adwbust says:

    A month later, nothing has changed. MSE doesn't even detect the updated keystroke spy. SHA256 is "11b4c474f32289e48b35044d3cf095be43587016eca779370b8faf4063920375". It's a logger that is easily accessible and abused. MMPC, I don't see the commitment. No, I don't want to submit samples anymore. It just makes me feel bad. The submitted samples don't even get analysed. I don't even hear back from anyone; no one gets in touch. What even is the use of submitting?

  9. adwbust says:

    This page “https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx” has no Provide feedback button at bottom. I want to express my opinion on detection of monitoring programs.

    I believe that children and employees should be informed of the presence of such software, but removal should be up to the parents and employers respectively. MSE should be neutral and still inform/warn about monitor "tools", but the removal option should only be available to an admin account or accessible by using a password. This is the ethical and legitimate use of monitor tools: their presence should be known; if not, then they're spyware.

    feedback.microsoftsecurityessentials.com is dead 🙁