As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for:
This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors are detailed in Microsoft’s objective criteria on detecting unwanted software and malicious behavior:
- Lack of choice:
- The threat bypasses your consent options from the browser or operating system.
- The threat fails to clearly indicate when it is active, and may attempt to hide or disguise its presence.
- Lack of control:
- The threat does not use the browser's supported extensibility model for installation, execution, disabling, and removal.
- The threat prevents or limits you from viewing or modifying browser features or settings.
- The threat modifies or manipulates webpage content without your consent.
Prifou is mainly distributed by software bundlers. A software bundler, in the context of unwanted software malware analysis, installs unwanted software on your PC at the same time as the legitimate software that you are trying to install, without adequate consent.
In the last two months, we have seen around 6.8 Million machines infected by this threat.
Like most BrowserModifiers and Adwares, this threat makes money from site visits through advertisements. It displays ads for products usually with discounted or lower prices, related to the product that the user is searching for on another online shopping websites.
Earlier versions of this threat added an extension to the browser. Browser extensions can be viewed, enabled, disabled and removed from the browser. This gives you full control over the browser extensions. But this threat automatically enables the extension that it adds and bypasses your choice and control.
Example of extensions added:
However, we have seen a new version of this threat that directly injects ads to your browser's process and no longer installs a browser extension. This does not use the supported browser extensibility and it also hides its presence from the user, thus restricting the user's control over it.
We have seen it display ads from the following browsers:
- Internet Explorer
- Mozilla Firefox
Note: During our tests, it did not display ads when using Microsoft Edge or Google Chrome.
The advertisements have the attribute name "Price Fountain". Displaying ads slows down the user's browsing experience. Thus, the webpages that the user visits may take additional time to load.
See some of the advertisement samples below:
From Internet Explorer:
From Mozilla Firefox:
Adds scheduled tasks
This threat also adds two scheduled tasks in your PC without your consent to:
- To automatically execute it every time you log into the infected machine.
- To check and download updates (if available) every hour.
Example of scheduled tasks added:
Adds uninstallation entry
This threat also adds two uninstallation entries: one for the main program, and the other for the updater component.
While other browser modifiers add uninstallation options which do not work, if at all, we have tested the following Prifou uninstallation entries and observed that it can remove the threat from the infected machine.
See the screenshot of the uninstallation entries:
Prevention and detection
To help stay protected:
- Keep your Windows Operating System and antivirus up-to-date and, if you haven’t already, upgrade to Windows 10.
- Use Microsoft Edge. It can help warn you about sites that are known to be hosting exploits, and help protect you from socially-engineered attacks such as phishing and malware downloads.
- Avoid browsing web sites that are known for hosting malware (such as illegal music, movies and TV, and software download sites)
- Ensure your antimalware protection (such as Windows Defender and Microsoft Malicious Software Removal Tool) is up-to-date.
- Enable Microsoft Active Protection Service (MAPS) to get the latest cloud-based unwanted software detection and blocking.
See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.
For additional information about what Browser Extensibility Models are, and why we require programs to use them, see our previous blogs:
- A brief discourse on Changing browsing experience
- Keeping Browsing Experience in Users’ Hands, an Update…
James Patrick Dee