{"id":6332,"date":"2017-01-23T15:50:24","date_gmt":"2017-01-23T23:50:24","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-170\/"},"modified":"2017-01-23T15:50:24","modified_gmt":"2017-01-23T23:50:24","slug":"news-170","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-170\/","title":{"rendered":"MSRT September 2016 release feature: Prifou"},"content":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the <a href=\"http:\/\/www.microsoft.com\/security\/pc-security\/malware-removal.aspx\">Microsoft Malicious Software Removal Tool <\/a>(MSRT) release this September includes detections for:<\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=BrowserModifier:Win32\/Prifou\">BrowserModifier:Win32\/Prifou<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/NightClick\">TrojanClicker:Win32\/NightClick<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Suweezy\">Trojan:Win32\/Suweezy<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Win32\/Xadupi\">Trojan:Win32\/Xadupi<\/a><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>This blog discusses <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=BrowserModifier:Win32\/Prifou\">BrowserModifier:Win32\/Prifou<\/a>\u00a0(Prifou).\u00a0Windows Defender detects this threat because it limits your choice and control over your browser and operating system. 
The unwanted behaviors are detailed in Microsoft\u2019s <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/objectivecriteria.aspx\">objective criteria<\/a> on detecting unwanted software and malicious behavior:<\/p>\n<ul>\n<li><strong>Lack of choice:<\/strong>\n<ul>\n<li><em>The threat bypasses your consent options from the browser or operating system. <\/em><\/li>\n<li><em>The threat fails to clearly indicate when it is active, and may attempt to hide or disguise its presence. <\/em><\/li>\n<\/ul>\n<\/li>\n<li>\u00a0<strong>Lack of control: <\/strong>\n<ul>\n<li><em>The threat does not use the <\/em><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/04\/21\/a-brief-discourse-on-changing-browsing-experience\/\"><em>browser&#8217;s supported extensibility model<\/em><\/a><em> for installation, execution, disabling, and removal. <\/em><\/li>\n<li><em>The threat prevents or limits you from viewing or modifying browser features or settings. <\/em><\/li>\n<li><em>The threat modifies or manipulates webpage content without your consent. <\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2>Distribution<\/h2>\n<p><a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=BrowserModifier:Win32\/Prifou\">Prifou<\/a> is mainly distributed by <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/shared\/glossary.aspx#software_bundler\">software bundlers<\/a>. 
A software bundler, in the context of unwanted-software analysis, installs unwanted software on your PC alongside the legitimate software that you are trying to install, without adequate consent.<\/p>\n<p>In the last two months, we have seen around 6.8 million machines infected by this threat.<\/p>\n<p><div id=\"attachment_8926\" style=\"width: 1034px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/PrifouGeoDist.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"741\" class=\"size-large wp-image-8926\" alt=\"This heatmap shows the geographical spread of Prifou-infected machines\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/PrifouGeoDist-1024x741.png\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 1: This heatmap shows the geographical spread of Prifou-infected machines.<\/em><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<h2>Symptoms<\/h2>\n<h3>Displays advertisements<\/h3>\n<p>Like most browser modifiers and adware, this threat makes money from site visits through advertisements. It displays ads, usually for discounted or lower-priced versions of the product that the user is searching for on other online shopping websites.<\/p>\n<p>Earlier versions of this threat added an extension to the browser. Browser extensions can be viewed, enabled, disabled and removed from the browser, which gives you full control over them. 
This threat, however, automatically enables the extension it adds, bypassing your choice and control.<\/p>\n<h4><em>Example of extensions added:<\/em><\/h4>\n<p><div id=\"attachment_8935\" style=\"width: 1010px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/ie_addon.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"440\" class=\"size-full wp-image-8935\" alt=\"Figure 2: Screenshot of the threat as it displays as PriceFountain in the Toolbars and Extensions section of the Manage Add-ons page.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/ie_addon.png\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 2: Screenshot of the threat as it displays as PriceFountain in the Toolbars and Extensions section of the Manage Add-ons page.<\/em><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>However, we have seen a new version of this threat that injects ads directly into your browser&#8217;s process and no longer installs a browser extension. This bypasses the browser&#8217;s supported extensibility model and hides the threat&#8217;s presence from the user, leaving the user without any control over it.<\/p>\n<p>We have seen it display ads in the following browsers:<\/p>\n<ul>\n<li>Internet Explorer<\/li>\n<li>Mozilla Firefox<\/li>\n<\/ul>\n<p><em>Note: During our tests, it did not display ads when using Microsoft Edge or Google Chrome.<\/em><\/p>\n<p>The injected advertisements carry the attribute name &#8220;Price Fountain&#8221;. Displaying the ads also slows down the user&#8217;s browsing experience. 
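<\/p>\n<p>The artifacts described so far (an add-on that shows up under Toolbars and Extensions, and a newer variant that runs inside the browser process instead), together with the scheduled tasks and the PriceFountain uninstall entries described later in this post, can all be checked from an elevated PowerShell prompt. The script below is an added example and not code from the MMPC post. PriceFountain is the only name the post gives; treating binaries outside the Windows and Program Files directories as worth a look is the script&#8217;s own heuristic, not something the post states. It only reports what it finds and removes nothing.<\/p>\n
```powershell
# Added triage script, not part of the MMPC post. It lists the host artifacts the
# post attributes to Prifou so they can be reviewed; it removes nothing.
# Assumptions: 'PriceFountain' is the only name the post gives; treating binaries
# outside %windir% and Program Files as worth a look is a generic heuristic.
# Needs an elevated prompt and the ScheduledTasks module (Windows 8 / 2012 or later).

$marker   = 'PriceFountain|Price Fountain'
$trusted  = '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding($Category, $Item, $Detail) {
    # Hit marks rows that mention the name the post gives; everything else is for review.
    $hit = [bool](($Item + ' ' + $Detail) -match $marker)
    $findings.Add([pscustomobject]@{ Hit = $hit; Category = $Category; Item = $Item; Detail = $Detail })
}

function Test-Binary([string]$Path) {
    # Expand %VAR% references and strip surrounding quotes, then report where the
    # file lives and whether its Authenticode signature is valid.
    $exe = [Environment]::ExpandEnvironmentVariables($Path.Trim().Trim([char]34))
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { return 'missing: ' + $exe }
    $sig   = (Get-AuthenticodeSignature -FilePath $exe).Status
    $where = if ($exe -match $trusted) { 'trusted dir' } else { 'user-writable dir' }
    return '{0}; signature {1}; {2}' -f $exe, $sig, $where
}

# 1. Add-on registration: IE Browser Helper Objects, the usual home of ad-injecting
#    add-ons that appear under Toolbars and Extensions (Figure 2). All are listed.
$bhoKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
           'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
foreach ($key in ($bhoKeys | Where-Object { Test-Path $_ })) {
    foreach ($sub in (Get-ChildItem -Path $key)) {
        $clsid  = $sub.PSChildName
        $dll    = (Get-ItemProperty -Path ('Registry::HKEY_CLASSES_ROOT\CLSID\{0}\InprocServer32' -f $clsid) -ErrorAction SilentlyContinue).'(default)'
        $detail = if ($dll) { Test-Binary $dll } else { 'no InprocServer32 registered' }
        Add-Finding 'IE add-on (BHO)' $clsid $detail
    }
}

# 2. The newer variant injects into the browser process instead of registering an
#    add-on: list modules in the browsers the post names that are unsigned or
#    loaded from outside the trusted directories.
foreach ($proc in (Get-Process -Name iexplore, firefox -ErrorAction SilentlyContinue)) {
    $who = '{0} (pid {1})' -f $proc.Name, $proc.Id
    try   { $mods = $proc.Modules | ForEach-Object { $_.FileName } | Sort-Object -Unique }
    catch { Add-Finding 'Browser module' $who ('cannot read modules: ' + $_.Exception.Message); continue }
    foreach ($m in $mods) {
        $detail = Test-Binary $m
        if ($detail -notmatch 'signature Valid; trusted') { Add-Finding 'Browser module' $who $detail }
    }
}

# 3. Persistence: non-Microsoft tasks that run at logon or repeat hourly, the two
#    task shapes the post describes, together with what they execute.
foreach ($task in (Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' })) {
    $kinds = foreach ($t in $task.Triggers) {
        if ($t.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger') { 'logon' }
        if ($t.Repetition.Interval -in @('PT1H', 'PT60M'))        { 'hourly' }
    }
    if (-not $kinds) { continue }
    foreach ($a in ($task.Actions | Where-Object { $_.Execute })) {
        $item = '{0}{1} [{2}]' -f $task.TaskPath, $task.TaskName, ($kinds -join ',')
        Add-Finding 'Scheduled task' $item ((Test-Binary $a.Execute) + ' ' + $a.Arguments)
    }
}

# 4. The two uninstall entries (Figure 7), matched on the name the post gives.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { ($_.DisplayName + ' ' + $_.Publisher) -match $marker } |
    ForEach-Object { Add-Finding 'Uninstall entry' $_.DisplayName ('{0} | {1}' -f $_.InstallLocation, $_.UninstallString) }

$findings | Sort-Object Hit -Descending | Format-Table -AutoSize -Wrap
```
\n<p>Run it as Administrator on Windows 8 or Server 2012 and later (it needs the ScheduledTasks module and Get-AuthenticodeSignature). Expect benign rows too: other vendors&#8217; browser plug-ins and tasks will be listed alongside anything suspicious, which is why the script reports rather than deletes; the Hit column marks the rows that mention the name the post gives, and the remaining rows are there for a human to review.<\/p>\n<p>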
Because the injected ad content has to be fetched and rendered along with the page, the webpages that the user visits may take additional time to load.<\/p>\n<p>See some of the advertisement samples below:<\/p>\n<h4><em>From Internet Explorer:<\/em><\/h4>\n<p><div id=\"attachment_8945\" style=\"width: 1034px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/ie_ads.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"611\" class=\"size-large wp-image-8945\" alt=\"Figure 3: Screenshot of Prifou ads as displayed in Internet Explorer.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/ie_ads-1024x611.png\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 3: Screenshot of Prifou ads as displayed in Internet Explorer.<\/em><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<h4><em>From Mozilla Firefox:<\/em><\/h4>\n<p><div id=\"attachment_8946\" style=\"width: 1034px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/firefox_ads.jpg\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"612\" class=\"size-large wp-image-8946\" alt=\"Figure 4: Screenshot of Prifou ads as displayed in Mozilla Firefox.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/firefox_ads-1024x612.jpg\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 4: Screenshot of Prifou ads as displayed in Mozilla Firefox.<\/em><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<h3>Adds scheduled tasks<\/h3>\n<p>This threat also adds two scheduled tasks on your PC without your consent:<\/p>\n<ul>\n<li>One that automatically runs the threat every time you log on to the infected machine.<\/li>\n<li>One that checks for and downloads updates (if available) every hour.<\/li>\n<\/ul>\n<p>Examples of the scheduled tasks added:<\/p>\n<h4><em>Earlier version:<\/em><\/h4>\n<p><div id=\"attachment_8965\" style=\"width: 1034px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/scheduled_task1.png\"><img 
loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"396\" class=\"size-large wp-image-8965\" alt=\"Figure 5: Screenshot of the scheduled tasks that Prifou adds in its earlier variants.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/scheduled_task1-1024x396.png\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 5: Screenshot of the scheduled tasks that Prifou adds in its earlier variants.<\/em><\/p>\n<\/div>\n<h4><em>New version:<\/em><\/h4>\n<p><div id=\"attachment_8956\" style=\"width: 1034px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/scheduled_task.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"496\" class=\"size-large wp-image-8956\" alt=\"Figure 6: Screenshot of the scheduled tasks that Prifou adds in its recent variants.\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/scheduled_task-1024x496.png\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 6: Screenshot of the scheduled tasks that Prifou adds in its recent variants.<\/em><\/p>\n<\/div>\n<h3>Adds uninstallation entries<\/h3>\n<p>This threat also adds two uninstallation entries: one for the main program, and the other for the updater component.<\/p>\n<p>While other browser modifiers often add uninstallation entries that do not work, or none at all, we tested the Prifou uninstallation entries shown below and observed that they do remove the threat from the infected machine.<\/p>\n<p>See the screenshot of the uninstallation entries:<\/p>\n<p><div id=\"attachment_8975\" style=\"width: 1034px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/uninstall_entry.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"410\" class=\"size-large wp-image-8975\" alt=\"Figure 7: You can go in and uninstall the PriceFountain entries from your PC.\" 
src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/09\/uninstall_entry-1024x410.png\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>Figure 7: You can uninstall the PriceFountain entries as soon as you see them on your PC.<\/em><\/p>\n<\/div>\n<h2>Prevention and detection<\/h2>\n<p>To help stay protected:<\/p>\n<ul>\n<li>Keep your Windows operating system and antivirus <a target=\"_blank\" href=\"http:\/\/www.microsoft.com\/security\/portal\/mmpc\/help\/updatesoftware.aspx\">up to date<\/a> and, if you haven\u2019t already, upgrade to <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\">Windows 10<\/a>.<\/li>\n<li><a target=\"_blank\" href=\"https:\/\/blogs.windows.com\/msedgedev\/2015\/12\/16\/smartscreen-drive-by-improvements\/\">Use Microsoft Edge<\/a>. It can warn you about sites that are known to host exploits, and help protect you from socially engineered attacks such as phishing and malware downloads.<\/li>\n<li>Avoid browsing websites that are known for hosting malware (such as illegal music, movie, TV and software download sites).<\/li>\n<li>Ensure your antimalware protection (such as <a target=\"_blank\" href=\"http:\/\/windows.microsoft.com\/en-us\/windows\/using-defender#1TC=windows-10\">Windows Defender<\/a> and the <a target=\"_blank\" href=\"http:\/\/www.microsoft.com\/en-us\/download\/malicious-software-removal-tool-details.aspx\">Microsoft Malicious Software Removal Tool<\/a>) is up to date.<\/li>\n<li><a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2015\/01\/14\/maps-in-the-cloud-how-can-it-help-your-enterprise\/\">Enable Microsoft Active Protection Service (MAPS)<\/a> to get the latest cloud-based unwanted software detection and blocking.<\/li>\n<\/ul>\n<h2>Related information<\/h2>\n<p>See <a target=\"_blank\" href=\"https:\/\/www.microsoft.com\/security\/portal\/mmpc\/shared\/objectivecriteria.aspx\">How Microsoft antimalware products 
identify malware: unwanted software and malicious software<\/a> for the objective criteria details.<\/p>\n<p>For additional information about what Browser Extensibility Models are, and why we require programs to use them, see our previous blogs:<\/p>\n<ul>\n<li><a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/04\/21\/a-brief-discourse-on-changing-browsing-experience\/\">A brief discourse on Changing browsing experience<\/a><\/li>\n<li><a target=\"_blank\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/03\/23\/keeping-browsing-experience-update\/\">Keeping Browsing Experience in Users\u2019 Hands, an Update\u2026<\/a><u>\u00a0<\/u><\/li>\n<\/ul>\n<p><em>\u00a0<\/em><\/p>\n<p><em>James Patrick Dee<\/em><\/p>\n<p><em>MMPC<\/em><\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/09\/13\/msrt-september-2016-release-feature-prifou\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for: BrowserModifier:Win32\/Prifou TrojanClicker:Win32\/NightClick Trojan:Win32\/Suweezy Trojan:Win32\/Xadupi &#160; This blog discusses BrowserModifier:Win32\/Prifou\u00a0(Prifou).\u00a0Windows Defender detects this threat because it limits your choice and control over your browser and operating system. 
The unwanted behaviors are detailed&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10760,10858,10946,10785,10947,10786,10948,10949,10767,10950,10951,10952,10953,10954,10768,10955,10762,10956],"class_list":["post-6332","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-browser-modifier","tag-browsermodifierwin32prifou","tag-microsoft-malicious-software-removal-tool","tag-microsofts-objective-criteria","tag-msrt","tag-msrt-september-2016","tag-nightclick","tag-objective-criteria","tag-prifou","tag-suweezy","tag-trojanwin32suweezy","tag-trojanwin32xadupi","tag-trojanclickerwin32nightclick","tag-unwanted-software","tag-unwanted-software-objective-criteria","tag-windows-defender","tag-xadupi"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6332"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6332\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6332"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}