Monitoring tools: user notification required

The Microsoft Malware Protection Center (MMPC) helps to keep Windows customers in control of their computing experience, information, and privacy. We use objective criteria to help protect customers against malware and unwanted software. This means helping to protect you against monitoring software that maliciously collects and provides unauthorized access to your private data.

We are aware of social engineering campaigns that target users in Eastern Europe and Brazil using monitoring software. The technique that we have observed involves both:

  1. Concealing monitoring tools inside application or games available for download from file-sharing websites.
  2. Collecting private data using email accounts or ftp servers, once the bundled application has been opened.

Here are few examples of the files crafted as part of these campaigns:

​Icon ​Hostile file ​Blocks ​Web host
Grand Theft Auto GTA_SanAndreas_5_Baku_Style.exe ​43,619 ​share.az
KMS ​KMSpico setup1.exe 20,267​ ​mediafire.com
Pokemon ​Pokemon online.exe ​263 ​multiupload.biz
OP7 ​Op7 Trainer FREE v3.0.exe ​3,647 ​mega.co.nz
UGG ​UGG Public 1.2.exe ​3,464 ​rghost.net
Card Winbood_pokertable.exe ​358 ​4shared.com

     

Figure 1: Some examples of game downloads containing monitoring software that are available from file-sharing websites

An unsuspecting user could download and run what seems to be a clean program, not knowing that in the background their privacy is being compromised.

Winbood_pokertable.exe

Figure 2: We have seen Winbood_pokertable.exe used to trick users into installing a preconfigured hidden threat such as Win32/Ardamax

The malicious actors behind these threats use common email providers to retrieve private data from users. We are working with our partners to remove the hosted files and close their email accounts. 

During the past month we have seen these monitoring tools impacting mostly Brazil, US and Russia, with 27% of all monitoring tool detections.

Monitoring tool detections by country

Figure 3: Monitoring tool detections by country

Using legitimate monitoring software

Monitoring software can be used for legitimate purposes, such as protecting your family's safety or your enterprise data, as long as you know it is there.

It is the awareness of being monitored that ultimately gives the user the ability to express themselves selectively, and disengage from special or sensitive actions. A good example of implementing user notification when being monitored is the Activity Reports feature of the Windows Family Safety feature. Our objective criteria has more information about how we classify malware and unwanted software. If you trust software that has been detected by a Microsoft security product, you can add it to your allowed list.

Family Safety feature prompts Family Safety feature prompts

Figure 4: Windows Family Safety feature prompts

Developers of parental control or employee monitoring software can minimize the risk of having their products abused by considering the following recommendations:

  1. Inform users that they are being monitored through clear messaging or notifications.
  2. Restrict the use of silent deployment or remote installation to system administrators.
  3. Design a user license agreement in accordance with the local, state, or federal regulations (for example, when the monitoring software is used on computers that are considered to be for public use, or where the owner of the computer did not agree with the terms and agreement).

As always, we urge Windows users to be vigilant against malware:

  • Exercise caution when opening emails or social media messages from unknown users.
  • Be wary about downloading software from websites other than the program developers.
  • Run an antivirus software regularly.

If you're using Windows 8 or later versions, Windows Defender is built-in. If you're running an older operating system, you can install Microsoft Security Essentials.

Additional resources for software developers can be found on our Malware Protection Center.

MMPC
Mihai Calota


Microsoft Malware Protection Center
Secure Hunter Anti -Malware