PC health – Part 1: Information stealing malware
When we were building Windows 8, MMPC partnered with several teams in Microsoft to start the PC Health program. The PC health program has two goals:
- To inform and guide customers on additional actions to take when malware might have put their information at risk
- To monitor the health of PCs running our antimalware products and initiate remediation as required
We’ll discuss the PC health program in this two-part blog. Part 1 focuses on the first goal: informing and guiding our customers to take additional action when malware might have put their information at risk.
Information stealing malware
Background and Landscape
During 2013, nearly 24 million machines running Microsoft security products encountered information-stealing malware. We estimate that these threats stole user names and passwords, developer code-signing keys, and other data from 4.86 million machines. This count includes machines on which the malware ran but may not have actually stolen any data.
Figure 1: Monthly count of machines with an active infection, in which the infection is of an information-stealing malware. Families include Gamarue, Dorkbot, Zbot, Banker, Bancos, and Fareit
What can we do to better protect these customers?
First, as part of our malware research and automation, we continue to reduce the malware time-to-live; that is, we aim to reduce the time between when malware is released into the wild and when we start detecting it. However, it is also important to inform and appropriately guide our customers to take action and mitigate the impact of information-stealing malware.
Inform and guide: mitigating the impact of information-stealing malware
Since 2012 and the release of Windows 8, if you’re running Microsoft Security Essentials or Windows Defender and information-stealing malware gets onto your machine, you might see a message similar to this in Windows Action Center:
Figure 2: Windows Action Center message if your machine gets infected by Zbot
We know from our research that, for example, Zbot is a malware family known to target user credentials for online banking websites. The message above will appear if your Microsoft antivirus product has detected and removed the threat. However, this message takes recovery one step further: it advises you to change your passwords for the websites that it’s known to target.
In 2013, a message like this was seen by more than 260,000 users within six months.
If you are running System Center Endpoint Protection or Windows Intune, we communicate this information through the event log channel. The administrator can use the information in the event log to determine whether the malware ran on the machine. If the malware did run, the event log entry also contains a link to a description of the threat in our malware encyclopedia. From there, the admin can assess the threat and take action if it exhibits information-stealing behavior.
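As an added illustration of that administrator workflow (example code written for this edit, not part of the original post or of the products it describes), the PowerShell below pulls recent detection events from the event log and lists, for each one, the threat name, the process the threat was running in, the action the product took, and the encyclopedia link carried in the event message. It assumes the provider name `Microsoft Antimalware` in the System log, event IDs 1116 (malware detected) and 1117 (action taken), and the `Name:`, `Process Name:` and `Action:` labels in the event text; check those against the product version you run and adjust the filter if they differ.

```powershell
# Added example (not from the original post): list recent malware detection
# events written by the Microsoft antimalware engine and extract the fields an
# admin needs to judge whether the threat ran and where to read more about it.
#
# Assumptions (verify for your product version):
#   - events are in the System log under provider 'Microsoft Antimalware'
#   - event ID 1116 = malware detected, 1117 = action taken
#   - the event message carries 'Name:', 'Process Name:', 'Action:' lines and
#     a 'For more information' URL pointing at the malware encyclopedia

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft Antimalware'
    Id           = 1116, 1117
    StartTime    = (Get-Date).AddDays(-$Days)
}

# Newest events come first; SilentlyContinue avoids a terminating error when
# there are simply no matching events in the window.
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $msg = $e.Message

    # Pull one labelled line out of the message; report a clear marker rather
    # than an empty string when the label is absent in this product version.
    $grab = {
        param([string]$pattern)
        if ($msg -match $pattern) { $Matches[1].Trim() } else { '(not present)' }
    }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        Threat      = & $grab '(?m)^\s*Name:\s*(.+)$'
        # A process name other than 'Unknown' indicates the threat was executing
        # when it was caught; the admin decides what that means for the machine.
        ProcessName = & $grab '(?m)^\s*Process Name:\s*(.+)$'
        Action      = & $grab '(?m)^\s*Action:\s*(.+)$'
        # Encyclopedia link from the 'For more information' line, if present.
        MoreInfo    = & $grab '(https?://\S+)'
    }
}
```

Run it on a monitored machine (or against a remote one with `-ComputerName`) and pipe the output to `Format-Table -AutoSize` or `Export-Csv`; the `MoreInfo` column is the encyclopedia link the post refers to, and `ProcessName` is the field to read when deciding whether the malware ran and a password reset is warranted.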
What do our customers think about this approach?
To determine if customers found this valuable, we monitored user feedback about the Windows Action Center notifications for three months. We received more than three thousand reviews with a 90 percent satisfaction rate.
With the release of Windows 8, your Microsoft account can be used as the primary login across your Windows devices and services (such as OneDrive and Hotmail). To better secure your Microsoft account, we provide the Microsoft Account team with PC health information, including information-stealing malware encounters.
Deepak Manohar and Ina Ragragio