MSRT September 2016 release feature: Prifou

As part of our ongoing effort to provide better malware protection, the Microsoft Malicious Software Removal Tool (MSRT) release this September includes detections for:


This blog discusses BrowserModifier:Win32/Prifou (Prifou). Windows Defender detects this threat because it limits your choice and control over your browser and operating system. The unwanted behaviors are detailed in Microsoft’s objective criteria on detecting unwanted software and malicious behavior:

  • Lack of choice:
    • The threat bypasses your consent options from the browser or operating system.
    • The threat fails to clearly indicate when it is active, and may attempt to hide or disguise its presence.
  • Lack of control:
    • The threat does not use the browser’s supported extensibility model for installation, execution, disabling, and removal.
    • The threat prevents or limits you from viewing or modifying browser features or settings.
    • The threat modifies or manipulates webpage content without your consent.


Distribution

Prifou is mainly distributed by software bundlers. A software bundler, in the context of unwanted software analysis, installs unwanted software on your PC at the same time as the legitimate software that you are trying to install, without adequate consent.

In the last two months, we have seen around 6.8 million machines infected by this threat.

Figure 1: This heatmap shows the geographical spread of Prifou-infected machines.


Symptoms

Displays advertisements

Like most browser modifiers and adware, this threat makes money from site visits through advertisements. It displays ads for products, usually at discounted or lower prices, related to the product that the user is searching for on other online shopping websites.

Earlier versions of this threat added an extension to the browser. Browser extensions can be viewed, enabled, disabled and removed from within the browser, which gives you full control over them. This threat, however, automatically enables the extension that it adds, bypassing your choice and control.

Example of extensions added:

Figure 2: Screenshot of the threat as it displays as PriceFountain in the Toolbars and Extensions section of the Manage Add-ons page.

However, we have seen a new version of this threat that injects ads directly into your browser's process and no longer installs a browser extension. This does not use the supported browser extensibility model, and it also hides its presence from the user, thus restricting the user's control over it.

We have seen it display ads in the following browsers:

  • Internet Explorer
  • Mozilla Firefox

Note: During our tests, it did not display ads when using Microsoft Edge or Google Chrome.

The advertisements carry the attribute name "Price Fountain". Displaying ads slows down the user's browsing experience, so the webpages that the user visits may take additional time to load.

See some of the advertisement samples below:

From Internet Explorer:

Figure 3: Screenshot of Prifou ads as displayed in Internet Explorer.

From Mozilla Firefox:

Figure 4: Screenshot of Prifou ads as displayed in Mozilla Firefox.

Adds scheduled tasks

This threat also adds two scheduled tasks to your PC without your consent:

  • One automatically executes the threat every time you log into the infected machine.
  • The other checks for and downloads updates (if available) every hour.

Example of scheduled tasks added:

Earlier version:

Figure 5: Screenshot of the scheduled tasks that Prifou adds in its earlier variants.

New version:

Figure 6: Screenshot of the scheduled tasks that Prifou adds in its recent variants.

Adds uninstallation entry

This threat also adds two uninstallation entries: one for the main program, and the other for the updater component.

While other browser modifiers add uninstallation entries that do not work, if they add them at all, we tested the following Prifou uninstallation entries and observed that they do remove the threat from the infected machine.

See the screenshot of the uninstallation entries:

Figure 7: You can go in and uninstall the PriceFountain entries as soon as you see them on your PC.
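To give defenders a concrete way to check a machine for the two symptoms described above, the scheduled tasks and the uninstallation entries, here is an added PowerShell audit script. It is example code written for this post, not a Microsoft tool or part of MSRT. It assumes that the names of the scheduled tasks and uninstall entries contain the string "PriceFountain" or "Price Fountain", as the Manage Add-ons and uninstall screenshots show for the extension and the uninstall entries; the exact scheduled task names are not published in this post, so matching them on that string is an assumption.

```powershell
# Added example (not from the MMPC post): audit scheduled tasks and uninstall
# entries for names associated with PriceFountain. The search strings come
# from the post's screenshots; the exact task names are NOT given there, so
# substring matching on these strings is an assumption.
$Patterns = @('PriceFountain', 'Price Fountain')

function Test-SuspiciousName {
    param([string]$Text)
    if ([string]::IsNullOrEmpty($Text)) { return $false }
    foreach ($p in $Patterns) {
        if ($Text -like "*$p*") { return $true }
    }
    return $false
}

# 1. Scheduled tasks: the post describes one logon-triggered task and one
#    hourly update-check task. Report any task whose name, path, description
#    or action command line matches a pattern, together with its trigger types
#    (e.g. MSFT_TaskLogonTrigger, MSFT_TaskDailyTrigger) so an analyst can
#    compare them with the behaviour described above.
function Get-PriceFountainScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task    = $_
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        $text    = "$($task.TaskName) $($task.TaskPath) $($task.Description) $actions"
        if (Test-SuspiciousName $text) {
            [PSCustomObject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Action   = $actions
            }
        }
    }
}

# 2. Uninstall entries: the post states that Prifou registers two entries
#    (main program and updater). Enumerate the standard Uninstall keys for
#    the machine (64-bit and 32-bit views) and for the current user.
function Get-PriceFountainUninstallEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue | Where-Object {
        (Test-SuspiciousName $_.DisplayName) -or (Test-SuspiciousName $_.Publisher)
    } | Select-Object DisplayName, Publisher, UninstallString, PSPath
}

# Run both checks and report the findings; an empty result means nothing matched.
$tasks   = @(Get-PriceFountainScheduledTasks)
$entries = @(Get-PriceFountainUninstallEntries)
"Matching scheduled tasks: $($tasks.Count)"
$tasks   | Format-Table -AutoSize
"Matching uninstall entries: $($entries.Count)"
$entries | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session so that both the HKLM Uninstall keys and tasks registered by other accounts are readable. A hit in the uninstall list can be removed through the normal Programs and Features path, which, as noted above, did work in our tests for this threat; a matching scheduled task with a logon or daily trigger is the persistence described in the Adds scheduled tasks section and should be reviewed before the task is deleted.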

Prevention and detection

To help stay protected:

Related information

See How Microsoft antimalware products identify malware: unwanted software and malicious software for the objective criteria details.

For additional information about what Browser Extensibility Models are, and why we require programs to use them, see our previous blogs:


James Patrick Dee

MMPC
