
Win32/Sirefef


First posted on 25 April 2012.
Source: Microsoft

Aliases :

There are no other names known for Win32/Sirefef.

Explanation :

Win32/Sirefef is a multi-component family of malware that uses stealth techniques to hide its presence on an affected computer. Because the family is modular, the payload may vary greatly from one infection to another, although common behavior includes:

  • Downloading and executing arbitrary files
  • Contacting remote hosts
  • Disabling security features


Caution: Win32/Sirefef is a dangerous threat that uses advanced stealth techniques in order to hinder its detection and removal. Particular variants of Win32/Sirefef may also make lasting changes to your computer that will NOT be restored - some system files may be irrevocably corrupted and essential security services may be disabled.

Due to the severe consequences associated with this threat, you may need to reinstall your Windows operating system and other computer programs, and restore your files and data from backup if your computer is infected with any of the following Sirefef variants:

  • Trojan:Win32/Sirefef.AA
  • Trojan:Win32/Sirefef.AC
  • Trojan:Win32/Sirefef.AH




Installation

The dropper component of Win32/Sirefef has been observed to be distributed through exploits and through programs associated with software piracy, such as 'keygens' and 'cracks' (programs designed to bypass software licensing).

When executed, the malware attempts to replace a randomly-selected system driver with its own malicious copy. The replaced driver could be any of the following:

  • afd.sys
  • i8042prt.sys
  • ipsec.sys
  • mrxsmb.sys
  • netbt.sys
  • raspppoe.sys
  • serial.sys


Note that this list is not comprehensive.

The replaced driver will load each time Windows starts. The replaced driver may be detected as a variant of Virus:Win32/Sirefef or as TrojanDropper:Win32/Sirefef.B.
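The driver replacement described above is the first thing a responder will want to verify. The following PowerShell triage script is an added example, not part of the Microsoft write-up: it walks the driver names listed on this page, reports each file's Authenticode status, signer, size, timestamp and SHA-256 so they can be compared with a clean reference system. The directory parameter is an assumption for illustration; point it at an offline copy of the suspect system drive (for example a volume mounted from WinPE), because on a live infected host the rootkit's disk hook hands back the original clean driver and the check proves nothing.

```powershell
# Added triage example (not from the Microsoft write-up): inspect the drivers
# Win32/Sirefef is known to replace. Run against an OFFLINE copy of the system
# drive, e.g. -DriversDir 'D:\Windows\System32\drivers' from WinPE; on a live
# infected host the disk-level hook returns the clean original file.
param(
    # Assumed for illustration; override with the offline driver directory.
    [string]$DriversDir = "$env:SystemRoot\System32\drivers"
)

# Driver names taken from the list on this page (not comprehensive).
$candidates = 'afd.sys', 'i8042prt.sys', 'ipsec.sys', 'mrxsmb.sys',
              'netbt.sys', 'raspppoe.sys', 'serial.sys'

$report = foreach ($name in $candidates) {
    $path = Join-Path $DriversDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Not every driver ships on every Windows version; a missing file
        # is only interesting if the reference system has it.
        [PSCustomObject]@{ Driver = $name; Status = 'missing'; Signer = ''
                           Size = $null; Modified = $null; SHA256 = '' }
        continue
    }
    $file = Get-Item -LiteralPath $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    # Caveat: on Windows 7 and earlier Get-AuthenticodeSignature does not
    # consult security catalogs, so in-box drivers report NotSigned there.
    # Treat the hash comparison against a clean host as authoritative.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    [PSCustomObject]@{
        Driver   = $name
        Status   = $sig.Status
        Signer   = $signer
        Size     = $file.Length
        Modified = $file.LastWriteTime
        SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }
}

$report | Format-Table -AutoSize
```

Save the same report from a known-clean machine of the same Windows build and patch level and diff the two; a driver whose hash differs, whose signature is not Valid, or whose modification time is out of line with the rest of the directory is the one to pull for analysis.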



Payload

Downloads and executes arbitrary files

Sirefef uses a peer-to-peer (P2P) protocol to download or update additional malware components from remote peers. The downloaded components are saved to a U\ subdirectory inside the hidden folder that the malware creates for this purpose. The downloaded components may:

  • Manipulate an affected user's Internet experience by modifying search results
  • Generate pay-per-click advertising revenue for the malware's controllers
  • Run Bitcoin (digital currency) mining on the affected computer


Terminates security-related services

Sirefef attempts to stop and delete the following security-related services:

  • Windows Defender Service (windefend)
  • IP Helper Service (iphlpsvc)
  • Windows Security Center Service (wscsvc)
  • Windows Firewall Service (mpssvc)
  • Base Filtering Engine Service (bfe)


Contacts remote hosts

Sirefef contacts a remote host to send information about the infected computer. This information may then be used to create a network of infected computers that the attacker may utilize for practically any purpose.

Turns off Windows Firewall

Sirefef attempts to turn off Windows Firewall to make sure its own traffic won't be blocked.

Additional information

Sirefef implements a disk-level hook to hide its own presence on the affected computer. If an attempt is made to read the replaced driver, Sirefef returns the original, clean driver. Any modifications that are made to this driver will have no impact on the computer, as the replacement, malicious driver will always run instead.

Sirefef includes a self-defense mechanism directed at security-related software: the malware attempts to terminate any process that attempts to access Sirefef's files.

Creates a folder in which to store other malware

Sirefef creates a special folder configured as a reparse point (an NTFS attribute that attaches user-defined data to a file or directory and redirects how the file system handles it) in which to store additional malware components, as well as the original clean copy of the replaced driver.

The created folder uses the following format:

<system root>\$NtUninstallKB<number>$

where <number> is a randomly generated number.

Note: The files stored under this folder are encrypted, and are not generally accessible.
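The service tampering described under "Terminates security-related services" and the reparse-point folder described above are both cheap to check for. The following PowerShell script is an added example, not part of the Microsoft write-up: it reports the state of the five services named on this page and lists any $NtUninstallKB<number>$ directory under the system root that carries the ReparsePoint attribute. Legitimate hotfix-uninstall folders of that name are ordinary directories, so a reparse point there is the anomaly to flag. The system-root parameter is an assumption for illustration, and the reparse-tag lookup via fsutil needs an elevated prompt.

```powershell
# Added triage example (not from the Microsoft write-up).
#  1) Report the services Win32/Sirefef is known to stop and delete.
#  2) Find $NtUninstallKB<number>$ folders that are reparse points.
# Prefer an offline copy of the drive: on a live infected host the rootkit
# hides its files and terminates processes that try to access them, which
# may include this script.
param(
    # Assumed for illustration; for an offline drive use e.g. 'D:\Windows'.
    [string]$SystemRoot = $env:SystemRoot
)

# Service names and display names as listed on this page.
$watched = [ordered]@{
    windefend = 'Windows Defender Service'
    iphlpsvc  = 'IP Helper Service'
    wscsvc    = 'Windows Security Center Service'
    mpssvc    = 'Windows Firewall Service'
    bfe       = 'Base Filtering Engine Service'
}

Write-Output '== Security-related services =='
foreach ($svcName in $watched.Keys) {
    # Service state only makes sense on the live host; skip for offline drives.
    $svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        # A missing service is consistent with Sirefef having deleted it.
        Write-Output ('{0,-10} {1,-32} MISSING' -f $svcName, $watched[$svcName])
    } else {
        Write-Output ('{0,-10} {1,-32} {2} (start: {3})' -f $svcName,
            $watched[$svcName], $svc.Status, $svc.StartType)
    }
}

Write-Output ''
Write-Output '== $NtUninstallKB<number>$ folders that are reparse points =='
Get-ChildItem -LiteralPath $SystemRoot -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object {
        # Name pattern from this page; single quotes keep '$' literal.
        $_.Name -match '^\$NtUninstallKB\d+\$$' -and
        ($_.Attributes -band [IO.FileAttributes]::ReparsePoint)
    } |
    ForEach-Object {
        # fsutil prints 'Reparse Tag Value : 0x...'; a tag that is neither a
        # symbolic link nor a junction is the custom reparse data to pull.
        $tagLine = & fsutil reparsepoint query $_.FullName 2>$null |
                   Select-String 'Reparse Tag Value'
        [PSCustomObject]@{
            Path       = $_.FullName
            Created    = $_.CreationTime
            Attributes = $_.Attributes
            ReparseTag = ("$tagLine" -replace '.*:\s*', '')
        }
    } | Format-Table -AutoSize
```

Because the page states the contents of that folder are encrypted and hidden, the point of the scan is to locate the container and its creation time for the timeline, not to read what is inside it from the infected host.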





Analysis by Chun Feng

Last update 25 April 2012
