Archive for the ‘Sirefef’ Category

Microsoft Disrupts Botnet Hijacking Search Results and Exploiting Search Engines

December 5th, 2013

Today, Microsoft’s Digital Crimes Unit (DCU), in partnership with law enforcement and industry partners, announced the disruption of the Sirefef botnet, also known as ZeroAccess. This botnet hijacks people’s search results and sends them to potentially dangerous websites that can install malware on their computers or steal their personal information, and it commits click fraud, fraudulently charging businesses for online advertisement clicks. According to the latest Microsoft Security Intelligence Report, by the end of 2012 malicious or compromised websites had become the top threat facing both enterprises and consumers. ZeroAccess specifically targets search results on the major online search and advertising platforms, including Google, Bing and Yahoo!, and is estimated to cost online advertisers $2.7 million each month.


January ’12 MSRT: Win32/Sefnit

January 10th, 2012

The January 2012 edition of the Microsoft Malicious Software Removal Tool (MSRT) includes detection and removal of the Win32/Sefnit family of trojans. This family tampers with and redirects web browser search results for Bing, Yahoo! and Google.

The earliest reported variant in this family dates back to August 2010, and the installation mechanism used by those early samples remains very similar to what we observe in the wild today. Sefnit variants use a Nullsoft Scriptable Install System (NSIS) dropper to install an obfuscated dynamic link library (DLL) component. The dropper launches the DLL with “rundll32.exe”, and the DLL is also set to execute during Windows logon.
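A component that is launched through rundll32.exe and again at every logon leaves a recognisable command line wherever logon-time commands are recorded. The following Python is an added example, not code from the MMPC post or from the MSRT: it parses rundll32.exe command lines into the DLL, entry point and arguments, and applies a small triage heuristic. The command lines, the system directory list and the flagging rules are constructed assumptions for illustration and are not an MMPC detection rule.

```python
import ntpath
import re

# Constructed autostart command lines for illustration; none is from a real infection.
# Entry 1 models the pattern described above: a dropped, oddly named component loaded
# through rundll32.exe from a user-writable directory.
AUTOSTART_ENTRIES = [
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
    r'"C:\Windows\System32\rundll32.exe" "C:\Users\Bob\AppData\Local\Temp\xgtq.tmp",fbikcl',
    r"rundll32.exe C:\ProgramData\Sgbqwe\mlfdkja.dll,DllRegisterServer",
    r'"C:\Program Files\Vendor\updater.exe" /silent',
    r"rundll32.exe C:\Windows\System32\shell32.dll,ShellExec_RunDLL notepad.exe",
]

# One argument = a run of quoted segments and/or non-space characters, so that
# "C:\path with spaces\x.dll",Entry stays together as a single token.
TOKEN_RE = re.compile(r'(?:"[^"]*"|\S)+')

# Assumed system DLL locations; a real check would expand %SystemRoot% instead.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_rundll32(cmdline):
    """Return (dll, entry_point, extra_args) for a rundll32.exe command line, or None when
    the command does not launch rundll32. rundll32's syntax is
    'rundll32.exe <dll>,<entrypoint> [args]': the comma directly follows the DLL name."""
    tokens = TOKEN_RE.findall(cmdline)
    if len(tokens) < 2:
        return None
    if ntpath.basename(tokens[0].strip('"')).lower() != "rundll32.exe":
        return None
    dll, _, entry = tokens[1].partition(",")
    return dll.strip('"'), entry, tokens[2:]


def triage(cmdline):
    """Example heuristic (this page's addition, not an MMPC or MSRT rule). Returns the
    reasons a rundll32 launch looks suspicious: the loaded file does not carry a .dll/.cpl
    extension, or it lives outside the system directories. A bare file name such as
    shell32.dll is resolved through the DLL search order and gets no location check here."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    dll, _entry, _args = parsed
    reasons = []
    ext = ntpath.splitext(dll)[1].lower()
    if ext not in (".dll", ".cpl"):
        reasons.append(f"'{ext or '(none)'}' extension loaded as a DLL: {dll}")
    if ntpath.dirname(dll) and not dll.lower().startswith(SYSTEM_DIRS):
        reasons.append(f"DLL outside the system directories: {dll}")
    return reasons


if __name__ == "__main__":
    for entry in AUTOSTART_ENTRIES:
        for reason in triage(entry):
            print(f"SUSPICIOUS  {reason}")
```

Run against the constructed list, only the two entries that load a file from a user-writable location are flagged; the two shell32.dll launches and the non-rundll32 command pass. The location check deliberately skips bare file names, which rundll32 resolves through the normal DLL search order, so a reviewer still has to look at those by hand.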

The obfuscation technique has changed from a “spaghetti-style” layout of numerous unconditional branches between small islands of code to one that hides “in plain sight”. In the following example, the immediate value 1Bh is moved to the cl register via the local variable ‘var_1’ rather than directly.

Figure 1. Example of simply obfuscated subroutine from a recent Sefnit variant
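The pattern in Figure 1 is a small constant-propagation problem: a value is stored to a stack slot and read straight back. The following Python is an added example, not code from the post, that folds such store/load pairs in an IDA-style text listing back into a direct `mov` and deletes the then-dead store. The listing it runs on is constructed, not taken from a Sefnit sample; the `[ebp+var_N]` operand syntax, the label and branch handling, and the decision to leave alone any local whose address escapes are this example's own assumptions.

```python
import re

# Constructed IDA-style listing (not from a real Sefnit sample). It shows the pattern the
# post describes: 1Bh reaches cl through the stack local var_1 instead of directly.
# var_4 is the same trick across a call; var_8 has its address taken with lea and must be
# left alone, because the callee may read or write it.
SAMPLE = """\
push    ebp
mov     ebp, esp
sub     esp, 0Ch
mov     [ebp+var_1], 1Bh
mov     cl, [ebp+var_1]
mov     [ebp+var_4], 0DEADh
call    sub_401000
mov     edx, [ebp+var_4]
mov     [ebp+var_8], 5
lea     eax, [ebp+var_8]
push    eax
call    sub_401100
mov     edx, [ebp+var_8]
xor     eax, eax
mov     al, cl
leave
retn
"""

SLOT_RE = re.compile(r"\[ebp[+-]var_[0-9A-Fa-f]+\]")      # an ebp-relative local
IMM_RE = re.compile(r"^(?:[0-9][0-9A-Fa-f]*h|[0-9]+)$")    # 1Bh, 0DEADh, 5, ...
BRANCHES = {"jmp", "je", "jne", "jz", "jnz", "ja", "jae", "jb", "jbe",
            "jg", "jge", "jl", "jle", "loop"}
LABEL = "<label>"


def _parse(line):
    """'mov     cl, [ebp+var_1]' -> ('mov', ['cl', '[ebp+var_1]']); 'loc_1:' -> (LABEL, [])."""
    text = line.split(";", 1)[0].strip()
    if not text:
        return None, []
    if text.endswith(":"):
        return LABEL, []
    parts = text.split(None, 1)
    ops = [o.strip() for o in parts[1].split(",")] if len(parts) > 1 else []
    return parts[0].lower(), ops


def _imm_store(mnem, ops):
    """The slot written if the instruction is 'mov [slot], imm', else None."""
    if mnem == "mov" and len(ops) == 2 and SLOT_RE.fullmatch(ops[0]) and IMM_RE.match(ops[1]):
        return ops[0]
    return None


def _load(mnem, ops):
    """The slot read if the instruction is 'mov reg, [slot]', else None."""
    if mnem == "mov" and len(ops) == 2 and SLOT_RE.fullmatch(ops[1]) and not SLOT_RE.search(ops[0]):
        return ops[1]
    return None


def deobfuscate(asm_text):
    """Fold 'mov [slot], imm ... mov reg, [slot]' into 'mov reg, imm' and drop the store once
    nothing reads the slot any more. Conservative by design: a slot touched by anything
    other than an immediate store or a register load (lea, push, add, a store from a
    register, ...) is treated as escaped and never folded, and known values are forgotten
    at labels and branches, where several control-flow paths may merge."""
    lines = asm_text.splitlines()
    parsed = [_parse(l) for l in lines]

    escaped = set()
    for (mnem, ops), line in zip(parsed, lines):
        if mnem is not None and not _imm_store(mnem, ops) and not _load(mnem, ops):
            escaped.update(SLOT_RE.findall(line))

    known, folded = {}, set()   # slot -> immediate currently held; slots we rewrote a load of
    out = list(lines)
    for i, ((mnem, ops), line) in enumerate(zip(parsed, lines)):
        if mnem is None:
            continue
        if mnem == LABEL or mnem in BRANCHES:
            known.clear()
            continue
        slot = _imm_store(mnem, ops)
        if slot is not None:
            if slot not in escaped:
                known[slot] = ops[1]
            continue
        slot = _load(mnem, ops)
        if slot is not None and slot in known:
            out[i] = line.replace(slot, known[slot], 1)   # mov cl, [ebp+var_1] -> mov cl, 1Bh
            folded.add(slot)
        # A call is left alone: the callee works below esp, and any local whose address
        # was handed out is already in `escaped`.

    # A folded slot whose only remaining mentions are immediate stores is dead storage.
    parsed_out = [_parse(l) for l in out]
    dead = {s for s in folded if not any(s in l and _imm_store(m, o) != s
                                         for (m, o), l in zip(parsed_out, out))}
    return "\n".join(l for (m, o), l in zip(parsed_out, out) if _imm_store(m, o) not in dead)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE))
```

On the constructed listing the var_1 and var_4 detours collapse to `mov cl, 1Bh` and `mov edx, 0DEADh` with their stores removed, while the var_8 store, lea and reload survive untouched because the address escaped. The same two rules (forget state at merge points, never fold a slot that is referenced any other way) are what keep this kind of peephole from miscompiling real code.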

Once this component is installed, Sefnit attempts to redirect browser search results for the Bing, Yahoo! and Google search engines. Win32/Sefnit is often installed by exploit kits such as “Blackhole” (detected as Blacole), or distributed on file sharing networks under enticing “keygen” or “crack” style file names.

Looking at the December 2011 reports from the 81,147 unique customer machines that reported a Sefnit infection to the MMPC, the other threat families most frequently reported from those same machines were:

  • FakeRean was the most reported family, affecting 9.78% of these computers
  • Blacole was the second most reported family, affecting 9.3%
  • Following closely in third place was Sirefef, affecting 9.15%

Consider this month’s release of the MSRT like a digital beagle, sniffing out Sefnit as if it were a doggy biscuit and disposing of it properly. Thank you for reading!

Scott Molenkamp
MMPC Melbourne

Categories: Blacole, FakeRean, MSRT, Sirefef, Win32/Sefnit