Trojan.Win32.Sirefef.pm

by Atlantis on April 17th, 2012 in Malware Descriptions.

Detect: Trojan.Win32.Sirefef.pm
Platform: Win32
Type: Trojan
md5: 065EFD579429DE85C9A0C55DF7E8CABE
sha1: 0a6b40809556199f0e746bf37e7ab29b97c4a90eb84d85360a1caf065c190ca

Summary

This is malicious software designed to download other malicious programs and install them on the user's PC. It is implemented as an NT kernel-mode driver.

Technical Details

Installation

Once launched, the malicious program creates the following folder:

%SystemRoot%\$NtUninstallKB<rnd>$

where <rnd> is a random number.

Then the malicious program infects a randomly chosen driver from the folder:

%SystemRoot%\system32\drivers

The malicious program overwrites the beginning of the chosen driver file with its own body. Before doing so, it saves a copy of the original driver in the folder created earlier by the rootkit, under a random name consisting of 8 random Latin letters.

A reparse point is created for the folder:

%SystemRoot%\$NtUninstallKB<rnd>$

where <rnd> is a random number.

The reparse point links this folder to a device created by the malicious driver. The device name is a random 8-digit hexadecimal number, for example:

\\.\ce50db80

The malicious driver blocks normal access to this folder: its contents can be reached only through the device created by the driver, and only by the malicious program's own components. All files in the folder are stored encrypted and are decrypted transparently when they are read through the rootkit device. As a result, the folder contents are accessible only to the malware's components.

Payload

Once launched, the rootkit downloads its components from the Internet and saves them as files in the folder created earlier:

%SystemRoot%\$NtUninstallKB<rnd>$

where <rnd> is a random number.

The rootkit uses a domain generation algorithm that depends on the current date to produce the names of its command servers. The generated domains are in the ".cn" zone.

Once the components have been downloaded successfully, the rootkit injects them into user-mode processes. The injection is performed from the driver into the address space of a user process: memory pages containing the malicious code are mapped into the process, and the code is started by queueing an APC to one of its threads that is in an alertable wait state.

In addition, the rootkit replaces the system section object "\KnownDlls\mswsock.dll" with its own section object containing the code of a malicious DLL. As a result, the malicious DLL is loaded into every process that uses the system "mswsock.dll" library. Once initialized, the malicious library loads the original "mswsock.dll" into the process address space, so the system keeps working normally and the substitution is not noticed.

Depending on the modification of the malicious program, the components loaded by the rootkit may have the following functionality:

  • Hooking the API functions used to send data over the network, in order to steal the user's passwords to FTP servers.
  • Artificially inflating the visit counts of websites, the list of which is received from the command server.
  • Redirecting search queries made on popular search engines (Google, Bing, Yahoo) to the intruders' sites, substituting the search results.

Malware Hiding in System

The rootkit hides its driver from the list of loaded modules by unlinking the driver's LDR_DATA_TABLE_ENTRY from the PsLoadedModuleList linked list.

In addition, the rootkit hides the modified content of the infected driver. When the infected driver file is read, the original file content is returned instead. The copy of the original file is located in the folder:

%SystemRoot%\$NtUninstallKB<rnd>$

where <rnd> is a random number.

The substitution of the infected file's content is performed by filtering IRP_MJ_SCSI requests between the FDO and PDO devices in the disk device stack. To do this, the rootkit replaces the pointer to the device that follows the FDO in the disk stack with a pointer to a device created by the rootkit driver.
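The following is an added example, not code from the original description or from the malware itself: a user-mode model of the sector-level substitution described above. The disk contents, the sector range occupied by the infected driver (INFECTED_LBA, INFECTED_COUNT), and the function names (pdo_read, rootkit_filter_read, fdo_read, read_byte) are assumptions made for illustration; the real rootkit does this inside its IRP_MJ_SCSI handling below the disk FDO. The point to take away is that anything reading the file through the normal stack, including an on-box antivirus scan, receives the clean bytes, while only a read that bypasses the filtered stack (a raw read from a clean boot, or an offline image of the disk) shows the infection.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR       512
#define DISK_SECTORS 16

/* "Physical disk" as the PDO returns it. Constructed sample data, not a real image. */
static uint8_t disk[DISK_SECTORS * SECTOR];

/* Sectors occupied by the infected driver file (assumed layout) and the clean
 * copy the rootkit saved before overwriting the file's beginning. */
#define INFECTED_LBA   4
#define INFECTED_COUNT 3
static uint8_t original_copy[INFECTED_COUNT * SECTOR];
static int sample_ready;

/* Build the sample: the driver file is all 'O' bytes; infection overwrites its
 * first sector with the rootkit body ('R') after saving the original. */
static void setup_sample_disk(void) {
    if (sample_ready) return;
    memset(disk, 0, sizeof disk);
    memset(disk + INFECTED_LBA * SECTOR, 'O', INFECTED_COUNT * SECTOR);
    memcpy(original_copy, disk + INFECTED_LBA * SECTOR, sizeof original_copy);
    memset(disk + INFECTED_LBA * SECTOR, 'R', SECTOR);
    sample_ready = 1;
}

/* Lowest layer (PDO): always returns what is really on the platters. */
static void pdo_read(uint32_t lba, uint32_t count, uint8_t *out) {
    memcpy(out, disk + (size_t)lba * SECTOR, (size_t)count * SECTOR);
}

/* Rootkit device inserted below the FDO: completes the request from the PDO,
 * then overwrites the part overlapping the infected file with the clean copy. */
static void rootkit_filter_read(uint32_t lba, uint32_t count, uint8_t *out) {
    pdo_read(lba, count, out);
    uint32_t req_end = lba + count, inf_end = INFECTED_LBA + INFECTED_COUNT;
    uint32_t lo = lba > INFECTED_LBA ? lba : INFECTED_LBA;   /* overlap is [lo, hi) */
    uint32_t hi = req_end < inf_end ? req_end : inf_end;
    if (lo < hi)
        memcpy(out + (size_t)(lo - lba) * SECTOR,
               original_copy + (size_t)(lo - INFECTED_LBA) * SECTOR,
               (size_t)(hi - lo) * SECTOR);
}

/* Top of the stack (FDO): what the file system, and any scanner reading the
 * file through it, actually receives. */
static void fdo_read(uint32_t lba, uint32_t count, uint8_t *out) {
    rootkit_filter_read(lba, count, out);
}

/* Byte at `off` of a `count`-sector read starting at `lba`, either through the
 * filtered stack (via_fdo = 1) or straight from the PDO (via_fdo = 0).
 * Returns -1 for a request outside the sample disk. */
int read_byte(int via_fdo, uint32_t lba, uint32_t count, size_t off) {
    uint8_t buf[DISK_SECTORS * SECTOR];
    setup_sample_disk();
    if (lba + count > DISK_SECTORS || off >= (size_t)count * SECTOR) return -1;
    if (via_fdo) fdo_read(lba, count, buf); else pdo_read(lba, count, buf);
    return buf[off];
}

int main(void) {
    printf("first sector of the driver via FDO: '%c'   via PDO: '%c'\n",
           read_byte(1, INFECTED_LBA, 1, 0), read_byte(0, INFECTED_LBA, 1, 0));
    return 0;
}
```

The practical consequence for removal is that file hashes and signature checks of drivers taken on the running, infected system are not trustworthy; they must be taken from the disk mounted under a clean operating system.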

The rootkit driver implements fairly complex logic for this: it identifies requests that read or write the sectors where the infected file is stored and returns the content of the original file in their place. In addition, the rootkit can hide the processes of other malware that it installs. For this purpose, it unlinks the EPROCESS kernel object of the process to be hidden from the EPROCESS.ActiveProcessLinks linked list.
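The following is an added example, not the rootkit's code and not part of the original description: a user-mode model of the direct kernel object manipulation used both for the driver (LDR_DATA_TABLE_ENTRY unlinked from PsLoadedModuleList) and for hidden processes (EPROCESS unlinked from ActiveProcessLinks), together with the cross-view check a memory forensics tool uses to expose it. LIST_ENTRY and the list routines mirror the Windows kernel's InsertTailList/RemoveEntryList; the MODULE_ENTRY record, the module names and the "pool" array standing in for a pool scan are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Simplified stand-in for LDR_DATA_TABLE_ENTRY (the same applies to EPROCESS
 * and its ActiveProcessLinks): the list links first, then a name. */
typedef struct {
    LIST_ENTRY InLoadOrderLinks;
    char Name[32];
} MODULE_ENTRY;

#define MAX_MODULES 8
static MODULE_ENTRY pool[MAX_MODULES];   /* every object that exists in memory */
static int pool_count;
static LIST_ENTRY PsLoadedModuleList;    /* the list head the OS walks */

static void InitializeListHead(LIST_ENTRY *h) { h->Flink = h->Blink = h; }

static void InsertTailList(LIST_ENTRY *h, LIST_ENTRY *e) {
    e->Flink = h;
    e->Blink = h->Blink;
    h->Blink->Flink = e;
    h->Blink = e;
}

/* Mirrors the kernel's RemoveEntryList: the neighbours are rewired past the
 * entry; the entry itself keeps its old Flink/Blink, still pointing into the list. */
static void RemoveEntryList(LIST_ENTRY *e) {
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

static void load_sample_modules(void) {
    /* Constructed sample: arbitrary names, not taken from an infected system. */
    const char *names[] = { "ntoskrnl.exe", "hal.dll", "ndis.sys", "acpi.sys", "serial.sys" };
    InitializeListHead(&PsLoadedModuleList);
    pool_count = 0;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        MODULE_ENTRY *m = &pool[pool_count++];
        snprintf(m->Name, sizeof m->Name, "%s", names[i]);
        InsertTailList(&PsLoadedModuleList, &m->InLoadOrderLinks);
    }
}

static MODULE_ENTRY *find_in_pool(const char *name) {
    for (int i = 0; i < pool_count; i++)
        if (strcmp(pool[i].Name, name) == 0) return &pool[i];
    return NULL;
}

/* View 1: what an API that walks the list reports. */
static int count_listed(void) {
    int n = 0;
    for (LIST_ENTRY *e = PsLoadedModuleList.Flink; e != &PsLoadedModuleList; e = e->Flink) n++;
    return n;
}

static int is_listed(const MODULE_ENTRY *m) {
    for (LIST_ENTRY *e = PsLoadedModuleList.Flink; e != &PsLoadedModuleList; e = e->Flink)
        if (e == &m->InLoadOrderLinks) return 1;
    return 0;
}

typedef struct {
    int listed;          /* modules visible by walking the list */
    int hidden;          /* objects present in the pool but absent from the list */
    int orphan_link;     /* a hidden entry's Flink->Blink no longer points back at it */
    char hidden_name[32];
} SCENARIO_RESULT;

/* Load the sample, unlink `hide` the way the rootkit does, then run the
 * cross-view check (pool scan versus list walk) a forensic tool would run. */
SCENARIO_RESULT run_scenario(const char *hide) {
    SCENARIO_RESULT r = { 0, 0, 0, "" };
    load_sample_modules();
    MODULE_ENTRY *target = find_in_pool(hide);
    if (target) RemoveEntryList(&target->InLoadOrderLinks);   /* the DKOM hide */

    r.listed = count_listed();
    for (int i = 0; i < pool_count; i++) {
        if (is_listed(&pool[i])) continue;
        if (r.hidden == 0) snprintf(r.hidden_name, sizeof r.hidden_name, "%s", pool[i].Name);
        r.hidden++;
        /* Second heuristic: for a live entry Flink->Blink == self holds; for an
         * unlinked one it does not, because the neighbours were rewired past it. */
        LIST_ENTRY *e = &pool[i].InLoadOrderLinks;
        if (e->Flink->Blink != e) r.orphan_link = 1;
    }
    return r;
}

int main(void) {
    SCENARIO_RESULT r = run_scenario("serial.sys");
    printf("list walk sees %d modules; pool scan finds %d hidden (%s); orphan link: %d\n",
           r.listed, r.hidden, r.hidden_name, r.orphan_link);
    return 0;
}
```

The same two checks, an object scan compared against the list walk and the Flink/Blink consistency of each entry, are what a memory analysis of a system infected with this rootkit should rely on, since any enumeration that walks PsLoadedModuleList or ActiveProcessLinks on the live system will simply not see the unlinked objects.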

Removal recommendations

  1. Run a full scan of your computer using an antivirus program with an up-to-date definition database (Download Ad-Aware Free).