Get some Popchips, have a seat, and read the newest info about a new MBR-infecting malware. Keep in mind that these are not new techniques, just a new name for an old technique.
According to the Israeli security company Seculert, Shamoon relies on a one-two punch: it first takes control of a system connected to the Internet, then spreads to other PCs on the organization's network.
For the attacking process, the Internet-connected machine acts as the relay to the command-and-control server. The other infected machines on the internal network hand their stolen data to that first machine, and a separate component running on it accepts the data and forwards it to the attackers' servers, so only one machine ever talks to the outside.
We call this relay computer the "master". It is the core computer used to send data to the server, and it can accept data from many internal computers, not just one. This is similar to the botmasters we see on IRC networks, except that here the relaying is fully automatic.
The shocking part is that the malware cripples the computer after the data is stolen. Normally, malware writers or hackers just withdraw from a computer and leave no damage behind beyond one or two infected files. At this point it is unknown what algorithm is used to overwrite the files, but it is known that the MBR is overwritten in the process.
What does this malware overwrite? Documents, pictures, videos, etc.: it goes after personal, otherwise salvageable data. Sadly, even after removing the malware, your data cannot be recovered. It does not hold the data for ransom; it simply overwrites it. It is also unknown yet whether the overwritten files contain malicious code that, when executed, would deliver more malware to the computer. That question only matters if the MBR infection can be cleaned first and the operating system made bootable again.
In the end, it’s just another malware to be removed!
Now, time for technical details:
- Reporting agent (keeps in touch with the attacker): %systemroot%\system32\netinit.exe
- Dropper (installs the other components on the system): %systemroot%\system32\trksrv.exe
- Kernel-mode driver (a clean, legitimately signed driver that provides raw disk access, so the MBR can be overwritten): %systemroot%\system32\drivers\drdisk.sys
- File-wiping module (literally wipes files on the system): %systemroot%\system32\[RANDOM_NAME].exe
Service information for trksrv.exe:
Display Name: Distributed Link Tracking Server
Service name: TrkSrv
File name: trksrv.exe
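A quick way to check a machine against the artifacts listed above, written as an added example for this post (it is not part of the original, and it is not a vendor tool). The file names and the TrkSrv service name are the ones listed above; the way the service list is supplied (a dict of service name to image path, for instance built from `sc query` or Get-Service output) is an assumption of this example.

```python
"""Check a Windows system root for the Shamoon artifacts listed above.

Added example, not part of the original post. File names and the
TrkSrv service name come from the post; the service snapshot format
(service name -> image path) is an assumption of this example.
"""
import os
from pathlib import Path

# Relative paths (under %systemroot%) taken from the post.
KNOWN_FILES = {
    "reporting agent": Path("system32") / "netinit.exe",
    "dropper": Path("system32") / "trksrv.exe",
    "kernel-mode driver": Path("system32") / "drivers" / "drdisk.sys",
}
# Service name and display name from the post (the display name
# imitates a legitimate Windows service, so match on name and binary).
SERVICE_NAME = "trksrv"
SERVICE_DISPLAY = "Distributed Link Tracking Server"


def find_dropped_files(systemroot):
    """Return {component: path} for each known artifact present under systemroot."""
    root = Path(systemroot)
    return {name: root / rel for name, rel in KNOWN_FILES.items()
            if (root / rel).is_file()}


def find_service(services):
    """services: {service_name: image_path}. Returns (name, image) or None.

    Windows service names are case-insensitive, so compare lowercased;
    also catch a renamed service whose binary is still trksrv.exe."""
    for name, image in services.items():
        if name.lower() == SERVICE_NAME or "trksrv.exe" in image.lower():
            return name, image
    return None


def assess(systemroot, services):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"{comp}: {path}" for comp, path in find_dropped_files(systemroot).items()]
    svc = find_service(services)
    if svc:
        findings.append(f"service {svc[0]} -> {svc[1]}")
    return findings


if __name__ == "__main__":
    sysroot = os.environ.get("SystemRoot", r"C:\Windows")
    snapshot = {}  # hypothetical: fill from `sc query`/Get-Service on a real host
    findings = assess(sysroot, snapshot)
    for line in findings:
        print("FOUND", line)
    if not findings:
        print("no Shamoon artifacts found under", sysroot)
```

The file check alone is weak evidence (a name can be changed), so the service check is the more useful half: a service named TrkSrv, or any service whose image path points at trksrv.exe, is worth pulling for analysis.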
After it has deleted or modified the MBR, you may get one of a few messages at system startup:
- Operating System not found (probably about 75% of the time)
- (Windows Advanced Options Menu appears) Windows has failed to start... (probably about 10% of the time)
- Blue Screen of Death (probably the other 15% of the time)
The percentages in parentheses are only speculation. Whatever the message, the point is that this malware leaves the system failing or unable to boot. Beware!
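Why a wiped MBR produces those different symptoms comes down to what the firmware finds in sector 0. The following is an added example (not from the original post) that parses a 512-byte MBR and classifies it: a classic BIOS checks for the 0x55AA signature at offset 510 before jumping to the boot code, so a zeroed or junk-filled sector is rejected outright ("Operating System not found"), while a sector whose signature survives but whose boot code or partition table is damaged can get further and fail later in the boot. The sample sectors are constructed for the example.

```python
"""Parse an MBR sector and say what the firmware will make of it.

Added example, not from the original post. Sample sectors are constructed.
"""
import struct

SECTOR = 512
SIG_OFFSET = 510
BOOT_SIG = b"\x55\xaa"
PART_TABLE_OFFSET = 446
PART_ENTRY = 16
# Partition entry layout: status, CHS start (3), type, CHS end (3), LBA start, LBA count
ENTRY_FMT = "<B3xB3xII"


def parse_partitions(sector):
    """Return the four partition-table entries as dicts (empty ones included)."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY
        status, ptype, lba_start, lba_count = struct.unpack_from(ENTRY_FMT, sector, off)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": lba_count})
    return parts


def diagnose_mbr(sector):
    """Classify a 512-byte sector: 'ok', 'zeroed', 'no_signature' or 'no_bootable'."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector == b"\x00" * SECTOR:
        return "zeroed"          # wiped with zeros: no signature, nothing to boot
    if sector[SIG_OFFSET:] != BOOT_SIG:
        return "no_signature"    # overwritten with junk: firmware rejects it
    parts = parse_partitions(sector)
    if not any(p["bootable"] and p["type"] for p in parts):
        return "no_bootable"     # signature intact but no active partition
    return "ok"


def build_sample_mbr(boot_code=b"\xfa\xeb\xfe", active=True):
    """Construct a minimal valid MBR with one NTFS partition (for the example).

    The default boot code is a placeholder (cli; jmp $), not real loader code."""
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    entry = struct.pack(ENTRY_FMT, 0x80 if active else 0x00, 0x07, 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY] = entry
    sector[SIG_OFFSET:] = BOOT_SIG
    return bytes(sector)


def read_first_sector(path):
    """Read sector 0 from a disk image file.

    On Windows, running as administrator, the same call works on the raw
    device name (pass r"\\.\PhysicalDrive0")."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


if __name__ == "__main__":
    samples = {
        "intact": build_sample_mbr(),
        "zeroed": b"\x00" * SECTOR,
        "junk": bytes((i * 37 + 11) % 256 for i in range(SECTOR)),
        "inactive": build_sample_mbr(active=False),
    }
    for name, sec in samples.items():
        print(f"{name:9s} -> {diagnose_mbr(sec)}")
```

Because the verdict only needs the first 512 bytes, the same routine works on a forensic image of a wiped disk, which is the practical way to confirm that the MBR was hit and not just the operating system files.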
A product such as Malwarebytes' Anti-Malware can help block the download and installation of computer-controlling malware like this.
In addition, a good data backup plan is the best protection against the damage this kind of malware causes, since wiped files cannot be recovered after the fact.
In this frequently asked questions post, I will publish some of the questions people ask me about Sirefef or ZeroAccess, along with answers from my own experience.
Q: How to protect from this atrocity?
Q: Are Sirefef and ZeroAccess the same thing?
A: Yes! They are the same thing, given different names by different antivirus companies. This is sometimes due to language differences and sometimes to competition between vendors.
Q: Can the ZeroAccess virus infect my flash drive?
A: I doubt the virus could activate from the flash drive on its own, but a drive that was plugged in while you were logged on to the infected Windows system may have been written to. If you're worried about accidentally running something from the flash drive, use USB Immunizer from BitDefender to immunize it against autorun-based infection.
Q: Should my passwords be changed after the ZeroAccess infection? Is it only active ones to change?
A: All active passwords, and even passive ones, need to be changed. If you're unsure about the passive ones, don't base a new password on an old one; go completely fresh with new passwords. See more on passwords.
Q: What is Sirefef, how did it infect my computer, or when are new variants released?
A: Sirefef, or ZeroAccess, is a constantly changing rootkit, virus and/or backdoor trojan. It is still being watched and studied constantly, with 2-3 new variants every two weeks. We stay abreast of all changes.
Q: How did Sirefef infect me?
A: Viruses and other malware are commonly delivered through web pages, either through iFrame injection or through exploitation of a vulnerable plugin. In the iFrame case, malware authors inject a tiny (1x1 px) iFrame into a compromised page; the iFrame loads scripts that exploit the visitor's browser or plugins and automatically download and install malware on the target machine. The vulnerable-plugin problem arises when people fail to update Adobe Reader, Adobe Flash Player, the Java Runtime Environment, Apple QuickTime, Mozilla Firefox, etc. Many times, malware authors target these out-of-date versions with an exploit that lets them take control of the computer.
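The injected iFrame is easy to miss by eye because it renders as nothing, but it is easy to find in the page source. The following is an added example (not part of the original post) that scans HTML for iFrames a visitor would never see: ones declared 1x1 or 0x0, or hidden with CSS. The sample page and the attacker host name in it are constructed, and the heuristic is this example's own, not a vendor signature.

```python
"""Flag hidden or tiny iframes in an HTML page (the injection pattern above).

Added example, not from the original post. SAMPLE_HTML is constructed and
the attacker host name in it is made up.
"""
from html.parser import HTMLParser

# Constructed sample: a normal page with two injected iframes appended.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://attacker.invalid/in.php" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://attacker.invalid/x.php" style="display: none"></iframe>
</body></html>"""


def _dimension(value):
    """Parse '1', '1px', '0%' -> int; missing or unparsable counts as unknown (None)."""
    if value is None:
        return None
    digits = "".join(ch for ch in value if ch.isdigit())
    return int(digits) if digits else None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are effectively invisible to the visitor."""

    def __init__(self):
        super().__init__()
        self.suspects = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)  # attribute names are already lowercased by HTMLParser
        width, height = _dimension(a.get("width")), _dimension(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = any(d is not None and d <= 1 for d in (width, height))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            self.suspects.append({"src": a.get("src"),
                                  "reason": "tiny" if tiny else "hidden"})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reason'} for iframes the visitor would never see."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    parser.close()
    return parser.suspects


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_HTML):
        print(f"suspicious iframe ({hit['reason']}): {hit['src']}")
```

Run it over the served HTML of a site you suspect has been compromised, or over pages fetched by a proxy; a hit is not proof by itself (analytics widgets also use tiny frames), but the src should always be a domain you can account for.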
Other malware is distributed by exploiting bugs in the operating system or in installed programs. Programs, and very often Windows itself, become vulnerable to attack because of certain bugs in their code.
Those who do not have proper Internet security protection will fall victim to these exploits.
Many people are being hit with Sirefef because of these exploits. I'd say 3/4 of the people I've seen here on the forums have out-of-date plugins, inevitably leading to infection. Sirefef is one of the most prevalent and actively developed malware problems of the past year.