Tag Archive | Sirefef

Fall Malware Threats 2012

Latest release of Fall Malware for 2012 from seCURE Connexion

The goal in releasing a compiled list of the threats that security companies will be dealing with most this Fall is to instruct users on the latest infection vectors, so that they understand how important it is to keep an antivirus program up to date.

Most of the malware threats listed below are aggregated from what security companies are currently dealing with most, and there is no sign of that ending anytime soon. They are listed in order of distribution, most widespread first.

KEY: Vir=Virus, Rtk=Rootkit, Trj=Trojan, WM=Worm, Adw=Adware, Spy=Spyware

  1. Trj.ZeroAccess (Sirefef)
  2. Trj.Agent
    • The Agent trojan is a backdoor proxy trojan that attempts to change the proxy settings on the target computer in order to redirect search results and browsing activity, in an attempt to earn money or mine bitcoins.
    • Outlook: This appears to be the most frequently updated trojan seen to date, and it will continue to be a problem with all of its low-to-medium-risk threats.
  3. Vir.Sality
    • See Microsoft’s writeup
    • Outlook: Sality has been a problem for a few years now, and it will remain one. It infects almost every user and system file on the operating system.
  4. Rtk.TDL4/TDSS
    • See Microsoft’s writeup
    • Outlook: TDL4 has continued to be a problem and will continue to be a problem as long as computers have a working master boot record.
  5. Adw.FakeAV
    • See Microsoft’s writeup
    • Outlook: Fake or rogue antivirus has been a problem for over four years, scamming users into buying bogus antivirus software. It will continue to be a problem for at least the next six months to a year.

ZeroAccess/Sirefef infects up to 9 million PCs

The ZeroAccess rootkit, which some know as Sirefef, has grown its command and control servers over the past year. It has now spread all around the globe to infect up to 9 million PCs. Its botnet started growing rapidly once it hit one million infections, and has now multiplied that by 9.

Like the new TDL4 variant, it can create its own hidden partition, which is problematic for PC users because they normally have no idea that a hidden partition exists. Tools like TDSSKiller, though, can see through its disguise. There are two botnets, each with a 32-bit and a 64-bit version (four botnets in total), and it is usually distributed by exploits.

Fast facts:

The latest versions seem to have no kernel-mode components, so they no longer infect drivers as earlier versions did. Instead, the malware uses user-mode components and drops a directory named with its own GUID (CLSID) in the following locations:

  • c:\windows\installer\{GUID STRING}
  • c:\users\<user>\AppData\Local\{GUID STRING}
  • C:\Windows\System32\config\systemprofile\AppData\Local\{GUID STRING}
  • C:\RECYCLER\S-x-x-x\${RANDOM STRING}

It also parks its own infections in these locations:

  • C:\Windows\assembly\GAC\Desktop.ini
  • If on x64: c:\windows\assembly\GAC_32\Desktop.ini AND c:\windows\assembly\GAC_64\Desktop.ini
  • Infects c:\windows\system32\services.exe

The ports used by each version of the botnet:

  1. Port numbers 16464 and 16465 are used by one botnet for both 32 and 64 bit platforms.
  2. Port numbers 16470 and 16471 are used by the other botnet for both platforms.

It commits two types of fraudulent activity:

  1. Click fraud
  2. Bitcoin mining
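To turn the file locations and port numbers listed above into something a responder can actually run, here is an added detection example (my own code, not from seCURE Connexion): it classifies file paths against the GUID, RECYCLER and GAC Desktop.ini indicators and flags `netstat -ano` rows that use one of the four botnet ports. All sample paths and netstat rows are constructed; the infected services.exe is not covered, since that needs a file-integrity check rather than a path match.

```python
import re
from typing import List, Optional, Tuple

# Path indicators from the post's "Fast facts": GUID-named directories under
# Installer, the user's AppData\Local and the systemprofile AppData\Local, a
# $-prefixed random name under a RECYCLER SID folder, and Desktop.ini in the
# GAC folders. Matching is case-insensitive; all sample inputs are constructed.
GUID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
END = r"(\\|$)"  # the indicator directory itself, or anything inside it
PATH_PATTERNS = [
    ("installer-guid", r"^[a-z]:\\windows\\installer\\" + GUID + END),
    ("user-appdata-guid", r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\" + GUID + END),
    ("systemprofile-guid",
     r"^[a-z]:\\windows\\system32\\config\\systemprofile\\appdata\\local\\" + GUID + END),
    ("recycler-random", r"^[a-z]:\\recycler\\s-\d+(-\d+)+\\\$[^\\]+" + END),
    ("gac-desktop-ini", r"^[a-z]:\\windows\\assembly\\gac(_32|_64)?\\desktop\.ini$"),
]
PATH_PATTERNS = [(name, re.compile(rx, re.I)) for name, rx in PATH_PATTERNS]
C2_PORTS = {16464, 16465, 16470, 16471}  # the two botnets, 32- and 64-bit each

def classify_path(path: str) -> Optional[str]:
    """Return the indicator name a path matches, or None for an ordinary path."""
    for name, pattern in PATH_PATTERNS:
        if pattern.search(path):
            return name
    return None

def flag_netstat(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """Flag 'netstat -ano' rows whose local or remote port is a C2 port.
    Returns (proto, local, remote, pid); listening sockets count too."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        ports = [ep.rpartition(":")[2] for ep in parts[1:3]]  # "*:*" -> "*"
        if any(p.isdigit() and int(p) in C2_PORTS for p in ports):
            hits.append((parts[0], parts[1], parts[2], parts[-1]))
    return hits

if __name__ == "__main__":  # constructed samples; the GAC_MSIL line is benign
    for p in [r"C:\Windows\Installer\{c1f2a3b4-5d6e-4f70-8a9b-0c1d2e3f4a5b}\data.bin",
              r"C:\RECYCLER\S-1-5-21-1234567890-1234567890-1234567890-1000\$9f2c7e1a",
              r"C:\Windows\assembly\GAC_MSIL\Desktop.ini"]:
        print(classify_path(p), p)
    print(flag_netstat([
        "  TCP    192.168.1.20:49812     203.0.113.7:16464      ESTABLISHED     1448",
        "  UDP    0.0.0.0:16471          *:*                                    1448",
        "  TCP    192.168.1.20:49813     93.184.216.34:443      ESTABLISHED     2210"]))
```

Feed it the output of `dir /s /b` and `netstat -ano` from the suspect machine; a hit on both a GUID directory and one of the ports is a strong signal, while a lone Desktop.ini hit deserves a closer look before acting.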

FAQ: How did Sirefef or ZeroAccess Infect You?

In this frequently asked questions post, I will publish some of the questions people ask me, along with answers based on my experience with Sirefef or ZeroAccess.

Q: How do I protect myself from this atrocity?

A: Get the review of Malwarebytes’ Anti-Malware

Q: Are Sirefef and ZeroAccess the same thing?

A: YES! They are the same thing, but named differently by many antivirus companies, sometimes due to language translations and competitiveness.

Q: Can the ZeroAccess virus infect my flash drive?

A: I doubt that the virus could activate on the flash drive, unless you plugged it in while logged on to the infected Windows system. If you’re worried about accidentally running something from the flash drive, use USB Immunizer from BitDefender to disinfect it.

Q: Should my passwords be changed after the ZeroAccess infection? Do only the active ones need to be changed?

A: All active passwords, and even passive ones, need to be changed. If you’re unsure about the passive ones, don’t base new passwords on old ones; start fresh with entirely new passwords. See more on passwords.

Q: What is Sirefef, how did it infect my computer, or when are new variants released?

A: Sirefef or ZeroAccess is a transitional rootkit, virus, and/or backdoor trojan. It is still being watched and studied constantly, with 2-3 new variants appearing every two weeks. We stay abreast of all changes.

Q: How did Sirefef infect me?

A: Viruses and other malware are commonly embedded into webpages through iFrame exploits or through exploitation of vulnerable plugins. For iFrame exploits, malware authors create a small (1x1px) iFrame containing the scripts needed to run malware on a target machine by automatically downloading and installing it. The vulnerable plugin problem arises when people fail to update Adobe Reader, Adobe Flash Player, Java Runtime Environment, Apple QuickTime, Mozilla Firefox, etc. Malware authors often use these vulnerable plugin versions to deliver an exploit, which can allow them to take control of a computer.

Other malware is distributed by means of operating system and program bugs. Sometimes programs, and very often Windows itself, become vulnerable to attack because of bugs in their code.

Those who do not have proper Internet security protection will fall victim to exploits.

Many people are being hit with Sirefef because of these exploits. I’d say 3/4 of the people I’ve seen here on the forums have out-of-date plugins, inevitably leading to infection. Sirefef is one of the most prevalent and most actively developed malware problems of the past year.

It is highly recommended to have proper Internet security protection! We recommend you read that post and pick out a premium antivirus program for your computer RIGHT AWAY!