Win32/Sirefef

Installation

We have seen the dropper component of Win32/Sirefef distributed by exploits and programs that promote software-piracy, like "keygens" and "cracks" (programs designed to bypass software licensing).

Variants of Win32/Sirefef might also be dropped or installed by other malware, including variants of the Trojan:Win32/Necurs family.

In the wild, we have seen newer Sirefef variants copying themselves as GoogleUpdate.exe, and dropping that file into the following folders along with a file with the name @:

• %ProgramFiles% \Google\Desktop\Install\<GUID>\<non-printable bytes>\<non-printable bytes>\<non-printable bytes>\<GUID>\
• %LOCALAPPDATA% \Google\Desktop\Install\<GUID>\<non-printable bytes>\<non-printable bytes>\<non-printable bytes>\<GUID>\

where <GUID> is a series of characters unique to your PC.

This might look like %ProgramFiles%\Google\Desktop\Install\{17727cf2-f323-850a-10b1-029cdc14179d}\ \ \<\x2E\x20\xF9\xFB\x5B\x0E>\{17727cf2-f323-850a-10b1-029cdc14179d}\GoogleUpdate.exe.

The @ file contains information that Sirefef can use to find other infected PCs

They make those files run every time you start your PC by adding a system service with the name L"<right-left unicode character>etadpug" (which will appear as gupdate) and changing the registry:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: ""
With data: "<location and name of the GoogleUpdate.exe file>"

Other variants have been seen dropping the @ file and a file called nto a chosen directory, for example, C:\recycler\s<removed>\<removed>.

The n file contains malicious code used for peer-to-peer (P2P) communication.

They make the following changes to the registry so Sirefef runs each time you start your PC:

In subkey: HKLM\Software\Classes\clsid\{5839fca9-774d-42a1-acda-d6a79037f57f}\InprocServer32
Changes value: "(Default)"
From data: "<system folder>\wbem\wbemess.dll"
With data: "<path to n>" (for example, "c:\recycler\s<removed>\<removed>\n")

Older variants of Sirefef try to replace a randomly-selected system driver with its own malicious copy. The replaced driver could be any of the following:

• afd.sys
• i8042prt.sys
• ipsec.sys
• mrxsmb.sys
• netbt.sys
• raspppoe.sys
• serial.sys

This list is not comprehensive.

The replaced driver will load each time you start your PC. The replaced driver might be detected as a variant of Virus:Win32/Sirefef or as TrojanDropper:Win32/Sirefef.B.

Payload

Downloads and runs other files

Sirefef uses a peer-to-peer (P2P) protocol to download or update additional malware components from other PCs. The downloaded components are saved to the U\ directory in a hidden folder that it creates for this purpose. The downloaded components might:

• Change search results
• Generate pay-per-click advertising revenue for its controllers
• Run Bitcoin (digital currency) mining on the affected PC

Stops and deletes security-related services

Sirefef tries to stop and delete the following security-related services:

• Base Filtering Engine Service (bfe)
• IP Helper Service (iphlpsvc)
• Windows Defender Service (windefend)
• Windows Firewall Service (mpssvc)
• Windows Security Center Service (wscsvc)
• Windows Firewall
• Windows Update
• Multiple other services, including PolicyAgent, Program Compatibility Assistant Service (pcasvc), and RemoteAccess

Contacts remote hosts

Sirefef contacts a remote host to send information about your PC. This information can then be used to create a network of infected PCs that the malicious hacker can use for any purpose.

Turns off Windows Firewall

Sirefef tries to turn off Windows Firewall to make sure its own traffic won’t be blocked.

Additional information

Sirefef implements a disk-level hook to hide its presence on your PC. If an try is made to read the replaced driver, Sirefef returns the original, clean driver. Any changes that are made to this driver will have no impact on the PC, as the replacement, malicious driver will always run instead.

Sirefef includes a self-defense mechanism to protect against security related software; the malware tries to stop and delete any process that tries to access it.

Infects files/Uses stealth

Some Sirefef variants have been observed infecting services.exe with shellcode to load malicious data from Extended Attributes (EA). It uses Extended Attributes to store additional components which it later loads, as part of its effort to use stealth to hide itself on your PC.

Intercepts and hijacks network traffic

Some variants of Sirefef might drop a Windows Socket Service Provider file which it uses to intercept and/or hijack network activity, so it can redirect your browser.

In the wild, we have observed this file being dropped as:

• %windir%\assembly\GAC\desktop.ini
• %windir%\assembly\GAC_32\desktop.ini

Creates a folder in which to store other malware

Sirefef creates a special folder configured as a reparse point (a collection of user-defined data) in which to store additional malware components, as well as the original clean copy of the replaced driver.

The created folder uses the following format:

%SystemRoot% \$NtUninstallKB<number>

<number> is a randomly generated number.

The files stored under this folder are encrypted, and are not generally accessible.

Further reading

• MMPC Blog - Reversal of fortune: Sirefef's registry illusion
• MMPC Blog - The Wonder of Sirefef Plunder
• Naked Security - The ZeroAccess rootkits
• We live security - ZeroAccess? Much too much access…

Analysis by Chun Feng and Shawn Wang