

May 3rd, 2013

Regents of Louisiana spreading Sirefef malware

I was given a suspicious link pointing to the website of the Board of Regents of the State of Louisiana. The link consists of the main site, hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers> stands for several random digits and .exe is the executable extension.

[Image: govt_la_000]

A link looking like hxxp://regents.la.gov/wp-content/upgrade/<some_numbers>.exe seems suspicious at first glance. Websites that directly serve executable files without an installer, an archive, or any further information (hash, checksum, ...) are often interesting subjects for analysis.

Then I downloaded the file. It was 232 448 bytes. After executing it in our testing environment, I immediately noticed suspicious internet communication. First it connected to www.maxmind.com, a legitimate website offering various GeoIP information. The request and reply in my case are shown in the picture below.

[Image: govt_la_002]

The malware then makes several GET requests to www.e-zeeinternet.com with different page parameters.

[Image: govt_la_003]

e-zeeinternet is a service offering various web counters. Such web counters are sometimes used by cybercriminals to measure the size of their botnets.

[Image: govt_la_005]

The Sirefef family, as mentioned in the title, connects infected computers into a botnet. This botnet is peer-to-peer, which means there is no central command-and-control server through which the botnet operator controls it. Each member of the botnet keeps a list of several peers with which it maintains connections and communicates. The botnet cannot simply be deactivated by disconnecting the main communication node, because there is no such node.

When botnet operators want to measure the size of their botnet, they simply use innocent website counters. Every time the botnet dropper successfully completes an important step of its installation process (installation started, admin privileges acquired, rootkit installed, 32/64-bit environment detected, ...), it issues a GET request with a particular page parameter.

Botnet operators can then see how many computers they attempted to infect, and what portion of them were actually infected.

In the figure below, you can see a few counters with different page parameter values, collected during the infection of our testing computer. The numbers gradually decrease, because not all installation attempts succeed. In our example, it seems there were more than 800K attempts to install the virus, dropping to about 300K machines that were infected successfully.
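Both observations above, the executable served from a /wp-content/upgrade/<numbers>.exe path and the burst of GET requests to a web counter with changing page parameters after a GeoIP lookup, can be turned into a simple proxy-log check. The following Python script is an added example written for this post, not code from the original analysis or from the malware; the log format, the client addresses and the URL paths on the counter and GeoIP hosts are constructed assumptions (only the host names come from the post). It flags a client that fetched a numeric-name executable from that path, and a client that hit a threshold of distinct counter page IDs, noting when a GeoIP lookup preceded them:

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Indicators drawn from the analysis above. Only the host names appear in the
# post; the request paths used in the sample log below are assumptions.
DROPPER_PATH = re.compile(r"^/wp-content/upgrade/\d+\.exe$")
COUNTER_HOSTS = {"www.e-zeeinternet.com"}
GEOIP_HOSTS = {"www.maxmind.com"}

# Constructed sample proxy log, one request per line: "<client> <method> <url> <status>"
SAMPLE_LOG = """\
10.0.0.5 GET http://victim-site.test/index.html 200
10.0.0.5 GET http://victim-site.test/wp-content/upgrade/4821937.exe 200
10.0.0.5 GET http://www.maxmind.com/app/locate_my_ip 200
10.0.0.5 GET http://www.e-zeeinternet.com/count.php?page=1234567 200
10.0.0.5 GET http://www.e-zeeinternet.com/count.php?page=1234568 200
10.0.0.5 GET http://www.e-zeeinternet.com/count.php?page=1234569 200
10.0.0.7 GET http://victim-site.test/wp-content/upgrade/readme.txt 200
10.0.0.9 GET http://www.e-zeeinternet.com/count.php?page=42 200
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Split one log line into client, method, host, path and query; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("url"))
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "host": url.hostname or "",
        "path": url.path,
        "query": parse_qs(url.query),
    }


def analyze(log_text, beacon_threshold=3):
    """Return {client: [findings]} for the two behaviours described in the post."""
    findings = defaultdict(list)
    pages = defaultdict(set)   # client -> distinct counter page IDs it requested
    geoip_seen = set()         # clients that queried a GeoIP service
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        client = rec["client"]
        # 1. An executable with a purely numeric name under wp-content/upgrade/
        if DROPPER_PATH.match(rec["path"]):
            findings[client].append(
                f"executable fetched from wp-content/upgrade: {rec['host']}{rec['path']}"
            )
        # 2a. Remember GeoIP lookups; the dropper did one before its counter hits
        if rec["host"] in GEOIP_HOSTS:
            geoip_seen.add(client)
        # 2b. Collect distinct counter page IDs per client
        if rec["host"] in COUNTER_HOSTS and "page" in rec["query"]:
            pages[client].update(rec["query"]["page"])
    # A single counter hit is ordinary web traffic; several distinct IDs in a row
    # match the per-installation-step beaconing described above.
    for client, seen in pages.items():
        if len(seen) >= beacon_threshold:
            msg = f"{len(seen)} distinct counter page IDs hit on {', '.join(sorted(COUNTER_HOSTS))}"
            if client in geoip_seen:
                msg += " after a GeoIP lookup"
            findings[client].append(msg)
    return dict(findings)


if __name__ == "__main__":
    for client, notes in analyze(SAMPLE_LOG).items():
        for note in notes:
            print(f"{client}: {note}")
```

Only 10.0.0.5 is reported: 10.0.0.7 fetched a non-executable from the same directory, and 10.0.0.9 touched the counter once, which is normal browsing. The threshold is a tuning knob; raise it on networks where the counter service is legitimately popular.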

[Image: govt_la_004]

On a compromised computer, it is possible to record communication with many different IP addresses, which are other peers in the botnet.

[Image: govt_la_001]

Conclusion:

In this example we can see that even a binary downloaded from a legitimate website can be malicious.

We would like to thank PhysicalDrive0 for notifying us about this threat.

SHA-256:
3CFF3A5394FEFBD3BF032AA70AE2D725783F931C4888CBC41AD56CB5C094A415

Categories: analyses, Virus Lab Tags:
  • http://use2bawildchild@yahoo.com Lazarusthe2nd

    WOW! Seems the word goes out OK to even give everyone a date for when a big Cyber Attack is going to hit and the places most likely to be affected and I just don’t know what I would do if I didn’t get a warning! That takes me to the whole point of me leaving this blog. What in God's Green Earth can anyone at all do by knowing something could happen that no one can do anything about it? Why even tell people this threat could be coming when nothing could be done for the small time E-Net users. Are a group that found out about the problem no one can do anything about, just wanting to make themselves look smart?
