Jaromír Hořejší

3 May 2013

Regents of Louisiana spreading Sirefef malware

I was given a suspicious website link pointing to the website belonging to Board of Regents of State of Louisiana. This link points to the main website hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers>.exe represents several random numbers, followed by EXE extension.

A link looking like the following one hxxp://regents.la.gov/wp-content/upgrade/<some_numbers>.exe seems suspicious at first glance. Websites directly serving executable files without any installer, archive, and further information ( hash, checksum...) are often interesting subjects for analysis.

Then I downloaded the file. It had 232 448 bytes. After executing it in our testing environment, I immediately noticed suspicious internet communication. First it connected to www.maxmind.com, which is a legitimate website offering various GeoIP information. The request and reply were in my case as shown in the picture below.


Malware then makes several GET requests to www.e-zeeinternet.com with several different page parameters.


e-zeeinternet is a service offering various web counters. These web counters are sometimes used by cybercriminals to measure the size of their botnets.


Sirefef family, as mentioned in title, connects infected computers into a botnet. This botnet is peer-to-peer, which means that there is no central command and control server, which allows botnet operator to control it. Each member of this botnet has a list of several botnet peers which it maintains the connection and communicates with. Botnet cannot be simply deactivated by disconnecting the main communication node, because there is no such node.

If botnet operators want to measure the size of their botnet, they do it simply by using innocent website counters. Every time the botnet dropper successfully completes an important step in its installation process (installation started, admin privileges acquired, rootkit installed, 32/64 bit environment detected,...), then it calls GET requests with various page parameters.

Botnet operators can then see how many computers they attempted to infect, and what portion of these computers were actually infected.

In the figure below, you can see a few counters with different page parameter values, which were collected during infection of our testing computer. You can see that these numbers slowly decrease, because not all installation attempts succeeded. In our example, it seems that there were more than 800K attempts to install virus, decreased down to about 300K machines, which were infected successfully.


On a compromised computer, it is possible to record communication with many different IP addresses, which are other peers in the botnet.




In this example we can see that even a binary downloaded from legitimate website can be malicious.

We would like to thank PhysicalDrive0 for notifying us about this threat.


Threat Research, Security News