
Trojan.Sasfis: A Closer Look

Created: 16 Jul 2010 08:04:19 GMT • Updated: 23 Jan 2014 18:26:26 GMT • Translations available: 日本語
By Masaki Suenaga

In our recent article on Trojan.Sasfis we focused on the spam angle of the attack; in this piece we take a deeper look at this somewhat persistent threat, which our global sensors indicate is recently on the rise.

Distribution
To recap, Sasfis has been making a significant contribution to the global email volume for some time now through prolific spam campaigns, using guises such as Amazon_Tracking_Number_N[RANDOM NUMBER][LONG SPACE]DOC.exe and iTunes_certificate[RANDOM NUMBER].exe, with the latest round of email attachments purporting to be some kind of change log: Changelog_[DAY]_[MONTH]_2010.DOC[LONG SPACE].exe (for those who may not be aware, a change log will commonly have a .txt or .log extension, and possibly a .html or similar extension, but will certainly not be in an executable format, which is what .exe represents). Previous campaigns have involved Trojan.Bredolab variants pretending to be tracking emails from UPS or DHL which, if executed, then install Trojan.Sasfis - rather incestuous behavior to say the least. Variants to date have also included .DOC or .PDF in the filename, trying to disguise themselves as either a Microsoft Word document or a file commonly associated with Adobe Reader. The executable is packed, and variants are usually just the original file repacked in an attempt to circumvent security measures already in place for those specific packed versions.
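A defender's counterpart to the attachment-naming tricks described above, added here as an example and not code from the original post: a mail-gateway style check that flags attachment names which combine an executable extension with an embedded document extension or with a long run of whitespace that pushes the real extension out of view. The sample names, the extension lists and the eight-character padding threshold are this example's assumptions, not values from the post.

```python
import re
from typing import List

# Extensions Windows will execute (assumption for this example).
EXECUTABLE_EXTS = ("exe", "scr", "com", "pif", "bat", "cmd")
# Document extensions the campaign impersonates; .txt/.log are what a real
# change log would actually use.
DOCUMENT_EXTS = ("doc", "docx", "pdf", "txt", "log", "html")

# The final extension of the name, ignoring trailing whitespace.
EXT_RE = re.compile(r"\.([A-Za-z0-9]{1,4})\s*$")
# A document extension that appears as its own token inside the stem,
# e.g. "...2010.DOC" or "...N4831657 DOC".
DOC_TOKEN_RE = re.compile(r"(?:^|[\s._-])(%s)\b" % "|".join(DOCUMENT_EXTS), re.IGNORECASE)
# Eight or more consecutive whitespace characters (assumed threshold).
PADDING_RE = re.compile(r"\s{8,}")

# Constructed sample attachment names modelled on the patterns in the post;
# the numbers and the date are made up.
SAMPLE_ATTACHMENTS = [
    "Amazon_Tracking_Number_N4831657" + " " * 60 + "DOC.exe",
    "iTunes_certificate2891.exe",
    "Changelog_14_07_2010.DOC" + " " * 80 + ".exe",
    "Changelog_14_07_2010.txt",
    "invoice.pdf",
    "report.PDF.exe",
]


def findings(name: str) -> List[str]:
    """Return the reasons an attachment name looks like a disguised executable.

    An empty list means nothing was found."""
    reasons = []
    m = EXT_RE.search(name)
    final_ext = m.group(1).lower() if m else ""
    if final_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension ." + final_ext)
        stem = name[: m.start()]
        if DOC_TOKEN_RE.search(stem):
            reasons.append("document extension embedded in name")
    if PADDING_RE.search(name):
        reasons.append("long whitespace run hides the real extension")
    return reasons


def is_disguised_executable(name: str) -> bool:
    """True when the name is executable AND carries at least one disguise."""
    f = findings(name)
    return any(r.startswith("executable") for r in f) and len(f) >= 2


def triage(names: List[str]) -> List[str]:
    """Names from the list that should be quarantined for review."""
    return [n for n in names if is_disguised_executable(n)]


if __name__ == "__main__":
    for n in SAMPLE_ATTACHMENTS:
        print(repr(n[:40]), findings(n))
```

A plain executable attachment such as iTunes_certificate[RANDOM NUMBER].exe is reported with a single finding only; most gateways block that class outright, so the extra findings are what separate a deliberate disguise from an ordinary policy violation.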

Figure 1. Example of the latest email that distributes Trojan.Sasfis

Figure 2. Actual executable file inside the .zip file

Purpose
Trojan.Sasfis is essentially a back door Trojan that can perform various actions upon receiving commands from a malicious host. Downloading and installing misleading applications is the most common of these that we have observed to date, although we have also witnessed the installation of such infamous threats as Trojan.Vundo and Backdoor.Tidserv. While the download is retrieved from a hard-coded URL, the file at the end of that URL can be changed at any time by the attacker. This suggests that Sasfis itself is a gun for hire, so to speak: the authors are obviously only too happy to use Sasfis to spread any other threat that will make them money, either where they directly control the downloaded threat themselves or where they are paid to download and install a threat for a third party. As to who the Sasfis authors are, investigations are ongoing, but the use of Russian domains in the code is an indication that possibly the authors, and certainly much of the activity, originate from Russia.

Installation
When the Trojan is executed, it creates a temporary (.tmp) file and, if Microsoft Word is installed, opens Word and runs a VBA script that loads the .tmp file and executes it. The .tmp file injects a thread into a newly created svchost.exe process (as mentioned in the previous Sasfis article, this effectively cloaks the threat, allowing it to bypass a firewall while disguised as a legitimate process), copies itself as a .dll file into the system directory and launches the Word application, adding VBA code to Word which it uses to load the malicious DLL into memory (using VBA code in Word purely to load the malicious DLL is fairly unique and quite puzzling; see the appendix below for details). Once all of this has taken place, the threat deletes the original executable (the one that arrived inside the email attachment). If Microsoft Word is not present on the system, the threat starts svchost.exe and injects a remote thread into that process to continue the installation.

Network Communications
Other than the means to communicate with its controlling host, Sasfis has no way of replicating or spreading itself. Those communications take the form of backdoor commands received over HTTP on TCP port 80. Contacting the URL hard-coded into the threat results in other URLs being contacted, which may then result in a file being downloaded and executed on the compromised computer. While this is typically what we have observed the host server instruct clients to do, there are 16 possible parameters that may be added to the URL to facilitate different actions:

  1. id
  2. runurl (this is the parameter used to download and execute a remote file)
  3. delay
  4. backurls
  5. tasakid
  6. v
  7. b
  8. tm
  9. info
  10. r
  11. bot_php
  12. load_file
  13. tid
  14. kill
  15. upd
  16. report_urls
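The parameter list above is usable as a detection signal on its own: a request whose query string carries several of these names, or one of the unusual ones such as runurl or report_urls, is worth a look regardless of which host it went to. The following is an added example, not code from the post or from Symantec, that scores proxy log lines on that basis. The log line format, the placeholder hosts and paths (the post does not give the C2 path), and the weighting of "strong" versus ordinary parameter names are all this example's assumptions.

```python
from typing import Dict, List, Tuple
from urllib.parse import parse_qs, urlsplit

# The 16 parameter names listed in the post.
SASFIS_PARAMS = frozenset({
    "id", "runurl", "delay", "backurls", "tasakid", "v", "b", "tm", "info", "r",
    "bot_php", "load_file", "tid", "kill", "upd", "report_urls",
})
# Names unusual enough to carry weight on their own. The split and the
# weights are this example's assumption, not something the post states.
HIGH_CONFIDENCE = frozenset({
    "runurl", "backurls", "tasakid", "bot_php", "load_file", "report_urls",
})

# Constructed proxy log lines: "<time> <client> <method> <url> <status>".
# Hosts and paths are placeholders.
SAMPLE_PROXY_LINES = [
    "2010-07-16T08:04:19Z 10.0.0.23 GET http://c2.example.invalid/ctl?id=3&runurl=http://dl.example.invalid/x.exe&v=2 200",
    "2010-07-16T08:05:01Z 10.0.0.23 GET http://c2.example.invalid/ctl?id=3&tm=1279267501&r=1 200",
    "2010-07-16T08:05:40Z 10.0.0.9 GET http://shop.example.invalid/item?id=42&v=2 200",
    "2010-07-16T08:06:02Z 10.0.0.23 GET http://c2.example.invalid/ctl?id=3&report_urls=1&kill=0 200",
]


def score_url(url: str) -> Tuple[int, List[str]]:
    """Score a URL by which Sasfis parameter names appear in its query string.

    A strong name counts 3, any other listed name counts 1."""
    keys = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    hits = keys & SASFIS_PARAMS
    strong = hits & HIGH_CONFIDENCE
    return 3 * len(strong) + len(hits - strong), sorted(hits)


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Split one constructed-format proxy line into its fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def flag_requests(lines: List[str], threshold: int = 4):
    """Requests whose score reaches the threshold: (client, url, score, hits)."""
    flagged = []
    for line in lines:
        rec = parse_proxy_line(line)
        score, hits = score_url(rec["url"])
        if score >= threshold:
            flagged.append((rec["client"], rec["url"], score, hits))
    return flagged


def client_totals(lines: List[str]) -> Dict[str, int]:
    """Sum of scores per client, so low-scoring polls (id/tm/r) still add up."""
    totals: Dict[str, int] = {}
    for line in lines:
        rec = parse_proxy_line(line)
        totals[rec["client"]] = totals.get(rec["client"], 0) + score_url(rec["url"])[0]
    return totals


if __name__ == "__main__":
    for entry in flag_requests(SAMPLE_PROXY_LINES):
        print(entry)
    print(client_totals(SAMPLE_PROXY_LINES))
```

Generic names such as id, v or r appear in plenty of legitimate traffic, which is why the per-request threshold is set above what they can reach alone and why the per-client total is kept as a second view: a host that keeps polling with id, tm and r accumulates a score even when no single request is flagged.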

Ways to identify an infected computer

  1. Look for a registry value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = "Explorer.exe rundll32.exe xxxx" where xxxx is a random-looking file name and a random-looking parameter, e.g. "Explorer.exe rundll32.exe thxr.wgo sesrj".
     
  2. Search the registry for HKEY_CLASSES_ROOT\idid\"url0" (this may also be "url1" or "url2", etc).
     
  3. Look for a dll file in the %UserProfile%\Local Settings\Temp\ or %System% directories that contains four random characters followed by a "." and then either "tmp" or 3 random characters, e.g. "thxr.tmp" or "thxr.wgo".
     
  4. Check to see if there is an instance of svchost.exe that has been injected with the dll file above.
     
  5. Check firewall logs for traffic from the following domains:
  • hulejsoops.ru (this is the domain hard-coded inside the executable)
  • russianmomds.ru (this and the below domains may be redirected to from the main URL)
  • leeitpopbod.ru
  • loloohuildifsd.ru
  • nemohuildifsd.ru

    Note: This list is by no means complete.
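The checks in steps 1 to 5 above can be automated against exported data. The following is an added example (not code from the post or from Symantec) that runs the registry, file-name and domain checks over constructed input: a .reg-style export, a directory listing and a few log lines with a resolved host field. The domains are the ones listed above; the AccessVBOM value is the one the appendix describes. The export contents, the file names, the log line format and the minimal .reg parser are this example's assumptions, and step 4 (the injected svchost.exe thread) needs a live process inspection that is out of scope here.

```python
import re
from typing import Dict, List, Tuple

SASFIS_DOMAINS = (
    "hulejsoops.ru", "russianmomds.ru", "leeitpopbod.ru",
    "loloohuildifsd.ru", "nemohuildifsd.ru",
)
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()
IDID_KEY = r"HKEY_CLASSES_ROOT\idid".lower()
# "Explorer.exe rundll32.exe thxr.wgo sesrj": four random characters, then
# ".tmp" or three random characters, then a random parameter.
SHELL_RE = re.compile(
    r"^Explorer\.exe\s+rundll32\.exe\s+([A-Za-z0-9]{4}\.(?:tmp|[A-Za-z0-9]{3}))\s+(\S+)\s*$",
    re.IGNORECASE,
)
DLL_NAME_RE = re.compile(r"^[A-Za-z0-9]{4}\.(?:tmp|[A-Za-z0-9]{3})$", re.IGNORECASE)
HOST_RE = re.compile(r"host=(\S+)")

# Constructed .reg export (not from a real machine).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe rundll32.exe thxr.wgo sesrj"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CLASSES_ROOT\idid]
"url0"="http://placeholder.invalid/"
"url1"="http://placeholder2.invalid/"

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Security]
"AccessVBOM"=dword:00000001
"""

# Constructed directory listing and log lines (client IP is the third field).
SAMPLE_TEMP_LISTING = ["thxr.tmp", "thxr.wgo", "kernel32.dll", "setup.log"]
SAMPLE_LOG_LINES = [
    "2010-07-16 08:10:02 10.0.0.23 -> 203.0.113.7:80 host=hulejsoops.ru",
    "2010-07-16 08:10:05 10.0.0.23 -> 203.0.113.9:80 host=www.russianmomds.ru",
    "2010-07-16 08:11:40 10.0.0.9 -> 198.51.100.4:80 host=update.example.invalid",
]


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg parser: lower-cased key path -> {value name: raw value}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip().strip('"')
    return keys


def registry_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Steps 1 and 2 above, plus the AccessVBOM value from the appendix."""
    found = []
    m = SHELL_RE.match(keys.get(WINLOGON_KEY, {}).get("Shell", ""))
    if m:
        found.append("Winlogon Shell runs rundll32.exe %s %s" % (m.group(1), m.group(2)))
    for name in keys.get(IDID_KEY, {}):
        if re.fullmatch(r"url\d+", name):
            found.append("HKEY_CLASSES_ROOT\\idid\\%s present" % name)
    for path, values in keys.items():
        if path.endswith(r"\word\security") and \
                values.get("AccessVBOM", "").lower() in ("dword:00000001", "1"):
            found.append(path + "\\AccessVBOM = 1 (VBA object model access enabled)")
    return found


def suspicious_temp_files(names: List[str]) -> List[str]:
    """Step 3. Weak on its own: plenty of benign files have a four-character
    name, so use it to corroborate the registry findings."""
    return [n for n in names if DLL_NAME_RE.match(n)]


def hosts_of_concern(lines: List[str]) -> List[Tuple[str, str]]:
    """Step 5: (client, host) for each line whose host is, or is under, a listed domain."""
    hits = []
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")
        if any(host == d or host.endswith("." + d) for d in SASFIS_DOMAINS):
            hits.append((line.split()[2], host))
    return hits


if __name__ == "__main__":
    for f in registry_findings(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("registry:", f)
    print("files:", suspicious_temp_files(SAMPLE_TEMP_LISTING))
    print("hosts:", hosts_of_concern(SAMPLE_LOG_LINES))
```

On a real host the export would come from `reg export` of the three keys and the listing from the two directories named in step 3; the key paths are compared case-insensitively because exports write them in varying case.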

Charts
- Prevalence
Symantec has observed the following infection levels of Trojan.Sasfis worldwide.

- Geographical distribution
Symantec has observed the following geographic distribution of this threat.

Conclusion
Trojan.Sasfis is a simple back door program that acts as an entry point for other threats and malicious activities that appear to be a part of a money-making scheme. To use an American football analogy, Trojan.Sasfis is a huge fullback whose job is to create a hole for a halfback, in this case Trojan.Vundo, Backdoor.Tidserv and the rest, to run through the defense. It goes without saying, those halfbacks are well experienced and can be difficult to knock to the ground.

Appendix: Using VBA code in the Word application to load the malicious DLL
As mentioned in the Installation section, Trojan.Sasfis gets Microsoft Word to load the malicious DLL into memory. This is done as follows:

  1. Set the following registry value: HKEY_CURRENT_USER\Software\Microsoft\Office\[version]\Word\Security\"AccessVBOM" = "1"
  2. This allows Microsoft Word to accept the macro that will be added later.
  3. Start up Microsoft Word.
  4. Call the following methods of the Word.Application OLE object. (Please note this is a concept and not real code.)

    Documents = _Application.Documents (get Documents object from a blank new Word document)
    VBProject = Documents.Add (add a VBProject object to the Documents object)
    VBComponents = VBProject.VBComponents (get VBComponents object from the VBProject object)
    Component = VBComponents.Add (add a Component object to the VBComponents object)
    CodeModule = Component.CodeModule (get CodeModule that holds VBA code from the Component)
    code = "Declare Function wvsbivq Lib [DLL name] (ByVal s As String) As Long" (this character string is the VBA code that declares the macro function "wvsbivq" that resides in the DLL)
    CodeModule.AddFromString(code) (add the character string to the VBA CodeModule)
    _Application.Run("wvsbivq") (execute "wvsbivq" in the DLL)

There is no reason why Trojan.Sasfis has to call the Word application to load the DLL: it could load the DLL directly, or inject a remote thread that loads it, and it is clearly capable of the steps above. As such, those steps are most likely taken to confuse and slow down analysis.

Special thanks to Shunichi Imano for his help with this blog.