Trojan.Sasfis is a Trojan horse that opens a back door on the compromised computer.
The Trojan may arrive as a spammed email. Once executed, it injects itself into processes running on the computer so that it can operate stealthily. It may then download more files onto the compromised computer.
Trojan.Sasfis typically arrives on the computer through one of the following methods:
- Spam email
- Drive-by downloads
Spam email is one of the primary infection methods used to distribute this threat. The emails used to spread this threat commonly use social engineering to mislead the user into opening, and unknowingly executing, the attachment.
The following topics have been observed in past campaigns:
A drive-by-download may occur when a user visits a website that has been rigged to contain a number of exploits. The exploits cause malware to be downloaded on to the user's computer without his or her consent.
Trojan.Sasfis may use Microsoft Word to execute itself, and it also injects itself into legitimate processes on the computer in order to avoid detection. After the Trojan has been installed on the compromised computer, it connects to a command and control (C&C) server to register itself as a bot. The Trojan then awaits instructions from the C&C server, which typically direct it to download additional files and malware onto the computer.
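The behaviour chain described above (a document application launching the Trojan, which then contacts a C&C server and writes further payloads to disk) is the kind of sequence an endpoint detection rule can look for. The following is an added example, not Symantec's detection content: it assumes a hypothetical endpoint event schema (one dictionary per event with a host, timestamp, event type and a process id) and runs a heuristic over constructed sample events that flags any Office-spawned process that both opens a network connection and drops an executable within a short window.

```python
"""Heuristic detection for the infection chain described above.

Assumed event schema (hypothetical, not a vendor format): each event is a dict with
'ts' (seconds), 'host', 'type' in {'process_start', 'net_connect', 'file_write'},
'pid', and type-specific fields ('image'/'parent_image', 'dst', 'path').
"""
from collections import defaultdict

# Document applications whose child processes warrant scrutiny (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# File extensions treated as "executable dropped to disk" (assumption).
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


def find_suspicious_chains(events, window_seconds=300):
    """Return one finding per process that was spawned by an Office application
    and, within `window_seconds` of starting, both connected outbound and wrote
    an executable file. Purely heuristic; thresholds must be tuned per environment."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        candidates = {}   # pid -> (start ts, image) for Office-spawned processes
        seen_net, seen_write = set(), set()
        for ev in evs:
            kind = ev["type"]
            if kind == "process_start" and ev["parent_image"].lower() in OFFICE_PARENTS:
                candidates[ev["pid"]] = (ev["ts"], ev["image"])
            elif ev.get("pid") in candidates:
                start_ts, _ = candidates[ev["pid"]]
                if ev["ts"] - start_ts > window_seconds:
                    continue  # outside the correlation window
                if kind == "net_connect":
                    seen_net.add(ev["pid"])
                elif kind == "file_write" and ev["path"].lower().endswith(EXEC_SUFFIXES):
                    seen_write.add(ev["pid"])
        for pid in sorted(seen_net & seen_write):
            start_ts, image = candidates[pid]
            findings.append({"host": host, "pid": pid, "image": image, "first_seen": start_ts})
    return findings


# Constructed sample telemetry; addresses are from documentation ranges.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "ws01", "type": "process_start", "pid": 4100,
     "image": "invoice.exe", "parent_image": "WINWORD.EXE"},
    {"ts": 130, "host": "ws01", "type": "net_connect", "pid": 4100, "dst": "203.0.113.10:80"},
    {"ts": 160, "host": "ws01", "type": "file_write", "pid": 4100,
     "path": "C:\\Users\\a\\AppData\\Local\\Temp\\update.exe"},
    # Benign: Word spawning a print helper that writes a temp file but never connects.
    {"ts": 200, "host": "ws02", "type": "process_start", "pid": 5100,
     "image": "splwow64.exe", "parent_image": "WINWORD.EXE"},
    {"ts": 210, "host": "ws02", "type": "file_write", "pid": 5100, "path": "C:\\Users\\b\\print.tmp"},
    # Benign: a browser started from the shell, not from an Office application.
    {"ts": 300, "host": "ws01", "type": "process_start", "pid": 6000,
     "image": "chrome.exe", "parent_image": "explorer.exe"},
    {"ts": 301, "host": "ws01", "type": "net_connect", "pid": 6000, "dst": "198.51.100.5:443"},
]

if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

The rule deliberately requires all three links of the chain (Office parent, outbound connection, executable write) before raising a finding, so a Word add-in that only writes temp files or a browser that only connects does not trip it; shrinking `window_seconds` tightens the correlation further at the cost of missing slower beacons.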
Often, the authors of malware such as fake antivirus software do not have the resources or bandwidth to spread their malware on a large scale. Instead they rely on a network of affiliates, such as the owners of the Trojan.Sasfis botnet, to distribute the malware. In return, the owners of the botnet are paid a commission for every installation. More information on this pay-per-install concept can be found in this Symantec whitepaper.
The following illustration details the infection method and functionality of the threat:
Symantec has observed the following geographic distribution of this threat.
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Intrusion Prevention System