1. /
  2. Security Response/
  3. Trojan.Sasfis

Trojan.Sasfis

Risk Level 1: Very Low

Discovered:
February 2, 2010
Updated:
January 20, 2012 12:28:26 PM
Also Known As:
W32/Oficla.AE [F-Secure], Backdoor.Win32.Bredavi.he [Kaspersky], Trojan.Win32.Agent.daec [Kaspersky]
Type:
Trojan
Infection Length:
19,456 bytes
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Avoid emails with .zip attachments
2. Infection method
2.1 Spam email
2.2 Drive-by downloads
3. Functionality
3.1 System modifications
3.2 Network activity
3.3 Affiliate schemes
4. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
Use of a firewall or IDS may block or detect back door server communications with the remote client application.

Users should be wary of any unsolicited emails whether from known or unknown sources. Be particularly wary if the email includes a tracking number, describes a change log, or provides a statement of fees and involves opening attachments.


1.2 Avoid emails with .zip attachments
Trojan.Sasfis may arrive on the computer as an attachment with a .zip extension. Typically the .zip file contains an executable file inside. The Trojan only executes after the file inside the attachment is extracted and then run by the user. Therefore it is relatively easy for users to avoid this Trojan (and indeed other malware) by simply not opening such file types.

To reduce the risk of infection, email gateways can be configured to block email with certain types of attachments such as .exe and .zip files.



2. INFECTION METHOD
Trojan.Sasfis typically arrives on the computer through one of the following methods:
  • Spam email
  • Drive-by downloads

A more detailed description of how the threat employs these techniques is provided in the following sections.


2.1 Spam email
One of the most common ways for this Trojan to arrive on a computer is as an attachment to a spammed email. The volume of spam emails is high and the contents are frequently changed and updated. The following are some representative samples of the types of emails that contain a copy of the threat.


Subject
Your log [DATE]

Email body
Good afternoon,
as promised your changelog is attached,
Vince

Attachment
Changelog_[DATE].zip





Or

Subject
Changelog [DATE]

Email body
Dear ladies and gentlemen,
as promised,
Amos

Attachment
Changelog_[DATE].PDF.zip





Or

Subject
Your fees 2010

Email body
Please find attached a statement of fees as requested, this will be posted today.
The accommodation is dealt with by another section and I have passed your request on to them today.
Kind regards.

Attachment
Fees_2010.zip





Other known attachments
  • Amazon_Tracking_Number_N[RANDOM NUMBER][MANY SPACE CHARACTERS].DOC.exe
  • iTunes_certificate[RANDOM NUMBER].exe

The .zip files typically contain another file, which is a copy of the threat. Whilst the file may at first appear to be a legitimate file, it is just a disguise that is achieved through using legitimate icons and double file extensions. For example, on a computer configured to hide file extensions, a file named Fees_2010.DOC.exe will appear as Fees_2010.DOC. This is a common trick used by malware to hide the real file extension of the executable file from unsuspecting users.





The executable file is packed and variants of the threat are usually just the original file repacked in an attempt to avoid detection by antivirus software.


2.2 Drive-by downloads
Trojan.Sasfis is known to be spread by websites that exploit known vulnerabilities in Web browsers and their associated plugins. These exploits are often served by exploit kits available in the underground market (e.g. Eleonore, Fragus, Phoenix) and as such need not necessarily be crafted by individuals with a high degree of technical ability. The exploits used by these kits may vary as they are modular by design. This means that the attackers can buy new exploits for their website as they become available for purchase.

A drive-by-download may occur when a user visits a website that has been rigged to contain an exploit. The exploit causes malware to be downloaded on to the user's computer without his or her consent. This Trojan has been observed to be downloaded on to a computer through this method from the following locations:
  • [http://]asusmac.org/original/[REMOVED]
  • [http://]gruzakk.com/full/bb.[REMOVED]
  • [http://]webauc.ru/mydog/bb.[REMOVED]


This method can also use more than one exploit to target the following technologies in order to further its chance of success:
  • ActiveX
  • DirectShow
  • Flash
  • PDF
  • Snapshotviewer


Furthermore, a target computer is typically bombarded with many exploits until one is successful in compromising the computer. In doing this, the attackers illustrate their determination to break into the computer by any means possible.



3. FUNCTIONALITY
When this Trojan is executed, it may check whether Microsoft Word is installed on the compromised computer. If it is, the Trojan opens a .tmp file, which contains a VBA script, and executes it.

In order to disguise itself as a legitimate application, Trojan.Sasfis may inject itself into the following common processes, which allows it to bypass firewalls:
  • iexplore.exe
  • svchost.exe


Once successfully installed on the computer and executed, the Trojan opens a back door. It may then receive commands from a command and control (C&C) server telling it to perform various actions on the computer. Primarily, Trojan.Sasfis downloads more files on to the computer. The URL locations that the Trojan downloads files from are stored under the following registry subkey:

HKEY_CLASSES_ROOT\idid

The Trojan creates a registry entry named "url[NUMBER]", where [NUMBER] is "1", "2", "3", "4", etc. It points to a hexadecimal string, which, when decrypted, is a website address. This address may point to a server that hosts more malware or updates for the Trojan itself, or updates for the other malware that has been downloaded on to the computer. For example:

HKEY_CLASSES_ROOT\idid\"url2" =
"68 74 74 70 3A 2F 2F 6F 70 74 2D 6F 75 74 2D 6C 69 73 74 2E 6F 72 67 2F 66 75 6C 6C 2F 62 62 2E 70 68 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8C E6 07 00 6C E6 07 00 00 00 00 00 48 E7 07 00 9C E6 07 00 7C E6 07 00 A4 67 91 7C D4 E6 07 00 00 00 00 00 18 00 1A 00 EC E7 07 00 74 C1 97 7C 00 00 00 00 AC E6 07 00 00 00 02 00 A0 E6 07 00 A0 E6"

Note: Side effects created by associated threats are not included in this report.


3.1 System modifications
The following side effects may be observed on computers compromised by members of threat family.


Files/folders created
  • %Temp%\1.tmp
  • %System%\[RANDOMLY NAMED FILE]

Note:
[RANDOMLY NAMED FILE] is a variable for the file name. It is made up of a random four-letter file name and a random three-letter file extension.


Files/folders deleted
The Trojan deletes the original executable.


Files/folders modified
None


Registry subkeys created
HKEY_CLASSES_ROOT\idid


Registry subkeys/entries deleted
None


Registry subkeys/entries modified (final values given)

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Shell" = " Explorer.exe rundll32.exe %System%\[RANDOMLY NAMED FILE] [FIVE OR SIX RANDOM CHARACTERS]"
  • HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\"AccessVBOM" = "1"

Processes
The Trojan may inject itself into the following processes:
  • iexplore.exe
  • svchost.exe


3.2 Network activity
Trojan.Sasfis opens a back door. It can then receive commands to download more files on to the compromised computer.

The threat may perform the following network activities.

Downloading
The Trojan may download other files and updates on to the computer from the following locations:
  • [http://]newscriptbase.com/full/bb.[REMOVED]
  • [http://]opt-out-list.org/full/bb.[REMOVED]
  • [http://]truwebstart.com/full/bb.[REMOVED]
  • 193.104.27.91


3.3 Affiliate schemes
The Trojan mostly downloads various security risks on to the compromised computer, for example Antimalware Doctor and Adware.PurityScan. This could mean that the authors of Trojan.Sasfis may be participants of some affiliate scheme, providing a pay-per-install distribution service for certain misleading application vendors and earning a commission in the process.






4. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resource:
Blogs on Trojan.Sasfis

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Éamonn Young and Eoin Ward
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
Internet Security Threat Report
Symantec DeepSight Screensaver