The Latest in IT Security

Regents of Louisiana spreading Sirefef malware

03 May 2013

I was given a suspicious link pointing to the website of the Board of Regents of the State of Louisiana. The link points to the main site, hxxp://regents.la.gov/, followed by /wp-content/upgrade/<numbers>.exe, where <numbers>.exe stands for several random digits followed by the EXE extension.

[image: govt_la_000]

A link that looks like hxxp://regents.la.gov/wp-content/upgrade/<some_numbers>.exe seems suspicious at first glance. Websites that directly serve executable files without any installer, archive, or further information (hash, checksum, etc.) are often interesting subjects for analysis.

So I downloaded the file. It was 232 448 bytes in size. After executing it in our testing environment, I immediately noticed suspicious internet communication. First it connected to www.maxmind.com, a legitimate website offering various GeoIP information. The request and reply in my case were as shown in the picture below.

[image: govt_la_002]

The malware then makes several GET requests to www.e-zeeinternet.com, each with a different page parameter.

[image: govt_la_003]

e-zeeinternet is a service offering various web counters. Such web counters are sometimes abused by cybercriminals to measure the size of their botnets.

[image: govt_la_005]

The Sirefef family, as mentioned in the title, connects infected computers into a botnet. This botnet is peer-to-peer, which means there is no central command-and-control server through which the botnet operator controls it. Each member of the botnet keeps a list of several peers, with which it maintains connections and communicates. The botnet cannot simply be deactivated by disconnecting the main communication node, because there is no such node.

If botnet operators want to measure the size of their botnet, they simply use innocent website counters. Every time the botnet dropper successfully completes an important step of its installation process (installation started, admin privileges acquired, rootkit installed, 32/64-bit environment detected, etc.), it issues a GET request with a specific page parameter.

Botnet operators can then see how many computers they attempted to infect, and what portion of these computers were actually infected.

In the figure below, you can see a few counters with different page parameter values, collected during the infection of our testing computer. The numbers slowly decrease, because not all installation attempts succeeded. In our example, there seem to have been more than 800K attempts to install the virus, decreasing to about 300K machines that were infected successfully.

[image: govt_la_004]

On a compromised computer, it is possible to record communication with many different IP addresses, which are the other peers in the botnet.
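The sequence described above (executable fetched from /wp-content/upgrade/, GeoIP lookup at www.maxmind.com, then counter hits at www.e-zeeinternet.com with page parameters) can be turned into a simple correlation check over proxy logs. The following is an added example, not code from the original post; the log lines are constructed, and the counter URL paths and page values are assumptions, since the post does not quote them.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines ("client method url"), not real captures.
# Dropper path follows the pattern from the post; counter paths/page values are assumed.
SAMPLE_LOG = """\
10.0.0.5 GET http://regents.la.gov/wp-content/upgrade/5379025.exe
10.0.0.5 GET http://www.maxmind.com/
10.0.0.5 GET http://www.e-zeeinternet.com/?page=1001
10.0.0.5 GET http://www.e-zeeinternet.com/?page=1002
10.0.0.5 GET http://www.e-zeeinternet.com/?page=1003
10.0.0.7 GET http://www.maxmind.com/
10.0.0.7 GET http://www.e-zeeinternet.com/?page=2001
10.0.0.9 GET http://regents.la.gov/wp-content/upgrade/readme.txt
"""

DROPPER_PATH = re.compile(r"/wp-content/upgrade/\d+\.exe$")  # <numbers>.exe
GEOIP_HOST = "www.maxmind.com"
COUNTER_HOST = "www.e-zeeinternet.com"

def classify(url):
    """Map a URL to one of the stages described in the post, or (None, None)."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host == GEOIP_HOST:
        return "geoip", None
    if host == COUNTER_HOST:
        pages = parse_qs(parts.query).get("page", [])
        return "counter", pages[0] if pages else None
    if DROPPER_PATH.search(parts.path):
        return "dropper", url
    return None, None

def find_sirefef_like_hosts(log_text):
    """Return {client: {"dropper": url-or-None, "geoip": bool, "counter_pages": [...]}}
    for every client that hit the web counter; dropper and GeoIP add confidence."""
    state = defaultdict(lambda: {"dropper": None, "geoip": False, "counter_pages": []})
    for line in log_text.splitlines():
        client, _method, url = line.split(maxsplit=2)
        stage, value = classify(url)
        if stage == "dropper":
            state[client]["dropper"] = value
        elif stage == "geoip":
            state[client]["geoip"] = True
        elif stage == "counter" and value is not None:
            state[client]["counter_pages"].append(value)
    return {c: s for c, s in state.items() if s["counter_pages"]}
```

A host with counter hits but no recorded download (like 10.0.0.7 above) still deserves a look, since the dropper may have arrived by another path.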

[image: govt_la_001]

Conclusion:

In this example we can see that even a binary downloaded from legitimate website can be malicious.

We would like to thank PhysicalDrive0 for notifying us about this threat.

SHA256:
3CFF3A5394FEFBD3BF032AA70AE2D725783F931C4888CBC41AD56CB5C094A415
