The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in relation to spoofed messages supposedly from Facebook.
SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from Zeus and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.
In the course of conducting research on SASFIS-related activities in the past few months, I have come across around the following infection numbers:
|January 20, 2010||99|
SASFIS variants may usually be downloaded while visiting sites that have been compromised using the Eleonore Exploits Pack as a file named load.exe. Upon execution, these create temporary files and modify registry entries. They then attempt to send a GET request to a remote site to download another file usually named max.exe, which will again download another file named max_b.exe, a FAKEAV variant.
SASFIS may be a simple Trojan downloader that downloads one or more files from a single domain via a GET request onto affected systems but like other malware, the download of several other binaries onto systems is no longer a simple matter.
SASFIS uses two primary business models. SASFIS uses the pay-per-install (PPI) business model, which has been discussed in more detail in “SDBOT IRC Botnet Continues to Make Waves.” In this model, the cybercriminals behind other malware families (e.g., ZBOT, KOOBFACE, etc.) pay those behind SASFIS to install their own creations onto SASFIS-affected systems for a fee.
The cybercriminals behind SASFIS also utilize the pay-per-access (PPA) business model wherein they hardcode a list of adult websites in some of the components their malicious creations download to redirect users to the said sites though their reason for doing so remains vague. They probably just do this to either annoy the users or to distract them to conceal the infection.
Though SASFIS has not been as notorious as other malware families, it still remains a threat. Users are advised to be wary of the sites they visit to avoid infection.
Trend Micro™ Smart Protection Network™ protects users from all kinds of SASFIS-related threats.