Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    The number of systems infected by various SASFIS Trojan variants has been increasing since the end of 2009, affecting networks across the globe. SASFIS variants have recently been spotted in relation to spoofed messages supposedly from Facebook.

    SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from Zeus and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

    Click for larger view Click for larger view

    In the course of conducting research on SASFIS-related activities in the past few months, I have come across around the following infection numbers:

    Month/Year Infected Systems
    September 2009 49
    October 2009 191
    November 2009 185
    December 2009 105
    January 20, 2010 99

    SASFIS variants may usually be downloaded while visiting sites that have been compromised using the Eleonore Exploits Pack as a file named load.exe. Upon execution, these create temporary files and modify registry entries. They then attempt to send a GET request to a remote site to download another file usually named max.exe, which will again download another file named max_b.exe, a FAKEAV variant.

    SASFIS may be a simple Trojan downloader that downloads one or more files from a single domain via a GET request onto affected systems but like other malware, the download of several other binaries onto systems is no longer a simple matter.

    SASFIS uses two primary business models. SASFIS uses the pay-per-install (PPI) business model, which has been discussed in more detail in “SDBOT IRC Botnet Continues to Make Waves.” In this model, the cybercriminals behind other malware families (e.g., ZBOT, KOOBFACE, etc.) pay those behind SASFIS to install their own creations onto SASFIS-affected systems for a fee.

    The cybercriminals behind SASFIS also utilize the pay-per-access (PPA) business model wherein they hardcode a list of adult websites in some of the components their malicious creations download to redirect users to the said sites though their reason for doing so remains vague. They probably just do this to either annoy the users or to distract them to conceal the infection.

    Though SASFIS has not been as notorious as other malware families, it still remains a threat. Users are advised to be wary of the sites they visit to avoid infection.

    Trend Micro™ Smart Protection Network™ protects users from all kinds of SASFIS-related threats.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice