Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.
TrendLabsSM engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which was more commonly associated with spamming in the past, but has now become a new social engineering tactic.
This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains an .XLS file. Upon extraction to the desktop, the supposed .XLS file looks like an authentic MS Excel document. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which allows threads to be injected to the normal svchost.exe process.
While the file may appear at first to be an Excel worksheet, it possesses a Win32 binary header, which only executable files have. Its real file name (minus the Chinese characters) is phone&mail).[U+202e}slx.scr, wherein U+202e is the Unicode control character that tells the system to render succeeding characters from right to left. Thus, to the user, the file will appear to be named phone&mail).xls.scr. This could lead them to believe that the file is indeed an Excel file and thus “safe” to open, when in reality it is an executable .SCR file.
This technique also uses other file names for the same purpose, such as BACKS[U+2020e]FWS.BAT and I-LOVE-YOU-XOX[U+2020e]TXT.EXE to be rendered as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT instead. In the former case, a batch file is disguised as an Adobe Flash file; in the latter an executable file is disguised as a text file.
Users can, however, prevent this attack from affecting their systems by employing the usual best practices—not opening suspicious-looking email messages and not downloading and executing attachments.
Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching their inboxes via the email reputation service. Trend Micro products also detect and delete the malicious files TROJ_SASFIS.HBC and BKDR_SASFIS.AC from affected systems via the file reputation service.
Update as of June 2, 2010, 12:30 a.m. (GMT – 7:00)
In related news, JPCERT/CC has issued an alert warning users in Japan that spam messages with a malicious attachment are now using this very tactic. (A translation of the alert into English can be found here.) Trend Micro detects this malicious attachment as TROJ_UNDEF.QC.