
SASFIS Malware Uses a New Trick

  • Posted on:May 31, 2010 at 4:14 am
  • Posted in:Botnets, Malware, Spam
  • Author:
    Joseph Cepe (Threats Analyst)
Early this year, the SASFIS Trojan became notorious in relation to spoofed email messages supposedly from Facebook. SASFIS infections usually result in tons of other malware infections, as this particular family makes systems susceptible to botnet attacks, particularly from ZeuS and BREDOLAB, and is affiliated with various FAKEAV variants, usually those associated with pornographic sites.

TrendLabs engineer Shih-Hao Weng came across a new SASFIS variant that uses the right-to-left override (RLO) technique, which was more commonly associated with spamming in the past but has now become a new social engineering tactic.

This SASFIS Trojan arrives via a spammed message with a .RAR file attachment, which contains an .XLS file. Upon extraction to the desktop, the supposed .XLS file looks like an authentic MS Excel document. In reality, however, the file is a screensaver detected by Trend Micro as TROJ_SASFIS.HBC. This Trojan drops BKDR_SASFIS.AC, which allows threads to be injected into the legitimate svchost.exe process.

While the file may appear at first to be an Excel worksheet, it possesses a Win32 binary header, which only executable files have. Its real file name (minus the Chinese characters) is phone&mail).[U+202E]slx.scr, where U+202E is the Unicode control character that tells the system to render the succeeding characters from right to left. Thus, to the user, the file will appear to be named phone&mail).xls.scr. This could lead them to believe that the file is indeed an Excel file and thus “safe” to open, when in reality it is an executable .SCR file.

This technique also uses other file names for the same purpose, such as BACKS[U+202E]FWS.BAT and I-LOVE-YOU-XOX[U+202E]TXT.EXE, which are rendered as BACKSTAB.SWF and I-LOVE-YOU-XOXEXE.TXT instead. In the former case, a batch file is disguised as an Adobe Flash file; in the latter, an executable file is disguised as a text file.
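As an added illustration (not code from the original post), the following Python approximates how a left-to-right file manager renders a name containing U+202E and recovers the extension the operating system actually uses, so a defender can flag such attachments; the sample names are constructed after the ones described above, and the list of executable extensions is an assumption.

```python
"""Added example (not code from the original post): approximate how a
left-to-right file manager displays a name containing U+202E and recover
the extension the OS actually uses. Sample names are constructed after
the ones described in the post."""
import unicodedata

RLO = "\u202e"
# Unicode bidi controls that can be abused in names: U+202A-U+202E and U+2066-U+2069
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}
# Extensions Windows treats as directly executable (assumed short list)
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "vbs", "js"}


def displayed_name(name: str) -> str:
    """Text before the first RLO is shown as-is; text after it is drawn reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def true_extension(name: str) -> str:
    """Extension from the stored name with invisible controls removed (what the OS uses)."""
    clean = "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    return clean.rsplit(".", 1)[-1].lower() if "." in clean else ""


def analyze(name: str) -> dict:
    """Compare displayed vs. real extension and list any bidi controls by Unicode name."""
    shown = displayed_name(name)
    shown_ext = shown.rsplit(".", 1)[-1].lower() if "." in shown else ""
    real_ext = true_extension(name)
    controls = [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]
    return {
        "displayed": shown,
        "displayed_ext": shown_ext,
        "real_ext": real_ext,
        "controls": controls,
        "suspicious": bool(controls) or (real_ext in EXECUTABLE_EXTS and shown_ext != real_ext),
    }


if __name__ == "__main__":
    for n in ("BACKS\u202eFWS.BAT", "I-LOVE-YOU-XOX\u202eTXT.EXE", "phone&mail).\u202eslx.scr"):
        r = analyze(n)
        print(f"shown as {r['displayed']!r}, really .{r['real_ext']}, suspicious={r['suspicious']}")
```

A mail gateway or endpoint script can apply `analyze` to attachment names and quarantine anything whose real extension is executable while the displayed one is not.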

Users can, however, prevent this attack from affecting their systems by employing the usual best practices—not opening suspicious-looking email messages and not downloading and executing attachments.

Trend Micro™ Smart Protection Network™ protects product users from this threat by preventing the spammed messages from even reaching their inboxes via the email reputation service. Trend Micro products also detect and delete the malicious files TROJ_SASFIS.HBC and BKDR_SASFIS.AC from affected systems via the file reputation service.

Update as of June 2, 2010, 12:30 a.m. (GMT – 7:00)

In related news, JPCERT/CC has issued an alert warning users in Japan that spam messages with a malicious attachment are now using this very tactic. (A translation of the alert into English can be found here.) Trend Micro detects this malicious attachment as TROJ_UNDEF.QC.
